Lew Wolfgang wrote:
On 4/28/23 04:18, Carlos E. R. wrote:
If you are not going to use IPv6 internally, having source zone for 192.168.1.0/24 (or whatever your internal addresses are) and fallback zone for external traffic would be much more clean.
I expect^H^H^H^H^H^Hhope to have proper IPv6 one day...
What will IPv6 actually do for you? It's a serious question, what will it give you that you don't already have with IPv4 and NAT?
From my experience at work it's nothing but a PITA that reduces reliability.
Really?? or are you just trolling? I certainly can't say that matches my experience, at all. I have been running ipv6 since around 2007, first with a tunnel, later with fixed ISP ranges and since 2015 with our own /28. We also still have a number of leased external machines, all with ipv6.

Reliability is fine, I don't understand how ipv6 could possibly reduce reliability of anything.

Some PIT ... minor issues:

* Wifi access points by Tp-Link have had trouble with ipv6. (okay, identifying that issue was a royal PITA)
* dynamic ipv6 dns updates worked until we upgraded bind (they work again now)
* recently, radvd threw a wobbly, still pondering that.
* androids don't work with dhcpv6.

I have one issue I have only just this week picked up - we need to get the reverse zone dynamic updates to work too. There is some odd bind error when we enable updates.

Some days our public opensuse mirror has up to 33% ipv6 traffic. (from http://mirror.hostsuisse.com/stats/opensuse)

Switzerland - 19.4% of traffic, 169 unique clients
France - 34.6% of traffic, 473 unique clients
Germany - 18.7% of traffic, 3333 unique clients
Portugal - 47.5% of traffic, 63 unique clients
Netherlands - 18.4% of traffic, 152 unique clients
Spain - 3.5% of traffic, 9 unique clients

However, the question in $SUBJ _is_ certainly valid, Andrei brought it up too. Well, for Joe Consumer in his armchair it brings nothing, and he or she will not even notice.

When I started playing with ipv6, I think I had the following reasons -

* ipv4 is boring, btdt.
* need to have ipv6, to write/test code for it.
* want to know ipv6, it's a challenge and fun learning.
* avoid problems when the ipv4 pool is exhausted.

--
Per Jessen, Zürich (17.5°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 4/28/23 09:01, Per Jessen wrote:
Lew Wolfgang wrote:
On 4/28/23 04:18, Carlos E. R. wrote:
If you are not going to use IPv6 internally, having source zone for 192.168.1.0/24 (or whatever your internal addresses are) and fallback zone for external traffic would be much more clean.
I expect^H^H^H^H^H^Hhope to have proper IPv6 one day...
What will IPv6 actually do for you? It's a serious question, what will it give you that you don't already have with IPv4 and NAT?
From my experience at work it's nothing but a PITA that reduces reliability.
Really?? or are you just trolling?
No, serious question.
I certainly can't say that matches my experience, at all. I have been running ipv6 since around 2007, first with a tunnel, later with fixed ISP ranges and since 2015 with our own /28. We also still have a number of leased external machines, all with ipv6.
Reliability is fine, I don't understand how ipv6 could possibly reduce reliability of anything.
My experience is with a large dual-stack network that has several class B IPv4 networks. Router advertisements seem to be slow and unreliable, for one thing. Old protocols not supporting v6 are also an issue. Then there was the time when a user could mis-configure their Windows computer to turn it into a router that led to a dead end. Random network freezes were the result. What's to prevent a bad actor who managed to gain physical access from installing her own router and then siphon off traffic for their own ill deeds?
Some PIT ... minor issues:
* Wifi access points by Tp-Link have had trouble with ipv6. (okay, identifying that issue was a royal PITA)
* dynamic ipv6 dns updates worked until we upgraded bind (they work again now)
* recently, radvd threw a wobbly, still pondering that.
* androids don't work with dhcpv6.
I have one issue I have only just this week picked up - we need to get the reverse zone dynamic updates to work too. There is some odd bind error when we enable updates.
Some days our public opensuse mirror has up to 33% ipv6 traffic. (from http://mirror.hostsuisse.com/stats/opensuse)
Switzerland - 19.4% of traffic, 169 unique clients
France - 34.6% of traffic, 473 unique clients
Germany - 18.7% of traffic, 3333 unique clients
Portugal - 47.5% of traffic, 63 unique clients
Netherlands - 18.4% of traffic, 152 unique clients
Spain - 3.5% of traffic, 9 unique clients
However, the question in $SUBJ _is_ certainly valid, Andrei brought it up too. Well, for Joe Consumer in his armchair it brings nothing, and he or she will not even notice.
When I started playing with ipv6, I think I had the following reasons -
* ipv4 is boring, btdt.
We all reach a stage in life when boring is the end goal.
* need to have ipv6, to write/test code for it.
Recursive justification?
* want to know ipv6, it's a challenge and fun learning.
That's true. Too bad the learning doesn't lead to something useful.
* avoid problems when the ipv4 pool is exhausted.
But that's why God invented NAT! Regards, Lew
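Lew's point above about a host that turns itself into an IPv6 router (by accident, or a device planted by someone with physical access) is a real weakness of stateless address autoconfiguration: any node on the link can send Router Advertisements, and hosts will believe them. The network-side mitigation is RA Guard on managed switches (RFC 6105); on the host or monitoring side you can at least detect it. The following is an added example, not code from this thread or from any of the participants: a small Python parser for ICMPv6 Router Advertisement payloads (RFC 4861 layout) with a check that flags RAs from routers or prefixes that are not on an allow-list. The allow-list (`KNOWN_ROUTERS`, `KNOWN_PREFIXES`) and the sample packets built by `build_ra` are constructed for illustration; a real deployment would feed it RAs captured from the wire (the ICMPv6 payload, without the IPv6 header) together with the packet's source address.

```python
"""Detect unexpected IPv6 Router Advertisements (added example, not from the thread)."""
import struct
from ipaddress import IPv6Address, IPv6Network

ND_ROUTER_ADVERT = 134   # ICMPv6 type for Router Advertisement (RFC 4861 section 4.2)
OPT_SRC_LLADDR = 1       # Source Link-layer Address option (8 bytes for Ethernet)
OPT_PREFIX_INFO = 3      # Prefix Information option (32 bytes)

# Constructed allow-list: link-local address of each legitimate router -> its MAC,
# and the prefixes those routers are expected to advertise.
KNOWN_ROUTERS = {"fe80::1": "00:11:22:33:44:55"}
KNOWN_PREFIXES = {IPv6Network("2001:db8:1::/64")}


def parse_ra(payload: bytes) -> dict:
    """Parse an ICMPv6 RA payload (no IPv6 header). Raises ValueError if malformed."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    # Bytes 1..3 are code and checksum; the rest of the fixed header follows.
    hop_limit, flags, lifetime, _reachable, _retrans = struct.unpack("!BBHII", payload[4:16])
    ra = {
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),        # M flag: use DHCPv6 for addresses
        "other": bool(flags & 0x40),          # O flag: use DHCPv6 for other config
        "router_lifetime": lifetime,          # 0 means "I am not a default router"
        "prefixes": [],
        "src_mac": None,
    }
    pos = 16
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated option header")
        otype, olen = payload[pos], payload[pos + 1]
        if olen == 0:
            raise ValueError("zero-length option")  # RFC 4861 says discard the packet
        end = pos + olen * 8
        if end > len(payload):
            raise ValueError("option overruns packet")
        body = payload[pos + 2:end]
        if otype == OPT_SRC_LLADDR and olen == 1:
            ra["src_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFO and olen == 4:
            # body: prefix length(1) flags(1) valid(4) preferred(4) reserved(4) prefix(16)
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            ra["prefixes"].append({
                "prefix": IPv6Network((body[14:30], plen), strict=False),
                "on_link": bool(pflags & 0x80),
                "autonomous": bool(pflags & 0x40),
                "valid": valid,
                "preferred": preferred,
            })
        pos = end   # unknown options are skipped, as RFC 4861 requires
    return ra


def check_ra(src_ip: str, payload: bytes, known_routers: dict = KNOWN_ROUTERS,
             known_prefixes: set = KNOWN_PREFIXES) -> list:
    """Return a list of findings; an empty list means the RA matches the allow-list."""
    findings = []
    src = IPv6Address(src_ip)
    if not src.is_link_local:
        findings.append(f"RA source {src} is not link-local (RFC 4861 requires fe80::/10)")
    ra = parse_ra(payload)
    expected_mac = known_routers.get(str(src))
    if expected_mac is None:
        findings.append(f"RA from unknown router {src}")
    elif ra["src_mac"] is not None and ra["src_mac"] != expected_mac:
        findings.append(f"link-layer address {ra['src_mac']} does not match "
                        f"{expected_mac} for known router {src}")
    for p in ra["prefixes"]:
        if p["prefix"] not in known_prefixes:
            findings.append(f"unexpected prefix {p['prefix']} advertised by {src}")
    return findings


def build_ra(src_mac: str, prefix: str, plen: int = 64, router_lifetime: int = 1800) -> bytes:
    """Construct a sample RA payload for testing (checksum left as zero; not for sending)."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0x00, router_lifetime, 0, 0)
    lladdr = bytes([OPT_SRC_LLADDR, 1]) + bytes.fromhex(src_mac.replace(":", ""))
    pfx = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
    return hdr + lladdr + pfx + IPv6Address(prefix).packed


# Constructed samples: one from the legitimate router, one from a rogue device.
LEGIT_RA = build_ra("00:11:22:33:44:55", "2001:db8:1::")
ROGUE_RA = build_ra("de:ad:be:ef:00:01", "2001:db8:bad::")

if __name__ == "__main__":
    for name, src, pkt in [("legit", "fe80::1", LEGIT_RA), ("rogue", "fe80::abcd", ROGUE_RA)]:
        print(name, check_ra(src, pkt) or "ok")
```

Every finding is a reason to look at the switch port the frame arrived on; a rogue RA with a short router lifetime or an unexpected prefix is exactly the pattern of the misconfigured-Windows-host incident described above, and a known router address with a different MAC is the spoofing variant.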
On Friday, 2023-04-28 at 09:39 -0700, Lew Wolfgang wrote:
On 4/28/23 09:01, Per Jessen wrote:
Lew Wolfgang wrote:
* avoid problems when the ipv4 pool is exhausted.
But that's why God invented NAT!
NAT is a royal PITA. We accept it because there is, there wasn't, no alternative.

For example, with IPv6 you can send email directly from your machine to somebody else direct, without any intermediate mail server collecting it. Or phone them. Or share files with them. You could send an email where the photos are direct links to your machine at home. If you wish. You can run a game server at home for your group of friends, without even using the game masters server for finding one another or obtain permission.

--
Cheers,
Carlos E. R.
(from openSUSE 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
On Friday, 2023-04-28 at 09:39 -0700, Lew Wolfgang wrote:
On 4/28/23 09:01, Per Jessen wrote:
Lew Wolfgang wrote:
* avoid problems when the ipv4 pool is exhausted.
But that's why God invented NAT!
NAT is a royal PITA. We accept it because there is, there wasn't, no alternative.
To be honest, I'm not sure whether to agree or not :-) I can't say I have ever had any unresolvable problems with NAT.
For example, with IPv6 you can send email directly from your machine to somebody else direct, without any intermediate mail server collecting it.
Um, same with IPv4.
Or phone them.
Um, same with IPv4. (for inbound telephony, you need something to keep the connection open).

--
Per Jessen, Zürich (14.1°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
James Knott wrote:
On 2023-04-28 13:36, Per Jessen wrote:
To be honest, I'm not sure whether to agree or not 😄 I can't say I have ever had any unresolvable problems with NAT.
Try setting up a VPN with both ends on the same subnet.
Sounds a wee bit contrived, I'm not sure I see the issue nor how it is NAT related. Doesn't your VPN have to have server and clients on the same subnet?

I have two VPNs -
production, on 10.177.40.0/22
office, on 192.168.13.0/24

--
Per Jessen, Zürich (13.9°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-28 15:02, Per Jessen wrote:
Try setting up a VPN with both ends on the same subnet.
Sounds a wee bit contrived, I'm not sure I see the issue nor how it is NAT related. Doesn't your VPN have to have server and clients on the same subnet?
Several years ago, I used to travel a lot with my work. I'd find myself in a hotel which used the same subnet as I did at home. This meant I could not use my VPN. I have since moved my home network to 172.16.0.0, to avoid that problem. I have only once seen anyone use anything in the 172 block.
On 2023-04-28 19:36, Per Jessen wrote:
Carlos E. R. wrote:
On Friday, 2023-04-28 at 09:39 -0700, Lew Wolfgang wrote:
On 4/28/23 09:01, Per Jessen wrote:
Lew Wolfgang wrote:
* avoid problems when the ipv4 pool is exhausted.
But that's why God invented NAT!
NAT is a royal PITA. We accept it because there is, there wasn't, no alternative.
To be honest, I'm not sure whether to agree or not :-) I can't say I have ever had any unresolvable problems with NAT.
Oh, we had to solve them, so we did. For private individuals, it is harder.
For example, with IPv6 you can send email directly from your machine to somebody else direct, without any intermediate mail server collecting it.
Um, same with IPv4.
If you have routable addresses.
Or phone them.
Um, same with IPv4. (for inbound telephony, you need something to keep the connection open).
But not with IPv6. You don't even need a directory, just type the IP address (I have not tried, it is theory). But I did do VoIP inside the LAN in that manner with IPv4. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
On 2023-04-28 19:36, Per Jessen wrote:
Carlos E. R. wrote:
On Friday, 2023-04-28 at 09:39 -0700, Lew Wolfgang wrote:
On 4/28/23 09:01, Per Jessen wrote:
Lew Wolfgang wrote:
* avoid problems when the ipv4 pool is exhausted.
But that's why God invented NAT!
NAT is a royal PITA. We accept it because there is, there wasn't, no alternative.
To be honest, I'm not sure whether to agree or not :-) I can't say I have ever had any unresolvable problems with NAT.
Oh, we had to solve them, so we did. For private individuals, it is harder.
I was going to ask you to list some of these harder problems, but it's wayyyy off topic and not overly interesting anyway.
For example, with IPv6 you can send email directly from your machine to somebody else direct, without any intermediate mail server collecting it.
Um, same with IPv4.
If you have routable addresses.
No, that is not necessary. Technically, I can send a mail from my MUA here on 192.168.77.88 behind NAT directly to any mailserver on public IPv4. Of course, any semi-qualified mail admin will block that due to reverse lookup failure, but that applies to IPv6 too.
Or phone them.
Um, same with IPv4. (for inbound telephony, you need something to keep the connection open).
But not with IPv6.
When there is no NAT in between, correct.
You don't even need a directory, just type the IP address (I have not tried, it is theory). But I did do VoIP inside the LAN in that manner with IPv4.
Carlos, the same applies to public IPv4/5/6. Like above, I can initiate SIP from my telephone here on 192.168.77.89 behind NAT directly to any VoIP device (on port 5060) on public IPv4.

<anecdote>
Twelve-thirteen years ago, I had three people employed in home-office, in Bern, Basel and Solothurn, on their private ADSL lines. They each had a Linksys SPA921 phone - my Asterisk box was behind NAT. It worked exceptionally well (even if I had to dabble with traffic control to keep bandwidth reserved for VoIP).
</anecdote>

--
Per Jessen, Zürich (18.0°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-29 10:13, Per Jessen wrote:
Carlos E. R. wrote:
On 2023-04-28 19:36, Per Jessen wrote:
Carlos E. R. wrote:
On Friday, 2023-04-28 at 09:39 -0700, Lew Wolfgang wrote:
On 4/28/23 09:01, Per Jessen wrote:
Lew Wolfgang wrote:
* avoid problems when the ipv4 pool is exhausted.
But that's why God invented NAT!
NAT is a royal PITA. We accept it because there is, there wasn't, no alternative.
To be honest, I'm not sure whether to agree or not :-) I can't say I have ever had any unresolvable problems with NAT.
Oh, we had to solve them, so we did. For private individuals, it is harder.
I was going to ask you to list some of these harder problems, but it's wayyyy off topic and not overly interesting anyway.
Very brief, then: private individuals are less likely to have fixed IPs, so we need "hacks" like dynamic dns servers out there. If we need the aid of some hack to traverse NAT (say stun) we have to use the server of somebody else, we can not do it ourselves.
For example, with IPv6 you can send email directly from your machine to somebody else direct, without any intermediate mail server collecting it.
Um, same with IPv4.
If you have routable addresses.
No, that is not necessary.
Technically, I can send a mail from my MUA here on 192.168.77.88 behind NAT directly to any mailserver on public IPv4. Of course, any semi-qualified mail admin will block that due to reverse lookup failure, but that applies to IPv6 too.
Technically, yes, but that is not what I'm suggesting. I'm suggesting sending to your friend "whatever" who is also behind NAT, without using a mail server outside. ...
You don't even need a directory, just type the IP address (I have not tried, it is theory). But I did do VoIP inside the LAN in that manner with IPv4.
Carlos, the same applies to public IPv4/5/6. Like above, I can initiate SIP from my telephone here on 192.168.77.89 behind NAT directly to any VoIP device (on port 5060) on public IPv4.
Yes, but you are using a stun server out there, and a directory out there. Or having to define virtual servers in the routers involved. I'm saying establishing a voip call without registering anywhere (non configured VoIP client software), just by telling the software the address of the other party, perhaps their user name inside that destination host machine.
<anecdote>
Twelve-thirteen years ago, I had three people employed in home-office, in Bern, Basel and Solothurn, on their private ADSL lines. They each had a Linksys SPA921 phone - my Asterisk box was behind NAT. It worked exceptionally well (even if I had to dabble with traffic control to keep bandwidth reserved for VoIP).
</anecdote>
-- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2023-04-29 07:13, Carlos E. R. wrote:
Very brief, then: private individuals are less likely to have fixed IPs, so we need "hacks" like dynamic dns servers out there. If we need the aid of some hack to traverse NAT (say stun) we have to use the server of somebody else, we can not do it ourselves.
With my ISP, the IPv4 address changes so seldom that it's virtually static and the host name, based on the modem and router MAC addresses, changes only when I change hardware. I have an alias that points to that host name, on the DNS server I use.
Carlos E. R. wrote:
On 2023-04-29 10:13, Per Jessen wrote:
Carlos E. R. wrote:
Oh, we had to solve them, so we did. For private individuals, it is harder.
I was going to ask you to list some of these harder problems, but it's wayyyy off topic and not overly interesting anyway.
Very brief, then: private individuals are less likely to have fixed IPs, so we need "hacks" like dynamic dns servers out there.
I think our ideas of "harder problems" are worlds apart.
For example, with IPv6 you can send email directly from your machine to somebody else direct, without any intermediate mail server collecting it.
Um, same with IPv4.
If you have routable addresses.
No, that is not necessary.
Technically, I can send a mail from my MUA here on 192.168.77.88 behind NAT directly to any mailserver on public IPv4. Of course, any semi-qualified mail admin will block that due to reverse lookup failure, but that applies to IPv6 too.
Technically, yes, but that is not what I'm suggesting.
Well, maybe you would care to explain exactly what you _are_ suggesting. It is difficult having a sane conversation when half the information is omitted.
I'm suggesting sending to your friend "whatever" who is also behind NAT, without using a mail server outside.
Rapidly moving goalposts ... Why don't you open port 25 on your router and forward it to a postfix instance. If it is suitably configured, I'll be happy to send you an email - directly - from this workstation (on 192.168.2.114). I'll even use telnet.
You don't even need a directory, just type the IP address (I have not tried, it is theory). But I did do VoIP inside the LAN in that manner with IPv4.
Carlos, the same applies to public IPv4/5/6. Like above, I can initiate SIP from my telephone here on 192.168.77.89 behind NAT directly to any VoIP device (on port 5060) on public IPv4.
Yes, but you are using a stun server out there, and a directory out there.
I am not using either. I don't understand why you think so. It is perfectly feasible using e.g. "Ekiga" to contact, i.e. start a SIP session to a VoIP device (on port 5060) on public IPv4 or IPv6. I don't understand why you are so intent on turning SIP into black magic, with STUN servers and directories and whathaveyou.
Or having to define virtual servers in the routers involved.
Huh? You have totally lost me. Virtual servers?
I'm saying establishing a voip call without registering anywhere (non configured VoIP client software), just by telling the software the address of the other party, perhaps their user name inside that destination host machine.
I'm sorry, exactly _what_ are you saying?

Let me explain what _I_ am saying -

Using e.g. "ekiga" I can dial a public ip address and establish a phone call, provided the other side has a client looking out for incoming SIP requests on port 5060. It does not have to be a fully-fledged PABX or Asterisk, a simple VoIP client will suffice.

Alternatively, as I don't like dialling IP-addresses, I'll set up a SIP config in my Asterisk, assign the IP-address and allocate a local number. Now I can dial '666', but in the end it is still just a SIP-session to some IP-address.

--
Per Jessen, Zürich (19.2°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-29 14:44, Per Jessen wrote:
Carlos E. R. wrote:
On 2023-04-29 10:13, Per Jessen wrote:
Carlos E. R. wrote:
Oh, we had to solve them, so we did. For private individuals, it is harder.
I was going to ask you to list some of these harder problems, but it's wayyyy off topic and not overly interesting anyway.
Very brief, then: private individuals are less likely to have fixed IPs, so we need "hacks" like dynamic dns servers out there.
I think our ideas of "harder problems" are worlds apart.
For example, with IPv6 you can send email directly from your machine to somebody else direct, without any intermediate mail server collecting it.
Um, same with IPv4.
If you have routable addresses.
No, that is not necessary.
Technically, I can send a mail from my MUA here on 192.168.77.88 behind NAT directly to any mailserver on public IPv4. Of course, any semi-qualified mail admin will block that due to reverse lookup failure, but that applies to IPv6 too.
Technically, yes, but that is not what I'm suggesting.
Well, maybe you would care to explain exactly what you _are_ suggesting. It is difficult having a sane conversation when half the information is omitted.
I did, in the next paragraph.
I'm suggesting sending to your friend "whatever" who is also behind NAT, without using a mail server outside.
Rapidly moving goalposts ...
No, I haven't. I have been saying this from minute 1, but you did not understand, so I had to change my wordings, which instead you interpret as moving the goalposts.
Why don't you open port 25 on your router and forward it to a postfix instance. If it is suitably configured, I'll be happy to send you an email - directly - from this workstation (on 192.168.2.114). I'll even use telnet.
Because with IPv6 the forwarding part is not needed. That's the whole point. Of course I know you and can do it with IPv4. With one dedicated machine doing it in the LAN. With IPv6 all machines in the LAN could do it. No port forwarding needed, just allowing it in the firewall. Direct connections from any machine inside a LAN to any other machine inside another LAN, is the whole point of IPv6 and getting rid of NAT. That's the original idea of Internet. Of course proper firewalls and security methods are required.
You don't even need a directory, just type the IP address (I have not tried, it is theory). But I did do VoIP inside the LAN in that manner with IPv4.
Carlos, the same applies to public IPv4/5/6. Like above, I can initiate SIP from my telephone here on 192.168.77.89 behind NAT directly to any VoIP device (on port 5060) on public IPv4.
Yes, but you are using a stun server out there, and a directory out there.
I am not using either. I don't understand why you think so.
It is perfectly feasible using e.g. "Ekiga" to contact, i.e. start a SIP session to a VoIP device (on port 5060) on public IPv4 or IPv6. I don't understand why you are so intent on turning SIP into black magic, with STUN servers and directories and whathaveyou.
You said: public IPv4. We people don't have public IPv4.
Or having to define virtual servers in the routers involved.
Huh? You have totally lost me. Virtual servers?
It is how routers call "port forwarding". It is on my router manual.
I'm saying establishing a voip call without registering anywhere (non configured VoIP client software), just by telling the software the address of the other party, perhaps their user name inside that destination host machine.
I'm sorry, exactly _what_ are you saying?
Let me explain what _I_ am saying -
Using e.g. "ekiga" I can dial a public ip address and establish a phone
public address. Not a NATted address.
call, provided the other side has a client looking out for incoming SIP requests on port 5060. It does not have to be a fully-fledged PABX or Asterisk, a simple VoIP client will suffice.
Alternatively, as I don't like dialling IP-addresses, I'll set up a SIP config in my Asterisk, assign the IP-address and allocate a local number. Now I can dial '666', but in the end it is still just a SIP-session to some IP-address.
--
Cheers / Saludos,
Carlos E. R.
(from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
On 2023-04-29 14:44, Per Jessen wrote:
For example, with IPv6 you can send email directly from your machine to somebody else direct, without any intermediate mail server collecting it.
Um, same with IPv4.
If you have routable addresses.
No, that is not necessary.
Technically, I can send a mail from my MUA here on 192.168.77.88 behind NAT directly to any mailserver on public IPv4. Of course, any semi-qualified mail admin will block that due to reverse lookup failure, but that applies to IPv6 too.
Technically, yes, but that is not what I'm suggesting.
Well, maybe you would care to explain exactly what you _are_ suggesting. It is difficult having a sane conversation when half the information is omitted.
I did, in the next paragraph.
A bit late, after seventeen posts back and forth - don't you think?
I'm suggesting sending to your friend "whatever" who is also behind NAT, without using a mail server outside.
Rapidly moving goalposts ...
No, I haven't. I have been saying this from minute 1, but you did not understand, so I had to change my wordings, which instead you interpret as moving the goalposts.
Carlos, you _never_ talked about reaching an IP address behind NAT. You have only introduced that complexity _now_ Re-read what you wrote, it is all quoted above.
Why don't you open port 25 on your router and forward it to a postfix instance. If it is suitably configured, I'll be happy to send you an email - directly - from this workstation (on 192.168.2.114). I'll even use telnet.
Because with IPv6 the forwarding part is not needed. That's the whole point.
Please re-read what you posted, above. Please.
I am not using either. I don't understand why you think so.
It is perfectly feasible using e.g. "Ekiga" to contact, i.e. start a SIP session to a VoIP device (on port 5060) on public IPv4 or IPv6. I don't understand why you are so intent on turning SIP into black magic, with STUN servers and directories and whathaveyou.
You said: public IPv4. We people don't have public IPv4.
I don't care, it was never mentioned as a condition. If you set up the proper port forwarding, I can _still_ call you directly.
Or having to define virtual servers in the routers involved.
Huh? You have totally lost me. Virtual servers?
It is how routers call "port forwarding". It is on my router manual.
Well, maybe you should just start writing in Spanish, I guess that is also in your manual.
Let me explain what _I_ am saying -
Using e.g. "ekiga" I can dial a public ip address and establish a phone
public address. Not a NATted address.
Why did you feel the need to emphasize that? I'm sorry, I give up. Please re-read what you posted, above. Please. You never once mentioned NAT'ed addresses.

--
Per Jessen, Zürich (20.1°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
On Saturday, 2023-04-29 at 18:46 +0200, Per Jessen wrote:
On 2023-04-29 14:44, Per Jessen wrote:
...
Or having to define virtual servers in the routers involved.
Huh? You have totally lost me. Virtual servers?
It is how routers call "port forwarding". It is on my router manual.
Well, maybe you should just start writing in Spanish, I guess that is also in your manual.
Per, "Virtual Server" is standard Home Router English parlance. Just google "what is a virtual server in routers?", you will see it. ...
Let me explain what _I_ am saying -
Using e.g. "ekiga" I can dial a public ip address and establish a phone
public address. Not a NATted address.
Why did you feel the need to emphasize that? I'm sorry, I give up.
Please re-read what you posted, above. Please. You never once mentioned NAT'ed addresses.
Sorry, but it is obvious. The advantage of IPv6 is not having to use NAT. If I didn't say it at the start of the thread, somebody else said it. No need to repeat it, till I learned you were not considering it.

--
Cheers,
Carlos E. R.
(from openSUSE 15.4 x86_64 at Telcontar)
On 4/28/23 09:57, Carlos E. R. wrote:
On Friday, 2023-04-28 at 09:39 -0700, Lew Wolfgang wrote:
On 4/28/23 09:01, Per Jessen wrote:
Lew Wolfgang wrote:
* avoid problems when the ipv4 pool is exhausted.
But that's why God invented NAT!
NAT is a royal PITA.
Hasn't been a PITA for me, or any of my users that I know of. Sure, it's problematic if you want to run a server open to the public. But that's most likely problematic with your ISP's AUP anyway.
We accept it because there is, there wasn't, no alternative.
One alternative is to use your Linux box as your router. You could open up the appropriate ports in your host-based firewall, and NAT to your internal networks through additional Ethernet ports.

Granted, your situation might be different, but in my case I have one hot Ethernet port on my cable modem that I can connect either to my Zyxel router, or if I wanted, to my Linux desktop. I think I understand that you have a different situation? Do you have to authenticate to your ISP's router with PPPoE or something? You seemed very resistant to adding a stand-alone router behind your ISP's, but how is that different from adding your Linux desktop serving as a router?

Another alternative might be to have a second IPv4 address. I don't know about now, but extras were available from my ISP if I wanted to pay for them.
For example, with IPv6 you can send email directly from your machine to somebody else direct, without any intermediate mail server collecting it.
I can send mail directly from my natted host. Granted, my ISP blocks outgoing port 25 to anywhere but it's own SMTP servers, but that's a different issue.
Or phone them.
I can phone them using Signal. Video too. And it's encrypted.
Or share files with them.
That can be accomplished with ssh port forwarding through your NAT router, correct?
You could send an email where the photos are direct links to your machine at home.
You want to run a web server at home? I used to do that with NAT port forwarding.
You can run a game server at home for your group of friends, without even using the game masters server for finding one another or obtain permission.
Yes, you could certainly do that.

Carlos, I know that there are use cases for being directly connected to the Internet, but the point that I was trying to make is that for most people IPv4 with NAT is perfectly acceptable. You brought up some edge cases, which is fine and accurate. But most people don't want to set up a game server at home, wouldn't you agree?

For me, a home natted network with Linux hosts, a networked printer, a WiFi hub supporting a raft of smartphones and IOT devices, is fine. My computers are on a separate network from the IOT devices, so they can generate all the mayhem they want and don't threaten my security. Could you achieve the same thing with IPv6? Probably, but it requires an advanced degree to get it provably right. Then there's the case when you can get only one /64 address from your ISP. That was my situation when I gave up with it, it prevented me from setting up isolated IPv6 subnets, at least with my Zyxel router.

As with most things, YMMV. I think we've had enough of this thread, this isn't the OT list after all.

Regards,
Lew
On 2023-04-28 14:28, Lew Wolfgang wrote:
NAT is a royal PITA.
Hasn't been a PITA for me, or any of my users that I know of.
Sure, it's problematic if you want to run a server open to the public. But that's most likely problematic with your ISP's AUP anyway.
The first problem I came across was it blocked FTP. You had to use passive FTP to get by it, but back in those days we used FTP apps and they didn't support it. Now, it gets in the way of VoIP and some online games. You have to use another hack, called STUN, to make them work.
James Knott wrote:
On 2023-04-28 14:28, Lew Wolfgang wrote:
NAT is a royal PITA.
Hasn't been a PITA for me, or any of my users that I know of.
Sure, it's problematic if you want to run a server open to the public. But that's most likely problematic with your ISP's AUP anyway.
The first problem I came across was it blocked FTP. You had to use passive FTP to get by it, but back in those days we used FTP apps and they didn't support it. Now, it gets in the way of VoIP and some online games. You have to use another hack, called STUN, to make them work.
"now" meaning almost 15-16 years ago. My STUN server is from 2007.

per@natrium:~> l /usr/bin/stund
-rwxr-xr-x 1 root root 171977 2007-09-30 14:45 /usr/bin/stund*

"natrium" is my Asterisk server - nobody really dares to touch it :-)

Anyway, it's really wayyyyy off-topic.

--
Per Jessen, Zürich (13.2°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-28 20:28, Lew Wolfgang wrote:
On 4/28/23 09:57, Carlos E. R. wrote:
On Friday, 2023-04-28 at 09:39 -0700, Lew Wolfgang wrote:
On 4/28/23 09:01, Per Jessen wrote:
Lew Wolfgang wrote:
* avoid problems when the ipv4 pool is exhausted.
But that's why God invented NAT!
NAT is a royal PITA.
Hasn't been a PITA for me, or any of my users that I know of.
You are simply used to it.
Sure, it's problematic if you want to run a server open to the public. But that's most likely problematic with your ISP's AUP anyway.
We accept it because there is, there wasn't, no alternative.
One alternative is to use your Linux box as your router. You could open up the appropriate ports in your host-based firewall, and NAT to your internal networks through additional Ethernet ports.
And NAT. Not direct. That's the issue.
Granted, your situation might be different, but in my case I have one hot Ethernet port on my cable modem that I can connect either to my Zyxel router, or if I wanted, to my Linux desktop. I think I understand that you have a different situation? Do you have to authenticate to your ISP's router with PPPoE or something? You seemed very resistant to adding a stand-alone router behind your ISP's, but how is that different from adding your Linux desktop serving as a router?
No other router is needed with IPv6 done properly. The only thing needed is open a hole in the firewall of the router.
Another alternative might be to have a second IPv4 address. I don't know about now, but extra were available from my ISP if I wanted to pay for them.
That's an issue. Compare with having a million of public IP addresses at your disposal.
For example, with IPv6 you can send email directly from your machine to somebody else direct, without any intermediate mail server collecting it.
I can send mail directly from my natted host. Granted, my ISP blocks outgoing port 25 to anywhere but its own SMTP servers, but that's a different issue.
That's not directly. You are sending email to your mail provider, same as me. We are talking of me sending an email direct from my machine to your machine, with no server in between.
Or phone them.
I can phone them using Signal. Video too. And it's encrypted.
And you are using outside servers to complete the connection. Stun and other things. Signal servers. I'm saying doing it direct, no other server intervening. No big brother storing your messages and passing a copy to the authorities. Just routers, switches and firewalls. Freedom.
Or share files with them.
That can be accomplished with ssh port forwarding through your NAT router, correct?
That would be a hack, so complicated that nobody does it. With IPv6 you don't use NAT nor port forwarding. Direct. Freedom.
You could send an email where the photos are direct links to your machine at home.
You want to run a web server at home? I used to do that with NAT port forwarding.
Now do it without NAT nor port forwarding. No limits.
You can run a game server at home for your group of friends, without even using the game master's server for finding one another or obtaining permission.
Yes, you could certainly do that.
Carlos, I know that there are use cases for being directly connected to the Internet, but the point that I was trying to make is that for most people IPv4 with NAT is perfectly acceptable. You brought up some edge cases, which is fine and accurate. But most people don't want to set up a game server at home, wouldn't you agree?
Many gamers do. It is not actually a server: a group of gamers decide to play a game at 8 o clock, and they just do. They just connect the computers together, not needing a subscription with a game company. Freedom.
For me, a home natted network with Linux hosts, a networked printer, a WiFi hub supporting a raft of smartphones and IOT devices, is fine. My computers are on a separate network from the IOT devices, so they can generate all the mayhem they want and don't threaten my security. Could you achieve the same thing with IPv6? Probably, but it requires an advanced degree to get it provably right. Then there's the case when you can get only one /64 address from your ISP. That was my situation when I gave up with it, it prevented me from setting up isolated IPv6 subnets, at least with my Zyxel router.
As with most things, YMMV.
I think we've had enough of this thread, this isn't the OT list after all.
Right. Just remember that you live in a privileged country that has millions of IPv4 addresses for their people, but there are many countries that don't have enough for all their citizens. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2023-04-28 22:33, James Knott wrote:
On 2023-04-28 16:29, Carlos E. R. wrote:
That's an issue. Compare with having a million of public IP addresses at your disposal.
A single /64 has 18.4 billion, billion addresses! With my /56, I have 2^72 addresses.
yeah, I know. I just am unfamiliar with those figures, so replace "million" with the actual token :-p -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 4/28/23 13:29, Carlos E. R. wrote:
On 2023-04-28 20:28, Lew Wolfgang wrote:
On 4/28/23 09:57, Carlos E. R. wrote:
On Friday, 2023-04-28 at 09:39 -0700, Lew Wolfgang wrote:
On 4/28/23 09:01, Per Jessen wrote:
Lew Wolfgang wrote:
* avoid problems when the ipv4 pool is exhausted.
But that's why God invented NAT!
NAT is a royal PITA.
Hasn't been a PITA for me, or any of my users that I know of.
You are simply used to it.
Maybe. I haven't had to touch it in years.
Sure, it's problematic if you want to run a server open to the public. But that's most likely problematic with your ISP's AUP anyway.
We accept it because there is, there wasn't, no alternative.
One alternative is to use your Linux box as your router. You could open up the appropriate ports in your host-based firewall, and NAT to your internal networks through additional Ethernet ports.
And NAT. Not direct. That's the issue.
Why do you want direct? What are you lacking now?
Granted, your situation might be different, but in my case I have one hot Ethernet port on my cable modem that I can connect either to my Zyxel router, or if I wanted, to my Linux desktop. I think I understand that you have a different situation? Do you have to authenticate to your ISP's router with PPPoE or something? You seemed very resistant to adding a stand-alone router behind your ISP's, but how is that different from adding your Linux desktop serving as a router?
No other router is needed with IPv6 done properly. The only thing needed is open a hole in the firewall of the router.
You at least need a firewall, yet you can't trust your ISP? So the Linux box can fulfill both the firewall and the router roles. It can also be a proxy for your internal hosts if needed.
Another alternative might be to have a second IPv4 address. I don't know about now, but extra were available from my ISP if I wanted to pay for them.
That's an issue. Compare with having a million of public IP addresses at your disposal.
I get more than enough addresses with a class C natted subnet.
For example, with IPv6 you can send email directly from your machine to somebody else direct, without any intermediate mail server collecting it.
I can send mail directly from my natted host. Granted, my ISP blocks outgoing port 25 to anywhere but its own SMTP servers, but that's a different issue.
That's not directly.
Sure it would be direct, if my ISP didn't block outgoing SMTP to any destinations other than its own. Most ISPs and corporate networks block outgoing port 25 to improve security and stop spam relaying. That has nothing to do with NAT.
You are sending email to your mail provider, same as me. We are talking of me sending an email direct from my machine to your machine, with no server in between.
Actually, I bypass my ISP's SMTP servers. I use a non-standard port to connect to my outside smart-relay host from my MUA. I don't run, and don't need to run, postfix or sendmail locally.
Or phone them.
I can phone them using Signal. Video too. And it's encrypted.
And you are using outside servers to complete the connection. Stun and other things. Signal servers. I'm saying doing it direct, no other server intervening. No big brother storing your messages and passing a copy to the authorities.
I can connect to outside services directly, ssh, https, imaps. Further, Signal is TNO, which means no one except the destination can decrypt the content.
Just routers, switches and firewalls. Freedom.
Just routers, switches, and firewalls doing NAT. Freedom.
Or share files with them.
That can be accomplished with ssh port forwarding through your NAT router, correct?
That would be a hack, so complicated that nobody does it. With IPv6 you don't use NAT nor port forwarding. Direct. Freedom.
A one-line entry in my firewall's web configuration screen handles the port forwarding. Hardly complicated.
You could send an email where the photos are direct links to your machine at home.
You want to run a web server at home? I used to do that with NAT port forwarding.
Now do it without NAT nor port forwarding. No limits.
Another one-liner in the firewall. Easy.
You can run a game server at home for your group of friends, without even using the game master's server for finding one another or obtaining permission.
Yes, you could certainly do that.
Carlos, I know that there are use cases for being directly connected to the Internet, but the point that I was trying to make is that for most people IPv4 with NAT is perfectly acceptable. You brought up some edge cases, which is fine and accurate. But most people don't want to set up a game server at home, wouldn't you agree?
Many gamers do. It is not actually a server: a group of gamers decide to play a game at 8 o clock, and they just do. They just connect the computers together, not needing a subscription with a game company. Freedom.
You got me there. It might be possible with port forwarding.
For me, a home natted network with Linux hosts, a networked printer, a WiFi hub supporting a raft of smartphones and IOT devices, is fine. My computers are on a separate network from the IOT devices, so they can generate all the mayhem they want and don't threaten my security. Could you achieve the same thing with IPv6? Probably, but it requires an advanced degree to get it provably right. Then there's the case when you can get only one /64 address from your ISP. That was my situation when I gave up with it, it prevented me from setting up isolated IPv6 subnets, at least with my Zyxel router.
As with most things, YMMV.
I think we've had enough of this thread, this isn't the OT list after all.
Right. Just remember that you live in a privileged country that has millions of IPv4 addresses for their people, but there are many countries that don't have enough for all their citizens.
You don't need many IPv4 addresses with NAT. I guess we need to thank Al Gore for inventing the Internet here and bestowing the lion's share of IP addresses to us. Regards, Lew
On 2023-04-29 02:19, Lew Wolfgang wrote:
On 4/28/23 13:29, Carlos E. R. wrote:
On 2023-04-28 20:28, Lew Wolfgang wrote:
On 4/28/23 09:57, Carlos E. R. wrote:
On Friday, 2023-04-28 at 09:39 -0700, Lew Wolfgang wrote:
On 4/28/23 09:01, Per Jessen wrote:
Lew Wolfgang wrote:
* avoid problems when the ipv4 pool is exhausted.
But that's why God invented NAT!
NAT is a royal PITA.
Hasn't been a PITA for me, or any of my users that I know of.
You are simply used to it.
Maybe. I haven't had to touch it in years.
Because you are not setting up new services or connections.
Sure, it's problematic if you want to run a server open to the public. But that's most likely problematic with your ISP's AUP anyway.
We accept it because there is, there wasn't, no alternative.
One alternative is to use your Linux box as your router. You could open up the appropriate ports in your host-based firewall, and NAT to your internal networks through additional Ethernet ports.
And NAT. Not direct. That's the issue.
Why do you want direct? What are you lacking now?
Because I can. Because that is what Internet was designed for. No intermediaries.
Granted, your situation might be different, but in my case I have one hot Ethernet port on my cable modem that I can connect either to my Zyxel router, or if I wanted, to my Linux desktop. I think I understand that you have a different situation? Do you have to authenticate to your ISP's router with PPPoE or something? You seemed very resistant to adding a stand-alone router behind your ISP's, but how is that different from adding your Linux desktop serving as a router?
No other router is needed with IPv6 done properly. The only thing needed is open a hole in the firewall of the router.
You at least need a firewall, yet you can't trust your ISP? So the Linux box can fulfill both the firewall and the router roles. It can also be a proxy for your internal hosts if needed.
There are always crap admins out there. Can't be helped.
Another alternative might be to have a second IPv4 address. I don't know about now, but extra were available from my ISP if I wanted to pay for them.
That's an issue. Compare with having a million of public IP addresses at your disposal.
I get more than enough addresses with a class C natted subnet.
Not directly addressable. That is not Internet.
For example, with IPv6 you can send email directly from your machine to somebody else direct, without any intermediate mail server collecting it.
I can send mail directly from my natted host. Granted, my ISP blocks outgoing port 25 to anywhere but its own SMTP servers, but that's a different issue.
That's not directly.
Sure it would be direct, if my ISP didn't block outgoing SMTP to any destinations other than its own. Most ISPs and corporate networks block outgoing port 25 to improve security and stop spam relaying. That has nothing to do with NAT.
No such blocking here, and still I can not mail my pals without using a mail server out there. Because of NAT.
You are sending email to your mail provider, same as me. We are talking of me sending an email direct from my machine to your machine, with no server in between.
Actually, I bypass my ISP's SMTP servers. I use a non-standard port to connect to my outside smart-relay host from my MUA. I don't run, and don't need to run, postfix or sendmail locally.
We are talking of not using an outside smart-relay host. Nothing outside, just your home machine and the destination machine at some other home. Pay attention.
Or phone them.
I can phone them using Signal. Video too. And it's encrypted.
And you are using outside servers to complete the connection. Stun and other things. Signal servers. I'm saying doing it direct, no other server intervening. No big brother storing your messages and passing a copy to the authorities.
I can connect to outside services directly, ssh, https, imaps. Further, Signal is TNO, which means no one except the destination can decrypt the content.
Again, we are talking direct home to home, room to room. Direct, no outsiders. Pay attention.
Just routers, switches and firewalls. Freedom.
Just routers, switches, and firewalls doing NAT. Freedom.
No, you don't have freedom with NAT involved. You need servers outside as intermediaries.
Or share files with them.
That can be accomplished with ssh port forwarding through your NAT router, correct?
That would be a hack, so complicated that nobody does it. With IPv6 you don't use NAT nor port forwarding. Direct. Freedom.
A one-line entry in my firewall's web configuration screen handles the port forwarding. Hardly complicated.
Still, you need that dirty hack. ... If you don't understand it, I give up. EOT. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 4/29/23 04:22, Carlos E. R. wrote:
Actually, I bypass my ISP's SMTP servers. I use a non-standard port to connect to my outside smart-relay host from my MUA. I don't run, and don't need to run, postfix or sendmail locally.
We are talking of not using an outside smart-relay host. Nothing outside, just your home machine and the destination machine at some other home.
Pay attention.
Carlos, with all due respect, we could continue this thread until the cows come home, and it would be fun. But remember, this isn't the off-topic list. Why don't we just close this thread or move it to OT. If any of the gentle readers of this list are interested, I'm sure that Per would let them join: offtopic@lists.opensuse.org Regards, Lew
Lew Wolfgang wrote:
On 4/28/23 09:01, Per Jessen wrote:
Lew Wolfgang wrote:
From my experience at work it's nothing but a PITA that reduces reliability.
Really?? or are you just trolling?
No, serious question.
I doubt it. Your suggestion above certainly suggests otherwise, I would say. Your answers below too. You might as well have claimed "From my experience at work IPv4 is nothing but a PITA that reduces reliability.".
Reliability is fine, I don't understand how ipv6 could possibly reduce reliability of anything.
My experience is with a large dual-stack network that has several class B IPv4 networks.
I can't keep up with that, we only have a /22. Plus RFC1918 of course.
Router advertisements seem to be slow and unreliable, for one thing.
Local implementation issue, I suggest.
Old protocols not supporting v6 are also an issue.
Huh, such as?
Then there was the time when a user could mis-configure their Windows computer
Local implementation issue, I suggest. Who is stupid enough to let users configure their Windows computers?
What's to prevent a bad actor who managed to gain physical access from installing her own router and then siphon off traffic for their own ill deeds?
Are we discussing IPv4, IPv5 or IPv6? [stupid trolling deleted - please keep that to yourself] -- Per Jessen, Zürich (14.8°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-28 18:50, Lew Wolfgang wrote:
On 4/28/23 09:09, Carlos E. R. wrote:
On 2023-04-28 17:06, Lew Wolfgang wrote:
On 4/28/23 04:18, Carlos E. R. wrote:
What will IPv6 actually do for you? It's a serious question, what will it give you that you don't already have with IPv4 and NAT?
From my experience at work it's nothing but a PITA that reduces reliability.
Well, it allows direct connection from outside to an internal computer, if wanted, without tricks.
Allow direct outside connection to an internal computer? What could possibly go wrong!?
If you wish. You just need a proper router/firewall and a well managed computer.
This is interesting to gamers, for instance, or for direct VoIP. Or remote working.
If a coworker needs files you have, you can just share them from your computer, no intermediate server needed.
Again, that's a security risk. Better to just forward ssh through your NAT router to the inside host.
That's a PITA. Better invent some proper, secure protocol for direct connection making use of IPv6.
As it is, there are providers in Spain that do not give you a public IPv4 address, but one in the 10.*.*.* network. This directly blocks those people from accessing home from outside.
That could be an issue, if you need outside access. You could bounce through an external proxy that you control if needed. I bet Per could offer one to you.
No need, with IPv6. As it is, those machines are a PITA for people working at home or the IT personnel back at headquarters.
All these are uses that were originally designed for Internet, but rendered impossible when NAT was implemented, because there were not enough addresses for everybody. This doesn't affect USAians as much as others. Nor Spaniards as much as Indians, for instance.
IMHO NAT has worked remarkably well.
Because we had no other way.
Then came Telefónica with their stupidity of not issuing static addresses by default and again quelled the dreams.
My ISP doesn't issue static address either, but it really doesn't matter to me with my current configuration. It's static anyway for long periods of time.
No, I mean on IPv6. -- Cheers, Carlos E. R. (from openSUSE 15.4 x86_64 at Telcontar)
On 2023-04-28 12:39, Lew Wolfgang wrote:
My experience is with a large dual-stack network that has several class B IPv4 networks. Router advertisements seem to be slow and unreliable, for one thing. Old protocols not supporting v6 are also an issue. Then there was the time when a user could mis-configure their Windows computer to turn it into a router that led to a dead end. Random network freezes were the result. What's to prevent a bad actor who managed to gain physical access from installing her own router and then siphon off traffic for their own ill deeds?
Multiple class B? Those are huge. BTW, address classes have been obsolete for decades. Now it's CIDR.
* avoid problems when the ipv4 pool is exhausted.
But that's why God invented NAT!
I thought NAT was a curse from the network gods. With IPv6, the Internet works the way it's supposed to, that is transparent end to end.
On 4/28/23 10:45, James Knott wrote:
On 2023-04-28 12:39, Lew Wolfgang wrote:
My experience is with a large dual-stack network that has several class B IPv4 networks. Router advertisements seem to be slow and unreliable, for one thing. Old protocols not supporting v6 are also an issue. Then there was the time when a user could mis-configure their Windows computer to turn it into a router that led to a dead end. Random network freezes were the result. What's to prevent a bad actor who managed to gain physical access from installing her own router and then siphon off traffic for their own ill deeds?
Multiple class B? Those are huge. BTW, address classes have been obsolete for decades. Now it's CIDR.
It's a big organization that's been around for a long time.
* avoid problems when the ipv4 pool is exhausted.
But that's why God invented NAT!
I thought NAT was a curse from the network gods.
With IPv6, the Internet works the way it's supposed to, that is transparent end to end.
Unless you have only a /64. Please correct me if I'm wrong. IIRC you were around when I was wrestling with this a couple of years ago. Thanks for the effort! Regards, Lew
On 2023-04-28 14:38, Lew Wolfgang wrote:
With IPv6, the Internet works the way it's supposed to, that is transparent end to end.
Unless you have only a /64. Please correct me if I'm wrong. IIRC you were around when I was wrestling with this a couple of years ago. Thanks for the effort!
No, it still works fine with a /64. I can put my modem in gateway mode, where I will get only a /64 and it still works fine. There is no need for NAT. One thing I've noticed is many complaints about IPv6 come from people who don't know what they're talking about. I have been using it for 13 years and it was also covered when I got my CCNA. I first read about it in the April 1995 issue of Byte magazine.
On 4/28/23 11:50, James Knott wrote:
On 2023-04-28 14:38, Lew Wolfgang wrote:
With IPv6, the Internet works the way it's supposed to, that is transparent end to end.
Unless you have only a /64. Please correct me if I'm wrong. IIRC you were around when I was wrestling with this a couple of years ago. Thanks for the effort!
No, it still works fine with a /64. I can put my modem in gateway mode, where I will get only a /64 and it still works fine. There is no need for NAT.
One thing I've noticed is many complaints about IPv6 come from people who don't know what they're talking about. I have been using it for 13 years and it was also covered when I got my CCNA. I first read about it in the April 1995 issue of Byte magazine.
Do you have multiple independent subnets with a /64? That's what I couldn't get working with a Zyxel router. Byte! I sure do miss it, and Jerry Pournelle too. I've still got an issue or two hiding around here somewhere. Regards, Lew
On 2023-04-28 15:11, Lew Wolfgang wrote:
One thing I've noticed is many complaints about IPv6 come from people who don't know what they're talking about. I have been using it for 13 years and it was also covered when I got my CCNA. I first read about it in the April 1995 issue of Byte magazine.
Do you have multiple independent subnets with a /64? That's what I couldn't get working with a Zyxel router.
I have no experience with Zyxel. I currently use prefix ID 0 for my main LAN, 3 for guest WiFi, 4 for my test LAN, 5 for my Cisco router and ff for my VPN. That leaves me with only 251 free /64s. 😉
Byte! I sure do miss it, and Jerry Pournelle too. I've still got an issue or two hiding around here somewhere.
I have every paper issue of Byte on the shelf behind me, going back to Vol. 1 #1, Sept. 1975, which I bought in person, from the original publisher, Wayne Greene, at a Radio Society of Ontario ham fest in Ottawa, Ont. back in 1975.
On 4/28/23 12:59, James Knott wrote:
I have every paper issue of Byte on the shelf behind me, going back to Vol. 1 #1, Sept. 1975, which I bought in person, from the original publisher, Wayne Greene, at a Radio Society of Ontario ham fest in Ottawa, Ont. back in 1975.
Wow! That must be worth big bux! I wonder how many complete collections are still in existence? Regards, Lew
Lew Wolfgang wrote:
On 4/28/23 10:45, James Knott wrote:
With IPv6, the Internet works the way it's supposed to, that is transparent end to end.
Unless you have only a /64. Please correct me if I'm wrong.
You're wrong. Look at Carlos' setup and his trying to bend over backward to prevent public access. The size of your prefix allocation does not matter, those 2^64 addresses are all publicly accessible. Even if you were somehow only given a /96, the same would apply. -- Per Jessen, Zürich (13.4°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-28 15:35, Per Jessen wrote:
Unless you have only a /64. Please correct me if I'm wrong.
You're wrong. Look at Carlos' setup and his trying to bend over backward to prevent public access. The size of your prefix allocation does not matter, those 2^64 addresses are all publicly accessible.
His problem is with his firewall, not IPv6. I use pfSense and I can set up an excellent firewall for 1 /64 or 256.
On 2023-04-28 22:04, James Knott wrote:
On 2023-04-28 15:35, Per Jessen wrote:
Unless you have only a /64. Please correct me if I'm wrong.
You're wrong. Look at Carlos' setup and his trying to bend over backward to prevent public access. The size of your prefix allocation does not matter, those 2^64 addresses are all publicly accessible.
His problem is with his firewall, not IPv6. I use pfSense and I can set up an excellent firewall for 1 /64 or 256.
And my ISP giving dynamic prefixes, which prevents many of the possible IPv6 uses. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2023-04-28 16:33, Carlos E. R. wrote:
His problem is with his firewall, not IPv6. I use pfSense and I can set up an excellent firewall for 1 /64 or 256.
And my ISP giving dynamic prefixes, which prevents many of the possible IPv6 uses.
That's only a problem if you want to reach your network from outside. Otherwise, Unique Local Addresses will work for local access.
On 2023-04-28 22:35, James Knott wrote:
On 2023-04-28 16:33, Carlos E. R. wrote:
His problem is with his firewall, not IPv6. I use pfSense and I can set up an excellent firewall for 1 /64 or 256.
And my ISP giving dynamic prefixes, which prevents many of the possible IPv6 uses.
That's only a problem if you want to reach your network from outside. Otherwise, Unique Local Addresses will work for local access.
or a dynamic name server outside. If the prefix were fixed, I could write an entry in the hosts file of my laptop to connect to my desktop computer, and it would not matter if the laptop is at home or in China. Scripts and things would continue working exactly the same. (no, I have not thought about the security side of this) -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
On 2023-04-28 22:04, James Knott wrote:
On 2023-04-28 15:35, Per Jessen wrote:
Unless you have only a /64. Please correct me if I'm wrong.
You're wrong. Look at Carlos' setup and his trying to bend over backward to prevent public access. The size of your prefix allocation does not matter, those 2^64 addresses are all publicly accessible.
His problem is with his firewall, not IPv6. I use pfSense and I can set up an excellent firewall for 1 /64 or 256.
And my ISP giving dynamic prefixes, which prevents many of the possible IPv6 uses.
Perhaps some yes, but depending on what you have in mind, it might just mean a bit more effort. What sort of "possible IPv6 uses" do you have in mind? Note - having a fixed prefix is _certainly_ much easier, but having one that regularly changes can be worked around. Besides, does it actually change in running operation? ie. does it change if you don't reboot the router? -- Per Jessen, Zürich (18.2°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-29 09:35, Per Jessen wrote:
Carlos E. R. wrote:
On 2023-04-28 22:04, James Knott wrote:
On 2023-04-28 15:35, Per Jessen wrote:
Unless you have only a /64. Please correct me if I'm wrong.
You're wrong. Look at Carlos' setup and his trying to bend over backward to prevent public access. The size of your prefix allocation does not matter, those 2^64 addresses are all publicly accessible.
His problem is with his firewall, not IPv6. I use pfSense and I can set up an excellent firewall for 1 /64 or 256.
And my ISP giving dynamic prefixes, which prevents many of the possible IPv6 uses.
Perhaps some yes, but depending on what you have in mind, it might just mean a bit more effort. What sort of "possible IPv6 uses" do you have in mind?
Oh, I'll tell you in a few years which thing I actually use :-)
Note - having a fixed prefix is _certainly_ much easier, but having one that regularly changes can be worked around. Besides, does it actually change in running operation? ie. does it change if you don't reboot the router?
Not usually, but rebooting the router is typically needed here when the TV service hangs, or some other issue. Can be a problem at the house, or a problem upstream somewhere. I have not written down a log of my router prefix, so I'm not sure if it has changed or not. It is in my ToDo list. I haven't rebooted my router since this Beta started, though. Still, as I just commented on the firewall log, I may need to punch holes in the computers firewalls because they are actually using IPv6 addresses that change suffix or prefix or both. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 4/28/23 12:35, Per Jessen wrote:
Lew Wolfgang wrote:
On 4/28/23 10:45, James Knott wrote:
With IPv6, the Internet works the way it's supposed to, that is transparent end to end.
Unless you have only a /64. Please correct me if I'm wrong.
You're wrong. Look at Carlos' setup and his trying to bend over backward to prevent public access. The size of your prefix allocation does not matter, those 2^64 addresses are all publicly accessible.
Even if you were somehow only given a /96, the same would apply.
I agree with Carlos, I don't want public access to my innards. I was unable to segment that /64 to separate physical interfaces on the router. /66 wouldn't work, for example. Regards, Lew
On 2023-04-28 17:37, Lew Wolfgang wrote:
I agree with Carlos, I don't want public access to my innards.
That's what firewalls are for. For example, I allow only OpenVPN through mine.
I was unable to segment that /64 to separate physical interfaces on the router. /66 wouldn't work, for example.
You're not supposed to. LANs are supposed to be /64. If not, things like SLAAC break. If you only get a /64 the problem is with your ISP.
On 4/28/23 14:40, James Knott wrote:
On 2023-04-28 17:37, Lew Wolfgang wrote:
I agree with Carlos, I don't want public access to my innards.
That's what firewalls are for. For example, I allow only OpenVPN through mine.
Exactly, and I use the firewall to protect my internal subnets from each other. My WiFi subnet is separate from my IOT subnet which is separate from my main subnet. If I had a public web server (I used to) it would be on the DMZ subnet. How do you do that with a /64?
I was unable to segment that /64 to separate physical interfaces on the router. /66 wouldn't work, for example.
You're not supposed to. LANs are supposed to be /64. If not, things like SLAAC break. If you only get a /64 the problem is with your ISP.
That is the problem, there are no alternatives here. Which again begs the question: why? I'm fine and secure now, why upset the apple cart and risk my boring life? What will IPv6 bring to my environment that I don't already have? Regards, Lew
Lew Wolfgang wrote:
On 4/28/23 12:35, Per Jessen wrote:
Lew Wolfgang wrote:
On 4/28/23 10:45, James Knott wrote:
With IPv6, the Internet works the way it's supposed to, that is transparent end to end.
Unless you have only a /64. Please correct me if I'm wrong.
You're wrong. Look at Carlos' setup and his trying to bend over backward to prevent public access. The size of your prefix allocation does not matter, those 2^64 addresses are all publicly accessible.
Even if you were somehow only given a /96, the same would apply.
I agree with Carlos, I don't want public access to my innards.
I expect we can all agree with that ....
I was unable to segment that /64 to separate physical interfaces on the router. /66 wouldn't work, for example.
You and Carlos are kindred spirits, you both have this uncanny knack for quietly shifting the goalposts :-) What has "transparent public access to a /64" got to do with your inability to split a /64 on your router, at the time? As has been mentioned once or twice over the last week, to work with less than a /64, you need dhcpv6. The stateless auto config will only work with /64. For my home network I use 2001:db8:7d68:1 - with two distinct subnets:
2001:db8:7d68:1:ff99:ffff::/96 - unknown/foreign/guest devices
2001:db8:7d68:1:ff99::/80 - known devices without static addr
2001:db8:7d68:1::/64 - static addresses.
-- Per Jessen, Zürich (18.2°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
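The three nested subnets Per lists above, as an added example that is not part of the original post and not anyone's code from this thread: a Python classifier that maps an address to the most specific of the three prefixes (longest-prefix match, since the /96 and the /80 both sit inside the /64) and reports which of them is SLAAC-sized, which is why the narrower two need DHCPv6 or static addressing. The labels are my own shorthand for Per's descriptions; any sample addresses used with it are constructed.

```python
import ipaddress

# Per Jessen's three home subnets, as quoted in the post above. The /96 and
# the /80 are carved out of the /64, so a lookup has to prefer the longest
# matching prefix (the narrowest network), not the first one that matches.
SUBNETS = {
    "guest (unknown/foreign)": ipaddress.ip_network("2001:db8:7d68:1:ff99:ffff::/96"),
    "known, no static addr": ipaddress.ip_network("2001:db8:7d68:1:ff99::/80"),
    "static addresses": ipaddress.ip_network("2001:db8:7d68:1::/64"),
}


def classify(addr):
    """Return the label of the most specific subnet containing addr, or None."""
    a = ipaddress.ip_address(addr)
    # Collect every containing network and keep the one with the longest prefix.
    matches = [(net.prefixlen, label) for label, net in SUBNETS.items() if a in net]
    if not matches:
        return None
    return max(matches)[1]


def slaac_capable(net):
    """SLAAC (RFC 4862 on Ethernet) needs a 64-bit interface identifier,
    so stateless autoconfiguration only works on a /64."""
    return net.prefixlen == 64


def assignment_method(label):
    """How hosts in the labelled subnet can get their addresses."""
    if slaac_capable(SUBNETS[label]):
        return "SLAAC or DHCPv6"
    return "DHCPv6 or static only"


def nesting_check():
    """Confirm the narrower subnets are fully contained in the /64 LAN."""
    lan = SUBNETS["static addresses"]
    return all(net.subnet_of(lan) for net in SUBNETS.values())


if __name__ == "__main__":
    # Constructed sample addresses, one per subnet plus one outside all three.
    for sample in ("2001:db8:7d68:1:ff99:ffff::1234",
                   "2001:db8:7d68:1:ff99::abcd",
                   "2001:db8:7d68:1::53",
                   "2001:db8:7d68:2::1"):
        label = classify(sample)
        method = assignment_method(label) if label else "n/a"
        print(f"{sample:38} -> {label} ({method})")
```

Because the three prefixes nest, a first-match lookup ordered by the /64 first would put every host in "static addresses"; the longest-match rule is what makes the split Per describes usable at all.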
On 4/29/23 01:10, Per Jessen wrote:
I was unable to segment that /64 to separate physical interfaces on the router. /66 wouldn't work, for example.
You and Carlos are kindred spirits, you both have this uncanny knack for quietly shifting the goalposts :-)
What else are goalposts good for if not shifting?
What has "transparent public access to a /64" got to do with your inability to split a /64 on your router, at the time?
As has been mentioned once or twice over the last week, to work with less than a /64, you need dhcpv6. The stateless auto config will only work with /64.
Yes, I seem to remember that from my efforts of a few years ago.
For my home network I use 2001:db8:7d68:1 - with two distinct subnets:
2001:db8:7d68:1:ff99:ffff::/96 - unknown/foreign/guest devices
2001:db8:7d68:1:ff99::/80 - known devices without static addr
2001:db8:7d68:1::/64 - static addresses.
This is what I was trying to do on my router, where each subnet is on its own physical Ethernet interface. I couldn't do it, either due to my ignorance, the Zyxel router, or my ISP. It's been maybe a few years, should I expend the effort and try again? Why? It works perfectly well with IPv4. By the way, how do you mitigate the rogue RA problem? There's even an RFC about it? (RFC-6104) As mentioned, I've been affected by this at work. Regards, Lew
Lew Wolfgang wrote:
On 4/29/23 01:10, Per Jessen wrote:
I was unable to segment that /64 to separate physical interfaces on the router. /66 wouldn't work, for example.
You and Carlos are kindred spirits, you both have this uncanny knack for quietly shifting the goalposts :-)
What else are goalposts good for if not shifting?
Uh, good point :-)
For my home network I use 2001:db8:7d68:1 - with two distinct subnets:
2001:db8:7d68:1:ff99:ffff::/96 - unknown/foreign/guest devices
2001:db8:7d68:1:ff99::/80 - known devices without static addr
2001:db8:7d68:1::/64 - static addresses.
This is what I was trying to do on my router, where each subnet is on its own physical Ethernet interface. I couldn't do it, either due to my ignorance, the Zyxel router, or my ISP.
I expect it was too much for your (consumer?) router. "too much" = simply not supported by the GUI interface. Zyxel routers have a command line interface too though, over the console. It might well have been possible to use that instead.
It's been maybe a few years, should I expend the effort and try again? Why? It works perfectly well with IPv4.
Absolutely - for the vast majority of users, IPv6 adds nothing.
By the way, how do you mitigate the rogue RA problem? There's even an RFC about it? (RFC-6104) As mentioned, I've been affected by this at work.
I can't say I have ever even heard of it. I would have to go study that RFC I suppose, but I think I see what the issue is. -- Per Jessen, Zürich (20.6°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 29.04.2023 18:50, Lew Wolfgang wrote:
By the way, how do you mitigate the rogue RA problem? There's even an RFC about it? (RFC-6104) As mentioned, I've been affected by this at work.
And in our office someone connected an appliance with a DHCPv4 server so in the morning nobody could access servers and routers. Where is the difference? If someone has physical access and/or administrator privileges all bets are off. To prevent it you need to secure your infrastructure and not allow anyone to access the network unauthenticated. But it has nothing to do with IPv4 vs IPv6.
On Saturday, 2023-04-29 at 19:34 +0300, Andrei Borzenkov wrote:
On 29.04.2023 18:50, Lew Wolfgang wrote:
By the way, how do you mitigate the rogue RA problem? There's even an RFC about it? (RFC-6104) As mentioned, I've been affected by this at work.
And in our office someone connected an appliance with a DHCPv4 server so in the morning nobody could access servers and routers. Where is the difference? If someone has physical access and/or administrator privileges all bets are off.
To prevent it you need to secure your infrastructure and not allow anyone to access the network unauthenticated. But it has nothing to do with IPv4 vs IPv6.
At a school where I was getting training (on networking) the teacher commented that someone created a virtual machine in one of the Windows machines, using VMware Player. It was part of the training (another one, another group). Well, but the virtual machine was running a DHCP server... next thing, the people in the administrative section commented and said they could not use their computer. The entire school ADSL router happened to be in that schoolroom :-) It drove them nuts, exploring the entire school.
-- Cheers, Carlos E. R. (from openSUSE 15.4 x86_64 at Telcontar)
On 4/29/23 09:34, Andrei Borzenkov wrote:
On 29.04.2023 18:50, Lew Wolfgang wrote:
By the way, how do you mitigate the rogue RA problem? There's even an RFC about it? (RFC-6104) As mentioned, I've been affected by this at work.
And in our office someone connected an appliance with a DHCPv4 server so in the morning nobody could access servers and routers. Where is the difference? If someone has physical access and/or administrator privileges all bets are off.
To prevent it you need to secure your infrastructure and not allow anyone to access the network unauthenticated. But it has nothing to do with IPv4 vs IPv6.
Of course, but on our network a Windows user could, through ignorance, configure her legitimately connected host to advertise a route to a second interface on her machine. That's different from malicious intent requiring overt compromise of the physical network. The Rogue Router Advertisement problem was so acute that an RFC was created. Indeed, the whole neighbor discovery process is funky. Regards, Lew
Lew Wolfgang wrote:
On 4/29/23 09:34, Andrei Borzenkov wrote:
On 29.04.2023 18:50, Lew Wolfgang wrote:
By the way, how do you mitigate the rogue RA problem? There's even an RFC about it? (RFC-6104) As mentioned, I've been affected by this at work.
And in our office someone connected an appliance with a DHCPv4 server so in the morning nobody could access servers and routers. Where is the difference? If someone has physical access and/or administrator privileges all bets are off.
To prevent it you need to secure your infrastructure and not allow anyone to access the network unauthenticated. But it has nothing to do with IPv4 vs IPv6.
Of course, but on our network a Windows user could, through ignorance, configure her legitimately connected host to advertise a route to a second interface on her machine.
I guess your corporate networking policy is very different to anything I have seen in over thirty years. My wife works for a bank - there is virtually nothing she can do to her laptop.
That's different from malicious intent requiring overt compromise of the physical network. The Rogue Router Advertisement problem was so acute that an RFC was created.
Indeed, so acute it was left to rot ever since. If you have read the RFC (I have now), it is clear there is nothing acute about that issue, it virtually never happens. -- Per Jessen, Zürich (16.4°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 4/29/23 11:42, Per Jessen wrote:
Of course, but on our network a Windows user could, through ignorance, configure her legitimately connected host to advertise a route to a second interface on her machine.
I guess your corporate networking policy is very different to anything I have seen in over thirty years. My wife works for a bank - there is virtually nothing she can do to her laptop.
It's a large research environment.
That's different from malicious intent requiring overt compromise of the physical network. The Rogue Router Advertisement problem was so acute that an RFC was created.
Indeed, so acute it was left to rot ever since. If you have read the RFC (I have now), it is clear there is nothing acute about that issue, it virtually never happens.
It happened to us. Regards, Lew
Lew Wolfgang wrote:
On 4/29/23 11:42, Per Jessen wrote:
Of course, but on our network a Windows user could, through ignorance, configure her legitimately connected host to advertise a route to a second interface on her machine.
I guess your corporate networking policy is very different to anything I have seen in over thirty years. My wife works for a bank - there is virtually nothing she can do to her laptop.
It's a large research environment.
I'm not sure if that explains the lax security policies :-)
That's different from malicious intent requiring overt compromise of the physical network. The Rogue Router Advertisement problem was so acute that an RFC was created.
Indeed, so acute it was left to rot ever since. If you have read the RFC (I have now), it is clear there is nothing acute about that issue, it virtually never happens.
It happened to us.
Exception to prove the rule, I would say. Lew, you bring it up here, amongst some people who have been doing ipv6 networking for fifteen years and more, and all you get is a "shrug". I think that says exactly how acute the problem is. For my own environment:
* nobody unauthorised has access to the datacentre
* nobody unauthorised has access to our offices
* unauthorised guest devices don't get ipv6.
* hosted (virtual or real) customers are very much locked down.
-- Per Jessen, Zürich (15.8°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-29 21:02, Per Jessen wrote:
Lew Wolfgang wrote:
On 4/29/23 11:42, Per Jessen wrote:
Of course, but on our network a Windows user could, through ignorance, configure her legitimately connected host to advertise a route to a second interface on her machine.
I guess your corporate networking policy is very different to anything I have seen in over thirty years. My wife works for a bank - there is virtually nothing she can do to her laptop.
It's a large research environment.
I'm not sure if that explains the lax security policies :-)
Not everybody runs a bank :-D There are a lot of ranges in security. None, or very strict. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
Carlos E. R. wrote:
On 2023-04-29 21:02, Per Jessen wrote:
Lew Wolfgang wrote:
On 4/29/23 11:42, Per Jessen wrote:
Of course, but on our network a Windows user could, through ignorance, configure her legitimately connected host to advertise a route to a second interface on her machine.
I guess your corporate networking policy is very different to anything I have seen in over thirty years. My wife works for a bank - there is virtually nothing she can do to her laptop.
It's a large research environment.
I'm not sure if that explains the lax security policies :-)
Not everybody runs a bank :-D
I guess you actually believe that matters. It's been the same wherever I have worked - finance, airline industry, software development and of course my own business. In Lew's case, as he has testified, the lax security policies led to problems, even a very rarely seen one. I am sure we are all only too aware of how vulnerable businesses are (or have become) due to lax security policies. The ransom attacks have been on the increase for quite some time. It simply does not matter whether you run a bank or a newspaper. Anyway, again wayyyy off-topic. -- Per Jessen, Zürich (14.4°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-30 09:16, Per Jessen wrote:
Carlos E. R. wrote:
On 2023-04-29 21:02, Per Jessen wrote:
Lew Wolfgang wrote:
On 4/29/23 11:42, Per Jessen wrote:
Of course, but on our network a Windows user could, through ignorance, configure her legitimately connected host to advertise a route to a second interface on her machine.
I guess your corporate networking policy is very different to anything I have seen in over thirty years. My wife works for a bank - there is virtually nothing she can do to her laptop.
It's a large research environment.
I'm not sure if that explains the lax security policies :-)
Not everybody runs a bank :-D
I guess you actually believe that matters.
Yes :-) A bank will likely have strict security policies. I have worked with the military, they were strict. I have worked for Lucent Technologies, their internal policies were not strict. For example, we had "local administrator" powers in Windows. However, their windows were anti-TEMPEST. And they prohibited WiFi in their warehouse. I had access to the resources of Bell Labs. Lots of documentation and projects. Alas, I did not have much time to explore. I have worked at schools. No security policy at all. Yes, typically the type of business indicates what type of security they will have. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 4/30/23 00:16, Per Jessen wrote:
In Lew's case, as he has testified, the lax security policies led to problems, even a very rarely seen one.
Trust me, Per, the policies/procedures aren't lax. I'm just not at liberty to tell you about them. The topic was of IPv6 problems and threats. The problem is common enough that there's an RFC on the topic: https://datatracker.ietf.org/doc/html/rfc6104 I stated that we were affected by this problem, yet rather than acknowledge the poor IPv6 design you blame the victim. Way to go to address security threats! You imply that we "deserved" to have the problem because we gave Windows users too much freedom. Any protocol that requires specific configuration in clients is flawed. Security needs to be inherent by design, and not depend on clients promising to behave properly. Regarding neighbor discovery, there are problems baked into the protocol, as defined here, and in many other places: https://www.hpc.mil/program-areas/networking-overview/2013-10-03-17-24-38/ip... It seems that there are possible mitigations, but the extent of mitigation deployment is unclear in my limited searching. I'd question whether SOHO and consumer routers and switches do any mitigation at all. My failure to reply to your inevitable criticism of this message should not be considered as my agreeing with you, it's merely acknowledgment that this isn't the right venue to discuss security edge cases. Regards, Lew
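Lew's question of how the rogue RA problem (RFC 6104) is mitigated, as an added example that is not part of the original post and not anyone's code from this thread: a small Python detector that checks observed Router Advertisements against an allow-list of the LAN's legitimate routers and the prefixes they are permitted to announce. That is the same decision a switch-side RA Guard makes per port; here it is applied to a log so an operator can see who is advertising on a segment. The one-line-per-RA log format and the four sample records are constructed for this example, and the trusted router address is an assumption; the expected prefix reuses Per's 2001:db8:7d68:1::/64 from earlier in the thread.

```python
import ipaddress
import re

# Constructed sample records in a format invented for this example: one
# observed Router Advertisement per line, as a monitoring host listening on
# the LAN might log them. These are not real captures.
OBSERVED_RAS = """\
2023-04-29T08:12:01 RA src=fe80::1 prefix=2001:db8:7d68:1::/64 router_lifetime=1800
2023-04-29T08:12:31 RA src=fe80::1 prefix=2001:db8:7d68:1::/64 router_lifetime=1800
2023-04-29T08:14:07 RA src=fe80::d4a1:22ff:fe9b:3c10 prefix=fd12:3456:789a:1::/64 router_lifetime=1800
2023-04-29T08:14:37 RA src=fe80::d4a1:22ff:fe9b:3c10 prefix=2001:db8:7d68:1::/64 router_lifetime=1800
"""

# Allow-list: the LAN's legitimate router(s) (assumed link-local address) and
# the prefix(es) they are expected to announce.
TRUSTED_ROUTERS = {ipaddress.ip_address("fe80::1")}
EXPECTED_PREFIXES = {ipaddress.ip_network("2001:db8:7d68:1::/64")}

RA_RE = re.compile(
    r"^(?P<ts>\S+) RA src=(?P<src>\S+) prefix=(?P<prefix>\S+) "
    r"router_lifetime=(?P<lifetime>\d+)$"
)


def parse_ras(text):
    """Parse the constructed log format into a list of RA records."""
    records = []
    for line in text.splitlines():
        m = RA_RE.match(line)
        if not m:
            continue  # ignore lines that are not RA records
        records.append({
            "ts": m["ts"],
            "src": ipaddress.ip_address(m["src"]),
            "prefix": ipaddress.ip_network(m["prefix"]),
            "lifetime": int(m["lifetime"]),
        })
    return records


def find_rogue_ras(text):
    """Return (timestamp, source, reason) for every RA outside the allow-list.

    An RA from an unlisted source is flagged even when it announces the
    correct prefix, because any host on the link can claim to be a router
    and hosts will install it as a default route (RFC 6104, section 1)."""
    findings = []
    for r in parse_ras(text):
        reasons = []
        if r["src"] not in TRUSTED_ROUTERS:
            reasons.append("unknown router source")
        if r["prefix"] not in EXPECTED_PREFIXES:
            reasons.append("unexpected prefix")
        if reasons:
            findings.append((r["ts"], str(r["src"]), "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for ts, src, reason in find_rogue_ras(OBSERVED_RAS):
        print(f"{ts} rogue RA from {src}: {reason}")
```

On managed switches the equivalent control is RA Guard (RFC 6105), which discards RAs arriving on ports not designated as router-facing; on Linux hosts that are statically addressed and do not need SLAAC, setting the `net.ipv6.conf.<iface>.accept_ra` sysctl to 0 makes the kernel ignore RAs on that interface altogether, so a misconfigured neighbour cannot change the host's default route.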
Lew Wolfgang wrote:
On 4/30/23 00:16, Per Jessen wrote:
In Lew's case, as he has testified, the lax security policies led to problems, even a very rarely seen one.
Trust me, Per, the policies/procedures aren't lax. I'm just not at liberty to tell you about them.
Okay, it was only my impression.
I stated that we were affected by this problem, yet rather than acknowledge the poor IPv6 design you blame the victim.
I am simply not qualified to discuss, not to mention "acknowledge", any poor IPv6 design.
Way to go to address security threats! You imply that we "deserved" to have the problem because we gave Windows users too much freedom.
Would that be completely wrong? Unfortunately, those businesses, associations and authorities who have been subject to ransom attacks, they also have no one else to blame but themselves. Of course, their respective heads of IT could blame the "poor design of Windows". Anyway, we are again wayyyyy off-topic. Even for a Sunday. -- Per Jessen, Zürich (15.1°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On Sat, 29 Apr 2023 21:02:13 +0200 Per Jessen <per@opensuse.org> wrote:
Lew Wolfgang wrote:
On 4/29/23 11:42, Per Jessen wrote:
Of course, but on our network a Windows user could, through ignorance, configure her legitimately connected host to advertise a route to a second interface on her machine.
I guess your corporate networking policy is very different to anything I have seen in over thirty years. My wife works for a bank - there is virtually nothing she can do to her laptop.
It's a large research environment.
I'm not sure if that explains the lax security policies :-)
It does to a large extent, I think. The admins have a major problem. The scientists [in our case] can run pretty much whatever they decide they need. Plus there's any number of 'guests' from pretty much anyplace in the world visiting from hours to years at a time and who need access to the main network in most cases. The only tool our admins had, apart from post-facto enforcement of stated rules, was not permitting any device on the network until they had seen it and logged its MAC. That said I was never aware that we had any major problems, so either they did a very good job or everybody was very well behaved or both!
For my own environment:
* nobody unauthorised has access to the datacentre
* nobody unauthorised has access to our offices
* unauthorised guest devices don't get ipv6.
* hosted (virtual or real) customers are very much locked down.
compare and contrast :)
Dave Howorth wrote:
On Sat, 29 Apr 2023 21:02:13 +0200 Per Jessen <per@opensuse.org> wrote:
Lew Wolfgang wrote:
On 4/29/23 11:42, Per Jessen wrote:
Of course, but on our network a Windows user could, through ignorance, configure her legitimately connected host to advertise a route to a second interface on her machine.
I guess your corporate networking policy is very different to anything I have seen in over thirty years. My wife works for a bank - there is virtually nothing she can do to her laptop.
It's a large research environment.
I'm not sure if that explains the lax security policies :-)
It does to a large extent, I think. The admins have a major problem. The scientists [in our case] can run pretty much whatever they decide they need.
I have probably spent enough time in R&D environments to know it can be done differently. I once spent two-three months at a lab outside Winchester. The first day I was put through the security training - strict clean desk policy, black and white bins (one was for daily shredding), secure lockers and drawers. I think it is much more about awareness and security culture. -- Per Jessen, Zürich (13.1°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On Sun, 30 Apr 2023 09:25:54 +0200 Per Jessen <per@opensuse.org> wrote:
Dave Howorth wrote:
On Sat, 29 Apr 2023 21:02:13 +0200 Per Jessen <per@opensuse.org> wrote:
Lew Wolfgang wrote:
On 4/29/23 11:42, Per Jessen wrote:
Of course, but on our network a Windows user could, through ignorance, configure her legitimately connected host to advertise a route to a second interface on her machine.
I guess your corporate networking policy is very different to anything I have seen in over thirty years. My wife works for a bank - there is virtually nothing she can do to her laptop.
It's a large research environment.
I'm not sure if that explains the lax security policies :-)
It does to a large extent, I think. The admins have a major problem. The scientists [in our case] can run pretty much whatever they decide they need.
I have probably spent enough time in R&D environments to know it can be done differently. I once spent two-three months at a lab outside Winchester. The first day I was put through the security training - strict clean desk policy, black and white bins (one was for daily shredding), secure lockers and drawers.
I think it is much more about awareness and security culture.
I think that's much more about the kind of environment. No way would those policies wash in the places I have worked. The most draconian thing they did was post a list of all URLs everybody requested in a public place, to prevent porn being watched.
Dave Howorth wrote:
On Sun, 30 Apr 2023 09:25:54 +0200 Per Jessen <per@opensuse.org> wrote:
I have probably spent enough time in R&D environments to know it can be done differently. I once spent two-three months at a lab outside Winchester. The first day I was put through the security training - strict clean desk policy, black and white bins (one was for daily shredding), secure lockers and drawers.
I think it is much more about awareness and security culture.
I think that's much more about the kind of environment. No way would those policies wash in the places I have worked. The most draconian thing they did was post a list of all URLs everybody requested in a public place, to prevent porn being watched.
The environment certainly has a major impact, I agree - but a lot of things are not dependent on the environment. The NZZ was hit by a ransom attack some weeks back - their tears are as real as those in the IT consultancy or the babyfood factory or the local Gemeinde. However, some environments are certainly better at fostering security, usually because the business side is acutely aware of the potential impact. Typically found in banks and such, where regulations also play a heavy role. Draconian - I guess removing floppy drives and sealing USB ports was pretty draconian :-) Forced password change every month too, but you got used to it. When I worked in Germany in the 90s, the datacentre was surrounded by dual 4 meter tall fences, patrolled 24/7 by guards with dogs. Many years ago in Denmark, last level access to a bank datacentre involved a weight check. The PIN code to the first door came in two variations - normal and "under duress". -- Per Jessen, Zürich (16.8°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-30 07:03, Per Jessen wrote:
Many years ago in Denmark, last level access to a bank datacentre involved a weight check.
Been there, done that. I have been weighed a couple of times. Also, finger print & palm scans, retina scans, pass through metal detectors, etc.. My work has taken me into several data centres, a prison, an airport tower and a NORAD radar station, among others.
On Sun, 30 Apr 2023 13:03:22 +0200 Per Jessen <per@opensuse.org> wrote:
Many years ago in Denmark, last level access to a bank datacentre involved a weight check. The PIN code to the first door came in two variations - normal and "under duress".
I worked in the state bank in Norway on a project. The whole centre of the building was closed, all doors locked, whenever the vault where the gold was kept was opened. I remember IBM buildings that weighed you. I never had the privilege of having the PIN codes. A long time ago when exchangeable disks were measured in MB and came in large boxes, the outside of the box said something like "Please take care when opening" in English and "You must not open this box unless a DEC employee is present" in German :)
On 4/30/23 04:03, Per Jessen wrote:
The PIN code to the first door came in two variations - normal and "under duress".
Now that's a good idea. Did every user have their own duress PIN? Or did one duress PIN fit all? Did the doors have video surveillance too? Regards, Lew
Lew Wolfgang wrote:
On 4/30/23 04:03, Per Jessen wrote:
The PIN code to the first door came in two variations - normal and "under duress".
Now that's a good idea. Did every user have their own duress PIN? Or did one duress PIN fit all? Did the doors have video surveillance too?
Wow, we are talking a loooooong time ago, Lew - it was my first job after graduation. 1986. There was, to my limited knowledge, only one duress code, but I wasn't exactly given a detailed tour. It was just one of those things that stuck with me - everyone had PIN codes, for cards or doors or cupboards, but being given a PIN code that would raise a silent alarm, that was new. Yes, the doors had CCTV cameras - there was also a central security station with three guards behind armoured glass. Well, I assume it was, it was 5cm thick. -- Per Jessen, Zürich (15.2°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 4/30/23 00:25, Per Jessen wrote:
Dave Howorth wrote:
On Sat, 29 Apr 2023 21:02:13 +0200 Per Jessen <per@opensuse.org> wrote:
Lew Wolfgang wrote:
On 4/29/23 11:42, Per Jessen wrote:
Of course, but on our network a Windows user could, through ignorance, configure her legitimately connected host to advertise a route to a second interface on her machine.
I guess your corporate networking policy is very different to anything I have seen in over thirty years. My wife works for a bank - there is virtually nothing she can do to her laptop.
It's a large research environment.
I'm not sure if that explains the lax security policies :-)
It does to a large extent, I think. The admins have a major problem. The scientists [in our case] can run pretty much whatever they decide they need.
I have probably spent enough time in R&D environments to know it can be done differently. I once spent two-three months at a lab outside Winchester. The first day I was put through the security training - strict clean desk policy, black and white bins (one was for daily shredding), secure lockers and drawers.
I think it is much more about awareness and security culture.
Having a good security culture is certainly important, the problem is in making the bad actors aware of your culture and that they better not annoy you. Regards, Lew
On 4/29/2023 3:02 PM, Per Jessen wrote:
Lew Wolfgang wrote:
On 4/29/23 11:42, Per Jessen wrote: . . . It's a large research environment.
I'm not sure if that explains the lax security policies :-)
It is not uncommon for environments rich in "superior intellects" to allow too much freedom, in an IT sense, under the illusion that competence in one area transfers to all areas.
On 2023-04-29 14:42, Per Jessen wrote:
I guess your corporate networking policy is very different to anything I have seen in over thirty years. My wife works for a bank - there is virtually nothing she can do to her laptop.
That is sometimes the case. Several years ago, when I worked at IBM, I was on the team that built standard desktops for IBM Canada employees. I had to "roll my own", as the standard desktop systems were too restrictive for me to do my job. However, those locked down systems are OK for the mere mortals they're aimed at.
On Sat, 29 Apr 2023 16:28:28 -0400 James Knott <james.knott@jknott.net> wrote:
On 2023-04-29 14:42, Per Jessen wrote:
I guess your corporate networking policy is very different to anything I have seen in over thirty years. My wife works for a bank - there is virtually nothing she can do to her laptop.
That is sometimes the case. Several years ago, when I worked at IBM, I was on the team that built standard desktops for IBM Canada employees. I had to "roll my own", as the standard desktop systems were too restrictive for me to do my job. However, those locked down systems are OK for the mere mortals they're aimed at.
I built trading systems that went into a lot of banks' trading rooms. There was a lot more freedom in those departments, presumably because they made a lot more money.
On 2023-04-29 17:11, Dave Howorth wrote:
I built trading systems that went into a lot of banks' trading rooms. There was a lot more freedom in those departments, presumably because they made a lot more money.
Or maybe to allow for some "creative accounting". 😉
James Knott wrote:
With IPv6, the Internet works the way it's supposed to, that is transparent end to end.
+1 -- Per Jessen, Zürich (13.4°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-28 12:01, Per Jessen wrote:
What will IPv6 actually do for you? It's a serious question, what will it give you that you don't already have with IPv4 and NAT?
From my experience at work it's nothing but a PITA that reduces reliability.
Really?? or are you just trolling?
I certainly can't say that matches my experience, at all. I have been running ipv6 since around 2007, first with a tunnel, later with fixed ISP ranges and since 2015 with our own /28. We also still have a number of leased external machines, all with ipv6.
Reliability is fine, I don't understand how ipv6 could possibly reduce reliability of anything.
Same here. I've been running IPv6 since May 2010, initially with a tunnel, but native for more than 7 years. Works fine here too. I have a /56.
On 2023-04-28 19:42, James Knott wrote:
On 2023-04-28 12:01, Per Jessen wrote:
What will IPv6 actually do for you? It's a serious question, what will it give you that you don't already have with IPv4 and NAT?
From my experience at work it's nothing but a PITA that reduces reliability.
Really?? or are you just trolling?
I certainly can't say that matches my experience, at all. I have been running ipv6 since around 2007, first with a tunnel, later with fixed ISP ranges and since 2015 with our own /28. We also still have a number of leased external machines, all with ipv6.
Reliability is fine, I don't understand how ipv6 could possibly reduce reliability of anything.
Same here. I've been running IPv6 since May 2010, initially with a tunnel, but native for more than 7 years. Works fine here too. I have a /56.
By the way, I read that Telefónica is actually handing over /56 so that clients can have 255 /64 "LANs" - from memory, dunno if I'm writing this correctly. -- Cheers / Saludos, Carlos E. R. (from 15.4 x86_64 at Telcontar)
On 2023-04-28 13:57, Carlos E. R. wrote:
Same here. I've been running IPv6 since May 2010, initially with a tunnel, but native for more than 7 years. Works fine here too. I have a /56.
By the way, I read that Telefónica is actually handing over /56 so that clients can have 255 /64 "LANs" - from memory, dunno if I'm writing this correctly.
If they're handing out /56, that's 256 /64s. Also, if they're doing that, then they must expect the customer to be able to do that, which means using something other than the gateway they provide. With my ISP, if I use the modem in gateway mode, I get only a single /64. If I put it in bridge mode and use my own router, I can have multiple /64s, up to 256.
On 4/28/23 11:10, James Knott wrote:
On 2023-04-28 13:57, Carlos E. R. wrote:
Same here. I've been running IPv6 since May 2010, initially with a tunnel, but native for more than 7 years. Works fine here too. I have a /56.
By the way, I read that Telefónica is actually handing over /56 so that clients can have 255 /64 "LANs" - from memory, dunno if I'm writing this correctly.
If they're handing out /56, that's 256 /64s. Also, if they're doing that, then they must expect the customer to be able to do that, which means using something other than the gateway they provide. With my ISP, if I use the modem in gateway mode, I get only a single /64. If I put it in bridge mode and use my own router, I can have multiple /64s, up to 256.
James! I wonder if that was my problem? Maybe I'm getting a single /64 because of my cable modem? What kind of a modem do you have? Regards, Lew
On 2023-04-28 14:44, Lew Wolfgang wrote:
> If they're handing out /56, that's 256 /64s. Also, if they're doing that, then they must expect the customer to be able to do that, which means using something other than the gateway they provide. With my ISP, if I use the modem in gateway mode, I get only a single /64. If I put it in bridge mode and use my own router, I can have multiple /64s, up to 256.
> James! I wonder if that was my problem? Maybe I'm getting a single /64 because of my cable modem? What kind of a modem do you have?
It's a Technicolor, but I have to put it in bridge mode. I then use pfSense for my router. Also, with your own router, you can have a better firewall and WiFi.
James Knott wrote:
> If they're handing out /56, that's 256 /64s. Also, if they're doing that, then they must expect the customer to be able to do that, which means using something other than the gateway they provide.
I wonder if it might be "reserved for future use" (or words to that effect). Here, we had our energy meters (electricity, gas, water) wired up to the fibre last year, but they use a separate fibre. If Carlos has just the one, it might be sensible to add some networks "in reserve". -- Per Jessen, Zürich (13.9°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-28 14:56, Per Jessen wrote:
>> If they're handing out /56, that's 256 /64s. Also, if they're doing that, then they must expect the customer to be able to do that, which means using something other than the gateway they provide.
> I wonder if it might be "reserved for future use" (or words to that effect). Here, we had our energy meters (electricity, gas, water) wired up to the fibre last year, but they use a separate fibre. If Carlos has just the one, it might be sensible to add some networks "in reserve".
I don't know about his ISP, but with mine, I get whatever size I request, from a single /64 to 256. There's a box in pfSense where you request the prefix size you want. The IPv6 address space is so huge, there's no point in being stingy. In fact, some ISPs hand out a /48, as does Hurricane Electric with their tunnels. That's 65536 /64s!
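A worked example of the prefix arithmetic in the messages above (a /56 delegation holding 256 /64 LANs, a /48 holding 65536), added here and not part of the thread: it carves named /64 segments out of a delegated prefix, refuses to over-allocate, and tells which segment an address falls in, the check a firewall source-zone rule would make. The prefixes are constructed from the RFC 3849 documentation range 2001:db8::/32, and the segment names (lan, guest, iot) are assumptions.

```python
"""Carve /64 LANs out of an ISP-delegated IPv6 prefix.

Added example, not code from the mailing-list thread. The delegated
prefixes used here are constructed from the RFC 3849 documentation
range 2001:db8::/32; the segment names are assumptions.
"""
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, List, Optional


def count_lans(prefix: str) -> int:
    """Number of /64 networks that fit in a delegated prefix.

    A /56 yields 2**8 = 256, a /48 yields 2**16 = 65536, a /64 yields 1.
    Anything longer than /64 cannot host a SLAAC LAN at all.
    """
    net = IPv6Network(prefix)
    if net.prefixlen > 64:
        raise ValueError(f"{prefix} is longer than /64; no SLAAC LAN fits")
    return 2 ** (64 - net.prefixlen)


def carve_lans(prefix: str, segments: List[str]) -> Dict[str, IPv6Network]:
    """Assign one /64 per named segment, in order, from the delegated prefix.

    Raises ValueError when more segments are requested than the delegation
    can hold, which is exactly the situation of a gateway that only passes
    on a single /64.
    """
    net = IPv6Network(prefix)
    available = count_lans(prefix)
    if len(segments) > available:
        raise ValueError(
            f"{prefix} holds only {available} /64s, {len(segments)} requested"
        )
    # subnets() is a generator, so this stays cheap even for a /48.
    subnets = net.subnets(new_prefix=64)
    return {name: next(subnets) for name in segments}


def segment_of(addr: str, lans: Dict[str, IPv6Network]) -> Optional[str]:
    """Name of the segment an address belongs to, or None if it is outside
    every carved LAN (e.g. traffic that should hit the fallback zone)."""
    ip = IPv6Address(addr)
    for name, net in lans.items():
        if ip in net:
            return name
    return None


if __name__ == "__main__":
    delegated = "2001:db8:abcd:100::/56"  # constructed /56 delegation
    lans = carve_lans(delegated, ["lan", "guest", "iot"])
    print(f"{delegated} holds {count_lans(delegated)} /64s")
    for name, net in lans.items():
        print(f"  {name:6} {net}")
    print(segment_of("2001:db8:abcd:102::1234", lans))
```

The point of carving per-segment /64s rather than sharing one is that the source-zone approach discussed earlier in the thread (one zone per internal prefix, fallback zone for everything else) only works for IPv6 when each segment has its own prefix to match on; with a gateway that hands down a single /64 there is nothing to distinguish an IoT device from a workstation at the prefix level.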
James Knott wrote:
> I don't know about his ISP, but with mine, I get whatever size I request, from a single /64 to 256.
Carlos' ISP does not seem to work well with the "Service" part of being an ISP. Back in 2009 when I asked my ISP for a fixed range, they asked "what would you like?" which kindof threw me. I think I ended up with a /48. The fun bit was when I asked them to delegate the reverse lookup.
> The IPv6 address space is so huge, there's no point in being stingy. In fact, some ISPs hand out a /48,
Right. -- Per Jessen, Zürich (13.6°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 2023-04-28 15:27, Per Jessen wrote:
> Back in 2009 when I asked my ISP for a fixed range, they asked "what would you like?" which kindof threw me. I think I ended up with a /48. The fun bit was when I asked them to delegate the reverse lookup.
When I first got on the Internet, back in the dark ages, I had a static IPv4 address. However, I suspect that was because I was using SLIP to connect, which does not provide automatic configuration, the way PPP does. When I was at IBM, in the late 90s, I had 5 static IPv4 addresses, one for my computer and four for testing. Same with 5 SNA addresses.
Andrei Borzenkov wrote:
> On 28.04.2023 22:27, Per Jessen wrote:
>> Back in 2009 when I asked my ISP for a fixed range, they asked "what would you like?" which kindof threw me.
> How much do you pay for your connection?
Back then - I really don't remember, I would have to dig out some very old books. It wasn't anything special, just regular 6Mbit ADSL. There was an additional cost for the small IPv4 range, a /30 subnet I think. I think I probably paid something between 50 and 100 per month. -- Per Jessen, Zürich (17.3°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
On 29.04.2023 10:00, Per Jessen wrote:
> Back then - I really don't remember, I would have to dig out some very old books. It wasn't anything special, just regular 6Mbit ADSL. There was an additional cost for the small IPv4 range, a /30 subnet I think. I think I probably paid something between 50 and 100 per month.
Whatever (European) currency it is, it is an order of magnitude more than I pay for my connection. No wonder my ISP is not interested in investing anything beyond absolutely necessary. Nor would I be willing to pay that much for the questionable benefit of having multiple unused networks :)
Andrei Borzenkov wrote:
> Whatever (European) currency it is,
Those were Swiss Francs.
> it is an order of magnitude more than I pay for my connection. No wonder my ISP is not interested in investing anything beyond absolutely necessary. Nor would I be willing to pay that much for the questionable benefit of having multiple unused networks :)
These days in Switzerland, a 10Gbit internet connection can be had for 60-70/month, which is pretty much what people pay for their mobile phone subscription (those that travel a bit). -- Per Jessen, Zürich (17.5°C) Member, openSUSE Heroes (2016 - present) We're hiring - https://en.opensuse.org/openSUSE:Heroes
participants (7): Andrei Borzenkov, Carlos E. R., Dave Howorth, James Knott, joe a, Lew Wolfgang, Per Jessen