I have been using SuSEfirewall2 for several years with IPv4. However, IIRC, it doesn't work with IPv6, which I have recently started using. What firewalls work with IPv6? tnx jk -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
James Knott wrote:
I have been using SuSEfirewall2 for several years with IPv4. However, IIRC, it doesn't work with IPv6, which I have recently started using. What firewalls work with IPv6?
SuSEfirewall2 is really just a wrapper around iptables - you should be fine using plain iptables. -- Per Jessen, Zürich (15.8°C)
Per Jessen wrote:
James Knott wrote:
I have been using SuSEfirewall2 for several years with IPv4. However, IIRC, it doesn't work with IPv6, which I have recently started using. What firewalls work with IPv6?
SuSEfirewall2 is really just a wrapper around iptables - you should be fine using plain iptables.
Other than address specific rules, does it require different rules for IPv6? Or does the fact that my IPv4 firewall only permits ssh and OpenVPN also apply to IPv6 traffic? Are there any port scan sites, similar to www.grc.com, available for IPv6? tnx
James Knott wrote:
Per Jessen wrote:
James Knott wrote:
I have been using SuSEfirewall2 for several years with IPv4. However, IIRC, it doesn't work with IPv6, which I have recently started using. What firewalls work with IPv6?
SuSEfirewall2 is really just a wrapper around iptables - you should be fine using plain iptables.
Other than address specific rules, does it require different rules for IPv6? Or does the fact that my IPv4 firewall only permits ssh and OpenVPN also apply to IPv6 traffic?
iptables for ipv6 is 'ip6tables', but otherwise I believe your setup will be roughly the same. -- Per Jessen, Zürich (11.8°C)
On Thu, 2010-06-03 at 10:25 -0400, James Knott wrote:
I have been using SuSEfirewall2 for several years with IPv4. However, IIRC, it doesn't work with IPv6, which I have recently started using. What firewalls work with IPv6?
We abandoned all else for fwbuilder *years* ago, and it has only gotten amazingly better. It supports iptables, IPv4/IPv6, BSD's ipfw, Cisco IOS, etc... it will install and activate the rules across the network... it is one *amazing* application. <http://www.fwbuilder.org/> Build your servers' firewall configurations and click install. In a beautiful GUI with zero loss of flexibility.

zypper ar -cf -n 'Firewall Builder' \
  http://www.fwbuilder.org/rpm/stable/opensuse-11-i586/ fwbuilder
wget http://www.fwbuilder.org/PACKAGE-GPG-KEY-fwbuilder.asc
rpm --import PACKAGE-GPG-KEY-fwbuilder.asc
zypper refresh
zypper install fwbuilder

Enjoy. I only wish other aspects of Linux administration had tools of similar quality to fwbuilder.
-- Adam Tauno Williams <awilliam@whitemice.org> LPIC-1, Novell CLA <http://www.whitemiceconsulting.com> OpenGroupware, Cyrus IMAPd, Postfix, OpenLDAP, Samba
Adam Tauno Williams wrote:
On Thu, 2010-06-03 at 10:25 -0400, James Knott wrote:
I have been using SuSEfirewall2 for several years with IPv4. However, IIRC, it doesn't work with IPv6, which I have recently started using. What firewalls work with IPv6?
We abandoned all else for fwbuilder *years* ago, and it has only gotten amazingly better. It supports iptables, IPv4/IPv6, BSD's ipfw, Cisco IOS, etc... it will install and activate the rules across the network... it is one *amazing* application.
Build your servers' firewall configurations and click install. In a beautiful GUI with zero loss of flexibility.
zypper ar -cf -n 'Firewall Builder' \
  http://www.fwbuilder.org/rpm/stable/opensuse-11-i586/ fwbuilder
wget http://www.fwbuilder.org/PACKAGE-GPG-KEY-fwbuilder.asc
rpm --import PACKAGE-GPG-KEY-fwbuilder.asc
zypper refresh
zypper install fwbuilder
Enjoy. I only wish other aspects of Linux administration had tools of similar quality to fwbuilder.
I tried to install using Yast software management and get this error:

#### YaST2 conflicts list - generated 2010-06-04 11:29:43 ####
nothing provides libstdc++.so.6(GLIBCXX_3.4.11) needed by libfwbuilder-4.0.1-b2950.suse11.2.i586
[ ] do not install fwbuilder-4.0.1-b2950.suse11.2.i586

However, libstdc++.so.6 is part of the standard C++ shared library. This is on OpenSUSE 11.0.
On Fri, Jun 04, 2010 at 07:00:28AM -0400, Adam Tauno Williams wrote:
On Thu, 2010-06-03 at 10:25 -0400, James Knott wrote:
I have been using SuSEfirewall2 for several years with IPv4. However, IIRC, it doesn't work with IPv6, which I have recently started using. What firewalls work with IPv6?
SuSEfirewall2 supports IPv6 btw. What is missing? Ciao, Marcus
Marcus Meissner wrote:
On Fri, Jun 04, 2010 at 07:00:28AM -0400, Adam Tauno Williams wrote:
On Thu, 2010-06-03 at 10:25 -0400, James Knott wrote:
I have been using SuSEfirewall2 for several years with IPv4. However, IIRC, it doesn't work with IPv6, which I have recently started using. What firewalls work with IPv6?
SuSEfirewall2 supports IPv6 btw.
What is missing?
Ciao, Marcus
Well, for starters, how to configure the interface. I use a tunnel "sit1" to connect to the tunnel broker. I don't see that interface available in the Yast firewall configuration, even though "tun0", which I use for OpenVPN is there. BTW, I went to a coffee shop hotspot and ran nmap against the IPv6 address of my firewall and also against a computer behind the firewall, reachable via IPv6 address. Nmap couldn't find anything with the firewall IPv6 address, but showed ssh open for IPv4, and I can ssh to it via IPv6. The computer behind the firewall showed several ports open and I could connect to it via ssh and also use samba file sharing. Fortunately, port scanning IPv6 addresses is a huge, virtually impossible job, because of all the possible addresses. In the end, I only want the IPv6 firewall to pass ssh and imaps. The IPv4 firewall interface also has to pass OpenVPN and the IP protocol 41 6to4 tunnel.
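The point made earlier in the thread (IPv6 is filtered by ip6tables, separately from the IPv4 rules) together with the requirement stated above, as an added example that is not part of any poster's message or of SuSEfirewall2. It assumes the tunnel interface "sit1" named above, a hypothetical LAN interface "eth0", and TCP ports 22 (ssh) and 993 (imaps); the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: WAN tunnel "sit1"
# (mentioned in the thread), LAN interface "eth0" (hypothetical).

# Print an ip6tables-restore ruleset: default DROP, stateful, and only
# the listed TCP ports accepted as new connections (to the firewall
# itself and, arriving on the WAN side, to hosts behind it).
# ICMPv6 is accepted on INPUT because neighbour discovery and router
# advertisements are ICMPv6; dropping them breaks IPv6 on the link.
gen_ip6_ruleset() {
    wan=$1; lan=$2; shift 2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
EOF
    # ICMPv6 errors must cross the router: IPv6 routers never fragment,
    # so path MTU discovery depends on packet-too-big getting through.
    for t in destination-unreachable packet-too-big time-exceeded parameter-problem; do
        echo "-A FORWARD -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        echo "-A FORWARD -i $wan -o $lan -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Read an ip6tables-save dump on stdin. Print every INPUT/FORWARD chain
# of the filter table whose policy is not DROP and return 1 if any is.
# This checks the chain policy only, not a trailing catch-all rule.
audit_ip6_policy() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^:(INPUT|FORWARD) / {
            if ($2 != "DROP") { print substr($1, 2) " policy " $2; bad = 1 }
        }
        END { exit bad }
    '
}

# List the --dport values of ACCEPT rules in one chain of a dump on
# stdin, space-separated, to compare against the intended exposure.
accepted_ports() {
    awk -v c="$1" '
        $1 == "-A" && $2 == c && /-j ACCEPT/ {
            for (i = 3; i < NF; i++)
                if ($i == "--dport") { out = out sep $(i + 1); sep = " " }
        }
        END { print out }
    '
}

# Constructed sample: what ip6tables-save shows when only IPv4 rules
# were ever loaded, so every IPv6 chain is still at policy ACCEPT.
sample_unfiltered_dump() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Demo on constructed data. To load the ruleset for real, check it with
#   gen_ip6_ruleset sit1 eth0 22 993 | ip6tables-restore --test
# and then pipe it to ip6tables-restore as root.
gen_ip6_ruleset sit1 eth0 22 993
sample_unfiltered_dump | audit_ip6_policy || echo "=> IPv6 is unfiltered"
```

On a live system, feed `ip6tables-save` output to `audit_ip6_policy` and `accepted_ports FORWARD` to see whether hosts behind the router are reachable on more than the intended ports.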
On Fri, 2010-06-04 at 16:36 -0400, James Knott wrote:
BTW, I went to a coffee shop hotspot and ran nmap against the IPv6 address of my firewall and also against a computer behind the firewall, reachable via IPv6 address. Nmap couldn't find anything with the firewall IPv6 address,
Which probably implies that this coffeeshop isn't connected to the IPv6 network. Only if you have a native v6 address, or use a tunnelbroker, it is possible to check ipv6 with nmap...
Hans Witvliet wrote:
On Fri, 2010-06-04 at 16:36 -0400, James Knott wrote:
BTW, I went to a coffee shop hotspot and ran nmap against the IPv6 address of my firewall and also against a computer behind the firewall, reachable via IPv6 address. Nmap couldn't find anything with the firewall IPv6 address,
Which probably implies that this coffeeshop isn't connected to the IPv6 network. Only if you have a native v6 address, or use a tunnelbroker, it is possible to check ipv6 with nmap...
I use a tunnel broker, so I have an IPv6 address. The only place I don't is at the local library, where they block just about everything but browsers. As I mentioned, I could port scan my computers behind the firewall which have only IPv6 addresses available to the world.
On Sat, 2010-06-05 at 07:14 -0400, James Knott wrote:
Hans Witvliet wrote:
On Fri, 2010-06-04 at 16:36 -0400, James Knott wrote:
BTW, I went to a coffee shop hotspot and ran nmap against the IPv6 address of my firewall and also against a computer behind the firewall, reachable via IPv6 address. Nmap couldn't find anything with the firewall IPv6 address,
Which probably implies that this coffeeshop isn't connected to the IPv6 network. Only if you have a native v6 address, or use a tunnelbroker, it is possible to check ipv6 with nmap...
I use a tunnel broker, so I have an IPv6 address. The only place I don't is at the local library, where they block just about everything but browsers. As I mentioned, I could port scan my computers behind the firewall which have only IPv6 addresses available to the world.
You use a tunnelbroker, so you have an IPv6 address: at home. Or did you use your tunnelbroker to setup a second tunnel to the coffee-shop-hotspot? Until they "see the light", most hotspots don't offer IPv6 afaicr, just a handful of hotels in the far east. Well, they still have plenty time... ;-)) What was the estimated count-down date? 31-july-2011 And since a couple of months the depletion-speed is getting faster, it used to be end 2011. hw
Hans Witvliet wrote:
Until they "see the light", most hotspots don't offer IPv6 afaicr, just a handful of hotels in the far east.
Well, they still have plenty time... ;-)) What was the estimated count-down date? 31-july-2011 And since a couple of months the depletion-speed is getting faster, it used to be end 2011.
Does it matter a lot for the coffeeshops - don't they just use an RFC1918 network NAT'ed to a single IP from their provider? I think the ones who need to see the light are the access providers, but I have read or been told that the issue there is the availability of consumer-level IPv6-capable CPE. -- Per Jessen, Zürich (24.9°C)
On Sat, 2010-06-05 at 16:06 +0200, Per Jessen wrote:
Hans Witvliet wrote:
Until they "see the light", most hotspots don't offer IPv6 afaicr, just a handful of hotels in the far east.
Well, they still have plenty time... ;-)) What was the estimated count-down date? 31-july-2011 And since a couple of months the depletion-speed is getting faster, it used to be end 2011.
Does it matter a lot for the coffeeshops - don't they just use an RFC1918 network NAT'ed to a single IP from their provider?
I think the ones who need to see the light are the access providers, but I have read or been told that the issue there is the availability of consumer-level IPv6-capable CPE.
-- Per Jessen, Zürich (24.9°C)
I was tempted to write the same. For any customer it doesn't matter what address he got. But what if he tries to reach an IPv6-only site? That would only work if the customer has an rfc1918 address, but the site has his own transparent squid proxy and the possibility to reach both v4 and v6 network... hw
Per Jessen wrote:
Does it matter a lot for the coffeeshops - don't they just use an RFC1918 network NAT'ed to a single IP from their provider?
We've already reached the point where many web sites are available only via IPv6. This is mainly in Asia, where they do not have enough IPv4 addresses to go around. That day is fast approaching for North America. Also, NAT is at best a bad hack to extend IPv4. In the process, it violates IETF IP specs (for example IP addresses are not supposed to be changed) and breaks some protocols.
James Knott wrote:
Per Jessen wrote:
Does it matter a lot for the coffeeshops - don't they just use an RFC1918 network NAT'ed to a single IP from their provider?
We've already reached the point where many web sites are available only via IPv6. This is mainly in Asia, where they do not have enough IPv4 addresses to go around. That day is fast approaching for North America.
Well, I didn't realize it was getting so close - I have not yet seen/met any IPv6 only sites or servers.
Also, NAT is at best a bad hack to extend IPv4.
Well, maybe that is matter of opinion, but I would say that NAT is a very useful mechanism for connecting RFC1918 networks with the outside world. -- Per Jessen, Zürich (22.0°C)
On Sun, 2010-06-06 at 10:41 +0200, Per Jessen wrote:
James Knott wrote:
Per Jessen wrote:
Does it matter a lot for the coffeeshops - don't they just use an RFC1918 network NAT'ed to a single IP from their provider?
We've already reached the point where many web sites are available only via IPv6. This is mainly in Asia, where they do not have enough IPv4 addresses to go around. That day is fast approaching for North America.
Well, I didn't realize it was getting so close - I have not yet seen/met any IPv6 only sites or servers.
Yes, i've already seen a couple. But these were merely for IPv6-promotional purposes (torrent sites with nearly unlimited bandwidth) No sites yet that just can't get (or afford) an IPv4 address. What i was told (though i can not understand exactly if its true or why), that people/enterprises in China, Japan, Korea, Thailand are the first to suffer from the depletion. Personally i would think that IANA would hand out the 16 remaining /8 networks evenly among the RIR's (Currently APNIC has more networks than RIPE)
Also, NAT is at best a bad hack to extend IPv4.
Well, maybe that is matter of opinion, but I would say that NAT is a very useful mechanism for connecting RFC1918 networks with the outside world.
No problem for people who only initiate towards internet. Problem arises when those people want to be reachable. True, that not everybody wants their own web/mail/torrent server, but a growing number of people are using voip. Though SIP works with nat, it's a cause of many problems... hw
Hans Witvliet wrote:
On Sun, 2010-06-06 at 10:41 +0200, Per Jessen wrote:
James Knott wrote:
Per Jessen wrote:
Does it matter a lot for the coffeeshops - don't they just use an RFC1918 network NAT'ed to a single IP from their provider?
We've already reached the point where many web sites are available only via IPv6. This is mainly in Asia, where they do not have enough IPv4 addresses to go around. That day is fast approaching for North America.
Well, I didn't realize it was getting so close - I have not yet seen/met any IPv6 only sites or servers.
Yes, i've already seen a couple. But these were merely for IPv6-promotional purposes (torrent sites with nearly unlimited bandwidth)
No sites yet that just can't get (or afford) an IPv4 address. What i was told (though i can not understand exactly if its true or why), that people/enterprises in China, Japan, Korea, Thailand are the first to suffer from the depletion. Personally i would think that IANA would hand out the 16 remaining /8 networks evenly among the RIR's (Currently APNIC has more networks than RIPE)
Also, NAT is at best a bad hack to extend IPv4.
Well, maybe that is matter of opinion, but I would say that NAT is a very useful mechanism for connecting RFC1918 networks with the outside world.
No problem for people who only initiate towards internet. Problem arises when those people want to be reachable. True, that not everybody wants their own web/mail/torrent server, but a growing number of people are using voip. Though SIP works with nat, it's a cause of many problems...
hw
There are already some ISPs that hand out RFC1918 addresses, rather than "real" ones. At one company that I was doing some VoIP work for had one user on such a network. It caused some issues, though not unresolvable.
On Sunday 06 June 2010 13:32:29 James Knott wrote:
There are already some ISPs that hand out RFC1918 addresses, rather than "real" ones.
I hope you meant "still" instead of "already". ISPs handing out private IPv4 addresses have been around for as long as I have been online. For home users, that has been standard practice in many places Anders
Anders Johansson wrote:
On Sunday 06 June 2010 13:32:29 James Knott wrote:
There are already some ISPs that hand out RFC1918 addresses, rather than "real" ones.
I hope you meant "still" instead of "already". ISPs handing out private IPv4 addresses have been around for as long as I have been online. For home users, that has been standard practice in many places
Anders
Where is "many places"? To my knowledge, in North America most users do not get RFC1918 addresses. I can certainly understand it happening in Asia and Europe, where there are not as many IPv4 addresses available.
On Sunday 06 June 2010 17:35:58 James Knott wrote:
Anders Johansson wrote:
On Sunday 06 June 2010 13:32:29 James Knott wrote:
There are already some ISPs that hand out RFC1918 addresses, rather than "real" ones.
I hope you meant "still" instead of "already". ISPs handing out private IPv4 addresses have been around for as long as I have been online. For home users, that has been standard practice in many places
Anders
Where is "many places"? To my knowledge, in North America most users do not get RFC1918 addresses. I can certainly understand it happening in Asia and Europe, where there are not as many IPv4 addresses available.
Well, Europe is where I have my experience from. Some ISPs give you real addresses, some don't, I have seen private address allocations on and off since my first internet account, some time in the mid 90s My last three ISPs though have all given me real addresses, which surprised me, since I expected them to become less common. Anders
On Sun, 2010-06-06 at 11:35 -0400, James Knott wrote:
Anders Johansson wrote:
On Sunday 06 June 2010 13:32:29 James Knott wrote:
There are already some ISPs that hand out RFC1918 addresses, rather than "real" ones.
I hope you meant "still" instead of "already". ISPs handing out private IPv4 addresses have been around for as long as I have been online. For home users, that has been standard practice in many places
Anders
Where is "many places"? To my knowledge, in North America most users do not get RFC1918 addresses. I can certainly understand it happening in Asia and Europe, where there are not as many IPv4 addresses available.
Here in Holland, one isp did handout 10.x.y.z addresses, but they stopped that, and use routable addresses since a couple of years. afaics rfc1918 should only be used by end-users, who have an option and choose to use it. If you ever got one from your provider, you have to resort to all sort of tricks to turn it into a "normal" address.
Hans Witvliet wrote:
Also, NAT is at best a bad hack to extend IPv4.
Well, maybe that is matter of opinion, but I would say that NAT is a very useful mechanism for connecting RFC1918 networks with the outside world.
No problem for people who only initiate towards internet. Problem arises when those people want to be reachable.
In iptables speak "destination NAT'ing" - no problems, it works very well.
True, that not everybody wants their own web/mail/torrent server, but a growing number of people are using voip. Though SIP works with nat, it's a cause of many problems...
Don't most SIP devices have a tickbox for "NAT keep-alive" these days? Anyway, running a stun daemon takes care of it. -- Per Jessen, Zürich (25.2°C)
Per Jessen wrote:
James Knott wrote:
Per Jessen wrote:
Does it matter a lot for the coffeeshops - don't they just use an RFC1918 network NAT'ed to a single IP from their provider?
We've already reached the point where many web sites are available only via IPv6. This is mainly in Asia, where they do not have enough IPv4 addresses to go around. That day is fast approaching for North America.
Well, I didn't realize it was getting so close - I have not yet seen/met any IPv6 only sites or servers.
ipv6.google.com However, as I mentioned, there are plenty in Asia, where they don't have enough IPv4
Also, NAT is at best a bad hack to extend IPv4.
Well, maybe that is matter of opinion, but I would say that NAT is a very useful mechanism for connecting RFC1918 networks with the outside world.
I didn't say it wasn't useful. It was developed as a method to extend the life of IPv4, providing local addresses that don't get routed over the internet (contrary to popular belief, those RFC1918 addresses route just fine, but are supposed to be blocked from the public internet). IPv6 provides something similar with the link-local addresses, which start with "fe80". As I recall one popular protocol, that got broken, is ftp. You had to run it in passive mode to get it to work with NAT. Browsers do that, but not all command line versions do. Peer - peer also has issues in that you have to specifically configure the NAT/router to pass it to one computer. Same with running a server. On the other hand, as soon as I set up my subnet, all my IPv6 capable computers were automagically available on the public IPv6 internet.
James Knott wrote:
Per Jessen wrote:
James Knott wrote:
Per Jessen wrote:
Does it matter a lot for the coffeeshops - don't they just use an RFC1918 network NAT'ed to a single IP from their provider?
We've already reached the point where many web sites are available only via IPv6. This is mainly in Asia, where they do not have enough IPv4 addresses to go around. That day is fast approaching for North America.
Well, I didn't realize it was getting so close - I have not yet seen/met any IPv6 only sites or servers.
ipv6.google.com
Okay, sure there are such servers out there, but not being able to reach ipv6.google.com will not cause a problem for very many people. After all, there is still google.com :-)
However, as I mentioned, there are plenty in Asia, where they don't have enough IPv4
Also, NAT is at best a bad hack to extend IPv4.
Well, maybe that is matter of opinion, but I would say that NAT is a very useful mechanism for connecting RFC1918 networks with the outside world.
I didn't say it wasn't useful. [big snip]
James, I only objected to your calling it 'at best a bad hack' when in fact NAT'ing has been and still is incredibly useful to hundred of thousands of people. -- Per Jessen, Zürich (25.2°C)
Per Jessen wrote:
James, I only objected to your calling it 'at best a bad hack' when in fact NAT'ing has been and still is incredibly useful to hundred of thousands of people.
The fact that it's useful doesn't change the fact that it only became necessary due to a lack of available IPv4 addresses. In the process it violates the IP spec and breaks some protocols. It also causes other issues, such as reaching a computer behind a firewall or connecting sites via VPN, where the same RFC1918 subnet might be in use at both ends. This is one I ran into myself. I was staying at a hotel, where the local subnet was the same as I used at home. As a result, even though I had a VPN, I couldn't access anything on my home network. This situation is really aggravated by the fact that most people don't change the subnet in the router from the default.
James Knott wrote:
Per Jessen wrote:
James, I only objected to your calling it 'at best a bad hack' when in fact NAT'ing has been and still is incredibly useful to hundred of thousands of people.
The fact that it's useful doesn't change the fact that it only became necessary due to a lack of available IPv4 addresses.
I have continued this thread on off-topic. -- Per Jessen, Zürich (17.3°C)
Per Jessen wrote:
I think the ones who need to see the light are the access providers, but I have read or been told that the issue there is the availability of consumer-level IPv6-capable CPE.
Actually, some ISPs have seen the light and some consumer level equipment is now IPv6 capable. A friend of mine has a router, not sure if D-Link or Linksys, that can handle IPv6. Modern operating systems, including Linux, BSD, Mac and Windows have been IPv6 ready for years. I'd strongly recommend people set up tunnels to IPv6 brokers in the mean time. I use Freenet6 from http://gogonet.gogo6.com. They have clients for Linux, Windows, Mac and BSD and can be configured for either a /56 subnet or a single address. There are other tunnel brokers available. BTW, there is no charge for using that Freenet6 tunnel, but if you don't register, you're limited to a single address. If you register, you get a static address, DNS to that address and can configure for a subnet.
On Sat, 2010-06-05 at 14:45 -0400, James Knott wrote:
Per Jessen wrote:
I think the ones who need to see the light are the access providers, but I have read or been told that the issue there is the availability of consumer-level IPv6-capable CPE.
Actually, some ISPs have seen the light and some consumer level equipment is now IPv6 capable. A friend of mine has a router, not sure if D-Link or Linksys, that can handle IPv6. Modern operating systems, including Linux, BSD, Mac and Windows have been IPv6 ready for years.
I'd strongly recommend people set up tunnels to IPv6 brokers in the mean time. I use Freenet6 from http://gogonet.gogo6.com. They have clients for Linux, Windows, Mac and BSD and can be configured for either a /56 subnet or a single address. There are other tunnel brokers available.
BTW, there is no charge for using that Freenet6 tunnel, but if you don't register, you're limited to a single address. If you register, you get a static address, DNS to that address and can configure for a subnet.
One of the big advantage of the huge address space you get for free, is that you can assign specific addresses to https web hosts. Normally (without any dirty tricks) you cannot have multiple apache vhosts using SSL. Using IPv6 that's a thing of the past.... I usually recommend tunnelbroker.net By default you get an /64 network, and if you take the trouble of activating another check-box, you get another /48 network For free, as in free beer. No strings attached Tunnel endpoint everywhere on the globe.. hw
Hans Witvliet wrote:
By default you get an /64 network, and if you take the trouble of activating another check-box, you get another /48 network
I think a /56 will do me for now. ;-)
Hans Witvliet wrote:
One of the big advantage of the huge address space you get for free, is that you can assign specific addresses to https web hosts.
Normally (without any dirty tricks) you cannot have multiple apache vhosts using SSL. Using IPv6 that's a thing of the past....
Apache SNI has been working for quite some time now - I wouldn't call that a dirty trick?
I usually recommend tunnelbroker.net By default you get an /64 network, and if you take the trouble of activating another check-box, you get another /48 network
AFAIK, the current recommendation is for providers to dish out /48 networks. That's what I have in the datacentre. -- Per Jessen, Zürich (21.9°C)
On Sun, 2010-06-06 at 10:37 +0200, Per Jessen wrote:
Hans Witvliet wrote:
One of the big advantage of the huge address space you get for free, is that you can assign specific addresses to https web hosts.
Normally (without any dirty tricks) you cannot have multiple apache vhosts using SSL. Using IPv6 that's a thing of the past....
Apache SNI has been working for quite some time now - I wouldn't call that a dirty trick?
Yeah, know about it, unfortunately it only works with the latest versions of firefox, and i have heard rumors that there are still some unfortunate people who are still using internet exploder (which is known NOT to work with SNI)
I usually recommend tunnelbroker.net By default you get an /64 network, and if you take the trouble of activating another check-box, you get another /48 network
AFAIK, the current recommendation is for providers to dish out /48 networks. That's what I have in the datacentre.
Well if they continue to hand out on that scale (instead of an already luxurious /116), i understand why they are already working on v8.. ;-)
Hans Witvliet wrote:
I usually recommend tunnelbroker.net By default you get an /64 network, and if you take the trouble of activating another check-box, you get another /48 network
AFAIK, the current recommendation is for providers to dish out /48 networks. That's what I have in the datacentre.
Well if they continue to hand out on that scale (instead of an already luxurious /116), i understand why they are already working on v8.. ;-)
Yeah, I did think a /48 was very grand too, but that's what RFC3177 proposes. -- Per Jessen, Zürich (23.6°C)
Hans Witvliet wrote:
and i have heard rumors that there are still some unfortunate people who are still using internet exploder (which is known NOT to work with SNI)
Some might consider that an advantage of SNI. ;-)
Per Jessen wrote:
AFAIK, the current recommendation is for providers to dish out /48 networks. That's what I have in the datacentre.
I thought that was for business customers, but home users would have to make do with only a /64. ;-)
James Knott wrote:
Per Jessen wrote:
AFAIK, the current recommendation is for providers to dish out /48 networks. That's what I have in the datacentre.
I thought that was for business customers, but home users would have to make do with only a /64. ;-)
RFC 3177: "In particular, we recommend: - Home network subscribers, connecting through on-demand or always-on connections should receive a /48. - Small and large enterprises should receive a /48." You would think that a home user would have enough in a /64 or even much smaller, but ... -- Per Jessen, Zürich (25.2°C)
Per Jessen wrote:
James Knott wrote:
Per Jessen wrote:
AFAIK, the current recommendation is for providers to dish out /48 networks. That's what I have in the datacentre.
I thought that was for business customers, but home users would have to make do with only a /64. ;-)
RFC 3177:
"In particular, we recommend:
- Home network subscribers, connecting through on-demand or always-on connections should receive a /48.
- Small and large enterprises should receive a /48."
You would think that a home user would have enough in a /64 or even much smaller, but ...
With the way that's worded, I'd tend to think it was a typo. Why differentiate between home users and enterprises, if you give them both a /48 subnet? I have read other sources that say /64 for home users. Some of the arguments for it don't seem to make sense. Also, RFC 3177 is an informational document, not a "best current practice" standard for implementation. I wonder if it has been superseded, as it is from Sept. 2001?
James Knott wrote:
Per Jessen wrote:
I think the ones who need to see the light are the access providers, but I have read or been told that the issue there is the availability of consumer-level IPv6-capable CPE.
Actually, some ISPs have seen the light and some consumer level equipment is now IPv6 capable. A friend of mine has a router, not sure if D-Link or Linksys, that can handle IPv6. Modern operating systems, including Linux, BSD, Mac and Windows have been IPv6 ready for years. I'd strongly recommend people set up tunnels to IPv6 brokers in the mean time. I use Freenet6 from http://gogonet.gogo6.com. They have clients for Linux, Windows, Mac and BSD and can be configured for either a /56 subnet or a single address. There are other tunnel brokers available.
If you're technically minded and if your provider will dish out an IPv6 network, you could just set up your adsl box to run in bridging mode and then run pppd. -- Per Jessen, Zürich (21.4°C)
Per Jessen wrote:
If you're technically minded and if your provider will dish out an IPv6 network, you could just set up your adsl box to run in bridging mode and then run pppd.
I am technically minded, having worked in IT for 38 years, but I haven't heard of any IPv6 plans from my ISP. Also, I'm on a cable modem.
James Knott wrote:
Per Jessen wrote:
If you're technically minded and if your provider will dish out an IPv6 network, you could just set up your adsl box to run in bridging mode and then run pppd.
I am technically minded, having worked in IT for 38 years, but I haven't heard of any IPv6 plans from my ISP. Also, I'm on a cable modem.
Sorry, I didn't mean _you_ in particular, I meant to say "if one is technically minded ..." As for your provider's IPv6 plans - many don't advertise them, they're not very interesting to Joe Bloggs. -- Per Jessen, Zürich (25.3°C)
Per Jessen wrote:
As for your provider's IPv6 plans - many don't advertise them, they're not very interesting to Joe Bloggs.
Not too long ago, several major Canadian ISPs were polled for a survey. Most said they had no plans. Mine didn't comment. Also, as I said in another note, I was speaking to a manager at one major ISP, who was responsible for their hosting sites. He said they hadn't any plans for either their hosting sites or ADSL subscribers. If he was correct, that's a very dangerous position to take at this date. According to other articles I've read, that situation tends to be very common among North American companies. There are exceptions, such as Google, Cisco, Verizon etc. Also, the U.S. government is helping to drive the situation, by requiring IPv6 support from vendors, but there are still many, with their head in the sand, ignoring the reality of the situation. With 4G "LTE" phones, IPv6 will be required, as those phones will be VoIP and IPv4 cannot handle them all. Me, I'm ready, regardless of what my ISP does. Also, I have a DOCSIS v2 cable modem, which will likely require a firmware upgrade to handle IPv6. DOCSIS v3 modems support it.
James Knott wrote:
Me, I'm ready, regardless of what my ISP does. Also, I have a DOCSIS v2 cable modem, which will likely require a firmware upgrade to handle IPv6. DOCSIS v3 modems support it.
We're just about ready too - the /48 net was assigned more than 6 months ago, the main thing that is holding us back is getting bandwidth management to work with the ppp devices. Well, that's the main issue, what's holding us back is lack of time :-) We also have a number of rented servers in Germany, but the datacentre there is also just about to announce full IPv6 support. -- Per Jessen, Zürich (26.0°C)
James Knott wrote:
Per Jessen wrote:
I think the ones who need to see the light are the access providers, but I have read or been told that the issue there is the availability of consumer-level IPv6-capable CPE.
Actually, some ISPs have seen the light and some consumer level equipment is now IPv6 capable. A friend of mine has a router, not sure if D-Link or Linksys, that can handle IPv6. Modern operating systems, including Linux, BSD, Mac and Windows have been IPv6 ready for years.
I'd strongly recommend people set up tunnels to IPv6 brokers in the mean time. I use Freenet6 from http://gogonet.gogo6.com. They have clients for Linux, Windows, Mac and BSD and can be configured for either a /56 subnet or a single address. There are other tunnel brokers available.
BTW, there is no charge for using that Freenet6 tunnel, but if you don't register, you're limited to a single address. If you register, you get a static address, DNS to that address and can configure for a subnet.
For legacy hardware there is third party firmware that provides IPv6 support. BTW The kit is produced by a few manufacturers (and possibly re-badged) to a cheap and cheerful spec, and not normally by the ISP itself. I think the major issues with IPv4 based ISPs will be the cost of any changes made, persuading their consumer base to migrate and explaining the reasons for the change. In places with a very competitive industry no-one is going to be willing to put themselves at a potential competitive disadvantage (waiting for the first to make the change so that they can capitalise on any mistakes made will be order of the day). Try and explain how to perform the above to the average home user :-) -- I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone. Bjarne Stroustrup
G T Smith wrote:
For legacy hardware there is third party firmware that provides IPv6 support. BTW The kit is produced by a few manufacturers (and possibly re-badged) to a cheap and cheerful spec, and not normally by the ISP itself.
I think the major issues with IPv4 based ISPs will be the cost of any changes made, persuading their consumer base to migrate and explaining the reasons for the change. In places with a very competitive industry no-one is going to be willing to put themselves at a potential competitive disadvantage (waiting for the first to make the change so that they can capitalise on any mistakes made will be order of the day).
Try and explain how to perform the above to the average home user:-)
The company I get my subnet from also sells a "CPE" that plugs into your network and provides the tunnel. However, those who wait are more likely to make expensive mistakes than those who have a proper plan that gives them time to experiment. Some will find out the hard way, when they can no longer offer service to new customers.
James Knott wrote:
G T Smith wrote: The company I get my subnet from also sells a "CPE" that plugs into your network and provides the tunnel. However, those who wait are more likely to make expensive mistakes than those who have a proper plan that gives them time to experiment.
?! Early adopters are usually the ones who end up in difficulty. Those who learn by someone else's mistakes and do their own R&D usually are better positioned to not be cut by the bleeding edge when they do decide to adopt. The adoption of a technology is more usually defined by commercial and other benefits rather than the technical merits of a particular technology. In a time where cash is short, corporate priorities are more likely to be on minimising costs by downsizing staff etc, rather than funding the adoption of new technologies with no immediately apparent cash-flow benefits. Which is probably short sighted at best, but most public companies are there to make cash for their shareholders who are tending to be less tame about board level decisions in recent times. I would expect tools (and standards) to manage IPv6 external connectivity to be developed rather than wholesale infrastructure changes to be implemented; as the former could be relatively cheap to adopt, and the second significantly expensive.
Some will find out the hard way, when they can no longer offer service to new customers.
G T Smith wrote:
James Knott wrote:
G T Smith wrote: The company I get my subnet from also sells a "CPE" that plugs into your network and provides the tunnel. However, those who wait are more likely to make expensive mistakes than those who have a proper plan that gives them time to experiment.
?! Early adopters are usually the ones who end up in difficulty. Those who learn by someone else's mistakes and do their own R&D usually are better positioned to not be cut by the bleeding edge when they do decide to adopt.
I was referring to a period for setting things up and making sure they work, before deploying to customers, although they might be offered a "beta" service. Doing so is much better than working in panic mode, where you all of a sudden find you have to do something yesterday, to provide what your customers need NOW!!!. What happens to an ISP, who ignored the depletion of IPv4 addresses, when the day comes when he goes to get another IPv4 block and can't get one? Will they then start learning about IPv6? IPv6 has been in the works for many years (I first read about it 15 years ago) and has been in use for years too. The tools are already here. It's been proven. The ones who will have problems are the ones who haven't prepared. Not understanding where your business is heading and preparing for it is not only short sighted, it's suicidal.
I would expect tools (and standards) to manage IPv6 external connectivity to be developed rather than wholesale infrastructure changes to be implemented; as the former could be relatively cheap to adopt, and the second significantly expensive.
The external connectivity is already available for free, via tunnel brokers. That part is very easy. The problem is with ISPs who have to update their networks and get off their butts to support it. Some equipment may have to be updated or replaced. In the mean time, they should be getting their networks ready as much as possible.
James Knott wrote:
G T Smith wrote:
James Knott wrote:
?! Early adopters are usually the ones who end up in difficulty. Those who learn by someone else's mistakes and do their own R&D usually are better positioned to not be cut by the bleeding edge when they do decide to adopt.
I was referring to a period for setting things up and making sure they work, before deploying to customers, although they might be offered a "beta" service. Doing so is much better than working in panic mode, where you all of a sudden find you have to do something yesterday, to provide what your customers need NOW!!!. What happens to an ISP, who ignored the depletion of IPv4 addresses, when the day comes when he goes to get another IPv4 block and can't get one? Will they then start learning about IPv6? IPv6 has been in the works for many years (I first read about it 15 years ago) and has been in use for years too. The tools are already here. It's been proven. The ones who will have problems are the ones who haven't prepared. Not understanding where your business is heading and preparing for it is not only short sighted, it's suicidal.
My mobile provider uses NAT 10.x.x.x addresses while the land network seems to have a fairly large network address pool (possibly by grabbing address space a long time ago), while some latecomer ISPs may be facing this as a potential problem (as they missed the early allocation grab). In the old scheme where countries tended to be allocated class A addresses, may have also had the result that some of the smaller nations may not be facing the same issues. I think some providers will need a lot of persuading that this is an immediate problem for consumer networks for some time to come (commercial and academic networks are a different story). I remember predictions that American/European address space would run out a decade ago, it has not yet. The introduction of NAT seems to have mitigated some of the address issues. Usage of IPv6 is still not really that high, though policy decisions in the US and Asian address requirements will increase usage.
On Sun, 2010-06-06 at 12:13 +0100, G T Smith wrote:
For legacy hardware there is third party firmware that provides IPv6 support. BTW The kit is produced by a few manufacturers (and possibly re-badged) to a cheap and cheerful spec, and not normally by the ISP itself.
Can't imagine hardware that's too old be able to run V6...
I think the major issues with IPv4 based ISPs will be the cost of any changes made, persuading their consumer base to migrate and explaining the reasons for the change. In places with a very competitive industry no-one is going to be willing to put themselves at a potential competitive disadvantage (waiting for the first to make the change so that they can capitalise on any mistakes made will be order of the day).
Try and explain how to perform the above to the average home user :-)
Well, some ISPs teach their customers the hard way: I heard from someone using Vista, who had a malfunctioning cable modem. After complaining about it, he got a new one (doing DOCSIS-3). He noticed that he got from his ISP directly, both a V4 AND a V6 address, without even being told about the possibility! Great fun for those having their firewall neatly configured for IPv4, and finding out that IPv6 is wide open -;)) So the lesson for lots of people: even if you're not using (knowingly) IPv6, configure your firewall for it.
Hans Witvliet wrote:
He noticed that he got from his ISP directly, both a V4 AND a V6 address, without even being told about the possibility!
Did he actually get an IPv6 address from the ISP? Or did he just notice the link local IPv6 address. A quick test for IPv6 internet is to try to go to ipv6.google.com.
So the lesson for lots of people: even if you're not using (knowingly) IPv6, configure your firewall for it.
My Linux box firewall is configured to pass only ssh, OpenVPN and the 6to4 tunnel on IPv4. When I port scan my computers that are behind the firewall, but have an IPv6 address, I can see all the open services, not just those I want available on the internet. That's something I'll have to get around to resolving soon.
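The lesson in this part of the thread (a firewall configured only for IPv4 leaves IPv6 open, including hosts behind the router), shown as an added example that is not part of any poster's message: a default-deny `ip6tables-restore` ruleset mirroring the ssh/OpenVPN-only policy, and a check of `ip6tables-save` output for chains left at ACCEPT. The interface names, the OpenVPN port and the sample dump are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: adjust to the local setup.
LAN_IF="${LAN_IF:-eth0}"             # assumed LAN-facing interface
WAN_IF="${WAN_IF:-sit1}"             # assumed IPv6 tunnel / uplink interface
SSH_PORT="${SSH_PORT:-22}"
OPENVPN_PORT="${OPENVPN_PORT:-1194}" # assumed: OpenVPN's default port

# Print an ip6tables-restore ruleset with the same exposure as the IPv4
# policy (ssh and OpenVPN only), for the router and the hosts behind it.
emit_ip6_ruleset() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # ICMPv6 the router itself needs: errors (1-4), echo request (128),
    # router/neighbour discovery (133-136). IPv6 breaks without these.
    for t in 1 2 3 4 128 133 134 135 136; do
        printf '%s\n' "-A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    printf '%s\n' \
        "-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT" \
        "-A INPUT -p udp --dport $OPENVPN_PORT -m conntrack --ctstate NEW -j ACCEPT" \
        '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        "-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
    # Towards LAN hosts, forward only ICMPv6 errors (type 2 is needed for
    # path MTU discovery); unsolicited inbound connections hit the DROP policy.
    for t in 1 2 3 4; do
        printf '%s\n' "-A FORWARD -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Read ip6tables-save output on stdin and print the filter-table chains
# (INPUT, FORWARD) whose default policy is still ACCEPT.
open_ipv6_chains() {
    awk '
        /^\*/ { table = substr($1, 2) }
        table == "filter" && /^:(INPUT|FORWARD) / && $2 == "ACCEPT" {
            print substr($1, 2)
        }
    '
}

# Constructed sample: what ip6tables-save shows on a host where only the
# IPv4 side was ever configured. ACCEPT policies in mangle are normal.
sample_default_dump() {
    printf '%s\n' '# constructed sample dump' \
        '*filter' \
        ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        'COMMIT' \
        '*mangle' \
        ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        'COMMIT'
}

# Typical use, as root:
#   ip6tables-save | open_ipv6_chains              # audit the running policy
#   emit_ip6_ruleset | ip6tables-restore --test    # parse only, no commit
```

Any chain name printed by `open_ipv6_chains` means IPv6 traffic on that path is accepted by default, whatever the IPv4 rules say.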
On Sun, 2010-06-06 at 10:32 -0400, James Knott wrote:
Hans Witvliet wrote:
He noticed that he got from his ISP directly, both a V4 AND a V6 address, without even being told about the possibility!
Did he actually get an IPv6 address from the ISP? Or did he just notice the link local IPv6 address. A quick test for IPv6 internet is to try to go to ipv6.google.com.
afaicr, he got 2001: an address with a global scope. On one hand scary, otoh promising.
Hans Witvliet wrote:
On Sun, 2010-06-06 at 12:13 +0100, G T Smith wrote:
For legacy hardware there is third party firmware that provides IPv6 support. BTW The kit is produced by a few manufacturers (and possibly re-badged) to a cheap and cheerful spec, and not normally by the ISP itself.
Can't imagine hardware that's too old be able to run V6...
I have some hardware that has no IPv6 support in the current installed firmware (which is not that old); however, I also know there is third party firmware that is available which will give IPv6 support if required, so I am unlikely to purchase new hardware that does have the support, which some manufacturers would prefer me to do.
Try and explain how to perform the above to the average home user :-)
Well, some ISPs teach their customers the hard way:
I heard from someone using Vista, who had a malfunctioning cable modem. After complaining about it, he got a new one (doing DOCSIS-3).
He noticed that he got from his ISP directly, both a V4 AND a V6 address, without even being told about the possibility! Great fun for those having their firewall neatly configured for IPv4, and finding out that IPv6 is wide open -;))
So the lesson for lots of people: even if you're not using (knowingly) IPv6, configure your firewall for it.
Hmm... this is not so much a lesson but a failure of service. How many consumer users are actually able to discover this, let alone understand the implications?
G T Smith wrote:
Hmm... this is not so much a lesson but a failure of service. How many consumer users are actually able to discover this, let alone understand the implications?
Fortunately, with IPv6, the address range is so huge and likely to always be sparsely populated, that pinging on a bunch of addresses, to find a target, will be futile. Attackers will have to intercept an address somehow, to be able to find something to attack.
James Knott wrote:
G T Smith wrote:
Hmm... this is not so much a lesson but a failure of service. How many consumer users are actually able to discover this, let alone understand the implications?
Fortunately, with IPv6, the address range is so huge and likely to always be sparsely populated, that pinging on a bunch of addresses, to find a target, will be futile. Attackers will have to intercept an address somehow, to be able to find something to attack.
Who actually uses only numeric addresses to access devices? There is a huge numeric address space but a slightly more specific name space. Broadcast and crawling attacks are also not the only way to glean info on vulnerabilities. If you have a hole is it wise to assume that someone will not find and use it?
Per Jessen wrote:
I think the ones who need to see the light are the access providers, but I have read or been told that the issue there is the availability of consumer-level IPv6-capable CPE.
Just a quick follow-up - I've just today received a new Zyxel 660R - to my surprise, it does IPv6, although it doesn't seem to provide much control over it. -- Per Jessen, Zürich (25.9°C)
Hans Witvliet wrote:
You use a tunnelbroker, so you have an IPv6 address: at home
Or did you use your tunnelbroker to setup a second tunnel to the coffee-shop-hotspot?
I have my home network set up with a /56 subnet (256 /64 subnets) from a tunnel broker. My notebook computer is set up to get a single address from the broker when I'm away from home.
What was the estimated count-down date? 31-july-2011 And since a couple of months the depletion-speed is getting faster, it used to be end 2011.
I've heard similar estimates. Regardless, that day is approaching soon. Also, when the LTE (4G) cell phones appear, they'll also need IP addresses, as they'll be using VoIP. There's no way they can all get an address without IPv6. This is why I find it astounding so many are not making preparations for IPv6. A few weeks ago, I was talking to a manager at a major ISP & long distance provider. According to him, they currently have no plans to do anything with IPv6. I wonder what he'll say when they can no longer get IPv4 addresses for their customers? I've also done a lot of work with Adtran networking equipment. When I last asked them, about a year back, they still had no IPv6 support in their equipment. They are trying to compete with Cisco, which has had IPv6 support for quite some time. IIRC, they're one of the organizations that's trying to promote IPv6 use. I never thought I'd see the day, when I'd have 2^72 (4722366482869645213696) addresses assigned for my own personal use! I'm only using 5 at the moment, so that subnet should last me for a while. ;-) Another thing I'll have to look into is mapping IPv4 only devices into my IPv6 subnet. Also, most things I've tried work with IPv6, except CUPS & Webmin. I'll have to see what the problem is there.
Hans Witvliet wrote:
On Fri, 2010-06-04 at 16:36 -0400, James Knott wrote:
BTW, I went to a coffee shop hotspot and ran nmap against the IPv6 address of my firewall and also against a computer behind the firewall, reachable via IPv6 address. Nmap couldn't find anything with the firewall IPv6 address,
Which probably implies that this coffeeshop isn't connected to the IPv6 network. Only if you have a native v6 address, or use a tunnelbroker, it is possible to check ipv6 with nmap...
I found a way to test from home. I connected my notebook to my local network via a NAT router, so it can't see the local IPv6 network. I then start up the client to get a single IPv6 address via the broker. Now, when I run nmap, it's forced to go out to the broker and back, to reach my local network.
On 06/03/10 16:25, James Knott wrote:
I have been using SuSEfirewall2 for several years with IPv4. However, IIRC, it doesn't work with IPv6, which I have recently started using. What firewalls work with IPv6?
You should also consider Shorewall (ipv4) and Shorewall6 (ipv6). They use (version controllable) text files for the configuration, with very straightforward contents to describe the desired firewall behaviour, including multi-routing and bandwidth control. See http://shorewall.net/shorewall_quickstart_guide.htm#Guides for quick run-throughs. Theo
participants (8)
- Adam Tauno Williams
- Anders Johansson
- G T Smith
- Hans Witvliet
- James Knott
- Marcus Meissner
- Per Jessen
- Theo van Werkhoven