Dagger2 commented on I spent a week without IPv4 (2023)   apalrd.net/posts/2023/net... · Posted by u/mahirsaid
rao-v · a day ago
I’d love to pay my ISP to rotate my IPv6 subnet every week. It’s not an option. My Comcast IP changes every so often and that’s of some value.

It’s very unclear to me why people should be able to deterministically reach out to a specific device on my network. It has no value to me unless I run a service.

Dagger2 · 8 hours ago
Then the value is clear, isn't it? The value is that it gives you the ability to run a service. Maybe you don't want to do that today, which is fine -- you can simply not make use of the ability. If you ever change your mind, it's available and you can use it.

Also... the ability for people to deterministically reach out to a specific device on your network is the exact same ability you use to deterministically reach out to specific devices on their networks, just viewed from the opposite side. If the Internet wasn't a place where people could decide to run services on their networks and connect to services that other people ran on their networks, what would the point even be?

IPv6 supports customer-controlled prefix rotation. You can select how often it happens by configuring your router to periodically change its DUID. Of course, your ISP can ignore this signal and always assign the same prefix anyway, but you can hardly blame that on IPv6.

Dagger2 commented on I spent a week without IPv4 (2023)   apalrd.net/posts/2023/net... · Posted by u/mahirsaid
stevekemp · 5 days ago
I guess it would, but remember there are more services out there than just HTTP(S).

For example the last time I had an IPv6-only host I had issues cloning things from github, as "git clone git@github.com..." failed due to github.com not having IPv6 records.

A quick search revealed this open 3+ year old discussion - https://github.com/orgs/community/discussions/10539

Dagger2 · 2 days ago
A quick workaround for that is to use one of the DNS servers from https://nat64.net/. There are also people running reverse proxies specifically for GitHub, e.g. https://danwin1210.de/github-ipv6-proxy.php.

(Ideally your ISP would be running NAT64 for you, especially if it's a VPS provider only giving you v6, but for whatever reason few of them do...)
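
As an added illustration of the NAT64/DNS64 workaround described in the reply above (example code written for this page, not from the original post and not nat64.net's software): a DNS64 resolver synthesizes an AAAA record only when a name has no AAAA of its own, by placing the IPv4 address in the low 32 bits of a /96 prefix. The RFC 6052 well-known prefix 64:ff9b::/96 is used here; public NAT64 operators generally announce their own /96, which is why the prefix is a parameter. The 192.0.2.x addresses are documentation space, not GitHub's.

```python
import ipaddress
from typing import List, Optional

# RFC 6052 well-known NAT64 prefix. Public NAT64 operators usually announce their
# own /96 instead, so every function below takes the prefix as a parameter.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> str:
    """The AAAA a DNS64 resolver hands out for an IPv4-only name: with a /96 prefix
    the 32-bit IPv4 address simply becomes the low 32 bits of the IPv6 address."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def dns64_answer(aaaa: List[str], a: List[str],
                 prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> List[str]:
    """DNS64 (RFC 6147) only synthesizes when the name has no AAAA of its own;
    a dual-stack name is answered with its real AAAA records untouched."""
    if aaaa:
        return list(aaaa)
    return [synthesize_aaaa(x, prefix) for x in a]


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> Optional[str]:
    """Inverse mapping, useful when reading connection logs on a v6-only host:
    a peer inside the NAT64 prefix is really an IPv4 destination behind the translator."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


if __name__ == "__main__":
    # Constructed records (192.0.2.0/24 is documentation space, not GitHub's).
    print(dns64_answer(aaaa=[], a=["192.0.2.1", "192.0.2.2"]))
    print(dns64_answer(aaaa=["2001:db8::1"], a=["192.0.2.1"]))
    print(extract_ipv4("64:ff9b::c000:201"))
```

Because the resolver, not the client, decides when to synthesize, `git clone git@github.com:...` on a v6-only host works unchanged once the system resolver points at a DNS64 server whose NAT64 gateway is reachable; the SSH connection simply goes to the synthesized address.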

Dagger2 commented on I spent a week without IPv4 (2023)   apalrd.net/posts/2023/net... · Posted by u/mahirsaid
immibis · 3 days ago
Note that V6 is easier to scan than some people assume. You don't have to scan all 2^128 addresses - you can look at provider address blocks in the registry, and make an assumption (or try it and see) what size block that provider assigns to each server, and then guess the server is ::1 or ::2 in each block. This isn't an exhaustive scan, but you'll find a lot of services this way anyway.
Dagger2 · 2 days ago
You can also e.g. monitor certificate transparency logs for hostnames. But the difference is that without NAT, knowing about one server on the network doesn't automatically give you the IP for every other accessible server on the same network. You have to actually try host IPs one by one instead of the router kindly filling that part in for you.
Dagger2 commented on I spent a week without IPv4 (2023)   apalrd.net/posts/2023/net... · Posted by u/mahirsaid
nottorp · 4 days ago
> to exhaustively enumerate every single publicly accessible server on your entire network

Enterprise thinking. It's not the publicly accessible servers I worry about, it's the other boxes that shouldn't be publicly accessible...

Dagger2 · 3 days ago
That's what I meant. On v4, it's trivial to find every server that can be reached from the Internet, whether it was intentional or not. It's not so trivial on v6.
Dagger2 commented on I spent a week without IPv4 (2023)   apalrd.net/posts/2023/net... · Posted by u/mahirsaid
mike_d · 5 days ago
This is a lot of basically sharpshooting, but I will address your last point:

> There was no way to move from 32-bits to >32-bits without every network stack of every device element (host, gateway, firewall, application, etc) getting new code. Anything that changed the type and size of sockaddr->sa_family (plus things like new DNS resource record types: A is 32-bit only; see addrinfo->ai_family) would require new code.

That is simply not true. We had one bit left (the reserved/"evil" bit) in IPv4 headers that could have been used to flag that the first N bytes of the payload were an additional IPv4.1 header indicating additional routing information. Packets would continue to transit existing networks and "4.1" capable boxes at edges could read the additional information to make further routing decisions inside of a network. It would have effectively used IPv4 as the core transport network and each connected network (think ASN) having a handful of routed /32s.

Overlay networks are widely deployed and have very minor technical issues.

But that would have only addressed the numbering exhaustion issues. Engineers often get caught in the "well if I am changing this code anyway" trap.

Dagger2 · 4 days ago
But v6 did do what you're describing here?

They didn't use the reserved bit, because there's a field that's already meant for this purpose: the next protocol field. Set that to 0x29 and it indicates that the first bytes of the payload contain a v6 address. Every v4 address has a /48 of v6 space tunnelled to it using this mechanism, and any two v4 addresses can talk v6 between them (including to the entire networks behind those addresses) via it.

If doing basically exactly what you suggested isn't enough to stop you from complaining about v6's designers, how could they possibly have done any better?
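
The mechanism the reply above describes is 6to4 (RFC 3056): an IPv4 address 0xVVVVVVVV owns the IPv6 prefix 2002:VVVV:VVVV::/48, and the IPv6 packets are carried inside IPv4 packets whose protocol field is 41 (0x29). The following is an added example, not code from the original post: it derives the /48 from an IPv4 address, recovers the IPv4 endpoint from a 6to4 destination, and builds the outer IPv4 header a 6to4 gateway prepends. The inner IPv6 packet in the usage section is a constructed 40-byte header, and the outer header is written with a fixed TTL of 64, no options and DF clear, which are assumptions of this example.

```python
import ipaddress
import struct
from typing import Optional

IPPROTO_IPV6_IN_IPV4 = 41          # 0x29: IPv4 "protocol" value for an encapsulated IPv6 packet
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def six_to_four_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """2002:VVVV:VVVV::/48: the 32 IPv4 bits sit directly after the 2002 prefix."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def relay_ipv4_for(ipv6: str) -> Optional[str]:
    """The routing decision a 6to4 gateway makes: for a destination inside 2002::/16,
    the IPv4 address to tunnel toward is bits 16..47 of the IPv6 destination."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIX_TO_FOUR:
        return None
    return str(ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF))


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 791). Over a header whose checksum
    field is already filled in, the result is 0, which is how receivers verify it."""
    total = sum(int.from_bytes(header[i:i + 2], "big") for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(ipv6_packet: bytes, src_v4: str, dst_v6: str) -> bytes:
    """Prepend the outer IPv4 header (protocol 41) for a 6to4 destination.
    Assumed for this example: TTL 64, no IP options, DF not set, identification 0."""
    dst_v4 = relay_ipv4_for(dst_v6)
    if dst_v4 is None:
        raise ValueError(f"{dst_v6} is not a 6to4 address")
    total_len = 20 + len(ipv6_packet)
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, IPPROTO_IPV6_IN_IPV4, 0,
        ipaddress.IPv4Address(src_v4).packed, ipaddress.IPv4Address(dst_v4).packed,
    )
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6_packet


if __name__ == "__main__":
    print(six_to_four_prefix("192.0.2.1"))                      # 2002:c000:201::/48
    print(relay_ipv4_for("2002:c000:201::1"))                    # 192.0.2.1
    inner = bytes([0x60]) + bytes(39)                            # constructed: bare IPv6 header, version 6
    outer = encapsulate(inner, "198.51.100.7", "2002:c000:201::1")
    print(len(outer), outer[9], ipv4_checksum(outer[:20]))       # 60 41 0
```

The point of the reply survives the code: a router with a public IPv4 address gets a routable /48 of IPv6 with no help from its ISP, and anything behind it can talk IPv6 to every other 6to4 network via plain IPv4 transit. Note for operators that the relay is an open IPv4 endpoint for protocol 41, so the gateway should filter what it is willing to decapsulate and from whom.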

Dagger2 commented on I spent a week without IPv4 (2023)   apalrd.net/posts/2023/net... · Posted by u/mahirsaid
Sleaker · 5 days ago
Well.. that's because with IPv6 you're not technically on a LAN; everything is exposed by default unless you set it all up differently.
Dagger2 · 4 days ago
Nope, you're on a LAN, and usually the router has a firewall that blocks inbound connections by default. Some OSs (like Windows) also have their own by-default firewalls that block connections from hosts on different networks out of the box.
Dagger2 commented on I spent a week without IPv4 (2023)   apalrd.net/posts/2023/net... · Posted by u/mahirsaid
nottorp · 4 days ago
> Any peer-to-peer apps work much better on IPv6, and if you're developing one then it's actually possible again.

Yeah, and my Windows box is again accessible from the outside with whatever services MS deems to run by default...

Yes, there are firewalls, but isn't it better if a potential attacker doesn't even know what's behind my router?

P.S.: Since webrtc showed up to do whatever it wants with my network, peer to peer has started to mean "donating resources to some company" to me.

Dagger2 · 4 days ago
v4 networks commonly only get one IP for the whole network, and people use NAT with port forwarding to make inbound connections work. With this setup, an attacker only needs to scan the 65536 ports on the router to exhaustively enumerate every single publicly accessible server on your entire network, which is about 3 megabytes of traffic and takes approximately no seconds.

On v6, you don't use NAT and networks are /64. Finding every server requires scanning 65536 ports on all 2^64 IPs, which is about 72 billion petabytes of traffic. There are ways to prune this down somewhat, but however you do it the search space is still far larger.

If you want attackers to not know what's behind your router, you want v6.
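
The two replies above, the one on guessing ::1 and ::2 inside provider allocations and monitoring certificate transparency logs, and this one on the size of a brute-force scan, are illustrated by the following added example (written for this page, not part of the original comments). It puts numbers on the brute-force search space and implements the pruning heuristic immibis describes: enumerate each per-customer prefix inside an allocation and try only a few low interface IDs. The 60-byte probe size is an assumption matching a minimum-size TCP SYN on Ethernet; 2001:db8::/32 is documentation space standing in for a real provider block.

```python
import ipaddress
from typing import Iterable, Iterator

PROBE_BYTES = 60  # assumed size of one SYN on the wire; 2^80 probes * 60 B is about 72 billion PB


def brute_force_probe_bytes(host_bits: int, ports: int = 65536,
                            probe_bytes: int = PROBE_BYTES) -> int:
    """Bytes needed to try every port on every address of a block with `host_bits`
    host bits. host_bits=0 is the single public IP of a NATed v4 network;
    host_bits=64 is an end-user IPv6 /64."""
    return (1 << host_bits) * ports * probe_bytes


def petabytes(n_bytes: int) -> float:
    return n_bytes / 1e15


def guessed_hosts(allocation: str, per_customer: int,
                  iids: Iterable[int] = (1, 2),
                  limit: int = 1_000_000) -> Iterator[ipaddress.IPv6Address]:
    """The pruning heuristic: walk every per-customer prefix inside a provider
    allocation (e.g. /48s inside a /32) and try only low interface IDs such as ::1
    and ::2, where routers and manually numbered servers tend to live.
    `limit` caps the generator so a /29 split into /64s cannot run away."""
    block = ipaddress.IPv6Network(allocation)
    if not block.prefixlen <= per_customer <= 128:
        raise ValueError("per-customer prefix must lie within the allocation")
    emitted = 0
    for sub in block.subnets(new_prefix=per_customer):
        base = int(sub.network_address)
        for iid in iids:
            if emitted >= limit:
                return
            yield ipaddress.IPv6Address(base | iid)
            emitted += 1


def guessed_probe_bytes(allocation: str, per_customer: int, iids_per_prefix: int = 2,
                        ports: int = 65536, probe_bytes: int = PROBE_BYTES) -> int:
    """Cost of the pruned scan: prefixes * guessed IIDs * ports * probe size."""
    block = ipaddress.IPv6Network(allocation)
    prefixes = 1 << (per_customer - block.prefixlen)
    return prefixes * iids_per_prefix * ports * probe_bytes


if __name__ == "__main__":
    print("NATed v4 router, all ports:", brute_force_probe_bytes(0) / 1e6, "MB")
    print("one IPv6 /64, all ports:   ", petabytes(brute_force_probe_bytes(64)), "PB")
    print("/48s in a /32, ::1 and ::2:", petabytes(guessed_probe_bytes("2001:db8::/32", 48)), "PB")
    for addr in guessed_hosts("2001:db8::/32", 48, limit=4):
        print(addr)
```

Even the pruned version only finds hosts that were numbered predictably; a SLAAC host with a random or privacy interface ID, or an admin who numbers servers from the middle of the /64, is not in the candidate list at all, which is the asymmetry against NATed v4 the reply is pointing at.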

Dagger2 commented on I spent a week without IPv4 (2023)   apalrd.net/posts/2023/net... · Posted by u/mahirsaid
ChrisMarshallNY · 5 days ago
Huh. I believe that, but didn’t know it (I write apps for Apple kit). I have done low-level networking stuff that would definitely have run into issues, but that was over ten years ago. These days, I rely on the upper layer of the stack.

I really should try an exercise like the one the author did. I’m not necessarily against IPv6, but I’m still a bit skeptical of it. We’ll likely be forced into it, as there’s no alternative, but that’s not exactly a ringing endorsement.

Dagger2 · 4 days ago
If your low-level networking code (I assume you mean BSD sockets here) is correct, it shouldn't even need to be aware of v4 or v6. The BSD socket API is designed so that the addresses are in an opaque data structure that you just pass around.
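
What family-agnostic socket code looks like in practice, as an added example rather than code from the original reply: getaddrinfo() picks the family, and the caller passes the (family, type, proto) triple and the opaque sockaddr straight into socket(), connect() and bind() without ever looking inside them. Python's socket module wraps the BSD API one to one, so the shape is the same in C. The one place practitioners do have to name a family is the IPV6_V6ONLY option on a listening socket, which is shown and labelled as the exception. The numeric addresses used are documentation addresses and the port numbers are arbitrary.

```python
import socket
from typing import List, Tuple


def resolve_any(host: str, port: int, numeric_only: bool = False) -> List[Tuple]:
    """AF_UNSPEC lets the resolver return v4, v6 or both; the caller does not care.
    numeric_only=True (AI_NUMERICHOST) skips DNS so literals can be tested offline."""
    flags = socket.AI_NUMERICHOST if numeric_only else 0
    return socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM, 0, flags)


def families_for(host: str, port: int = 443, numeric_only: bool = False) -> List[str]:
    """Which families the resolver produced; only for inspection, the connect path
    below never branches on this."""
    return [socket.AddressFamily(fam).name for fam, *_ in resolve_any(host, port, numeric_only)]


def connect_any(host: str, port: int, timeout: float = 3.0) -> socket.socket:
    """Try each candidate in resolver order (v6 first on a dual-stack system) and
    return the first socket that connects. Nothing here mentions AF_INET or AF_INET6."""
    last_err = None
    for family, socktype, proto, _canon, sockaddr in resolve_any(host, port):
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)          # sockaddr is opaque: a 2-tuple for v4, 4-tuple for v6
            return sock
        except OSError as exc:
            last_err = exc
            sock.close()
    raise OSError(f"could not connect to {host}:{port}") from last_err


def listen_any(port: int) -> List[socket.socket]:
    """Server side: one listening socket per family getaddrinfo(AI_PASSIVE) returns.
    The IPV6_V6ONLY line is the single family-specific step: without it, whether the
    v6 socket also accepts v4 connections (and so collides with the v4 socket) is OS-dependent."""
    socks = []
    for family, socktype, proto, _canon, sockaddr in socket.getaddrinfo(
            None, port, socket.AF_UNSPEC, socket.SOCK_STREAM, 0, socket.AI_PASSIVE):
        sock = socket.socket(family, socktype, proto)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        if family == socket.AF_INET6:
            sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
        sock.bind(sockaddr)
        sock.listen(5)
        socks.append(sock)
    return socks


if __name__ == "__main__":
    print(families_for("192.0.2.1", numeric_only=True))        # ['AF_INET']
    print(families_for("2001:db8::1", numeric_only=True))      # ['AF_INET6']
    print(families_for("::ffff:192.0.2.1", numeric_only=True)) # ['AF_INET6'] (v4-mapped, still opaque to us)
```

Code that breaks on v6 is almost always code that broke this contract: a fixed `struct sockaddr_in`, a 4-byte address buffer, or a regex for dotted quads. If the address is only ever a byte blob handed from getaddrinfo() to connect(), adding v6 to the host needs no change at all.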
Dagger2 commented on I spent a week without IPv4 (2023)   apalrd.net/posts/2023/net... · Posted by u/mahirsaid
bigstrat2003 · 5 days ago
Yes, in fact "just". This isn't remotely hard.
Dagger2 · 4 days ago
Well, okay, show us how to follow those instructions then.

"the :1 is short for :0001 basically" is easy enough: you get 2001::0001::0001.

Then "just put that bit at the very end" -- but which bit? If it means the ":0001", then there's two of them and they can't both go at the very end. If not, then it fails to specify which bit. Either way I don't see how these instructions are followable at all, let alone easily.
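
The rule the reply is poking at is the one in RFC 4291 and RFC 5952: `::` stands for one or more all-zero 16-bit groups and may appear at most once, precisely because a second `::` leaves the parser unable to tell how many groups each one stands for. As an added example (not code from the original comment), here is a small expander and RFC 5952 compressor that makes the ambiguity concrete: `2001::0001::0001` is rejected, while the canonical forms agree with the standard library's ipaddress module.

```python
import ipaddress
from typing import List


def _group(text: str) -> int:
    if not 1 <= len(text) <= 4:
        raise ValueError(f"bad group {text!r}: 1 to 4 hex digits expected")
    return int(text, 16)


def expand(addr: str) -> List[int]:
    """Text form to eight 16-bit groups. A second '::' is rejected rather than guessed
    at: with 2001::1::1 there is no way to know how many zero groups each '::' hides."""
    if addr.count("::") > 1:
        raise ValueError(f"{addr!r}: '::' may appear only once")
    if "::" in addr:
        head, tail = addr.split("::")
        hs = [_group(g) for g in head.split(":")] if head else []
        ts = [_group(g) for g in tail.split(":")] if tail else []
        missing = 8 - len(hs) - len(ts)
        if missing < 1:
            raise ValueError(f"{addr!r}: '::' must stand for at least one group")
        groups = hs + [0] * missing + ts
    else:
        groups = [_group(g) for g in addr.split(":")]
        if len(groups) != 8:
            raise ValueError(f"{addr!r}: expected 8 groups, got {len(groups)}")
    return groups


def compress(groups: List[int]) -> str:
    """RFC 5952 canonical text: lowercase hex, no leading zeros, and the longest run of
    two or more zero groups (leftmost on a tie) replaced by a single '::'."""
    if len(groups) != 8:
        raise ValueError("need exactly 8 groups")
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = [format(g, "x") for g in groups]
    if best_len < 2:                      # RFC 5952: never shorten a single zero group
        return ":".join(hexs)
    head = ":".join(hexs[:best_start])
    tail = ":".join(hexs[best_start + best_len:])
    return f"{head}::{tail}"


def canonical(addr: str) -> str:
    return compress(expand(addr))


def is_valid(addr: str) -> bool:
    try:
        expand(addr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for text in ("2001:0db8:0000:0000:0000:0000:0000:0001", "::1", "1:0:0:2:0:0:3:4", "2001::0001::0001"):
        print(text, "->", canonical(text) if is_valid(text) else "invalid")
```

The tie-breaking and "no single-group ::" rules matter operationally: log correlation, allow-lists and certificate SANs compare addresses as strings far more often than they should, and two valid spellings of one address (`2001:db8:0:0:1::1` versus `2001:db8::1:0:0:1`) will silently fail to match unless both sides canonicalize first.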

Dagger2 commented on I spent a week without IPv4 (2023)   apalrd.net/posts/2023/net... · Posted by u/mahirsaid
phito · 5 days ago
Myeah... I've had weird issues on my network that I could only resolve by disabling IPv6. Granted, it's probably my fault, but if everything still works fine with ipv4 that's fine to me. One day I will get into it and learn how it works and maybe I'll get it figured out... One day...
Dagger2 · 4 days ago
Random guess: PMTUD? Like on v4, some people fuck up their PMTUD and are incapable of realizing or fixing it, so you have to have some kind of workaround.

If setting your client machine MTU to 1280 (`ip link set mtu 1280 dev eth0` or equivalent) magically fixes it, that's your problem.
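
The diagnostic behind that test, as an added example rather than anything from the original reply: 1280 bytes is the minimum MTU every IPv6 link must carry, so a host clamped to 1280 never sends anything that needs a Packet Too Big message to get through, which is why the clamp "fixes" a path whose PTB messages are being lost. The code bisects for the largest do-not-fragment packet that survives a path, using either a constructed simulated path (for offline use) or, on Linux, an iputils `ping -6 -M do` probe. The hostnames and the 1400-byte simulated link are assumptions of the example.

```python
import shutil
import subprocess
from typing import Callable

IPV6_MIN_MTU = 1280      # RFC 8200: every IPv6 link must carry this without fragmentation
IPV6_HDR = 40
ICMPV6_HDR = 8
TCP_HDR = 20

Probe = Callable[[int], bool]   # probe(packet_size) -> did a do-not-fragment packet of that size get through


def ping6_payload_for(packet_size: int) -> int:
    """`ping -6 -s N` sends N bytes of ICMPv6 payload; on the wire that is N + 40 + 8 bytes."""
    return packet_size - IPV6_HDR - ICMPV6_HDR


def tcp_mss_for(mtu: int) -> int:
    """The MSS a host should advertise for a given path MTU (no TCP options assumed)."""
    return mtu - IPV6_HDR - TCP_HDR


def find_path_mtu(probe: Probe, lo: int = IPV6_MIN_MTU, hi: int = 1500) -> int:
    """Largest packet size in [lo, hi] the path accepts, by bisection (about 8 probes).
    If even `lo` fails the problem is not PMTUD, so say so instead of returning nonsense."""
    if not probe(lo):
        raise RuntimeError(f"{lo}-byte packets fail too; this is not a path MTU problem")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def simulated_path(link_mtu: int) -> Probe:
    """Constructed stand-in for a real path with one narrow link. Whether or not the
    router's Packet Too Big gets back to the sender, the probe sees the same thing:
    oversize packets vanish."""
    return lambda size: size <= link_mtu


def ping6_probe(host: str, interface: str = None) -> Probe:
    """Real probe (Linux iputils): -M do forbids fragmentation, -s sets the payload.
    Exit status 0 means an echo reply came back for a packet of exactly `size` bytes."""
    if shutil.which("ping") is None:
        raise RuntimeError("ping not found")
    def probe(size: int) -> bool:
        cmd = ["ping", "-6", "-M", "do", "-c", "1", "-W", "2", "-s", str(ping6_payload_for(size))]
        if interface:
            cmd += ["-I", interface]
        cmd.append(host)
        return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0
    return probe


if __name__ == "__main__":
    # Offline: a path with a 1400-byte link somewhere in the middle (constructed).
    pmtu = find_path_mtu(simulated_path(1400))
    print("path MTU:", pmtu, "advertise MSS:", tcp_mss_for(pmtu))
    # Online (assumed host, Linux only): find_path_mtu(ping6_probe("example.invalid"))
```

If the bisection lands below the interface MTU while small packets work, the path is narrower than the host believes and PTB messages are not reaching it (commonly a firewall dropping ICMPv6). The honest fixes are allowing ICMPv6 type 2 through, or MSS clamping on the router; setting the client MTU to 1280 is the blunt instrument that works when you do not control the broken hop.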

u/Dagger2 · karma 419 · cake day June 6, 2012