IPv6 – Google
www.google.com
  • treadful@lemmy.zipEnglish
    6·
    6 hours ago

    I gotta suck it up and learn IPv6. My ISP now provides me with a /64. But I feel like I have a lot of knowledge gaps on their features so I’m worried about security. Especially with all the new features like SLAAC.

    What’s the best crash course these days? Go through Cisco materials or something?

    • W98BSoD@lemmy.dbzer0.comEnglish
      2·
      5 hours ago

      I feel that but I’m also torn because IPv4 keeps plugging along for me and work isn’t moving to v6 anytime soon for the private networks.

    • cmnybo@discuss.tchncs.deEnglish
      3·
      15 hours ago

      You need to find out if your ISP supports prefix delegation. A /64 will only give you one subnet. An ISP should supply a /56 if your router requests it. There are some bad ISPs out there that won’t though.

        • cmnybo@discuss.tchncs.deEnglish
          3·
          14 hours ago

          An IPv6 subnet must be /64. Anything else breaks stuff. If you want a separate network for guests or IoT devices, a single /64 won’t be enough because it can’t be divided up any smaller.

          • treadful@lemmy.zipEnglish
            1·
            12 hours ago

            You can’t subnet below a /64 at all? Or it just makes things like SLAAC/auto-addressing using the MAC address unusable?

            • cmnybo@discuss.tchncs.deEnglish
              2·
              10 hours ago

              SLAAC won’t work with a smaller subnet. Static addressing is not an option since your /64 is going to be dynamically assigned. That leaves DHCPv6, which won’t work with any android devices or chromebooks.

              It would be best to just run IPv6 on one network if you can’t at least get a /60.

              • treadful@lemmy.zipEnglish
                2·
                6 hours ago

                I’m a bit concerned about SLAAC’s metadata leakage. Sending out many of my devices’ MAC addresses to the world isn’t exactly the best for privacy. My key devices like laptop and phone use MAC randomization, but I have a ton of other stuff that doesn’t.

                That leaves DHCPv6, which won’t work with any android devices or chromebooks.

                Damn, that’s a straight WONTFIX, too since 2014. Lots of religious argument in there, maybe I’m reading all that tonight.

                Thanks for answering my questions.

                • cmnybo@discuss.tchncs.deEnglish
                  2·
                  5 hours ago

                  Modern operating systems don’t use the MAC address for SLAAC. They generate a completely random address. You can choose a stable address or a temporary one that will change frequently for more privacy. You can also use both, IPv6 allows multiple addresses on one device.

            • nonentity@sh.itjust.worksEnglish
              1·
              10 hours ago

              The only legitimate v6 prefix smaller than /64 is /127, to be used for point to point links, similar to /31’s in v4, but these aren’t processed for routing outside of the boxes the link is configured on.

              The concepts of addressing for v4 and v6 don’t map 1:1.

              From the perspective of the internet, and any properly configured routing infrastructure, they should only ever be interested in the first 64 bits when routing, the second 64 should be exclusively the domain of the last segment. It’s like inserting an additional type of addressing between the routing portion and the protocol port.

              You kind of have this with v4, but it’s variable, particularly since CIDR shot the v4 address classes in the head, so the equipment had to be able to process the entire address with every routing lookup and other functions.

              • treadful@lemmy.zipEnglish
                1·
                6 hours ago

                From the perspective of the internet, and any properly configured routing infrastructure, they should only ever be interested in the first 64 bits when routing, the second 64 should be exclusively the domain of the last segment.

                Interesting. But routers don’t actually strip that, do they? So the endpoint I’m communicating with will still get the full /128 address? I’m concerned about the privacy implications of MAC addresses being sent to everybody and their mother.

                • nonentity@sh.itjust.worksEnglish
                  1·
                  5 hours ago

                  The full 128 bits of source and destination addresses are passed end-to-end, my comment is specifically focused on routing.

                  As far as privacy is concerned, v6 allows a much broader scope for protection than v4 and NAT, as the IA portion (second 64 bits) can be changed at will by that endpoint. EUI-64 is still common with basic v6 stacks, but SLAAC will rotate every ~24 hours.

                  EDIT: I’d conflated the original SLAAC specification with the SLAAC privacy extensions RFC 4941, which at almost 2 decades old itself could be argued to be the canonical reference.

                  One of my favourite features of v6 is it explicitly permits, and caters for, multiple addresses on an interface. This means you could theoretically have a unique address per application, within multiple prefixes if they’re available.

                  I personally have all my internal services accessible only on addresses under ULA prefixes, which intrinsically prevents them from being accessed outside of my network, no firewall required. Using WireGuard permits remote access when needed.

  • shortwavesurfer@lemmy.zipEnglish
    1·
    12 hours ago

    My ISP gives me my own IPv6, and I have shared IPv4 with CGNAT, but unfortunately, they can’t assign me a static v6, so that I can have servers and stuff. So I just do things like that over Tor. Though things like Tor need work as well, because you’re not able to have a Tor relay on IPv6. You need V4 for that.

    • magic_smoke@lemmy.blahaj.zoneEnglish
      1·
      11 hours ago

      If you’re willing to spend a coupla bucks a month you can setup wireguard and iptables on a vps, and port forward through the public IP on your VPN server to yourbhome router via the wg interface.

      Also good for anonymous home hosting if you pay with xmr, turn off logging (bonus pts for luks and RO filesystems) and use the right host.

    • raldone01@lemmy.worldEnglish
      4·
      20 hours ago

      My wired carrier only gives me a /60 for ipv6 and they can’t do reverse DNS entries for ipv6. :(

      At least I get an ipv6.

        • raldone01@lemmy.worldEnglish
          1·
          51 minutes ago

          Exactly some. We are so tight on ipv6 adresses a /48 would be ludicrous. Imagine me wanting some local networks.

          This is something where ipv4 is actually better for my use. Also I have to Hardcore the ipv6 prefix in so many applications and services - I dread ever getting a different prefix.

    • smileyhead@sh.itjust.worksEnglish
      2·
      13 hours ago

      I would love to use this superior as you say IPv4 addressing technology, but newsflash we have ran out of it.

    • mschae@discuss.mschae23.deEnglish
      61·
      17 hours ago

      What makes you say that? As far as I can tell, the only actual downside of it is having to type longer addresses sometimes, but one should really just use the DNS for that. And a bigger address space was needed. Everything else seems better or at least simpler. Autoconfiguration (SLAAC), only one loopback address (which is shorter than any of IPv4’s loopback addresses), subnetting, no need for NAT, proper support for multiple addresses per interface…

      In practice, most problems with IPv6 probably just come from bad support for it in software. That means they should be improved, not that IPv6 was a failure. Also check that you’re not blocking ICMP6 traffic in a firewall or similar (or at least allow the things SLAAC and neighbor discovery need).