this post was submitted on 08 Jun 2024
483 points (97.4% liked)

Memes

44073 readers
2182 users here now

Rules:

  1. Be civil and nice.
  2. Try not to excessively repost, as a rule of thumb, wait at least 2 months to do it if you have to.

founded 5 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
483
Maybe we can get good IPv6 support now (lemmy.world)
submitted 3 weeks ago by [email protected] to c/[email protected]
65 comments fedilink hide all child comments
 

https://www.sidn.nl/en/news-and-blogs/cgnat-frustrates-all-ip-address-based-technologies

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 7 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

This is why I use PFSense and Hurricane Electric as a v6 tunnelbroker. I have working functional IPv6 with SLAAC and DHCPv6 and full Routing Advertisements on my LAN running side-by-side so that no matter which the device implements how poorly; it gets an IPv6 address and it works and is protected by the firewall.

[–] [email protected] 2 points 3 weeks ago* (last edited 3 weeks ago) (2 children)

That sounds awesome.

I really like stateless, but it bugs me that the router has to snoop on traffic if you want a list of devices. The good ones will actually do this, but most are blind to how your network is being used with IPv6.

And it really bothers me that Android just refuses to support DHCPv6 in any capacity. Seems like a weird hill to die on. There are too many legitimate use cases.

[–] [email protected] 4 points 3 weeks ago (1 children)

I run both because of this; and because SLAAC enables features in Desktop OSes that offer some level of additional privacy.

For example; Windows can do "Temporary IPv6 Addressing" that it will hand out to various applications and browsers. That IPv6 address rotates on a periodic basis; once every 24 hours by default; and can be configured to behave differently depending on your needs via registry keys.

This could for example, allow you to quickly spin up a small application server for something; like a gaming session; and let you use/bind that IPv6 address for it. Once the application stops using it and the time period has elapsed; Windows drops the IP address and statelessly configures itself a new one.

[–] [email protected] 1 points 3 weeks ago (1 children)

I also like the privacy extensions, but how often does your prefix even change? Most places I've seen you get a /64 announced and it basically never changes -- so somewhat elementary to "break through" that regardless.

[–] [email protected] 2 points 3 weeks ago

I have a /48 that I can basically roll through.

A /64 is more than enough though to prevent most casual attempts at entry; and does force more work / enumeration to be done to break into a network and do damage with. I'm not saying the privacy extensions are the greatest; but they do work to slightly increase the difficulty of tracking and exploitation.

With a /48 or even a /56; I can subdivide things and hand out several /64s to each device too; which would shake up things if tracking expects a /64 explicitly.

I actually use /55s to cordon off blocks inside the /48 that aren't used too. So dialing a random prefix won't help. You'd be surprised how often I get intrusive portsweeps trying to enumerate my /64s this way...and it doesn't work because I'm not subnetting on any standard behavior.

[–] [email protected] 4 points 3 weeks ago

It is a weird hill to die on for sure.