671
Checklist for Migrating to HTTPS:
- Disable all 443 port traffic
I pay yearly more for IPv4 address space for virtual machines on my dedicated server than for that dedicated server itself _(ツ)_/.
Let that thing die.
Monthly summary:
54.40€ - 30 IPv4 addresses
0.00€ - 18 quintillion IPv6 addresses
38.39€ - whole server for dozens of services
Someone is using Hetzner. :) Yes let IPv4 fade away. Still what services are you running that require so many unique IPs?
Actually, the Dutch government has mandated that all of its services need to be IPv6 compatible.
The longer you try to avoid IPv6, the harder you'll make your life when you eventually need to use it.
It's really not that hard, especially compared to the kludge of protocols that make up IPv4. I know change is scary and difficult, but if you can do IPv4, you can do IPv6.
ipv6 in companies... ipv6 is not hard, but for internal networking no company (really) "needs" more than rfc1918 address space. thus any decision in that direction is always "less" needed than any bonus for (da)magement personnel is crucial for the whole companies survival...
for companies services to be reachable from outside/ipv6 mostly "only" the loadbalancers/revproxies etc need to be ipv6 ready but ... this i.e. also produces logs that possibly break decades old regexes that no one understands any more (as the good engineers left due to too many boni payed to damagement personnel) while other access/deny rules that could break or worse let through where they should block (remember that 192.168. could the local part of ipv6 IF sone genious used a matching mech that treats the dot "." as a wildcard as overpayed damagement personnel made them rush too fast), could be hidden "somewhere". altogether technical debt is a huge blocker for everything, especially company growth, and if no customer "demands" ipv6, then it stays on the damagement personnels list as "fulfilling the whishes of engineers to keep them happy" instead of on the always deleted "cleaning up technical debt caused by damagement personnel" list.
setting up firewalls for ipv6 is quite easy and if you go the finegrained "whitelisted or drop/block" approach from the beginning it might take a bit for ipv6 specials to be known to you, but the much bigger thing is IMHO the then current state of firewall rules. and who knows every existing rule? what rules should be removed already and must not be ported to ipv6? usually firewalls and their rules are a big mess due to ... again too many boni payed to damagement personnel, hindering the company from the needed steps forward...
ipv6 adoption is slow for reasons that are driving huge cars that in turn speed up other problems ;-|
I know several companies that, because of bad network planning, have ended up using public address ranges as internal IP addresses. IPv6 would've solved this easily, but I don't think the relevant network admins ever bothered to learn network configuration beyond 1990. But hey, who needs that arbitrary /8 anyway, right? Not like anyone's going to host DNS on 1.0.0.0/8!
i once had to look at a firefall appliance cluster, (discovered, it could not do any failover in its current state but somehow the decider was ok with that) but when looking at its logs, i discovered an rsh and rcp access from an ip address that belonged to a military organisation from a different continent. i had to make it a security incident. later the vendor said that this was only the cluster internal routing (over the dedicated crosslink), used for synchronisation (the thing that did not work) and was only used by a separate routing table only for clustersync and that could never be used for real traffic. but why not simply use an ip that you "own" by yourself and PTR it with a hint about what this ip is used for? instead of customers scratching their head why military still uses rcp and rsh. i guess because no company reads firewall logs anyway XD
someone elses ip? yes! becuase they'll never find out !!1!
i really appreciate that ipv6 has things like a dedicated documentation address range and that fc00:/7 is nicely short.
My ISP doesn't support IPv6, now what?
It's really bullshit.
Really bullshit ISP indeed.
Hurricane Electric will give you a bunch of free /64s and a /48 to play with, which you can set up for tunneling on any IPv4 connection that doesn't block ICMP traffic to HE. You can set this up within a range of routers, but if your router doesn't support it, you can also set it up on most PCs (Windows and Linux for sure, for macOS you'll need to check, but I'm sure it'll be fine).
You can also use IPv6 locally by simply advertising a subnet from the right range (an ULA), which is also useful for maintaining internal addressing if you do get normal IPv6 but your ISP is a bunch of dickwads that rotate the subnets they hand out (likely to happen if they make you pay extra for a static IP right now).
load more comments
(1 replies)
Hurricane Electric have a free tunnel broker that is super simple to set up if you really want to get on the bandwagon.
Though honestly I'd say the benefits of setting it up aren't really worth the trouble unless you're keen.
load more comments
(6 replies)
It also means you no longer need the kludge that is NAT. Full E2E connectivity is really nice -- though I've found some network admins dislike this idea because they're so used to thinking about it differently or (mistakenly) think it adds to their security.
NAT still has its place in obfuscating the internal network. Also, it's easier to think about firewall/routing when you segregate a network behind a router on its own subnet, IMO.
Given how large the address space is, it's super easy to segregate out your networks to the nth degree and apply proper firewall rules.
There's no reason your clients can't have public, world routeable IPs as well as security.
Security via obfuscation isn't security. It's a crutch.
There's no reason your clients can't have public, world routeable IPs as well as security.
There are a lot of valid reasons, other than security, for why you wouldn't want that though. You don't necessarily want to allow any client's activity to be traceable on an individual level, nor do you want to allow people to do things like count the number of clients at a particular location. Information like that is just unnecessary to expose, even if hiding it doesn't make anything more secure per se.
Well good news. Because ipv6 has a thing called privacy extensions which has been switched on by default on every device I've used.
That generates random ipv6 addresses (which are regularly rotated) that are used for outgoing connections. Your router should block incoming connections to those ips but the os will too. The proper permanent ip address isn't used for outgoing connections and the address space allocated to each user makes a brute force scan more prohibitive than scanning the whole Ipv4 Internet.
So I'm going to say that using routable ipv6 addresses with privacy extensions is more secure than a single Ipv4 Nat address with dnat.
Obfuscation is not security, and not having IPv6 causes other issues. Including some security/privacy ones.
There is no problem having a border firewall in IPv6. NAT does not help that situation at all.
Obfuscation is not security
Yes, of course. But saying trite things like that doesn't get around the idea that giving out a map of the internal network by default isn't the best policy.
load more comments
(3 replies)
load more comments
(2 replies)
load more comments
(1 replies)
I think you'll find some ISPs will be reluctant to let go of CGNAT - they're doing quite nicely by charging extra for 'commercial' services where it's not in the way.
Fortunately, many of us know about cloudflare tunnelling and other services, so NAT really isn't a problem to self hosters and even SMEs any more.
load more comments
(18 replies)
I had network speed issues and the solution was literally to disable ipv6... Fiber 1gbit network still had issues. https://www.reddit.com/r/youtube/comments/owbjdl/anyone_else_getting_buffering_when_using_ipv6/
This has nothing to do with IPv6 itself. I pull in 4K YouTube videos over IPv6 just fine. My IPv6 routes actually have lower latency than my IPv4 routes, funnily enough.
Sounds like your ISP has broken their IPv6 routes, or your modem is outdated and can't do IPv6 hardware acceleration. Disabling IPv6 to downgrade your connection will work as a workaround, at least until your ISP switches over to something using IPv6 as the connection backbone (like DS-Lite, which would allow your ISP to significantly reduce their IPv4 space and make a quick profit selling off their allocations, which is unfortunately becoming more and more common).
Your ISP or modem manufacturer needs to fix the actual problem here.
load more comments
(1 replies)
Weird. Ipv6 and YouTube stats for nerds shows between 140mbit and 600mbit depending on what's being watched and the time of day.
Is it possible your isp has problems with their ipv6 setup?
IPv6 overheads should only have a marginal impact on max speeds.
load more comments
(1 replies)
maybe start with an adjustable setup:
- rent a cheap vm, i got one for 1€/month (for the first year,cancel monthly) from ovh currently
- setup 3 openvpn instances to redirect all routes through the tunnel, one with ipv4 only, one with ipv6 only and one with both
- setup the client on your mobile phone and your laptop both with all three vpns to choose from
- have the option to choose now and try out ipv6, standalone or dualstack depending on what vpn you switch on
- use this setup to blame services that don't support ipv6 yet or maybe are broken with dualstack 🤣
- rise from under-the-stone (disabling ipv6 only) to in-sunlight (to a well-above-industry-standart-level !!! "quick" new network technologies adopting "genious") 🤣
- improve your openvpn setup from above to be reachable "by" ipv6 too if you haven't done it from the beginning, done: reach the pro-level of the-late-adopter-noob-group
(if you want, ask for config snippets)
btw i prefer to wait for ipv8😁 before "demanding" ipv6 from services i use 🤣
I also know that I cannot tell the difference between two IPv6 addresses because they all merge into an indiscernible blur inside my head
Back when we had to dial ipv4 addresses from memory
However I can see when any IPv6 begins with 2a02:12xx:: then it's Swisscom (biggest swiss ISP). But I can't remember any of their hundreds of IPv4 prefixes.
I have a feeling making it all CAPS would have made it just a bit easier.
That, or using monospace fonts for it everywhere.
I recite IPv6 addresses on my company networks from memory all the time. It helps that we got a bit lucky on our allocation. There are no letters.
Plus it's really easy to number subnets in a way that makes sense.
load more comments
(3 replies)
I keep hearing this, and I KNOW it's true at the enterprise level, but I've been running my home LAN IPv6 native for the last - 6+ years? Ever since I learned Comcat would vend it to you from their stock router.
Works great. No problems. Didn't used to be that way, but these days most (more?) of the stack bugs have been shaken out.
I'm a network engineer and I run ipv6 natively in all of our datacenters. There are even a handful of end systems that have ipv6 native networking stacks with ipv4 sockets for our non-ipv6 compatible applications. IPv6 issues are basically self-inflicted at this point by companies that see their IT systems as cost centers, or by basilisk directors who's knowledge stopped in the 90's.
Yeah, I feel like this is one of those memes that just travevls like lightning because it's attractive to people.
IPv6 WAS crazy bad for a very long time, so I can kind of understand it at least, but wake up and smell the 128 bit addressing people, ipv6 is a SUPER useful tool when you need it :)
::1 is the new 127.0.0.1
:: abbreviates empty fields
ipv6 has more addresses
there is something going on with mac addresses (asside from arp)
thats all i remember
fd00:: is the new 192.168
~~fc00::/7 are ULA (basically what RFC1918 was for IPv4)~~ not entirely true, fc00::/8 is part of ULA, but it is not yet defined. Use fd00::/8 instead.
2001:db8::/32 is for documentation purposes
load more comments
(10 replies)
I am hosting a few services on my LAN over IPv6, except for Plex, which I am tunneling through IPv4, since Plex itself used to have issues with IPv6.
It's always funny when friends complain that one of my services is down, it was 100% IPv6 not working/enabled/willingly disabled on their site yet.
I made an effort to learn it. In 2000. Again in 2012 or whenever the last big push was. If past is prologue, I may need to learn it again soon. 😆
Ah, Dutch directness... Nothing says clear communication louder than the Dutch
It's an edited image, but you are darn right. Proper communication is great
load more comments
(2 replies)
load more comments
(1 replies)
view more: next ›
this post was submitted on 24 Jun 2024
671 points (98.0% liked)
Programmer Humor
31183 readers
62 users here now
Post funny things about programming here! (Or just rant about your favourite programming language.)
Rules:
- Posts must be relevant to programming, programmers, or computer science.
- No NSFW content.
- Jokes must be in good taste. No hate speech, bigotry, etc.
founded 4 years ago
MODERATORS