Checklist for Migrating to HTTPS:
- Disable all 443 port traffic
this post was submitted on 24 Jun 2024
675 points (98.0% liked)
Programmer Humor
31217 readers
36 users here now
Post funny things about programming here! (Or just rant about your favourite programming language.)
Rules:
- Posts must be relevant to programming, programmers, or computer science.
- No NSFW content.
- Jokes must be in good taste. No hate speech, bigotry, etc.
founded 4 years ago
MODERATORS
I pay yearly more for IPv4 address space for virtual machines on my dedicated server than for that dedicated server itself _(ツ)_/.
Let that thing die.
Monthly summary:
54.40€ - 30 IPv4 addresses
0.00€ - 18 quintillion IPv6 addresses
38.39€ - whole server for dozens of services
Someone is using Hetzner. :) Yes let IPv4 fade away. Still what services are you running that require so many unique IPs?
Actually, the Dutch government has mandated that all of its services need to be IPv6 compatible.
The longer you try to avoid IPv6, the harder you'll make your life when you eventually need to use it.
It's really not that hard, especially compared to the kludge of protocols that make up IPv4. I know change is scary and difficult, but if you can do IPv4, you can do IPv6.
My ISP doesn't support IPv6, now what?
It's really bullshit.
Really bullshit ISP indeed.
Hurricane Electric have a free tunnel broker that is super simple to set up if you really want to get on the bandwagon.
Though honestly I'd say the benefits of setting it up aren't really worth the trouble unless you're keen.
Yeah it's a huge source of problems. If you are outside the US your IPv6 prefix is never gonna be correct in every GeoIP database, even if you send a request to have it corrected, so you sometimes get geoblocked and other sites just block you because it sometimes gets classified as VPN.
I agree. GeoIP was never a good idea, but here we are. Any ASN could be broken up and routed wherever (and changed) but it's still far too prevalent.
load more comments
(4 replies)
Hurricane Electric will give you a bunch of free /64s and a /48 to play with, which you can set up for tunneling on any IPv4 connection that doesn't block ICMP traffic to HE. You can set this up within a range of routers, but if your router doesn't support it, you can also set it up on most PCs (Windows and Linux for sure, for macOS you'll need to check, but I'm sure it'll be fine).
You can also use IPv6 locally by simply advertising a subnet from the right range (an ULA), which is also useful for maintaining internal addressing if you do get normal IPv6 but your ISP is a bunch of dickwads that rotate the subnets they hand out (likely to happen if they make you pay extra for a static IP right now).
load more comments
(1 replies)
It also means you no longer need the kludge that is NAT. Full E2E connectivity is really nice -- though I've found some network admins dislike this idea because they're so used to thinking about it differently or (mistakenly) think it adds to their security.
NAT still has its place in obfuscating the internal network. Also, it's easier to think about firewall/routing when you segregate a network behind a router on its own subnet, IMO.
Given how large the address space is, it's super easy to segregate out your networks to the nth degree and apply proper firewall rules.
There's no reason your clients can't have public, world routeable IPs as well as security.
Security via obfuscation isn't security. It's a crutch.
There's no reason your clients can't have public, world routeable IPs as well as security.
There are a lot of valid reasons, other than security, for why you wouldn't want that though. You don't necessarily want to allow any client's activity to be traceable on an individual level, nor do you want to allow people to do things like count the number of clients at a particular location. Information like that is just unnecessary to expose, even if hiding it doesn't make anything more secure per se.
Well good news. Because ipv6 has a thing called privacy extensions which has been switched on by default on every device I've used.
That generates random ipv6 addresses (which are regularly rotated) that are used for outgoing connections. Your router should block incoming connections to those ips but the os will too. The proper permanent ip address isn't used for outgoing connections and the address space allocated to each user makes a brute force scan more prohibitive than scanning the whole Ipv4 Internet.
So I'm going to say that using routable ipv6 addresses with privacy extensions is more secure than a single Ipv4 Nat address with dnat.
That's what temporary privacy addresses are for. Clients can just keep generating new addresses in your /64, which is it's own subnet.
Obfuscation is not security, and not having IPv6 causes other issues. Including some security/privacy ones.
There is no problem having a border firewall in IPv6. NAT does not help that situation at all.
Obfuscation is not security
Yes, of course. But saying trite things like that doesn't get around the idea that giving out a map of the internal network by default isn't the best policy.
load more comments
(3 replies)
load more comments
(2 replies)
load more comments
(19 replies)
I had network speed issues and the solution was literally to disable ipv6... Fiber 1gbit network still had issues. https://www.reddit.com/r/youtube/comments/owbjdl/anyone_else_getting_buffering_when_using_ipv6/
This has nothing to do with IPv6 itself. I pull in 4K YouTube videos over IPv6 just fine. My IPv6 routes actually have lower latency than my IPv4 routes, funnily enough.
Sounds like your ISP has broken their IPv6 routes, or your modem is outdated and can't do IPv6 hardware acceleration. Disabling IPv6 to downgrade your connection will work as a workaround, at least until your ISP switches over to something using IPv6 as the connection backbone (like DS-Lite, which would allow your ISP to significantly reduce their IPv4 space and make a quick profit selling off their allocations, which is unfortunately becoming more and more common).
Your ISP or modem manufacturer needs to fix the actual problem here.
load more comments
(1 replies)
Weird. Ipv6 and YouTube stats for nerds shows between 140mbit and 600mbit depending on what's being watched and the time of day.
Is it possible your isp has problems with their ipv6 setup?
IPv6 overheads should only have a marginal impact on max speeds.
load more comments
(1 replies)
load more comments
(3 replies)
I also know that I cannot tell the difference between two IPv6 addresses because they all merge into an indiscernible blur inside my head
Back when we had to dial ipv4 addresses from memory
However I can see when any IPv6 begins with 2a02:12xx:: then it's Swisscom (biggest swiss ISP). But I can't remember any of their hundreds of IPv4 prefixes.
I have a feeling making it all CAPS would have made it just a bit easier.
That, or using monospace fonts for it everywhere.
load more comments
(4 replies)
::1 is the new 127.0.0.1
:: abbreviates empty fields
ipv6 has more addresses
there is something going on with mac addresses (asside from arp)
thats all i remember
fd00:: is the new 192.168
~~fc00::/7 are ULA (basically what RFC1918 was for IPv4)~~ not entirely true, fc00::/8 is part of ULA, but it is not yet defined. Use fd00::/8 instead.
2001:db8::/32 is for documentation purposes
load more comments
(10 replies)
I keep hearing this, and I KNOW it's true at the enterprise level, but I've been running my home LAN IPv6 native for the last - 6+ years? Ever since I learned Comcat would vend it to you from their stock router.
Works great. No problems. Didn't used to be that way, but these days most (more?) of the stack bugs have been shaken out.
I'm a network engineer and I run ipv6 natively in all of our datacenters. There are even a handful of end systems that have ipv6 native networking stacks with ipv4 sockets for our non-ipv6 compatible applications. IPv6 issues are basically self-inflicted at this point by companies that see their IT systems as cost centers, or by basilisk directors who's knowledge stopped in the 90's.
Yeah, I feel like this is one of those memes that just travevls like lightning because it's attractive to people.
IPv6 WAS crazy bad for a very long time, so I can kind of understand it at least, but wake up and smell the 128 bit addressing people, ipv6 is a SUPER useful tool when you need it :)
I am hosting a few services on my LAN over IPv6, except for Plex, which I am tunneling through IPv4, since Plex itself used to have issues with IPv6.
It's always funny when friends complain that one of my services is down, it was 100% IPv6 not working/enabled/willingly disabled on their site yet.
I made an effort to learn it. In 2000. Again in 2012 or whenever the last big push was. If past is prologue, I may need to learn it again soon. 😆
Ah, Dutch directness... Nothing says clear communication louder than the Dutch
It's an edited image, but you are darn right. Proper communication is great
It is in the style of the original, where during Covid the page on “Migrating to the Netherlands” simply just started with “Do not migrate to the Netherlands”, before expanding on the Covid restrictions on place and what foreign nationals currently in the Netherlands are to do.
On one hand: Now that's loud & clear communication. On the other hand, “Just don't” really ties in to the stereotype of Dutch directness/rudeness.
load more comments
(1 replies)
load more comments
(1 replies)
view more: next ›