Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
>>> I guess the reason it jars us here is because most people post properly.
>> Except the gmail lusers who haven't figured out how to turn off multipart html crap.
> +1

Unfair: the 'text' formatting mode from GMail is very standards compliant, trimming the lines etc. Maybe one should just more explicitly tell new users to enable it when posting to mailing lists. This is even easier to activate (the hyperlink right above the text area) than in any mail client I have ever seen (except those which do only text, of course...)

___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Wed, 2010-12-08 at 16:49 -0600, David G. Mackay wrote:
> On Wed, 2010-12-08 at 10:41 -0500, Adam Tauno Williams wrote:
>> On Wed, 2010-12-08 at 09:37 -0600, David G. Mackay wrote:
>>> On Wed, 2010-12-08 at 10:01 +0100, David Sommerseth wrote:
>>>> Nope, ARP is gone. But it gets a replacement as a part of IPv6, instead of ARP being an addition to IPv4.
>>>> http://itkia.com/how-to-arp-a-in-ipv6/
>>>> http://www.tcpipguide.com/free/t_TCPIPIPv6NeighborDiscoveryProtocolND.htm
>>> I have a question about how IPV6 interacts with the switches in the local network. Right now, my sub $50(US) gigabit switch from any of several vendors keeps an arp table to determine which switch port a message will use. With the huge address space available with IPV6, how is that going to work, and when am I going to get a cheap soho switch that can handle IPV6?
>> The switch will continue to operate using the MAC# of the client interfaces. The switch doesn't care about IPv4, IPv6, or IPX for that matter [unless you enabled vLANs or management features - which is a different issue].
> Maybe that's the case for my little cheapo soho switch.
>> The switch does not maintain an arp table. It maintains a list of MAC#s it has seen on each port.
> Sorry, but that's certainly incorrect for the higher end switches.

Hence: unless you enabled vLANs or management features - which is a different issue.

> I've accessed the arp table on several different brands of switches. Also, look up ARP poisoning.

If the switch has an IPv4 management interface then it has, by definition, an ARP table. ARP is how IPv4 works on Ethernet. This doesn't mean [necessarily] that the switching mechanism is using the ARP table to route packets. If 802.1x or some type of protection scheme is not in place all one has to do is forge the MAC address on any traffic to 'confuse' the switch. Specifically ARP cache poisoning is required to get an IPv4 host to misdirect its traffic to another host on the subnet.

It is very fun to play with this, and Linux makes it pretty easy.

    ip link set address xx:xx:xx:xx:xx:xx dev eth0
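The host-side attack described above, as an added example that is not part of the thread: an arpwatch-style detector for ARP cache poisoning. An IPv4 host updates its ARP cache from any reply it receives, so a machine that answers for the gateway's IP with its own MAC (or that has set a forged MAC with `ip link set address`) pulls the victim's traffic to itself. The detector keeps the first IP-to-MAC binding it sees, optionally pre-seeded with known-good entries, and alerts when a later reply rebinds that IP to another MAC. The addresses and the captured frames are constructed for this example.

```python
"""arpwatch-style detector for ARP cache poisoning on an IPv4 segment.

Added example, not code from the CentOS thread. All addresses and frames
below are constructed; 192.0.2.0/24 is the RFC 5737 documentation range.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpPacket:
    opcode: int        # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass(frozen=True)
class Alert:
    ip: str
    old_mac: str
    new_mac: str
    reason: str


@dataclass
class ArpWatcher:
    # IP -> MAC as first observed, or pre-seeded from a trusted inventory
    bindings: Dict[str, str] = field(default_factory=dict)
    alerts: List[Alert] = field(default_factory=list)

    def observe(self, pkt: ArpPacket) -> Optional[Alert]:
        """Feed one ARP packet; return an Alert if it rebinds a known IP."""
        if pkt.opcode != ARP_REPLY:
            return None  # requests make no claim a host would cache
        mac = pkt.sender_mac.lower()
        known = self.bindings.get(pkt.sender_ip)
        if known is None:
            self.bindings[pkt.sender_ip] = mac  # first sighting: trust on first use
            return None
        if known == mac:
            return None
        # A gratuitous reply (sender == target) is the usual poisoning vector;
        # a unicast reply aimed at one host is the targeted variant.
        kind = "gratuitous" if pkt.sender_ip == pkt.target_ip else "unicast"
        alert = Alert(pkt.sender_ip, known, mac, f"IP rebound by {kind} ARP reply")
        self.alerts.append(alert)
        return alert


def run_sample() -> List[Alert]:
    """Replay a constructed capture: two legitimate hosts, then an attacker
    claiming the gateway's IP and then the victim's IP (a full MITM)."""
    gateway, victim, attacker = "02:00:00:00:00:01", "02:00:00:00:00:20", "02:00:00:00:00:66"
    capture = [
        ArpPacket(ARP_REQUEST, victim, "192.0.2.20", "00:00:00:00:00:00", "192.0.2.1"),
        ArpPacket(ARP_REPLY, gateway, "192.0.2.1", victim, "192.0.2.20"),
        ArpPacket(ARP_REPLY, victim, "192.0.2.20", gateway, "192.0.2.1"),
        # attacker: gratuitous reply claiming the gateway IP, sent to broadcast
        ArpPacket(ARP_REPLY, attacker, "192.0.2.1", "ff:ff:ff:ff:ff:ff", "192.0.2.1"),
        # attacker: unicast reply to the gateway claiming the victim IP
        ArpPacket(ARP_REPLY, attacker, "192.0.2.20", gateway, "192.0.2.1"),
        # the real gateway keeps answering; that race is what poisoning exploits
        ArpPacket(ARP_REPLY, gateway, "192.0.2.1", victim, "192.0.2.20"),
    ]
    watcher = ArpWatcher(bindings={"192.0.2.1": gateway})  # gateway pre-seeded
    for pkt in capture:
        watcher.observe(pkt)
    return watcher.alerts
```

A detector like this only observes; the victim's cache is still poisoned. Prevention on the host means static neighbour entries (`ip neigh add ... nud permanent`), and on the switch it means the vendor's Dynamic ARP Inspection or equivalent, which is one of the "management features" the message distinguishes from plain MAC-based switching.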
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, Dec 7, 2010 at 11:51 AM, Brunner, Brian T. bbrun...@gai-tronics.com wrote:
>> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Tom H
>> Sent: Tuesday, December 07, 2010 11:34 AM
>> To: CentOS mailing list
>> Subject: Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
>> On Tue, Dec 7, 2010 at 11:18 AM, Brunner, Brian T. bbrun...@gai-tronics.com wrote:
>>> Trim your quotes.
>> LOL I was in a hurry... I think that this applies to all in this thread so I hope that you've emailed everyone else... Also, please keep your commands on-list; I only caught your email because it was at the top of my spam directory when I was emptying it.
> LOL twice, I'll top-post! (I hate M$ Office, but I'm stuck with it) I didn't want my whining (not commanding) archived for-frigging-ever, so I sent it direct. TBH I ran out of steam/indignation/angst after a few of the over-quoter under-trimmers, so I didn't get all.

Having a request to trim in the archives is good! :)
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Wed, Dec 8, 2010 at 10:27 AM, Adam Tauno Williams awill...@whitemice.org wrote:
> On Wed, 2010-12-08 at 15:16 +, lheck...@users.sourceforge.net wrote:
>>> I guess the reason it jars us here is because most people post properly.
>> Except the gmail lusers who haven't figured out how to turn off multipart html crap.
> +1 Although I've found @gmail users consider themselves far too cool to be concerned with netiquette. GMail is the new AOL.

Thanks for the compliments!
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Thu, 2010-12-09 at 08:32 -0500, Adam Tauno Williams wrote:
> On Wed, 2010-12-08 at 16:49 -0600, David G. Mackay wrote:
>> On Wed, 2010-12-08 at 10:41 -0500, Adam Tauno Williams wrote:
>>> On Wed, 2010-12-08 at 09:37 -0600, David G. Mackay wrote:
>>>> On Wed, 2010-12-08 at 10:01 +0100, David Sommerseth wrote:
>>>>> Nope, ARP is gone. But it gets a replacement as a part of IPv6, instead of ARP being an addition to IPv4.
>>>>> http://itkia.com/how-to-arp-a-in-ipv6/
>>>>> http://www.tcpipguide.com/free/t_TCPIPIPv6NeighborDiscoveryProtocolND.htm
>>>> I have a question about how IPV6 interacts with the switches in the local network. Right now, my sub $50(US) gigabit switch from any of several vendors keeps an arp table to determine which switch port a message will use. With the huge address space available with IPV6, how is that going to work, and when am I going to get a cheap soho switch that can handle IPV6?
>>> The switch will continue to operate using the MAC# of the client interfaces. The switch doesn't care about IPv4, IPv6, or IPX for that matter [unless you enabled vLANs or management features - which is a different issue].
>> Maybe that's the case for my little cheapo soho switch.
>>> The switch does not maintain an arp table. It maintains a list of MAC#s it has seen on each port.
>> Sorry, but that's certainly incorrect for the higher end switches.
> Hence: unless you enabled vLANs or management features - which is a different issue.

Yes, or perhaps a layer 3 switching device.

>> I've accessed the arp table on several different brands of switches. Also, look up ARP poisoning.
> If the switch has an IPv4 management interface then it has, by definition, an ARP table. ARP is how IPv4 works on Ethernet. This doesn't mean [necessarily] that the switching mechanism is using the ARP table to route packets. If 802.1x or some type of protection scheme is not in place all one has to do is forge the MAC address on any traffic to 'confuse' the switch. Specifically ARP cache poisoning is required to get an IPv4 host to misdirect its traffic to another host on the subnet. It is very fun to play with this, and Linux makes it pretty easy.
>
>     ip link set address xx:xx:xx:xx:xx:xx dev eth0

Take a look at ettercap. The idea is to use arp poisoning to overflow the switch's arp table so that the switch gives up and becomes a hub, sending traffic out of every port, which allows your friendly local hacker to view all of the traffic from every port on the switch. And no, you don't have to use vlans for this to work.

Let me throw in a disclaimer that it's been over a decade since I played network manager on a good-sized network that had this kind of gear, so things have changed a bit since then. Hopefully, some of the cracks have been sealed.

Dave
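The "switch gives up and becomes a hub" behaviour described above, as an added example that is not part of the thread. On a plain layer-2 switch the table involved is the MAC (CAM) table, MAC to port; filling it with forged source MACs is usually called MAC flooding (ettercap and macof both implement it), and it is a different attack from ARP cache poisoning, which targets a host's IP-to-MAC cache. The model below shows the fail-open result and the port-security counter-measure that fails closed instead. The port count, table size, eviction policy and MAC addresses are all constructed for the example; the port-security behaviour modelled is the common "shutdown on violation" mode, not any specific vendor's implementation.

```python
"""Toy model of a switch MAC table under MAC flooding, with port security.

Added example, not code from the CentOS thread. Everything here is
constructed: three ports, a 64-entry table, evict-oldest on overflow.
"""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    in_port: int


class Switch:
    def __init__(self, ports: int, cam_capacity: int,
                 port_security_max: Optional[int] = None) -> None:
        self.ports = ports
        self.cam_capacity = cam_capacity
        self.cam: "OrderedDict[str, int]" = OrderedDict()  # MAC -> port, oldest first
        self.port_security_max = port_security_max  # max MACs per port, None = off
        self.shutdown_ports: Set[int] = set()
        self.floods = 0

    def _macs_on_port(self, port: int) -> int:
        return sum(1 for p in self.cam.values() if p == port)

    def _learn(self, mac: str, port: int) -> None:
        if mac in self.cam:
            self.cam.move_to_end(mac)  # refresh the aging timer
            self.cam[mac] = port
            return
        if len(self.cam) >= self.cam_capacity:
            # Table full. Modelled as evict-oldest; a switch that instead stops
            # learning ends up in the same state once legitimate entries age out.
            self.cam.popitem(last=False)
        self.cam[mac] = port

    def forward(self, frame: Frame) -> Set[int]:
        """Return the egress ports for one frame (empty set = dropped)."""
        if frame.in_port in self.shutdown_ports:
            return set()
        if (self.port_security_max is not None
                and frame.src_mac not in self.cam
                and self._macs_on_port(frame.in_port) >= self.port_security_max):
            self.shutdown_ports.add(frame.in_port)  # violation: fail closed
            return set()
        self._learn(frame.src_mac, frame.in_port)
        out = self.cam.get(frame.dst_mac)
        if out is None:
            self.floods += 1  # unknown destination: behave like a hub
            return set(range(1, self.ports + 1)) - {frame.in_port}
        if out == frame.in_port:
            return set()  # destination is on the ingress port: filter
        return {out}


def mac_flood(switch: Switch, attacker_port: int, count: int) -> None:
    """Send `count` frames with distinct forged source MACs from one port."""
    for i in range(count):
        forged = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xff, (i >> 8) & 0xff, i & 0xff)
        switch.forward(Frame(forged, "ff:ff:ff:ff:ff:ff", attacker_port))


def demo(port_security_max: Optional[int] = None) -> Dict[str, object]:
    """Victim on port 1, server on port 2, attacker on port 3."""
    victim, server = "02:00:00:00:00:10", "02:00:00:00:00:20"
    sw = Switch(ports=3, cam_capacity=64, port_security_max=port_security_max)
    sw.forward(Frame(server, victim, 2))           # server has talked before
    before = sw.forward(Frame(victim, server, 1))  # unicast: only port 2
    mac_flood(sw, attacker_port=3, count=200)
    after = sw.forward(Frame(victim, server, 1))   # flooded, or still unicast
    return {"before": before, "after": after, "shutdown": set(sw.shutdown_ports)}
```

Without port security the victim-to-server frame ends up on the attacker's port after the flood; with a per-port MAC limit the attacker's port is shut down on the third forged address and the legitimate path is unchanged.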
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 08/12/10 04:15, Les Mikesell wrote:
> On 12/7/10 9:02 PM, Ryan Wagoner wrote:
>>> Well in fact I don't think that will even work with the present URL rules. Just on a lark I clicked on your string, and my firefox interpreted it as http://3ffe:1900. Unless there's a special http protocol string for ipv6? Tony
>> Since : is used to denote the port you must put the IPv6 address in brackets.
>> http://[3ffe:1900:4545:3:200:f8ff:fe21:67cf]/
> Thunderbird doesn't make that a clickable link. Since the change to ipv6 is pretty much inevitable and probably most things will eventually work out, maybe we should focus on the little things (like programs not recognizing the addresses in various contexts) that are going to cause pain during the transition.

Did you file a bug to the Thunderbird bugzilla regarding this?
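The bracket rule from the exchange above, as an added example that is not part of the thread. RFC 3986 requires an IPv6 literal in the authority part to be enclosed in `[ ]` because `:` otherwise separates host from port; a parser that splits on the first `:` reads `3ffe` as the host, which is the `http://3ffe:1900` result Firefox produced. The code uses the thread's own address and Python's `urllib.parse`; the helper functions, the allowlist check and the other hostnames are constructed for the example.

```python
"""IPv6 literals in URLs: why the unbracketed form is misread.

Added example, not code from the CentOS thread. The address is the one
quoted in the thread; helper names and other hosts are made up.
"""
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit


def host_and_port(url: str) -> Tuple[Optional[str], Optional[int]]:
    """Return (hostname, port) the way a standards-following parser sees them."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:
        # A port field is present but is not an integer: this is what happens
        # to everything after the first ':' of an unbracketed IPv6 literal.
        port = None
    return parts.hostname, port


def build_url(host: str, port: Optional[int] = None,
              scheme: str = "http", path: str = "/") -> str:
    """Build a URL, bracketing the host only when it is an IPv6 literal."""
    try:
        addr = ipaddress.ip_address(host)
        literal = f"[{addr.compressed}]" if addr.version == 6 else str(addr)
    except ValueError:
        literal = host  # a DNS name, left as given
    netloc = literal if port is None else f"{literal}:{port}"
    return f"{scheme}://{netloc}{path}"


def same_host(url: str, expected_host: str) -> bool:
    """Allowlist check done on the parsed host, not on the raw string.
    IP literals are compared numerically, so a compressed and an expanded
    form of the same address match; DNS names are compared case-insensitively."""
    hostname, _ = host_and_port(url)
    if hostname is None:
        return False
    try:
        return ipaddress.ip_address(hostname) == ipaddress.ip_address(expected_host)
    except ValueError:
        return hostname.lower() == expected_host.lower()
```

The security point is the one link recognisers and allowlists share: whatever decides where a request goes must be the same parser that decides whether the host is permitted. Splitting the authority on `:` by hand gets a different answer from a bracket-aware parser for every IPv6 literal.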
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 08/12/10 03:36, Ross Walker wrote:
> On Dec 7, 2010, at 9:20 PM, Adam Tauno Williams awill...@whitemice.org wrote:
>> On Tue, 2010-12-07 at 20:37 -0500, Ross Walker wrote:
>>> On Dec 7, 2010, at 7:41 PM, Nico Kadel-Garcia nka...@gmail.com wrote:
>>>> On Tue, Dec 7, 2010 at 10:04 AM, Adam Tauno Williams awill...@whitemice.org wrote:
[...snip...]
>>> I can only imagine phonetically calling these off on a support call, I'd get half way through it and the other end would tell me to forget it, I'll wait until DNS is working again.
>> You aren't crippled currently when DNS doesn't work? Because e-mail, Active Directory / Kerberos, and numerous other services just-don't-work without functioning DNS anyway. I'd say the network-minus-DNS is pretty much irrelevant in the real world.
> Well, there is DNS down and there is DNS issues causing some sites problems. These may or may not be due to our DNS servers, you get the idea.

The problem with DNS being down is just as critical on IPv4 as with IPv6. The only difference is that it's a lot easier to remember or type IPv4 addresses ... at least now, until we're really getting used to IPv6 addresses. By all means, DNS will be much more critically important in IPv6 though - as not everyone will be able to remember IPv6 addresses as well as IPv4 addresses.

> When you're on your router or switch, want to traceroute or find out what port an address is on... Is there even ARP with v6?

Nope, ARP is gone. But it gets a replacement as a part of IPv6, instead of ARP being an addition to IPv4.

http://itkia.com/how-to-arp-a-in-ipv6/
http://www.tcpipguide.com/free/t_TCPIPIPv6NeighborDiscoveryProtocolND.htm

kind regards,

David Sommerseth
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, Dec 07, 2010 at 09:15:50PM -0600, Les Mikesell wrote:
> On 12/7/10 9:02 PM, Ryan Wagoner wrote:
>>> Well in fact I don't think that will even work with the present URL rules. Just on a lark I clicked on your string, and my firefox interpreted it as http://3ffe:1900. Unless there's a special http protocol string for ipv6? Tony
>> Since : is used to denote the port you must put the IPv6 address in brackets.
>> http://[3ffe:1900:4545:3:200:f8ff:fe21:67cf]/
> Thunderbird doesn't make that a clickable link. Since the change to ipv6 is pretty much inevitable and probably most things will eventually work out, maybe we should focus on the little things (like programs not recognizing the addresses in various contexts) that are going to cause pain during the transition.

I see that UrlView in mutt gets it just fine. :-)

Mihai
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, 2010-12-07 at 21:36 -0500, Ross Walker wrote:
>>> I can only imagine phonetically calling these off on a support call, I'd get half way through it and the other end would tell me to forget it, I'll wait until DNS is working again.
>> You aren't crippled currently when DNS doesn't work? Because e-mail, Active Directory / Kerberos, and numerous other services just-don't-work without functioning DNS anyway. I'd say the network-minus-DNS is pretty much irrelevant in the real world.
> Well, there is DNS down and there is DNS issues causing some sites problems. These may or may not be due to our DNS servers, you get the idea.
> When you're on your router or switch, want to traceroute or find out what port an address is on... Is there even ARP with v6?

No, IPv6 uses the neighbor discovery protocol; which is in many ways superior to ARP.

http://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol

A lot of people will freak out - but once they get used to NDP instead of ARP...
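What replaces ARP, as an added example that is not part of the thread. ARP resolves an IPv4 address by broadcasting to every host on the segment; Neighbor Discovery (RFC 4861) sends a Neighbor Solicitation to the target's solicited-node multicast group `ff02::1:ffXX:XXXX` (the low 24 bits of the target address), which maps onto the Ethernet multicast MAC `33:33:ff:XX:XX:XX` (RFC 2464), so only hosts that joined that group receive it. The code also derives the EUI-64 link-local address from a MAC (RFC 4291) and reverses it, which is how the "find out what port an address is on" question from the thread is answered for SLAAC hosts. The MAC used in the checks is constructed. One caveat that belongs next to "superior to ARP": NDP messages are no more authenticated than ARP, so spoofed Neighbor Advertisements and Router Advertisements are the IPv6 equivalents of ARP poisoning (RFC 3756 catalogues them); RA Guard and SEND are the counter-measures.

```python
"""Addresses used by IPv6 Neighbor Discovery, and the EUI-64 derivation.

Added example, not code from the CentOS thread. The MAC addresses are
constructed for the example.
"""
import ipaddress
from typing import Optional

SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def _mac_bytes(mac: str) -> bytes:
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return octets


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: flip the U/L bit, insert ff:fe in the middle."""
    m = _mac_bytes(mac)
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 plus the EUI-64 interface identifier."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui64_interface_id(mac))


def mac_from_eui64(addr: str) -> Optional[str]:
    """Reverse the derivation, or None if the address was not EUI-64 derived
    (privacy extensions, DHCPv6 and hand-assigned addresses give None)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in m)


def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """Group a Neighbor Solicitation for `addr` is sent to (RFC 4291 2.7.1)."""
    low24 = ipaddress.IPv6Address(addr).packed[13:]
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX.network_address.packed[:13] + low24)


def ethernet_multicast_mac(group: str) -> str:
    """RFC 2464 mapping of an IPv6 multicast group to a link-layer address."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    return "33:33:" + ":".join(f"{b:02x}" for b in g.packed[12:])
```

A practical consequence of the 24-bit group: several hosts whose addresses share their last three bytes subscribe to the same solicited-node group and each sees the others' solicitations, which is harmless for resolution but worth knowing when reading a capture.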
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 12/07/2010 04:31 PM, John R. Dennison wrote:
> On Tue, Dec 07, 2010 at 11:51:16AM -0500, Brunner, Brian T. wrote:
>> LOL twice, I'll top-post! (I hate M$ Office, but I'm stuck with it)
> Really? In blatant disregard for the published guidelines for use on this and other centos.org mailing lists? How very sporting of you.
> http://www.centos.org/modules/tinycontent/index.php?id=16
> John

Why do we bottom post? People have said so you can read what has already been written before you reply. But all the time people snip out big sections. That IMHO defeats the reason for bottom posting.

-- 
Stephen Clark
*NetWolves*
Sr. Software Engineer III
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Wed, Dec 08, 2010 at 07:41:58AM -0500, Steve Clark wrote:
> Why do we bottom post? People have said so you can read what has already been written before you reply. But all the time people snip out big sections. That IMHO defeats the reason for bottom posting.

Top posting ruins the flow of the standard English written language and makes following conversation topics awkward, at best. A classic example of this is the following section:

A: Yes.
Q: Are you sure?
A: Because it reverses the logical flow of conversation.
Q: Why is top posting frowned upon?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

As you can see the above makes absolutely no sense whatsoever and makes following the topic next to impossible.

As far as trimming out extraneous junk goes... if it is done properly only non-relevant portions of quoted text are removed; when you don't trim you end up with cascade replies that contain all text from all previous replies where the message authors have not removed material. It's a complete waste of resources to have to process what amounts to junk.

John

-- 
Much of what looks like rudeness in hacker circles is not intended to give offense. Rather, it's the product of the direct, cut-through-the-bullshit communications style that is natural to people who are more concerned about solving problems than making others feel warm and fuzzy.
http://www.tuxedo.org/~esr/faqs/smart-questions.html
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Wednesday, December 08, 2010 05:10 PM, Ben McGinnes wrote:
>>> The even more horrendous problem, which is so pervasive it affects everyone, is the insistence on asymmetric connections. Even when Australia does get this fabled fibre-to-the-home, it still won't be symmetric. *sigh*
>> Fibre connections that are not symmetric...sure going out of the way that.
> Kind of. The spec they're using (I've forgotten which one it is) supports a 2:1 ratio, I think the current maximum is supposed to be around 2.5Gb/s download and 1.25Gb/s upload. The plans being offered by the wholesaler (NBN Co.) to ISPs for resale are currently 25Mb/2Mb, 50Mb/4Mb and 100Mb/8Mb. I don't know how they expect to encourage local content like that, let alone local innovation, but that's what they're doing.

Local content as in ISP provided content?

> Anyway, I've been drooling over the sort of connections that are only available in the corporate world here and in more civilised parts of the world for a long time. I don't really expect that to change now.

/me wonders if he should get started with the charges for corporate connections too...:-p

All HK ISPs are IPv6 connected. I wonder if I should get an IPv6 allocation for the school...nah, probably got other things to cook.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Wed, Dec 08, 2010 at 07:41:58AM -0500, Steve Clark wrote:
> On 12/07/2010 04:31 PM, John R. Dennison wrote:
> Why do we bottom post? People have said so you can read what has already been written before you reply. But all the time people snip out big sections. That IMHO defeats the reason for bottom posting.

http://linux.sgms-centre.com/misc/netiquette.php
http://howto-pages.org/posting_style

give good explanations. Trimming is important. Putting a two line answer at the end of a 400 line message isn't very helpful either.

-- 
Scott Robbins
PGP keyID EB3467D6 ( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

Buffy: What should we do with the trio over here? Should we burn them?
Willow: I brought marshmallows.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
Scott Robbins wrote:
> On Wed, Dec 08, 2010 at 07:41:58AM -0500, Steve Clark wrote:
>> On 12/07/2010 04:31 PM, John R. Dennison wrote:
>> Why do we bottom post? People have said so you can read what has already been written before you reply. But all the time people snip out big sections. That IMHO defeats the reason for bottom posting.
> http://linux.sgms-centre.com/misc/netiquette.php
> http://howto-pages.org/posting_style
> give good explanations. Trimming is important. Putting a two line answer at the end of a 400 line message isn't very helpful either.

Oh, like Certain Parties who may or may not work for RedHat, esp. over on the selinux list?, he asks, innocently

mark
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Wed, Dec 08, 2010 at 09:43:03AM -0500, m.r...@5-cent.us wrote:
> Scott Robbins wrote:
>> http://linux.sgms-centre.com/misc/netiquette.php
>> http://howto-pages.org/posting_style
>> give good explanations. Trimming is important. Putting a two line answer at the end of a 400 line message isn't very helpful either.
> Oh, like Certain Parties who may or may not work for RedHat, esp. over on the selinux list?, he asks, innocently

Honestly, I had no one in mind. I remember in an effort to get a life outside tech, I joined a mailing list for something else. I hadn't realized how most people top post, don't trim, and still use aol.

I was actually thinking of something off that list, where someone wrote a longgg post and someone else responded at the very end, saying nice post. I guess the reason it jars us here is because most people post properly.

-- 
Scott Robbins
PGP keyID EB3467D6 ( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

Angel: I'm weak. I've never been anything else. I wanted to lose myself in you. I know it will cost me my soul, and part of me didn't care. It's not the demon in me that needs killing, Buffy, it's the man.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
Scott Robbins wrote:
> On Wed, Dec 08, 2010 at 09:43:03AM -0500, m.r...@5-cent.us wrote:
>> Scott Robbins wrote:
>>> http://linux.sgms-centre.com/misc/netiquette.php
>>> http://howto-pages.org/posting_style
>>> give good explanations. Trimming is important. Putting a two line answer at the end of a 400 line message isn't very helpful either.
>> Oh, like Certain Parties who may or may not work for RedHat, esp. over on the selinux list?, he asks, innocently
> Honestly, I had no one in mind.

Honestly, I did.

> I remember in an effort to get a life outside tech, I joined a mailing list for something else. I hadn't realized how most people top post, don't trim, and still use aol.

They do it at work, too, and I've got folks who know better. I reformat their emails, if it's worth it (i.e., more than a one-liner).

> I was actually thinking of something off that list, where someone wrote a longgg post and someone else responded at the very end, saying nice post.

Classic usenet newby.

> I guess the reason it jars us here is because most people post properly.

I tend to intercalate replies to direct lines, and then bottom post, to add more to the conversation.

mark
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
> I guess the reason it jars us here is because most people post properly.

Except the gmail lusers who haven't figured out how to turn off multipart html crap.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Wed, 2010-12-08 at 15:16 +, lheck...@users.sourceforge.net wrote:
>> I guess the reason it jars us here is because most people post properly.
> Except the gmail lusers who haven't figured out how to turn off multipart html crap.

+1 Although I've found @gmail users consider themselves far too cool to be concerned with netiquette. GMail is the new AOL.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Wed, 2010-12-08 at 10:01 +0100, David Sommerseth wrote:
> Nope, ARP is gone. But it gets a replacement as a part of IPv6, instead of ARP being an addition to IPv4.
> http://itkia.com/how-to-arp-a-in-ipv6/
> http://www.tcpipguide.com/free/t_TCPIPIPv6NeighborDiscoveryProtocolND.htm

I have a question about how IPV6 interacts with the switches in the local network. Right now, my sub $50(US) gigabit switch from any of several vendors keeps an arp table to determine which switch port a message will use. With the huge address space available with IPV6, how is that going to work, and when am I going to get a cheap soho switch that can handle IPV6?

Dave
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Wed, 2010-12-08 at 09:37 -0600, David G. Mackay wrote:
> On Wed, 2010-12-08 at 10:01 +0100, David Sommerseth wrote:
>> Nope, ARP is gone. But it gets a replacement as a part of IPv6, instead of ARP being an addition to IPv4.
>> http://itkia.com/how-to-arp-a-in-ipv6/
>> http://www.tcpipguide.com/free/t_TCPIPIPv6NeighborDiscoveryProtocolND.htm
> I have a question about how IPV6 interacts with the switches in the local network. Right now, my sub $50(US) gigabit switch from any of several vendors keeps an arp table to determine which switch port a message will use. With the huge address space available with IPV6, how is that going to work, and when am I going to get a cheap soho switch that can handle IPV6?

The switch will continue to operate using the MAC# of the client interfaces. The switch doesn't care about IPv4, IPv6, or IPX for that matter [unless you enabled vLANs or management features - which is a different issue]. The switch does not maintain an arp table. It maintains a list of MAC#s it has seen on each port.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Wednesday, December 08, 2010 10:03:26 am Scott Robbins wrote:
> I remember in an effort to get a life outside tech, I joined a mailing list for something else. I hadn't realized how most people top post, don't trim, and still use aol.

Lots of corporate people top post to retain the threading, and get rather upset when you trim the replies below, since they aren't using MUAs that can thread. Not to mention that top-posting is the default reply setup for the most commonly used corporate-type MUAs.

I often use 'standard' netiquette in replying, and have had a few cases where the recipient had never seen that, and it confused the daylights out of them. And they want the reply thread to be in-message (again, since they're not using a threaded MUA). Or in the case of Outlook 2003 or later, they've never used 'Arrange by Conversation' and don't realize how useful that can be (Outlook 2010 I've heard greatly improves things).

We use Scalix here as our MTA and web-based MUA, and the web MUA doesn't thread. The primary purpose is for being a groupware backend to MS Outlook; 'Arrange by Conversation' isn't used a whole lot.

I keep getting asked 'why don't you use a real mailreader like Outlook?' and I then show them the volume of e-mail I get, and the features of Kmail that I use heavily that Outlook simply does not have, or doesn't do as well. They typically still don't get it; threading confuses many people who have never used it.

Likewise for the common and irritating practice of using 'Reply' as a shortcut to sending a new post, especially to a mailing list. If your MUA is not threaded, you simply don't see a problem with the practice. Mine is, I do, and I don't do that. :-)
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 2010-12-08 07:41, Steve Clark wrote:
> On 12/07/2010 04:31 PM, John R. Dennison wrote:
>> On Tue, Dec 07, 2010 at 11:51:16AM -0500, Brunner, Brian T. wrote:
>>> LOL twice, I'll top-post! (I hate M$ Office, but I'm stuck with it)
>> Really? In blatant disregard for the published guidelines for use on this and other centos.org mailing lists? How very sporting of you.
>> http://www.centos.org/modules/tinycontent/index.php?id=16
>> John
> Why do we bottom post? People have said so you can read what has already been written before you reply. But all the time people snip out big sections. That IMHO defeats the reason for bottom posting.

No IMHO. You snip a text and keep important stuff so people can better understand your answer. With bottom posting, you have the text in the normal read order.

I am a tech support engineer and all I can say is that top posting is very irritating, I receive like 400 e-mails a day... Reading long posts in reverse is a nightmare.

You may have reasons to resist bottom posting like using Outlook (which has many defaults like not respecting anything: standards, posting order, etc). But that's an entirely different story...

Guy Boisvert
Senior tech support engineer
IngTegration inc.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
Adam Tauno Williams wrote:
> On Wed, 2010-12-08 at 15:16 +, lheck...@users.sourceforge.net wrote:
>>> I guess the reason it jars us here is because most people post properly.
>> Except the gmail lusers who haven't figured out how to turn off multipart html crap.
> +1 Although I've found @gmail users consider themselves far too cool to be concerned with netiquette. GMail is the new AOL.

Ghu! I remember when AOHell got onto the 'Net, and they autosubscribed *all* their members to certain newsgroups... and they had *no* clue. I occasionally dipped into alt.best.of.usenet, for reposting stuff from other newsgroups that was hysterical... esp. when the original poster didn't intend it that way. Then came the turkeys, and I can post whatever I want, wherever I want

But this is way OT.

mark, stopping now
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
> Lots of corporate people top post to retain the threading, and get rather upset when you trim the replies below, since they aren't using MUAs that can thread. Not to mention that top-posting is the default reply setup for the most commonly used corporate-type MUAs.

+1. M$ Outlook defaults to top-posting in HTML. Sometimes I forget to override that.

> I keep getting asked 'why don't you use a real mailreader like Outlook?'

*solemnly bangs head on table* That's a trojan-trampoline disguised as a mail reader.

Top/bottom/mingled replies don't bother me. Top-post-nazis and bottom-post-nazis do. Replies to LONG posts with one-sentence comments on the bottom are a pain.

Back when Mark was writing in COBOL (and I was teaching it), we needed killfiles that really kill. Still do.

End-of-off-topic
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Wed, 2010-12-08 at 10:41 -0500, Adam Tauno Williams wrote:
> On Wed, 2010-12-08 at 09:37 -0600, David G. Mackay wrote:
>> On Wed, 2010-12-08 at 10:01 +0100, David Sommerseth wrote:
>>> Nope, ARP is gone. But it gets a replacement as a part of IPv6, instead of ARP being an addition to IPv4.
>>> http://itkia.com/how-to-arp-a-in-ipv6/
>>> http://www.tcpipguide.com/free/t_TCPIPIPv6NeighborDiscoveryProtocolND.htm
>> I have a question about how IPV6 interacts with the switches in the local network. Right now, my sub $50(US) gigabit switch from any of several vendors keeps an arp table to determine which switch port a message will use. With the huge address space available with IPV6, how is that going to work, and when am I going to get a cheap soho switch that can handle IPV6?
> The switch will continue to operate using the MAC# of the client interfaces. The switch doesn't care about IPv4, IPv6, or IPX for that matter [unless you enabled vLANs or management features - which is a different issue].

Maybe that's the case for my little cheapo soho switch.

> The switch does not maintain an arp table. It maintains a list of MAC#s it has seen on each port.

Sorry, but that's certainly incorrect for the higher end switches. I've accessed the arp table on several different brands of switches. Also, look up ARP poisoning.

Dave
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Mon, Dec 6, 2010 at 6:28 PM, Bob McConnell rmcco...@lightlink.com wrote:
> Ryan Wagoner wrote:
>> IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect was hiding the internal IPv4 address, which complicates a number of protocols like FTP and SIP. The only downside I see is ISPs could try and charge based on the number of IPv6 addresses being used.
> No, the downside is that each address used will be exposed to the world. I consider that a serious security flaw. Having my ISP know how many computers I have is a minor issue covered by the contract I have with them. But having all of those addresses exposed to Russian mobsters, terrorists, crackers and everyone else that knows how to capture packets is another matter altogether. If IPv6 exposes that information to the world, it is definitely unsafe to use.

As opposed to these Russian mobsters, terrorists, crackers looking at the headers of your email above...
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Mon, Dec 6, 2010 at 6:56 PM, Ryan Wagoner rswago...@gmail.com wrote: On Mon, Dec 6, 2010 at 6:28 PM, Bob McConnell rmcco...@lightlink.com wrote: Ryan Wagoner wrote: On Mon, Dec 6, 2010 at 5:15 PM, Bob McConnell rmcco...@lightlink.com wrote: David Sommerseth wrote: On 06/12/10 15:29, Todd Rinaldo wrote: On Dec 6, 2010, at 5:27 AM, David Sommerseth wrote: On 05/12/10 14:21, Tom H wrote: On Sun, Dec 5, 2010 at 8:13 AM, RedShift redsh...@pandora.be wrote: On 12/05/10 12:50, Rudi Ahlers wrote: (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Days.htm), Haven't switched yet, I have IPv6 at home using sixxs. I can't even figure out what address ranges are reserved for private use, is there even such a concept in IPv6? I think that site-local (fec0:: - fef::) is the ipv6 more-or-less-equivalent of ipv4 private addresses. Yes, that's correct and it is deprecated. http://www.ietf.org/rfc/rfc3879.txt With IPv6 there is plenty of addresses for everyone so you basically use your own assigned official IPv6 address space and setup your own private /64 net and block that subnet in your firewalls. Another thing, there is no NAT and it will not be implemented as we know it in IPv4. To call NAT a security feature is also a faulty understanding. As NAT only prevents access from outside to some computer inside a network which is NAT'ed. This restriction and filtering is the task of the firewall anyway, which does the NAT anyway. NAT basically just breaks a lot of protocols and enforces complex firewalls which needs to understand a lot of different protocols to be able to do things correctly. Which often do not work as well as it could. I've heard this before but It's always confused me. Admittedly I haven't had a chance to look at the spec. If we're saying that everyone's going to have the same private subnet, then we're saying that all the private subnets are going to have to be NAT-ed aren't they? 
This can be a bit confusing, especially if you see this with IPv4 eyes. In IPv6, there basically is no such thing as a private subnet (range). When you contact your ISP to get an IPv6 subnet, they will most probably give you a /48 network. That means you will have an IPv6 prefix which is unique. That is a reference to all _your_ IPv6 networks. Then you will normally segment this /48 subnet into more /64 networks. A /48 subnet gives you 65536 /64 networks. So the IPv6 prefix will be something like: :::::/64 the '::' part is the prefix your ISP will provide you, and this is the first 48 bits of the IPv6 address. The '' part is up to you to decide what will be, and that's the next 16 bits of the address scope. So 48 + 16 = 64 bits. And 2^16 = 65536. And this is all you need to know about IPv6 addressing. Really! That's it. No network addresses, no broadcast addresses. Just pure usable IPv6 addresses. (You may of course make even more subnets below /64, but that's usually not recommended at all - especially with auto-configured networks) So then ... the next phase. As everyone who gets a /48 net should have it flexible enough to set up private networks, the firewall just needs to block completely in-going traffic to a /64 net defined by the admins as private. It can further be decided if this /64 net should have access to IPv6 addresses outside this local network. Again this is just a firewall rule and nothing more - allow or reject/drop. And then, the formerly proposed site-local subnet makes pretty much no sense, as IPv6 does not support NAT. As this network would not be able to communicate across a router/firewall. This subnet (fec0:: - fef::) should not be routed anywhere. And without NAT, it can't escape the subnet at all anyway. So, spending one or two or 100s of /64 subnets with public IPv6 addresses which are completely blocked in a firewall will serve exactly the same purpose as a site-local subnet.
But this /64 net may get access to the Internet *if* allowed by the firewall. This is not possible with site-local at all. And of course, this is without NAT in addition. I hope this made it a little bit clearer. Clear as mud. If I understand you correctly, I have to say that IPv6 is broken by design. I have a double handful of computers on my home network. Each of them needs access to the Internet to get updates to the OS and various applications. However, I do *NOT* want each and every one of them to show up as a unique address outside of my network. With IP4 and m0n0wall running as the NAT, they are all translated to the single IP address that Roadrunner assigned to my Firewall. I need to continue that mapping. If IPv6 cannot do that, then I hope Time-Warner continues to ignore it and stays with their current address structure. Bob McConnell N2SPP IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tuesday, December 07, 2010 11:08 AM, Todd Rinaldo wrote: On Dec 6, 2010, at 7:51 PM, Christopher Chan wrote: On Tuesday, December 07, 2010 08:57 AM, David wrote: Folks I have been following the IPV6 comments. What concerns me with the loss of NAT are the following issues: 1) My friend from half-way around the world comes to visit. He turns on his IPV6 enabled device (think Ipad), and wants to use my ISP's connection. What IP address does he get? If it's his home address, that makes routing difficult. If he dynamically gets one of my addresses a) Did my ISP give me enough? Let's see...if you apply for ipv6, you get a /48 network or as David put it, 65k worth of /64 subnets. b) Do I get charged by my ISP on a per-device basis? Heh, if they want to micromanage... I'm still waiting for the day I get a home ISP that doesn't nickel and dime me. I agree that this is a potential concern. What's sad is that if they decide to do this, there's little I can do about it since ipv6 doesn't support NAT. Don't get me wrong. Now I've reviewed the spec, I agree NAT isn't required, but unless all the end user ISPs turn into benevolent Oligopolies, it is a potential issue. Ah, I must pity you who have to live with what you've got in the United States being under the rule of these tyrants. You guys probably can only dream of getting a 100MB fibre connection for 13USD/mnth or a 1GB fibre connection for 30 or so USD/mnth. I hesitate to keep the chaps in Australia on the list to be pitied now that Telstra is being dismantled. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 07/12/10 02:26, Les Mikesell wrote: On 12/6/10 6:27 PM, Brian Mathis wrote: You are enjoying a side-effect of NAT by thinking it is a firewall. The other nice side-effect of NAT is that you get an effectively infinite number of addresses behind it without any pre-arrangement with anyone else. Even if ISPs hand out what they expect to be reasonably-sized blocks, won't it be much harder to deal with when you outgrow your allotment? We've had the opportunity to move to ipv6 for ages but we haven't (in the US, anyway). I think the reason is that most people like the way NAT works and don't really want a public address on every device. So you are afraid of outgrowing an assigned /48 net? Let's do some math here ... and I hope I get it right ... IPv4: aa:bb:cc:dd that's 32 bit IPv6: :::: this is 48 bits out of 128 bits In the IPv6 scenario, you have been assigned '::::' as your IPv6 prefix by your ISP. So that means that you have 128-48 bits available for your own addressing scheme. That is 80 bits you have absolutely full control over. Of course, it's recommended to have subnets no smaller than 64 bits. So that makes it: IPv6 /64 subnets: ::::: That means you have 16 bits for subnets. 2^16 = 65536 subnets, each with 64-bit addressing. And if my math doesn't fail me now, a 64-bit addressing scheme is doubling the IPv4 address scope 32 times. What I mean is that from 32 bit to 33 bit, you have 2 * the 32-bit addressing scope. From 32 to 34, you have 4 * the 32-bit addressing scope. For each bit you add, you double what you had. It is simply insanely many addresses. And if you fear that ISPs or IANA might run out of address space: remember that they have 48 bits to play with, which is the IPv4 address scope doubled 16 times. Of course some ISPs will probably just hand out /64 networks to most of their customers (most probably to home users). But that's another story. And a /64 network is possible but not so easy to subnet further, and is also not recommended.
kind regards, David Sommerseth ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
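The prefix arithmetic David walks through above, as an added worked example (this is not code from the thread or from any of its posters) using Python's standard ipaddress module: how many /64 networks a /48 contains, how to address the n-th one of them without enumerating all 65536, and which scope a given address falls into, including the deprecated site-local range fec0::/10 that started the discussion. The prefixes are taken from the 2001:db8::/32 documentation range and are constructed for the example, not anyone's real allocation.

```python
import ipaddress

# Ranges referenced in the thread. fec0::/10 (site-local) was deprecated by
# RFC 3879; fc00::/7 (unique local addresses, RFC 4193) is what replaced it
# for addressing that must never be routed on the public Internet.
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def plan_prefix(prefix: str, subnet_len: int = 64) -> dict:
    """How many /subnet_len networks fit in `prefix`, and how large each one is."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if subnet_len < net.prefixlen or subnet_len > 128:
        raise ValueError(f"cannot cut /{subnet_len} subnets out of {net}")
    subnet_bits = subnet_len - net.prefixlen
    return {
        "prefix": str(net),
        "subnet_bits": subnet_bits,                        # 16 for /48 -> /64
        "subnet_count": 1 << subnet_bits,                  # 2^16 = 65536
        "addresses_per_subnet": 1 << (128 - subnet_len),   # 2^64 per /64
    }


def nth_subnet(prefix: str, n: int, subnet_len: int = 64) -> str:
    """The n-th /subnet_len inside `prefix`, computed arithmetically.

    net.subnets(new_prefix=64) would build all 65536 objects; shifting the
    subnet index into the right bit position gives the same answer directly.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    count = 1 << (subnet_len - net.prefixlen)
    if not 0 <= n < count:
        raise ValueError(f"subnet index {n} out of range 0..{count - 1}")
    base = int(net.network_address) + (n << (128 - subnet_len))
    return str(ipaddress.IPv6Network((base, subnet_len)))


def classify(addr: str) -> str:
    """Name the scope an address belongs to, flagging the deprecated range.

    The four ranges are disjoint, so the order of the checks does not matter.
    """
    a = ipaddress.IPv6Address(addr)
    if a in SITE_LOCAL:
        return "site-local (deprecated by RFC 3879)"
    if a in LINK_LOCAL:
        return "link-local"
    if a in UNIQUE_LOCAL:
        return "unique-local"
    if a in GLOBAL_UNICAST:
        return "global unicast"
    return "other"


if __name__ == "__main__":
    # Constructed example allocation from the documentation prefix.
    print(plan_prefix("2001:db8:1234::/48"))
    print(nth_subnet("2001:db8:1234::/48", 5))
    for sample in ("fec0::1", "fd12:3456:789a::1", "2001:db8::1", "fe80::1"):
        print(sample, "->", classify(sample))
```

The "block that /64 in the firewall" part of David's advice is then a rule on the string nth_subnet() returns; nothing about the address itself makes it private, only the filter does.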
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Mon, 2010-12-06 at 17:15 -0500, Bob McConnell wrote: So, spending one or two or 100s /64 subnets with public IPv6 addresses which is completely blocked in a firewall will serve exactly the same purpose as a site-local subnet. But this /64 net may get access to the Internet *if* allowed by the firewall. This is not possible with site-local at all. And of course, this is without NAT in addition. I hope this made it a little bit clearer. Clear as mud. If I understand you correctly, I have to say that IPv6 is broken by design. It isn't. I have a double handful of computers on my home network. Each of them needs access to the Internet to get updates to the OS and various applications. However, I do *NOT* want each and every one of them to show up as a unique address outside of my network. Why? Things will only work better. NAT is not some magic sauce, it is a *HACK*. With IP4 and m0n0wall running as the NAT, they are all translated to the single IP address that Roadrunner assigned to my Firewall. I need to continue that mapping. Why? There is no reason. You are wrong, you do *NOT* need to continue that mapping. That mapping is pointless. If IPv6 cannot do that, then I hope Time-Warner continues to ignore it and stays with their current address structure. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote: IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect was hiding the internal IPv4 address, which complicates a number of protocols like FTP and SIP. The only downside I see is ISPs could try and charge based on the number of IPv6 addresses being used. No, the downside is that each address used will be exposed to the world. False. That is *NOT* a downside. NAT is *NOT* a magic sauce - install a firewall [which you probably already have]. Problem solved. I consider that a serious security flaw. It is not. Having my ISP know how many computers I have is a minor issue covered by the contract I have with them. So you want to cheap on the legal contract you agreed to? But having all of those addresses exposed to Russian mobsters, terrorists, crackers and everyone else that knows how to capture packets is another matter altogether. If IPv6 exposes that information to the world, it is definitely unsafe to use. The Russian mobsters can already do that; if you think NAT is protecting you from that then you are mistaken. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
b) Do I get charged by my ISP on a per-device basis? Heh, if they want to micromanage... This is no science fiction. Some big providers in some countries limit the number of devices that can connect to the internet. You have to register the MAC address of your single PC (which, by the way, is expected to run Windows or MacOS) In that case, a NAT router sending the MAC address expected by the provider could have (maybe, possibly...) been very handy. (I won't tell more, even though I have left the country and the provider in question) ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tuesday, December 07, 2010 07:23 PM, Mathieu Baudier wrote: b) Do I get charged by my ISP on a per-device basis? Heh, if they want to micromanage... This is no science fiction. Never said it was. Some big providers in some countries limit the number of devices that can connect to the internet. You have to register the MAC address of your single PC (which, by the way, is expected to run Windows or MacOS) Not news to me. Netvigator over here had single computer in its terms and conditions and single user/multiple user accounts. And only they had such terms but they never did try to enforce them. Not with all the competition around. In that case, a NAT router sending the MAC address expected by the provider could have (maybe, possibly...) been very handy. (I won't tell more, even though I have left the country and the provider in question) /me does not care. Not sure about other folks though...do them a service :-p ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
/me does not care. Not sure about other folks though...do them a service :-p In theory, a lot of residential routers (not provided by the ISP) will allow you to set the sent MAC address via their web interface. And on a full fledged Linux OS: ifconfig ethX hw ether MY:MA:CA:DD:RE:SS (or something like that, see man ifconfig) I just did not say whether I have ever tried in real... ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mathieu Baudier said the following on 07/12/10 12:23: Some big providers in some countries limit the number of device that can connect to internet. FastWeb does this in Italy. They configure their router (to which you do NOT have access) giving the LAN side a 192.168.x.x/24 but only the first 'n' IPs ('n' depends on how much you pay) of the subnet are NATted. Ciao, luigi - -- / +--[Luigi Rosa]-- \ Biggest Black Hole ever Found in Nearby Galaxy. EVERYBODY PAN..IC --fark.com -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkz+IPkACgkQ3kWu7Tfl6ZTJkgCgk5Ze9QBWePuH0IHkFcIp/drk ve8An1LO9CW88BE2+lH+U598H1OZunDt =hWDc -END PGP SIGNATURE- ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, Dec 07, 2010 at 12:23:08PM +0100, Mathieu Baudier wrote: b) Do I get charged by my ISP on a per-device basis? Heh, if they want to micromanage... This is no science fiction. Some big providers in some countries limit the number of device that can connect to internet. You have to register the MAC address of your single PC (which, by the way, is expected to run Windows or MacOS) In the old days (5-6 years ago?), you were being sneaky if you used a router--this is in the US, with Roadrunner. They acknowledged, eventually, that it was common, and their terms of service specifically allow it. Verizon used to (don't know what they do now), provide a modem-cum-wireless-router when you got their service---this was with DSL, I assume they do the same with FIOS. -- Scott Robbins PGP keyID EB3467D6 ( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 ) gpg --keyserver pgp.mit.edu --recv-keys EB3467D6 Anyanka: You trusting fool. How do you know the other world is any better than this? Giles: Because it has to be. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 12/07/2010 12:53 PM, Mathieu Baudier wrote: ... And on a full fledged Linux OS: ifconfig ethX hw ether MY:MA:CA:DD:RE:SS (or something like that, see man ifconfig) I just did not say whether I have ever tried in real... You just add the following line to /etc/sysconfig/network-scripts/ifcfg-eth0: MACADDR=MY:MA:CA:DD:RE:SS It works. Mogens -- Mogens Kjaer, m...@lemo.dk http://www.lemo.dk ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
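The two ways of overriding a MAC mentioned above (ifconfig ... hw ether and MACADDR= in ifcfg-ethX) both accept whatever string you give them, so here is an added example, not from the thread, of the check a practitioner wants before writing one: the address must parse as six octets, must not have the I/G (multicast) bit set, since a multicast MAC can never be an interface's own address and the kernel refuses it, and the U/L bit tells you whether you are cloning a vendor address or inventing a locally administered one. The helper names, the interface name eth0 and the sample MACs are assumptions made for the example; the ip link form is the iproute2 equivalent of the ifconfig command quoted above.

```python
import re

_OCTET = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_mac(text: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff and return the six octets."""
    parts = re.split(r"[:-]", text.strip())
    if len(parts) != 6 or not all(_OCTET.match(p) for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def check_unicast_mac(text: str) -> dict:
    """Validate a MAC before it goes into a config file.

    Bit 0 of the first octet is the I/G bit: set means multicast, which is
    never valid as an interface address. Bit 1 is the U/L bit: set means
    locally administered rather than vendor assigned. An ISP that locks to
    the MAC it saw on your PC expects the vendor one, so U/L is reported,
    not enforced.
    """
    mac = parse_mac(text)
    if mac[0] & 0x01:
        raise ValueError("multicast bit set; cannot be an interface address")
    if mac == bytes(6):
        raise ValueError("all-zero MAC is not a valid address")
    return {
        "canonical": ":".join(f"{b:02x}" for b in mac),
        "locally_administered": bool(mac[0] & 0x02),
    }


def ifcfg_line(text: str) -> str:
    """Line for /etc/sysconfig/network-scripts/ifcfg-ethX.

    MACADDR= overrides the address the NIC uses; HWADDR= is different, it
    binds the config file to the NIC that has that burned-in address.
    """
    return f"MACADDR={check_unicast_mac(text)['canonical']}"


def ip_link_argv(ifname: str, text: str) -> list:
    """argv for the iproute2 equivalent of `ifconfig ethX hw ether ...`.

    Returned as a list (for subprocess.run) rather than a shell string so
    the MAC can never be interpreted by a shell. Some drivers only accept a
    new address while the link is down.
    """
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,15}", ifname):
        raise ValueError(f"bad interface name {ifname!r}")
    canonical = check_unicast_mac(text)["canonical"]
    return ["ip", "link", "set", "dev", ifname, "address", canonical]


if __name__ == "__main__":
    # Constructed sample values, not real hardware addresses.
    print(ifcfg_line("00-11-22-33-44-55"))
    print(" ".join(ip_link_argv("eth0", "02:00:00:00:00:01")))
```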
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
Can a machine with only an IPV6 address communicate with a machine that only has an IPV4 or are they separate? -- Sincerely, John Thomas ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 07/12/10 12:23, Mathieu Baudier wrote: b) Do I get charged by my ISP on a per-device basis? Heh, if they want to micromanage... This is no science fiction. Some big providers in some countries limit the number of devices that can connect to the internet. You have to register the MAC address of your single PC (which, by the way, is expected to run Windows or MacOS) For a lot of people, it is always possible to vote with your wallet. If a provider is too restrictive for you, choose another one. I pay my fees to the ISP I feel is worthy to have me as customer. So if they want my money, they must please me. But I am also willing to pay a bit more to a competitor who can fulfil my demands if my current provider does not deliver according to the agreement and my expectations. Of course this is not possible in places where there is only one option. But then try to approach, if possible, other ISPs anyway, to see what they can offer you. kind regards, David Sommerseth ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Mon, Dec 06, 2010 at 08:55:17PM -0500, Bob McConnell wrote: 3) When I connect my IPV6 refrigerator with its automatic inventory system tracking every RFID-enabled carrot I use, won't I be making my shopping habits visible to all those annoying advertisers? Or, in other words, am I compromising my privacy? Actually, although such dissemination of information can be blocked by a correctly designed firewall, I suspect the Free IPv6 DSL Modem and Router, Sponsored by your-favorite-commercial-site that comes with your ISP contract, would err on the side of promiscuity. Why yes, yes you are giving up some of your privacy. And unless you have the time and are willing and able to learn how to configure firewalls for each device and application you use, or have the money to pay someone else you trust to do it for you, there is very little to protect you from the rest of the world. That's at least overstated, and at worst complete FUD. Generic modems and routers will be configured as they are now - with stateful firewalls blocking all incoming traffic, except for streams initiated internally. Outgoing connections that would have worked before via NAT continue to work, but without NAT. Stateful firewalls are still stateful firewalls. Where are you giving up some of your privacy? The number of hosts on your internal network? So allocate 256 ips (or 65k, if you like) to every host and use a random ip from that set for every distinct service or outgoing connection. There _is_ more information leakage with ipv6, in the sense that you are using a real ip from an internal machine on the connection. But the point is that the security benefit of that is largely illusory, security by obscurity. Cheers, Gavin ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
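Gavin makes two concrete claims above: that a stateful firewall without NAT gives the same inbound protection people credit NAT with, and that the only extra leakage (which internal host opened a connection) can be blunted by using a random address out of a /64 per connection. The following is an added example, not code from the thread, that demonstrates both on constructed packets: a minimal connection-tracking filter for a border router that has no NAT, plus a generator for fresh interface identifiers inside a /64 that skips the identifiers RFC 4291 and RFC 2526 reserve for anycast. Prefixes are from the 2001:db8::/32 documentation range; class and function names are the example's own. In practice the per-host variant of this is what RFC 4941 privacy extensions do (on Linux, net.ipv6.conf.<iface>.use_tempaddr=2); the per-connection variant is the one Gavin describes.

```python
import ipaddress
import secrets
from dataclasses import dataclass

# Interface identifiers that must not be handed to a host: IID 0 is the
# subnet-router anycast address (RFC 4291); RFC 2526 reserves the top 128
# identifiers, with either value of the u/l bit, for subnet anycast.
_RESERVED_IIDS = (
    range(0, 1),
    range(0xFDFF_FFFF_FFFF_FF80, 0xFDFF_FFFF_FFFF_FFFF + 1),
    range(0xFFFF_FFFF_FFFF_FF80, 0xFFFF_FFFF_FFFF_FFFF + 1),
)


def random_address(subnet: str) -> str:
    """A fresh, unpredictable address inside a /64 for one outgoing flow.

    64 random bits make the address unguessable from the outside and make
    two flows from the same host unlinkable by address alone.
    """
    net = ipaddress.IPv6Network(subnet, strict=True)
    if net.prefixlen != 64:
        raise ValueError("interface identifiers are 64 bits; pass a /64")
    while True:
        iid = secrets.randbits(64)
        if not any(iid in r for r in _RESERVED_IIDS):
            return str(ipaddress.IPv6Address(int(net.network_address) | iid))


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Connection-tracking filter for a border router that does no NAT.

    Outbound flows from the inside prefix are recorded; an inbound packet is
    accepted only if it is the exact reverse of a recorded flow. Everything
    else arriving from outside is dropped. That is the whole of the inbound
    protection a NAT box gives, without rewriting any address.
    """

    def __init__(self, inside_prefix: str):
        self.inside = ipaddress.IPv6Network(inside_prefix, strict=True)
        self.flows = set()

    def outbound(self, pkt: Packet) -> bool:
        # Egress anti-spoofing: only our own prefix may leave through us.
        if ipaddress.IPv6Address(pkt.src) not in self.inside:
            return False
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        # Accept only replies to a flow we opened; unsolicited traffic is dropped.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


if __name__ == "__main__":
    # Constructed scenario: one home /48, one client on its second /64,
    # one remote server in another documentation prefix.
    fw = StatefulFilter("2001:db8:1::/48")
    client = random_address("2001:db8:1:2::/64")
    server = "2001:db8:ffff::1"
    print("client address for this flow:", client)
    print("outbound to server:", fw.outbound(Packet(client, 40000, server, 443)))
    print("reply from server:", fw.inbound(Packet(server, 443, client, 40000)))
    print("unsolicited SSH probe:", fw.inbound(Packet(server, 12345, client, 22)))
```

Note what the filter does not need: a translation table or a single external address. The flow table is keyed on the real inside address, which is the "information leakage" Gavin concedes, and the random address per flow is what limits its value to an observer.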
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 12/07/2010 06:56 AM, Luigi Rosa wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mathieu Baudier said the following on 07/12/10 12:23: Some big providers in some countries limit the number of device that can connect to internet. FastWeb does this in Italy. They configure their router (to which you do NOT have access) giving the LAN side a 192.168.x.x/24 but only the first 'n' IPs ('n' depends on how much you pay) of the subnet are NATted. That is easily defeated by putting a Linux box behind the provided router to do natting. Ciao, luigi - -- / +--[Luigi Rosa]-- \ Biggest Black Hole ever Found in Nearby Galaxy. EVERYBODY PAN..IC --fark.com -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkz+IPkACgkQ3kWu7Tfl6ZTJkgCgk5Ze9QBWePuH0IHkFcIp/drk ve8An1LO9CW88BE2+lH+U598H1OZunDt =hWDc -END PGP SIGNATURE- ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos -- Stephen Clark *NetWolves* Sr. Software Engineer III Phone: 813-579-3200 Fax: 813-882-0209 Email: steve.cl...@netwolves.com http://www.netwolves.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 12/07/2010 05:13 AM, David Sommerseth wrote: On 07/12/10 02:26, Les Mikesell wrote: On 12/6/10 6:27 PM, Brian Mathis wrote: You are enjoying a side-effect of NAT by thinking it is a firewall. The other nice side-effect of NAT is that you get an effectively infinite number of addresses behind it without any pre-arrangement with anyone else. Even if ISPs hand out what they expect to be reasonably-sized blocks, won't it be much harder to deal with when you outgrow your allotment? We've had the opportunity to move to ipv6 for ages but we haven't (in the US, anyway). I think the reason is that most people like the way NAT works and don't really want a public address on every device. So you are afraid of outgrowing an assigned /48 net? Let's do some math here ... and I hope I get it right ... IPv4: aa:bb:cc:dd that's 32 bit IPv6: :::: this is 48 bits out of 128 bits In the IPv6 scenario, you have been assigned '::::' as your IPv6 prefix by your ISP. So that means that you have 128-48 bits available for your own addressing scheme. That is 80 bits you have absolutely full control over. Of course, it's recommended to have subnets no smaller than 64 bits. So that makes it: IPv6 /64 subnets: ::::: That means you have 16 bits for subnets. 2^16 = 65536 subnets, each with 64-bit addressing. And if my math doesn't fail me now, a 64-bit addressing scheme is doubling the IPv4 address scope 32 times. What I mean is that from 32 bit to 33 bit, you have 2 * the 32-bit addressing scope. From 32 to 34, you have 4 * the 32-bit addressing scope. For each bit you add, you double what you had. It is simply insanely many addresses. And if you fear that ISPs or IANA might run out of address space: remember that they have 48 bits to play with, which is the IPv4 address scope doubled 16 times. Of course some ISPs will probably just hand out /64 networks to most of their customers (most probably to home users). But that's another story.
And a /64 network is possible but not so easy to subnet further, and is also not recommended. ISP's are supposed to hand out /48's so you can move to a new ISP without having to disrupt your internal addressing. kind regards, David Sommerseth ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos -- Stephen Clark *NetWolves* Sr. Software Engineer III Phone: 813-579-3200 Fax: 813-882-0209 Email: steve.cl...@netwolves.com http://www.netwolves.com ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 07/12/10 13:22, John Thomas wrote: Can a machine with only an IPV6 address communicate with a machine that only has an IPV4 or are they separate? They are separate. It's two different protocols, even though they are similar in many aspects. There are some projects trying to bridge that for single-stack IPv6 networks. But I've concluded running dual-stack with both IPv4 and IPv6 is less error prone, as such proxy solutions will not always work 100% perfectly. The IPv4 addresses need to be translated into IPv6 addresses by a local DNS service, and the proxy needs IPv4 access anyway to reach the IPv4 host. David S. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Mon, 2010-12-06 at 19:26 -0600, Les Mikesell wrote: On 12/6/10 6:27 PM, Brian Mathis wrote: You are enjoying a side-effect of NAT by thinking it is a firewall. The other nice side-effect of NAT is that you get an effectively infinite number of addresses behind it without any pre-arrangement with anyone else. Even if ISPs hand out what they expect to be reasonably-sized blocks, won't it be much harder to deal with when you outgrow your allotment? We've had the opportunity to move to ipv6 for ages but we haven't (in the US, anyway). I think the reason is that most people like the way NAT works and don't really want a public address on every device. Bogus. The reason is that they haven't been pressured into adoption by higher powers; so we will get into a nice scramble to migrate in a pinch. Most people have no idea what NAT is, don't care, and shouldn't have to care. Some people's belief that NAT is some magic sauce that makes them more secure [it does not] or provides them more flexibility [it does not] than real addresses ... causes the people who understand networking to have to spend time explaining that their love of NAT is misguided and their beliefs about NAT are bogus. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
3) When I connect my IPV6 refrigerator with its automatic inventory system tracking every RFID-enabled carrot I use, won't I be making my shopping habits visible to all those annoying advertisers? Or, in other words, am I compromising my privacy? Actually, although such dissemination of information can be blocked by a correctly designed firewall, I suspect the Free IPv6 DSL Modem and Router, Sponsored by your-favorite-commercial-site that comes with your ISP contract, would err on the side of promiscuity Set your refrigerator to fe80:0001:: and it's now only accessible on the local subnet. Quoting http://www.litech.org/~jeff/private/ipv6primer/html/ Two prefixes are set aside for link-local and site-local addresses. site-local addresses are officially deprecated. If you want a device to only be available locally - block the traffic to/from that device. Or block it from acquiring a public address and leave it as link-local only [most people will, I think, just choose the first option - like they do now when they want to block a device]. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Mon, 2010-12-06 at 20:55 -0500, Bob McConnell wrote: David wrote: Folks I have been following the IPV6 comments. What concerns me with the loss of NAT are the following issues 3) When I connect my IPV6 refrigerator with its automatic inventory system tracking every RFID-enabled carrot I use, won't I be making my shopping habits visible to all those annoying advertisers? Or, in other words, am I compromising my privacy? Actually, although such dissemination of information can be blocked by a correctly designed firewall, I suspect the Free IPv6 DSL Modem and Router, Sponsored by your-favorite-commercial-site that comes with your ISP contract, would err on the side of promiscuity. Why yes, yes you are giving up some of your privacy. And unless you have the time and are willing and able to learn how to configure firewalls for each device and application you use, or have the money to pay someone else you trust to do it for you, there is very little to protect you from the rest of the world. I just finished reviewing my firewall logs for last week. There are 127MiB with ipmon reports of rejected connection attempts. That's actually on the low side for any seven day period. I have some weeks that are half again that much. Somebody out there is pounding on that firewall pretty hard, trying to break in. I'm certain they don't have my best interests at heart. Most of the ports attacked are linked to well known services and worms on one particular OS, which I don't happen to have running on my network. But this log tells me that it is important to make it as difficult as possible for whomever is knocking on the door. I don't see that IPv6 helps improve that protection. In fact, it appears to eliminate some of the protection I have now. It does *NOT* help with that situation; nobody credible says it does. It also does *NOT* eliminate some of the protection I have now. You apparently *believe* that NAT is about protection You are wrong. 
NAT [at best, and not really] adds obfuscation to the source / destination. Obfuscation is not security. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
Adam Tauno Williams wrote: On Mon, 2010-12-06 at 17:15 -0500, Bob McConnell wrote: So, spending one or two or 100s /64 subnets with public IPv6 addresses which is completely blocked in a firewall will serve exactly the same purpose as a site-local subnet. But this /64 net may get access to the Internet *if* allowed by the firewall. This is not possible with site-local at all. And of course, this is without NAT in addition. I hope this made it a little bit clearer. Clear as mud. If I understand you correctly, I have to say that IPv6 is broken by design. It isn't. I have a double handful of computers on my home network. Each of them needs access to the Internet to get updates to the OS and various applications. However, I do *NOT* want each and every one of them to show up as a unique address outside of my network. Why? Things will only work better. NAT is not some magic sauce, it is a *HACK*. With IP4 and m0n0wall running as the NAT, they are all translated to the single IP address that Roadrunner assigned to my Firewall. I need to continue that mapping. Why? There is no reason. You are wrong, you do *NOT* need to continue that mapping. That mapping is pointless. No, it is not pointless. The first step in attacking any computer is finding the IP address. If that address is broadcast outside the firewall every time it talks to another computer, that step is simple. If it is hidden behind a firewall that does NAT, it becomes harder to find and that first step becomes much more difficult. Currently, the only IP address transmitted outside my firewall is the one assigned to that firewall by the Roadrunner DHCP server. None of the addresses inside are exposed. That is a level of protection I am not prepared to give up. I don't care how much you evangelists blab about the new improved sauce, I still see it as a solution in search of a problem. As far as I am concerned, NAT already solved the address space problem. 
Bob McConnell N2SPP ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tuesday, December 07, 2010 05:29:09 am Adam Tauno Williams wrote: On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote: No, the downside is that each address used will be exposed to the world. False. That is *NOT* a downside. In your opinion. Others hold a different opinion. While security through obscurity doesn't help in many circumstances, there are physical security controls that absolutely depend upon it, and work. Physical lock and key, for one (the pinning must be kept obscure). Physical combination locks, for another; they depend upon keeping the gates in the wheels obscure. For that matter, any security that depends on any 'secret' is in essence a security through obscurity technique. Port knocking is a security through obscurity technique (which works quite well). And a NAT66 will be implemented, and people *will* NAT66 their self-assigned ULA addresses (which, unlike PA /48's, are portable; the alternative is all end users wanting portability getting PI /48's, and the router ops are getting themselves in a knot thinking about the route table bloat that will cause) to whatever the PA du jour is. This *will* happen, and no amount of wishful thinking by transparent-Internet-ideologues is going to change it, since this is and will be the market demand. Whether you and I like it or not, this is the direction things are going; we might as well get used to it. You can read the NAT66 draft standard yourself at (one mirror) http://mirror.switch.ch/ftp/mirror/internet-drafts/draft-mrw-nat66-00.txt ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
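The NAT66 draft linked above (later published as RFC 6296, NPTv6) is not the port-overloading NAT of IPv4: it is a stateless, one-to-one prefix swap between a ULA /48 inside and the provider-assigned /48 outside, designed so that the swap is checksum-neutral and the translator never has to rewrite TCP, UDP or ICMPv6 checksums. The following is an added example of that idea, written for this page and not the draft's or any vendor's code: the difference between the one's complement sums of the two prefixes is folded back into the subnet word (bits 48..63), so the one's complement sum over the whole address, and therefore the transport pseudo-header checksum, is unchanged. The prefixes are constructed documentation values, the class and function names are the example's own, and the specification's handling of reserved values is reduced here to refusing subnet word 0xFFFF, which cannot be mapped unambiguously.

```python
import ipaddress

MOD = 0xFFFF  # 16-bit one's complement arithmetic is arithmetic modulo 0xFFFF


def _words(addr: ipaddress.IPv6Address) -> list:
    """The eight 16-bit words of an address, most significant first."""
    raw = int(addr)
    return [(raw >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def ones_complement_sum(words) -> int:
    """16-bit one's complement sum with end-around carry, 0xFFFF folded to 0."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)
    return total % MOD


def address_checksum(addr: str) -> int:
    """The contribution an address makes to a transport pseudo-header checksum."""
    return ones_complement_sum(_words(ipaddress.IPv6Address(addr)))


class PrefixTranslator:
    """Checksum-neutral /48 <-> /48 prefix translation (the NPTv6 idea).

    Swapping the top 48 bits changes the address's one's complement sum by
    (sum(outside) - sum(inside)). Adding (sum(inside) - sum(outside)) to
    the subnet word cancels that exactly, so every TCP/UDP/ICMPv6 checksum
    computed over the pseudo-header remains valid without being touched.
    Stateless: the same arithmetic maps each direction independently.
    """

    def __init__(self, inside: str, outside: str):
        self.inside = ipaddress.IPv6Network(inside, strict=True)
        self.outside = ipaddress.IPv6Network(outside, strict=True)
        if self.inside.prefixlen != 48 or self.outside.prefixlen != 48:
            raise ValueError("this illustration handles /48 prefixes only")
        s_in = ones_complement_sum(_words(self.inside.network_address)[:3])
        s_out = ones_complement_sum(_words(self.outside.network_address)[:3])
        self.delta = (s_in - s_out) % MOD

    def _rewrite(self, addr: str, src_net, dst_net, delta: int) -> str:
        a = ipaddress.IPv6Address(addr)
        if a not in src_net:
            raise ValueError(f"{addr} is not inside {src_net}")
        w = _words(a)
        if w[3] == 0xFFFF:
            # 0xFFFF and 0x0000 are the same value in one's complement, so a
            # subnet word of 0xFFFF cannot be mapped back unambiguously;
            # refuse it rather than mistranslate.
            raise ValueError("subnet word 0xFFFF cannot be translated")
        w[3] = (w[3] + delta) % MOD
        w[:3] = _words(dst_net.network_address)[:3]
        raw = 0
        for word in w:
            raw = (raw << 16) | word
        return str(ipaddress.IPv6Address(raw))

    def to_outside(self, addr: str) -> str:
        return self._rewrite(addr, self.inside, self.outside, self.delta)

    def to_inside(self, addr: str) -> str:
        return self._rewrite(addr, self.outside, self.inside, (-self.delta) % MOD)


if __name__ == "__main__":
    # Constructed: a ULA /48 inside, a documentation /48 as the "PA du jour".
    t = PrefixTranslator("fd01:203:405::/48", "2001:db8:1::/48")
    inner = "fd01:203:405:1::10"
    outer = t.to_outside(inner)
    print(inner, "->", outer, "->", t.to_inside(outer))
    print("checksum contribution unchanged:",
          address_checksum(inner) == address_checksum(outer))
```

Note what this does and does not give you: renumbering independence from the provider, as the post argues, but no hiding of hosts (the mapping is one-to-one and reversible by anyone who knows both prefixes) and no filtering, so the stateful firewall is still doing all of the security work.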
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, Dec 7, 2010 at 6:23 AM, Mathieu Baudier mbaud...@argeo.org wrote: b) Do I get charged by my ISP on a per-device basis? This is no science fiction. Some big providers in some countries limit the number of device that can connect to internet. You have to register the MAC address of your single PC (which, by the way, is expected to run Windows or MacOS) In that case, a NAT router sending the MAC address expected by the provider could have (maybe, possibly...) been very handy. (I won't tell more, even though I have left the country and the provider in question) I've had such a provider. This is why you can assign a MAC address to a dsl router's WAN interface. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
Adam Tauno Williams wrote: On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote: IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect was hiding the internal IPv4 address, which complicates a number of protocols like FTP and SIP. The only downside I see is ISPs could try and charge based on the number of IPv6 addresses being used. No, the downside is that each address used will be exposed to the world. False. That is *NOT* a downside. NAT is *NOT* a magic sauce - install a firewall [which you probably already have]. Problem solved. I consider that a serious security flaw. It is not. Having my ISP know how many computers I have is a minor issue covered by the contract I have with them. So you want to cheap on the legal contract you agreed to? No, if they want too much money before I can install additional computers, I have several other choices, some of which will likely be less expensive. Currently, their TOS is not an issue. But having all of those addresses exposed to Russian mobsters, terrorists, crackers and everyone else that knows how to capture packets is another matter altogether. If IPv6 exposes that information to the world, it is definitely unsafe to use. The Russian mobsters can already do that; if you think NAT is protecting you from that then you are mistaken. NAT hides the IP addresses of the computers inside my firewall. The only address exposed is the temporary address assigned to the firewall itself. That box can be run on the most secure OS I can find (currently one of the BSD's), and allows me to operate other systems behind it that aren't as well protected. This makes it significantly more difficult for those mobsters to penetrate my network. Not allowing the most popular OS on the network at all is another layer of protection. Keeping everything up to date is another. It is a well known and established process to keep my computers secure. 
But now you are taking away one of those layers without providing anything of equal strength to replace it. I fail to see how that is an improvement. However, it appears some of you are actually evangelists in disguise, and refuse to acknowledge any real concerns about this change. So it becomes pointless to continue the discussion. Bob McConnell N2SPP
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, Dec 7, 2010 at 10:29 AM, Bob McConnell rmcco...@lightlink.com wrote: Adam Tauno Williams wrote: On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote: IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect was hiding the internal IPv4 address, which complicates a number of protocols like FTP and SIP. The only downside I see is ISPs could try and charge based on the number of IPv6 addresses being used. No, the downside is that each address used will be exposed to the world. False. That is *NOT* a downside. NAT is *NOT* a magic sauce - install a firewall [which you probably already have]. Problem solved. I consider that a serious security flaw. It is not. Having my ISP know how many computers I have is a minor issue covered by the contract I have with them. So you want to cheap on the legal contract you agreed to? No, if they want too much money before I can install additional computers, I have several other choices, some of which will likely be less expensive. Currently, their TOS is not an issue. But having all of those addresses exposed to Russian mobsters, terrorists, crackers and everyone else that knows how to capture packets is another matter altogether. If IPv6 exposes that information to the world, it is definitely unsafe to use. The Russian mobsters can already do that; if you think NAT is protecting you from that then you are mistaken. NAT hides the IP addresses of the computers inside my firewall. The only address exposed is the temporary address assigned to the firewall itself. That box can be run on the most secure OS I can find (currently one of the BSD's), and allows me to operate other systems behind it that aren't as well protected. This makes it significantly more difficult for those mobsters to penetrate my network. Is 172.16.10.72 a private address of yours or of your ISP?
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
Lamar Owen wrote: On Tuesday, December 07, 2010 05:29:09 am Adam Tauno Williams wrote: On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote: No, the downside is that each address used will be exposed to the world. False. That is *NOT* a downside. In your opinion. Others hold a different opinion. While security through obscurity doesn't help in many circumstances, there are physical security controls that absolutely depend upon it, and work. Physical lock and key, for one (the pinning must be kept obscure). Physical combination locks, for another; they depend upon keeping the gates in the wheels obscure. For that matter, any security that depends on any 'secret' is in essence a security through obscurity technique. Port knocking is a security through obscurity technique (which works quite well). snip Sorry, let me jump in here: how is a hidden IP address, whether it's 10.x or 192.168.x, obscurity? Rather, AFAIK, trying to get there from outside, they are unreachable, because the addresses are not valid on the 'Net itself. mark
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, 2010-12-07 at 10:11 -0500, Lamar Owen wrote: On Tuesday, December 07, 2010 05:29:09 am Adam Tauno Williams wrote: On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote: No, the downside is that each address used will be exposed to the world. False. That is *NOT* a downside. In your opinion. Others hold a different opinion. Others are wrong. Check the RFCs and other papers. While security through obscurity doesn't help in many circumstances, there are physical security controls that absolutely depend upon it, and work. False analogy. And a NAT66 will be implemented, and people *will* NAT66 their self-assigned ULA addresses (which, unlike PA /48's are portable; the alternative is all end users wanting portability getting PI /48's, and the router ops are getting themselves in a knot thinking about the route table bloat that will cause) to whatever the PA du jour is. But it isn't NAT. Not like IPv4 NAT, so this doesn't do much to the argument in defense of IPv4-style NAT. IPv6 routing tables are significantly smaller - which is a large advantage to IPv6. This *will* happen, and no amount of wishful thinking by transparent-Internet-ideologues is going to change it, since this is and will be the market demand. Whether you and I like it or not, this is the direction things are going; we might as well get used to it. You can read the NAT66 draft standard yourself at (one mirror) http://mirror.switch.ch/ftp/mirror/internet-drafts/draft-mrw-nat66-00.txt I'm certain some people will use it, and that there are legitimate uses. But it doesn't, and won't, serve the same purpose as NAT does in IPv4.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tuesday, December 07, 2010 10:32:32 am Tom H wrote: Is 172.16.10.72 a private address of yours or of your ISP? More to the point; do you have a route to his address? Blackhole routing makes the best firewall in the world; you can't even attempt to hack an address to which your autonomous system (or your provider's autonomous system) has no route in the BGP routing tables. You can't even reproducibly DoS his address, since he can probably acquire another inside global one fairly easily through DHCP.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, 2010-12-07 at 10:32 -0500, Tom H wrote: On Tue, Dec 7, 2010 at 10:29 AM, Bob McConnell rmcco...@lightlink.com wrote: Adam Tauno Williams wrote: On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote: IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect was hiding the internal IPv4 address, which complicates a number of protocols like FTP and SIP. The only downside I see is ISPs could try and charge based on the number of IPv6 addresses being used. No, the downside is that each address used will be exposed to the world. False. That is *NOT* a downside. NAT is *NOT* a magic sauce - install a firewall [which you probably already have]. Problem solved. I consider that a serious security flaw. It is not. Having my ISP know how many computers I have is a minor issue covered by the contract I have with them. So you want to cheap on the legal contract you agreed to? No, if they want too much money before I can install additional computers, I have several other choices, some of which will likely be less expensive. Currently, their TOS is not an issue But having all of those addresses exposed to Russian mobsters, terrorists, crackers and everyone else that knows how to capture packets is another matter altogether. If IPv6 exposes that information to the world, it is definitely unsafe to use. The Russian mobsters can already do that; if you think NAT is protecting you from that then you are mistaken. NAT hides the IP addresses of the computers inside my firewall. The only address exposed is the temporary address assigned to the firewall itself. That box can be run on the most secure OS I can find (currently one of the BSD's), and allows me to operate other systems behind it that aren't as well protected. This makes it significantly more difficult for those mobsters to penetrate my network. Is 172.16.10.72 a private address of yours or of your ISP? +1 NAT isn't doing what Bob McConnell thinks it is. 
Any Russian mobster can afford to hire a halfway decent hacker who will only laugh at the obfuscation added by NAT. Determining how many computers, and quite a bit of detail about them, are behind a NAT is not hard. You just watch the traffic and these things reveal themselves. Your traffic can be compromised just as easily with or without NAT. Very few actually useful attacks on a host require direct access to the interface; stateful firewalls made such vectors pretty useless a long time ago.
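The claim above, that you can count the machines behind a NAT just by watching its traffic, has a well-known concrete form: Bellovin's IP ID technique ("A Technique for Counting NATted Hosts", 2002). Stacks of that era used a single per-host counter for the IPv4 Identification field, and a NAT rewrites the source address but not the IP ID, so every inside host leaves its own near-consecutive run of IDs interleaved with the others. The following is an added example, not code from the thread; the capture it analyses is constructed inline (three hosts, one of which wraps its counter at 65535), the gap and idle thresholds are assumed values, and the technique is dated because modern stacks randomise or per-destination the IP ID (RFC 6864 relaxed the uniqueness requirement), which is itself the point: the "hiding" NAT provides depends on incidental stack behaviour, not on the address rewrite.

```python
"""Estimate how many hosts share one NAT address from the IPv4 ID field.
Added example (Bellovin-style IP ID clustering); sample traffic is constructed."""

from collections import Counter, namedtuple

# One packet as seen on the outside of the NAT: timestamp, source port,
# IPv4 Identification field, and the TTL after the NAT hop decremented it.
Packet = namedtuple("Packet", "ts src_port ip_id ttl")


def count_nat_hosts(packets, max_gap=50, max_idle=30.0):
    """Group packets into IP ID 'strings', one per inferred host.

    A packet extends the live string whose last ID is closest below its own
    ID (modulo 65536, so a counter wrapping at 65535 stays one string);
    if no string is within max_gap, it starts a new one.  Returns the list
    of ID sequences in first-seen order; len() of it is the host estimate."""
    strings = []                       # each: dict(last_id, last_ts, ids)
    for pkt in sorted(packets, key=lambda p: p.ts):
        best, best_delta = None, None
        for s in strings:
            if pkt.ts - s["last_ts"] > max_idle:
                continue               # stale string: do not extend it
            delta = (pkt.ip_id - s["last_id"]) % 65536
            if 0 < delta <= max_gap and (best is None or delta < best_delta):
                best, best_delta = s, delta
        if best is None:
            best = {"last_id": None, "last_ts": pkt.ts, "ids": []}
            strings.append(best)
        best["ids"].append(pkt.ip_id)
        best["last_id"] = pkt.ip_id
        best["last_ts"] = pkt.ts
    return [s["ids"] for s in strings]


def ttl_profile(packets):
    """Count observed TTLs.  Distinct values behind one NAT hint at distinct
    OS families (initial TTL 64 vs 128, each decremented once by the NAT)."""
    return dict(Counter(p.ttl for p in packets))


def build_sample_capture():
    """Constructed sample: three inside hosts, packets interleaved in time.
    Host A counts from 1000 (TTL 127, i.e. 128 - 1), host B counts by two
    from 40000 (TTL 63), host C starts at 65530 so its counter wraps."""
    pkts, t = [], 0.0
    for i in range(8):
        pkts.append(Packet(t,       50000 + i, (1000 + i) % 65536, 127))
        pkts.append(Packet(t + 0.1, 51000 + i, (40000 + 2 * i) % 65536, 63))
        pkts.append(Packet(t + 0.2, 52000 + i, (65530 + i) % 65536, 63))
        t += 1.0
    return pkts


if __name__ == "__main__":
    cap = build_sample_capture()
    for n, ids in enumerate(count_nat_hosts(cap), 1):
        print(f"host {n}: {len(ids)} packets, IP IDs {ids[0]}..{ids[-1]}")
    print("TTL profile:", ttl_profile(cap))
```

Against a real capture you would feed it the (timestamp, sport, id, ttl) tuples of packets whose source is the NAT's public address; the idle threshold keeps a host that went quiet from absorbing a newcomer's IDs, and the modular delta is what keeps a wrapping counter from being counted as a fresh machine.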
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
Gavin Carr wrote: On Mon, Dec 06, 2010 at 08:55:17PM -0500, Bob McConnell wrote: 3) When I connect my IPV6 refrigerator with its automatic inventory system tracking every RFID-enabled carrot I use, won't I be making my shopping habits visible to all those annoying advertisers? Or, in other words, am I compromising my privacy? Actually, although such dissemination of information can be blocked by a correctly designed firewall, I suspect the Free IPv6 DSL Modem and Router, Sponsored by your-favorite-commercial-site that comes with your ISP contract, would err on the side of promiscuity. Why yes, yes you are giving up some of your privacy. And unless you have the time and are willing and able to learn how to configure firewalls for each device and application you use, or have the money to pay someone else you trust to do it for you, there is very little to protect you from the rest of the world. That's at least overstated, and at worst complete FUD. Generic modems and routers will be configured as they are now - with stateful firewalls blocking all incoming traffic, except for streams initiated internally. Outgoing connections that would have worked before via NAT continue to work, but without NAT. Stateful firewalls are still stateful firewalls. Where are you giving up some of your privacy? The number of hosts on your internal network? So allocate 256 ips (or 65k, if you like) to every host and use a random ip from that set for every distinct service or outgoing connection. There _is_ more information leakage with ipv6, in the sense that you are using a real ip from an internal machine on the connection. But the point is that the security benefit of that is largely illusory, security by obscurity. No, it is not FUD, it is a real concern by people with much to lose. Those of you evangelizing this new, and still unproven technology can't seem to recognize this simple fact. I consider that information leakage to be very significant. 
It advertises the presence of another computer with explicit information on where to reach it. Regardless of the firewall, none of which are perfect, this increases the exposure of my systems in an adverse fashion. It increases my risk of being penetrated by someone I probably don't want rummaging around in my files. But I don't see any additional protection being offered to replace what is being taken away. Bob McConnell N2SPP
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 12/7/10 9:07 AM, Adam Tauno Williams wrote: site-local addresses are officially deprecated. If you want a device to only be available locally - block the traffic to/from that device. So security will depend on every connection owner having a high level of knowledge about ipv6 internals? Is this being designed by people planning careers as consultants? -- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, 2010-12-07 at 10:49 -0500, Bob McConnell wrote: There _is_ more information leakage with ipv6, in the sense that you are using a real ip from an internal machine on the connection. But the point is that the security benefit of that is largely illusory, security by obscurity. No, it is not FUD, It is FUD. it is a real concern by people with much to lose. Those of you evangelizing this new, and still unproven technology can't seem to recognize this simple fact. Calling IPv6 unproved is absurd. It is widely deployed and used extensively. Security is/was taken very seriously in the design. I consider that information leakage to be very significant. You have a huge address pool - periodically change your address if you feel that is significant. That certainly adds more obfuscation than IPv4 NAT ever did. It advertises the presence of another computer with explicit information on where to reach it. You already do that with every e-mail message and HTTP request. Do you obscure the User-Agent string in all your traffic? (You're not using Thunderbird 2.0.0.24 in X-Windows?) Because that information is just as [if not more] valuable to a potential attacker than your firewalled address. It increases my risk of being penetrated by someone I probably don't want rummaging around in my files. But I don't see any additional protection being offered to replace what is being taken away. You are on a network - you can always disconnect the drive. If you really feel *NAT* is really that critical to hiding your data this seems a very reasonable option. Because NAT is providing only an extremely trivial additive to security you feel you need.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, 2010-12-07 at 10:01 -0600, Les Mikesell wrote: On 12/7/10 9:07 AM, Adam Tauno Williams wrote: site-local addresses are officially deprecated. If you want a device to only be available locally - block the traffic to/from that device. So security will depend on every connection owner having a high level of knowledge about ipv6 internals? Yes. Exactly like IPv4! (given that network security professionals have existed for a long time) Install a stateful firewall just like with IPv4! Stateful firewalls being things created by people having a high level of knowledge about ... internals. Problem solved [for 99.44% of the population], just like IPv4! And to add a nice sprinkling of obscurity - every time your computer reboots [or interface resets] it generates a different [random] IPv6 address within your *HUGE* subnet.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 12/7/10 9:04 AM, Adam Tauno Williams wrote: The other nice side-effect of NAT is that you get an effectively infinite number of addresses behind it without any pre-arrangement with anyone else. Even if ISPs hand out what they expect to reasonably-sized blocks, won't it be much harder to deal with when you outgrow your allotment? We've had the opportunity to move to ipv6 for ages but we haven't (in the US, anyway). I think the reason is that most people like the way NAT works and don't really want a public address on every device. Bogus. The reason is that they haven't been pressured into adoption by higher powers; so we will get into a nice scramble to migrate in a pinch. Agreed, but the reason that hasn't happened is that there's no visible benefit to the consumer. most people have no idea what NAT is, don't care, and shouldn't have to care. Agreed again, but the reason is that the vast majority only want outbound client connections and they would be perfectly happy if application protocols adapted to client registration to some central registry for portability instead of ever assuming that a person or associated application had anything to do with any particular device or fixed address. Compare the number of people who use an IM/chat application to the number who have directly reachable SIP endpoints without a forwarding service, for example. There are good reasons for that. Some people's belief that NAT is some magic sauce that makes them more secure [it does not] or provides them more flexibility [it does not] than real addresses ... causes the people who understand networking to have to spend time explaining that their love of NAT is misguided and their beliefs about NAT are bogus. If the ipv6 routers come with defaults that work the same as current NAT routers, people will be able to continue to misunderstand them happily. 
That is, permit outbound client connections from anything connected behind them without much regard to how many devices there are, and block everything else. -- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, 2010-12-07 at 10:16 -0600, Les Mikesell wrote: On 12/7/10 9:04 AM, Adam Tauno Williams wrote: Some people's belief that NAT is some magic sauce that makes them more secure [it does not] or provides them more flexibility [it does not] than real addresses ... causes the people who understand networking to have to spend time explaining that their love of NAT is misguided and their beliefs about NAT are bogus. If the ipv6 routers come with defaults that work the same as current NAT routers, people will be able to continue to misunderstand them happily. That is, permit outbound client connections from anything connected behind them without much regard to how many devices there are, and block everything else. And doesn't that sound like you just described a firewall? permit outbound client connections from anything connected behind them without much regard to how many devices there are, and block everything else isn't NAT. That's a router/firewall. Happily IPv6 does that exactly.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, Dec 7, 2010 at 11:18 AM, Brunner, Brian T. bbrun...@gai-tronics.com wrote: Trim your quotes. LOL I was in a hurry... I think that this applies to all in this thread so I hope that you've emailed everyone else... Also, please keep your commands on-list; I only caught your email because it was at the top of my spam directory when I was emptying it.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, Dec 7, 2010 at 10:43 AM, Lamar Owen lo...@pari.edu wrote: On Tuesday, December 07, 2010 10:32:32 am Tom H wrote: Is 172.16.10.72 a private address of yours or of your ISP? More to the point; do you have a route to his address? I have a route to his dsl router, which, assuming that the ipv4 and ipv6 firewalls are as good at allowing/disallowing access, makes his current ipv4 and his future ipv6 addresses equally accessible.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
LOL twice, I'll top-post! (I hate M$ Office, but I'm stuck with it) I didn't want my whining (not commanding) archived for-frigging-ever, so I sent it direct. TBH I ran out of steam/indignation/angst after a few of the over-quoter under-trimmers, so I didn't get all. -Original Message- From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Tom H Sent: Tuesday, December 07, 2010 11:34 AM To: CentOS mailing list Subject: Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6? On Tue, Dec 7, 2010 at 11:18 AM, Brunner, Brian T. bbrun...@gai-tronics.com wrote: Trim your quotes. LOL I was in a hurry... I think that this applies to all in this thread so I hope that you've emailed everyone else... Also, please keep your commands on-list; I only caught your email because it was at the top of my spam directory when I was emptying it.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 12/7/10 10:20 AM, Adam Tauno Williams wrote: Some people's belief that NAT is some magic sauce that makes them more secure [it does not] or provides them more flexibility [it does not] than real addresses ... causes the people who understand networking to have to spend time explaining that their love of NAT is misguided and their beliefs about NAT are bogus. If the ipv6 routers come with defaults that work the same as current NAT routers, people will be able to continue to misunderstand them happily. That is, permit outbound client connections from anything connected behind them without much regard to how many devices there are, and block everything else. And doesn't that sound like you just described a firewall? It sounds like a complex setup for a firewall with dynamic entries to temporarily pass tcp and udp with different timeouts, where 1-many NAT doesn't have any other choice. If you don't send outbound you don't get the nat table entry to forward anything back through it. permit outbound client connections from anything connected behind them without much regard to how many devices there are, and block everything else isn't NAT. That's a router/firewall. Happily IPv6 does that exactly. You didn't mention the number of devices - how does that play out when you exceed the number initially set up? -- Les Mikesell lesmikes...@gmail.com
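The policy Adam describes ("permit outbound client connections ... block everything else") and Les's observation that a 1:many NAT only forwards a reply because an earlier outbound packet created a table entry are the same mechanism viewed from two sides. The added model below, which is not code from the thread, makes that explicit: one flow table, keyed on the 5-tuple and expired on a per-protocol timer, is consulted for every inbound packet; configuring an external address turns the same table into a NAT binding table, and the accept/drop decisions do not change. All addresses are documentation ranges, the TCP and UDP timeouts are assumed values, and the NAT keeps the inside source port unchanged, a simplification of real port allocation.

```python
"""Stateful edge filter with optional NAT44 rewrite.  Added example; the
flows and timeouts below are constructed, not taken from any real device."""

import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport syn")

# Assumed idle timeouts per protocol, in seconds (real conntrack values differ).
TIMEOUTS = {"tcp": 3600.0, "udp": 30.0}


class StatefulEdge:
    """Allow flows initiated from inside_nets; drop unsolicited inbound.
    With external_addr set, the same state table drives NAT44 rewriting."""

    def __init__(self, inside_nets, external_addr=None):
        self.inside = [ipaddress.ip_network(n) for n in inside_nets]
        self.ext = ipaddress.ip_address(external_addr) if external_addr else None
        self.flows = {}          # (proto, in_src, in_sport, dst, dport) -> expiry

    def _is_inside(self, addr):
        a = ipaddress.ip_address(addr)
        return any(a in n for n in self.inside)

    def _expire(self, now):
        for key in [k for k, exp in self.flows.items() if exp < now]:
            del self.flows[key]

    def outbound(self, pkt, now):
        """Inside -> outside: record state (no limit on how many inside hosts
        do this) and return the packet as it appears on the wire."""
        if not self._is_inside(pkt.src):
            raise ValueError("outbound() expects an inside source")
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        self.flows[key] = now + TIMEOUTS[pkt.proto]
        if self.ext is not None:
            return pkt._replace(src=str(self.ext))   # NAT44: rewrite source only
        return pkt

    def inbound(self, pkt, now):
        """Outside -> inside: ACCEPT only if a live flow matches the reverse
        tuple.  Returns (verdict, packet as delivered inside or None)."""
        self._expire(now)
        for key, _ in self.flows.items():
            proto, in_src, in_sport, dst, dport = key
            wire_dst = str(self.ext) if self.ext is not None else in_src
            if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) == \
                    (proto, dst, dport, wire_dst, in_sport):
                self.flows[key] = now + TIMEOUTS[proto]   # refresh on traffic
                return "ACCEPT", pkt._replace(dst=in_src)  # un-NAT if needed
        return "DROP", None


def demo():
    """Same scenarios against an IPv4 NAT edge and an IPv6 routed edge."""
    v4 = StatefulEdge(["192.168.1.0/24"], external_addr="203.0.113.5")
    v6 = StatefulEdge(["2001:db8:1::/64"])
    r = {}
    # 1. Unsolicited SYN to port 22: dropped by both, no state exists.
    r["v4_unsolicited"] = v4.inbound(Packet("tcp", "198.51.100.9", 40000, "203.0.113.5", 22, True), 0.0)[0]
    r["v6_unsolicited"] = v6.inbound(Packet("tcp", "2001:db8:ffff::9", 40000, "2001:db8:1::10", 22, True), 0.0)[0]
    # 2. Inside host connects out; the reply matches state on both.
    v4.outbound(Packet("tcp", "192.168.1.10", 50000, "198.51.100.9", 443, True), 0.0)
    v6.outbound(Packet("tcp", "2001:db8:1::10", 50000, "2001:db8:ffff::9", 443, True), 0.0)
    r["v4_reply"] = v4.inbound(Packet("tcp", "198.51.100.9", 443, "203.0.113.5", 50000, False), 1.0)[0]
    r["v6_reply"] = v6.inbound(Packet("tcp", "2001:db8:ffff::9", 443, "2001:db8:1::10", 50000, False), 1.0)[0]
    # 3. UDP state expires sooner than TCP (Les's "different timeouts").
    v6.outbound(Packet("udp", "2001:db8:1::10", 5353, "2001:db8:ffff::53", 53, False), 0.0)
    r["v6_udp_late"] = v6.inbound(Packet("udp", "2001:db8:ffff::53", 53, "2001:db8:1::10", 5353, False), 60.0)[0]
    r["v6_tcp_late"] = v6.inbound(Packet("tcp", "2001:db8:ffff::9", 443, "2001:db8:1::10", 50000, False), 60.0)[0]
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

Nothing in the table depends on how many inside hosts there are or on whether their addresses are globally routable; the only thing the IPv4 variant adds is the rewrite, which is why removing NAT while keeping the state table leaves reachability from the outside unchanged.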
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 12/7/2010 11:36 AM, Tom H wrote: I have a route to his dsl router, which, assuming that the ipv4 and ipv6 firewalls are as good at allowing/disallowing access, makes his current ipv4 and his future ipv6 addresses equally accessible. I've been following the NAT debate here and something occurred to me. If you have an IPv4 network with NAT, an attacker doesn't need to know your internal IPs. All he needs is the IP to your router. NAT will nicely forward his packets along to whichever internal computer handles the port. With that one address, he can scan your entire network for any services available to the Internet. With an IPv6 network without NAT, an attacker would need to know the specific IP of the computer he wants to attack. There is no NAT to forward along his SSH attack to the correct computer. To scan your network for vulnerabilities, he would have to scan every port on every IP. Even if he can come up with a list of the IPs that are in use, this is still much more work than scanning a single (NATed) IP. -- Bowie
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 07/12/10 16:49, Bob McConnell wrote: Gavin Carr wrote: On Mon, Dec 06, 2010 at 08:55:17PM -0500, Bob McConnell wrote: 3) When I connect my IPV6 refrigerator with its automatic inventory system tracking every RFID-enabled carrot I use, won't I be making my shopping habits visible to all those annoying advertisers? Or, in other words, am I compromising my privacy? Actually, although such dissemination of information can be blocked by a correctly designed firewall, I suspect the Free IPv6 DSL Modem and Router, Sponsored by your-favorite-commercial-site that comes with your ISP contract, would err on the side of promiscuity. Why yes, yes you are giving up some of your privacy. And unless you have the time and are willing and able to learn how to configure firewalls for each device and application you use, or have the money to pay someone else you trust to do it for you, there is very little to protect you from the rest of the world. That's at least overstated, and at worst complete FUD. Generic modems and routers will be configured as they are now - with stateful firewalls blocking all incoming traffic, except for streams initiated internally. Outgoing connections that would have worked before via NAT continue to work, but without NAT. Stateful firewalls are still stateful firewalls. Where are you giving up some of your privacy? The number of hosts on your internal network? So allocate 256 ips (or 65k, if you like) to every host and use a random ip from that set for every distinct service or outgoing connection. There _is_ more information leakage with ipv6, in the sense that you are using a real ip from an internal machine on the connection. But the point is that the security benefit of that is largely illusory, security by obscurity. No, it is not FUD, it is a real concern by people with much to lose. Those of you evangelizing this new, and still unproven technology can't seem to recognize this simple fact. This is FUD. 
IPv6 has been talked about and worked on for about 15 years; the early talks about IPv6 started in the early 1990's. It's been implemented in most OSes over the last 10 years. It's been available to users for a long time. But a reluctant market who is not willing to change until it's absolutely needed has delayed the implementation. Now we're running out of IPv4 addresses pretty soon, and system admins and network implementers begin to feel the heat. http://datatracker.ietf.org/wg/ipv6/ Notice that the IETF IPv6 Working Group concluded their work Jun 2007. For more information, also check out: http://www.ipv6actnow.org/info/statement/ Based on the list of supporters, it also seems to be quite proven. I meet every day more and more Internet services which provide both IPv4 and IPv6 services. IPv6 is in production in many places already. Did you know that these sites already provide IPv6? http://ipv6.google.com http://www.v6.facebook.com http://www.heise.de None of them are small. A-Pressen, a Norwegian media group, is looking into rolling out IPv6 to the vast majority of on-line newspapers. That IPv6 is unproven is simply a false statement. I consider that information leakage to be very significant. It advertises the presence of another computer with explicit information on where to reach it. Regardless of the firewall, none of which are perfect, this increases the exposure of my systems in an adverse fashion. It increases my risk of being penetrated by someone I probably don't want rummaging around in my files. But I don't see any additional protection being offered to replace what is being taken away. There is no more information leakage in IPv6 compared to IPv4. In IPv4 and IPv6 you still have to use public IP addresses to communicate with the rest of the world. The only difference with IPv4 + NAT is that all computers on the inside use your firewall's public IP address. That's actually an even worse situation in my opinion.
As that tells an attacker where your firewall is. With IPv6, you can have your firewall with whatever IPv6 address you want, and an attacker doesn't know if he is hitting a firewall or the destination host. Which means the attacker will know *less* about the attack vector than with IPv4. And due to the enormous address space IPv6 gives each single site, doing a brute-force attack against more IP addresses will be a never-ending story. Try to double 4,294,967,296 32 times, and you'll have the number of addresses available *only to you* in *one* /64 subnet. If you then even introduce IPv6 Privacy Extensions, which will randomise and change the IPv6 address regularly, an attacker will shoot at a moving target. Then put this moving target behind a firewall which doesn't provide access from the outside to the inside (only from inside to outside), and the attacker will not know if he hits or not. (This is seen from an IPv6 client side perspective, as for the server side
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
Les Mikesell said the following on 07/12/10 17:01: So security will depend on every connection owner having a high level of knowledge about ipv6 internals? Is this being designed by people planning careers as consultants? A network protocol should not be designed to accommodate the flaws of some OSes. If an OS is full of bugs and if certain OS installations out of the box cannot survive longer than a few hours exposed to a direct Internet connection, it's not a failure of the network protocol, but is a failure of the OS. Let's try not to build an infrastructure in a way that makes it easier to develop and distribute bogus OSes. Ciao, luigi - -- / +--[Luigi Rosa]-- \ Those who do not understand Unix are condemned to reinvent it, poorly. --Henry Spencer
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 07/12/10 18:01, Les Mikesell wrote: On 12/7/10 10:20 AM, Adam Tauno Williams wrote: [...snip...] permit outbound client connections from anything connected behind them without much regard to how many devices there are, and block everything else isn't NAT. That's a router/firewall. Happily IPv6 does that exactly. You didn't mention the number of devices - how does that play out when you exceed the number initially set up? How many devices? You mean exceeding the number available inside an IPv6 subnet? I do hope you're kidding ... as for a /64 subnet we're talking about 4,294,967,296 addresses doubled 32 times. kind regards, David Sommerseth
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, Dec 7, 2010 at 6:01 PM, Les Mikesell lesmikes...@gmail.com wrote: On 12/7/10 9:07 AM, Adam Tauno Williams wrote: site-local addresses are officially deprecated. If you want a device to only be available locally - block the traffic to/from that device. So security will depend on every connection owner having a high level of knowledge about ipv6 internals? Is this being designed by people planning careers as consultants? -- Yes, I can see where you're coming from with this argument. We supply ADSL to our clients and could offer them security on a network level. I know some mobile operators already do this on their networks on IPV4. Basically, if I want remote access to a machine connected to the internet via their network I have to apply for permission to have the security removed. The contract states that I know what I'm doing and will take full responsibility for anything that goes wrong on my side. They're basically covered legally (if one could call it that) if something goes wrong with my connection. We have some measures in place where we block, at a client's request, all ports except 23, 25, 80, 110 and 443. So, I'm sure many other ISPs could do the same thing? -- Kind Regards Rudi Ahlers SoftDux Website: http://www.SoftDux.com Technical Blog: http://Blog.SoftDux.com Office: 087 805 9573 Cell: 082 554 7532
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 07/12/10 16:45, Adam Tauno Williams wrote: On Tue, 2010-12-07 at 10:32 -0500, Tom H wrote: On Tue, Dec 7, 2010 at 10:29 AM, Bob McConnell rmcco...@lightlink.com wrote: Adam Tauno Williams wrote: On Mon, 2010-12-06 at 18:28 -0500, Bob McConnell wrote: IPv6 is not broken by design. NAT was implemented to extend the time until IPv4 exhaustion. A side effect was hiding the internal IPv4 address, which complicates a number of protocols like FTP and SIP. The only downside I see is ISPs could try and charge based on the number of IPv6 addresses being used. No, the downside is that each address used will be exposed to the world. False. That is *NOT* a downside. NAT is *NOT* a magic sauce - install a firewall [which you probably already have]. Problem solved. I consider that a serious security flaw. It is not. Having my ISP know how many computers I have is a minor issue covered by the contract I have with them. So you want to cheap on the legal contract you agreed to? No, if they want too much money before I can install additional computers, I have several other choices, some of which will likely be less expensive. Currently, their TOS is not an issue But having all of those addresses exposed to Russian mobsters, terrorists, crackers and everyone else that knows how to capture packets is another matter altogether. If IPv6 exposes that information to the world, it is definitely unsafe to use. The Russian mobsters can already do that; if you think NAT is protecting you from that then you are mistaken. NAT hides the IP addresses of the computers inside my firewall. The only address exposed is the temporary address assigned to the firewall itself. That box can be run on the most secure OS I can find (currently one of the BSD's), and allows me to operate other systems behind it that aren't as well protected. This makes it significantly more difficult for those mobsters to penetrate my network. Is 172.16.10.72 a private address of yours or of your ISP? 
+1 NAT isn't doing what Bob McConnell thinks it is. Any Russian mobster can afford to hire a halfway decent hacker who will only laugh at the obfuscation added by NAT. Determining how many computers, and quite a bit of detail about them, are behind a NAT is not hard. You just watch the traffic and these things reveal themselves. Your traffic can be compromised just as easily with or without NAT. Very few actually useful attacks on a host require direct access to the interface; stateful firewalls made such vectors pretty useless a long time ago. You mean something along the way ... Oh, this Bob uses 172.16.10.72 ... let's run some traceroutes towards his gateway. That could be 64.57.176.18, right? Then we can just setup a direct route from us to his 172.16.10.0/24 network. Wait! Let's add 172.16.0.0/12, just to be sure we hit the right path kind regards, David Sommerseth ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 12/7/10 11:19 AM, David Sommerseth wrote: On 07/12/10 18:01, Les Mikesell wrote: On 12/7/10 10:20 AM, Adam Tauno Williams wrote: [...snip...] permit outbound client connections from anything connected behind them without much regard to how many devices there are, and block everything else isn't NAT. That's a router/firewall. Happily IPv6 does that exactly. You didn't mention the number of devices - how does that play out when you exceed the number initially set up? How many devices? You mean exceeding the number of available inside an IPv6 subnet? I do hope you're kidding ... as for a /64 subnet we're talking about 4.294.967.296 addresses doubled 32 times. Is that what people will automatically get in a home ISP connection? -- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 07/12/10 18:10, Bowie Bailey wrote: On 12/7/2010 11:36 AM, Tom H wrote: I have a route to his dsl router, which, assuming that the ipv4 and ipv6 firewalls are as good at allowing/disallowing access, makes his current ipv4 and his future ipv6 addresses equally accessible. I've been following the NAT debate here and something occurred to me. If you have an IPv4 network with NAT, an attacker doesn't need to know your internal IPs. All he needs is the IP to your router. NAT will nicely forward his packets along to whichever internal computer handles the port. With that one address, he can scan your entire network for any services available to the Internet. To some degree, at least if the attacker breaks into the firewall. But to use this approach without breaking into the firewall you would need to forge network packets pretty well to be able to trick a firewall to pass on packets from the outside to the inside, especially on stateful packet inspection, where the firewall would know if the connection is initiated from the inside or outside, and to which inside client the connection belongs to. With an IPv6 network without NAT, an attacker would need to know the specific IP of the computer he wants to attack. There is no NAT to forward along his SSH attack to the correct computer. To scan your network for vulnerabilities, he would have to scan every port on every IP. Even if he can come up with a list of the IPs that are in use, this is still much more work than scanning a single (NATed) IP. Bingo! You have caught the point exactly! An attacker will not know for sure if there is a firewall in between or not. Most probably he will presume so. But he still doesn't know for sure the IPv6 address of that firewall, or even if there are more cascaded firewalls in front of a public IPv6 address. Traceroute might give some clues, but if it's a strict firewall just dropping packages, this can take a looong loong time.
kind regards, David Sommerseth
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 07/12/10 18:39, Les Mikesell wrote: On 12/7/10 11:19 AM, David Sommerseth wrote: On 07/12/10 18:01, Les Mikesell wrote: On 12/7/10 10:20 AM, Adam Tauno Williams wrote: [...snip...] permit outbound client connections from anything connected behind them without much regard to how many devices there are, and block everything else isn't NAT. That's a router/firewall. Happily IPv6 does that exactly. You didn't mention the number of devices - how does that play out when you exceed the number initially set up? How many devices? You mean exceeding the number of available inside an IPv6 subnet? I do hope you're kidding ... as for a /64 subnet we're talking about 4.294.967.296 addresses doubled 32 times. Is that what people will automatically get in a home ISP connection? Yes. Either a /64 subnet or more likely a /48 subnet, where a /48 subnet == 65536 /64 subnets. And the 48 bits ISPs give customers corresponds to 281.474.976.710.656 /48 subnets. Compare that number to IPv4 32 bits: 4.294.967.296 Kind regards, David Sommerseth
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 12/7/2010 12:43 PM, David Sommerseth wrote: On 07/12/10 18:10, Bowie Bailey wrote: On 12/7/2010 11:36 AM, Tom H wrote: I have a route to his dsl router, which, assuming that the ipv4 and ipv6 firewalls are as good at allowing/disallowing access, makes his current ipv4 and his future ipv6 addresses equally accessible. I've been following the NAT debate here and something occurred to me. If you have an IPv4 network with NAT, an attacker doesn't need to know your internal IPs. All he needs is the IP to your router. NAT will nicely forward his packets along to whichever internal computer handles the port. With that one address, he can scan your entire network for any services available to the Internet. To some degree, at least if the attacker breaks into the firewall. But to use this approach without breaking into the firewall you would need to forge network packets pretty well to be able to trick a firewall to pass on packets from the outside to the inside, especially on stateful packet inspection, where the firewall would know if the connection is initiated from the inside or outside, and to which inside client the connection belongs to. I wasn't referring to breaking into the firewall or forging packets. I was just referring to using the normal operation of the NAT to forward (for example) an SSH attack to the computer on the network that accepts SSH connections. Stateful packet inspection works the same way regardless of whether or not you have NAT or IPv6, so it is mostly irrelevant to this discussion. -- Bowie
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 12/7/10 11:10 AM, Bowie Bailey wrote: I have a route to his dsl router, which, assuming that the ipv4 and ipv6 firewalls are as good at allowing/disallowing access, makes his current ipv4 and his future ipv6 addresses equally accessible. I've been following the NAT debate here and something occurred to me. If you have an IPv4 network with NAT, an attacker doesn't need to know your internal IPs. All he needs is the IP to your router. NAT will nicely forward his packets along to whichever internal computer handles the port. What port/computer would that be? Most consumer routers default to not forwarding anything that is not related to prior outbound activity. -- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 07/12/10 18:52, Bowie Bailey wrote: On 12/7/2010 12:43 PM, David Sommerseth wrote: On 07/12/10 18:10, Bowie Bailey wrote: On 12/7/2010 11:36 AM, Tom H wrote: I have a route to his dsl router, which, assuming that the ipv4 and ipv6 firewalls are as good at allowing/disallowing access, makes his current ipv4 and his future ipv6 addresses equally accessible. I've been following the NAT debate here and something occurred to me. If you have an IPv4 network with NAT, an attacker doesn't need to know your internal IPs. All he needs is the IP to your router. NAT will nicely forward his packets along to whichever internal computer handles the port. With that one address, he can scan your entire network for any services available to the Internet. To some degree, at least if the attacker breaks into the firewall. But to use this approach without breaking into the firewall you would need to forge network packets pretty well to be able to trick a firewall to pass on packets from the outside to the inside, especially on stateful packet inspection, where the firewall would know if the connection is initiated from the inside or outside, and to which inside client the connection belongs to. I wasn't referring to breaking into the firewall or forging packets. I was just referring to using the normal operation of the NAT to forward (for example) an SSH attack to the computer on the network that accepts SSH connections. Ahh, well, yeah. With NAT, you will expose your single public IP address no matter what, providing a good surface for starting an attack immediately, no matter who is doing what on the inside. Your public IP address will be available in all kinds of logs and mail headers - and with more users on the inside using the Internet, the more likely it is that someone will find your address interesting. But that won't be much more different with IPv6, except that you spread the attack surface over multiple IP addresses in a huge address scope.
But then by using the IPv6 Privacy Extensions, it will be more like shooting on a moving target. The public IP address being used today might not be the same which was used yesterday, or even some hours ago. However, if someone uses a public IPv6 address for SSH from the outside world, that IPv6 address will need to be static and known. And a static IPv6 address is still just as vulnerable for an attack as any public IPv4 address. But finding this IP address will be much more difficult due to the different huge address scope, unless there's a DNS pointer to it from www.my-own-cool-site.com. Stateful packet inspection works the same way regardless of whether or not you have NAT or IPv6, so it is mostly irrelevant to this discussion. Absolutely true. kind regards, David Sommerseth
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 7/12/10 8:33 PM, Christopher Chan wrote: Ah, I must pity you who have to live with what you've got in the United States being under the rule of these tyrants. You guys probably can only dream of getting a 100MB fibre connection for 13USD/mnth or a 1GB fibre connection for 30 or so USD/mnth. I hesitate to keep the chaps in Australia on the list to be pitied now that Telstra is being dismantled. It's okay, soon we'll have a new monopoly to whinge about: NBN Co. ;) The real problem here is the quotas on broadband connections, although that is in part due to the cost of hauling almost all the data half-way around the globe. The even more horrendous problem, which is so pervasive it affects everyone, is the insistence on asymmetric connections. Even when Australia does get this fabled fibre-to-the-home, it still won't be symmetric. *sigh* Regards, Ben
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 12/7/2010 1:13 PM, Les Mikesell wrote: On 12/7/10 11:10 AM, Bowie Bailey wrote: I have a route to his dsl router, which, assuming that the ipv4 and ipv6 firewalls are as good at allowing/disallowing access, makes his current ipv4 and his future ipv6 addresses equally accessible. I've been following the NAT debate here and something occurred to me. If you have an IPv4 network with NAT, an attacker doesn't need to know your internal IPs. All he needs is the IP to your router. NAT will nicely forward his packets along to whichever internal computer handles the port. What port/computer would that be? Most consumer routers default to not forwarding anything that is not related to prior outbound activity. And is there any reason to believe that a consumer IPv6 router would default any differently? If nothing is being allowed through, there's not much to be concerned about in either case. Outside attacks are only possible if the router/firewall allows the packets through. I was referring to a case where there are computers on the inside doing HTTP, SSH, VPN, SMTP, etc. If we are talking about a true consumer where there are no services on the inside, then what does it matter whether the network is presented as a NAT or a collection of different IP addresses? If the firewall does not allow any connections from the outside, who cares whether an attacker knows your IP? -- Bowie
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 8/12/10 4:12 AM, David Sommerseth wrote: On 07/12/10 16:49, Bob McConnell wrote: No, it is not FUD, it is a real concern by people with much to lose. Those of you evangelizing this new, and still unproven technology can't seem to recognize this simple fact. This is FUD. Agreed, but I'm not adding more to the pro-IPv6 chorus, because it's already being covered very well, both here and on NANOG (and ipv6-ops). And due to the enormous address space IPv6 gives each single site, doing a brute-force attack against more IP addresses will be a never-ending story. Try to double 4.294.967.296 32 times, and you'll have the number of addresses available *only to you* in *one* /64 subnet. Anyone wanting a nice clear explanation of the numbers of IPv6 address space: http://www.ripe.net/info/info-services/addressing.html If you then even introduce IPv6 Privacy Extensions, which will randomise and change the IPv6 address regularly, an attacker will shoot at a moving target. Then put this moving target behind a firewall which doesn't provide access from the outside to the inside (only from inside to outside), and the attacker will not know if he hits or not. This coupled with stateful firewalling should cover everyone's needs. No doubt there will still be people like Bob who will remain unconvinced until everyone around them becomes the proof. If they really want to deliberately break things to retain their NAT-like world, they can configure a single box with 6to4 and 4to6, give it a /128 and then run their existing v4 NAT space behind that. They'll get very little sympathy when it breaks other things, though. Regards, Ben
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tuesday, December 07, 2010 12:26:30 pm David Sommerseth wrote: You mean something along the way ... Oh, this Bob uses 172.16.10.72 ... let's run some traceroutes towards his gateway. That could be 64.57.176.18, right? Then we can just setup a direct route from us to his 172.16.10.0/24 network. Wait! Let's add 172.16.0.0/12, just to be sure we hit the right path And if his or your or any ISP between you and him implements BCP38 properly the packets with a destination of the RFC1918 address will be blackholed and will never get there, even if you put a static source route to them. You don't have a direct path to his router, at least not for routing purposes, since your packets are going to be inspected and routed by routers in between. It does depend on some best current practices being implemented, though. Like RFC1918 bogon filtering at the AS boundary as part of the BGP session between AS routers. And unless you are operating your own BGP border (I am at one site), you can't influence the AS path the packet will follow on the DFZ. The basis for 'NAT security' is relying on the best practice of blackholing RFC1918 addresses on the DFZ router mesh. Not all AS's implement the policy properly, but enough do that trying to route (using essentially source routing) to an RFC1918 address will fail when it hits the DFZ, and virtually all inter-AS packets hit the DFZ at some point. Source routing is blocked by most AS borders, so you can't 'hint' the routers in between that you have to pass traffic to 172.16.0.0/12 through that particular router; the DFZ is going to tell your hint to shove it. But it does depend on the specific policies of each AS between you and the RFC1918-using target. The security for RFC1918, or for IPv6 ULA RFC4193 addresses relies not on NAT per se, but on the basic non-global-routability of the addresses in question on the default-free-zone. NAT just allows you to use non-globally-routable addresses by translating to globally-routable ones.
About the only thing you could really do to gain direct access to his RFC1918-using network behind the NAT is to compromise his router and set up GRE (or similar) tunnels into it. Further, what's to say his MUA isn't set to poison the mail headers this 172.160.0.0/12 address came from? That's relying on the mail headers; if I were to ssh to your server from behind a NAT I challenge you to determine the RFC1918 address I'm using.
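The two border-router behaviours Lamar describes above, bogon filtering of RFC1918 / ULA / site-local addresses at the AS boundary and BCP38 source-address validation on a customer port, as an added example (not code from the thread or from any router vendor). Prefixes, the "customer" and the packet sample are constructed, using documentation ranges; a production filter would carry the full bogon list.

```python
"""Added example: a minimal model of bogon filtering and BCP 38 ingress
filtering with Python's ipaddress module.  All prefixes and packets here
are constructed sample data (RFC 5737 / RFC 3849 documentation ranges)."""
import ipaddress

# Ranges that must never be routed on the default-free zone.  Constructed,
# partial list for this example: RFC 1918, RFC 4193 ULA, and the deprecated
# site-local range (RFC 3879).
NON_GLOBAL = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "fc00::/7",
    "fec0::/10",
)]


def is_non_global(addr):
    """True if addr falls in a range a border router should blackhole."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_GLOBAL if net.version == ip.version)


def border_filter(packets):
    """Classify (src, dst) pairs as forwarded or dropped at an AS boundary.

    A packet is dropped when either end is non-globally-routable; the
    offending address is recorded so an operator can see why it was dropped.
    This is what stops a "direct route" to 172.16.0.0/12 from ever leaving
    the first transit network.
    """
    result = {"forwarded": [], "dropped": []}
    for src, dst in packets:
        bad = [a for a in (src, dst) if is_non_global(a)]
        if bad:
            result["dropped"].append((src, dst, bad[0]))
        else:
            result["forwarded"].append((src, dst))
    return result


def bcp38_ingress(packets, customer_prefixes):
    """BCP 38 source-address validation on a customer-facing port.

    Only packets whose source lies inside one of the prefixes delegated to
    that customer are admitted; any other source is spoofed or leaked.
    Returns (admitted, rejected).
    """
    nets = [ipaddress.ip_network(p) for p in customer_prefixes]
    admitted, rejected = [], []
    for src, dst in packets:
        s = ipaddress.ip_address(src)
        if any(s in n for n in nets if n.version == s.version):
            admitted.append((src, dst))
        else:
            rejected.append((src, dst))
    return admitted, rejected


# Constructed traffic sample.
SAMPLE = [
    ("203.0.113.10", "198.51.100.7"),        # ordinary global IPv4 traffic
    ("203.0.113.10", "172.16.10.72"),        # the "route to his LAN" attempt
    ("2001:db8:1::5", "2001:db8:2::9"),      # ordinary global IPv6 traffic
    ("2001:db8:1::5", "fd12:3456:789a::1"),  # ULA destination: not routable
    ("fec0::1", "2001:db8:2::9"),            # deprecated site-local source
]

if __name__ == "__main__":
    verdict = border_filter(SAMPLE)
    for src, dst, why in verdict["dropped"]:
        print(f"drop  {src} -> {dst}  (non-global: {why})")
    for src, dst in verdict["forwarded"]:
        print(f"pass  {src} -> {dst}")
    ok, bad = bcp38_ingress(SAMPLE, ["203.0.113.0/24", "2001:db8:1::/48"])
    print(f"BCP38: admitted {len(ok)}, rejected {len(bad)}")
```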
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tuesday, December 07, 2010 12:39:28 pm Les Mikesell wrote: How many devices? You mean exceeding the number of available inside an IPv6 subnet? I do hope you're kidding ... as for a /64 subnet we're talking about 4.294.967.296 addresses doubled 32 times. Is that what people will automatically get in a home ISP connection? Abbreviations: PI = Provider Independent, PA = Provider Assigned, RIR = Regional Internet Registry, ARIN = American Registry of Internet Numbers, BGP = Border Gateway Protocol, AS = Autonomous System (the routing 'atom' at the BGP level), ASN = Autonomous System Number. It will depend upon your provider if you get PA addresses; if you go straight to the RIR (ARIN for North America) and pay to get PI addresses you will get by default a /48; but then you have to get your provider to agree to advertise that /48 over BGP. The IPv6 table has the potential to be vastly larger than the IPv4 table (the number of /48's in IPv6 is 65,536 times the total addresses in IPv4!) One hopes providers will intelligently aggregate; until there is sane multihoming for enterprise endusers good aggregation is going to be elusive, since multihomed sites are going to desire PI space, which will fragment the routing tables. IPv6 routing tables do require larger entries thanks to the four times larger address, after all, and with 32 bit ASN's the AS path for that table entry also doubles in size. Having said that, most providers probably will give you one of a /48, /56, or /64. There are plenty of addresses available, but if you ever have to renumber (like when changing providers) you'll want PI, or ULA with NAT66 to PA.
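The /48, /56 and /64 delegation sizes and the renumbering cost of PA space discussed above, as an added example (not code from the thread): it carves a delegated prefix into one /64 per VLAN and then moves that plan onto a new provider's prefix while keeping the subnet-id bits. The delegated prefixes and VLAN names are constructed; the counts it computes are the ones quoted in the thread.

```python
"""Added example: IPv6 delegation arithmetic, /64 carving and renumbering
with Python's ipaddress module.  Prefixes used are RFC 3849 documentation
addresses, constructed for this example."""
import ipaddress


def subnet_count(prefix, new_prefix):
    """How many /new_prefix networks fit in a /prefix (48, 64 -> 65536)."""
    if new_prefix < prefix:
        raise ValueError("new prefix must be at least as long as the delegation")
    return 1 << (new_prefix - prefix)


def plan_vlans(delegated, vlan_names):
    """Assign one /64 per VLAN from the delegated block, in order.

    Works for any delegation of /64 or shorter (/48, /56, ...).  Raises if the
    block cannot hold that many /64s, which a customer handed only a /64 hits
    as soon as they want a second segment.
    """
    block = ipaddress.IPv6Network(delegated)
    available = subnet_count(block.prefixlen, 64)
    if available < len(vlan_names):
        raise ValueError(f"{delegated} holds only {available} /64 subnet(s)")
    subnets = block.subnets(new_prefix=64)
    return {name: next(subnets) for name in vlan_names}


def renumber(plan, old_delegated, new_delegated):
    """Move every subnet in plan from old_delegated to new_delegated.

    The bits below the delegation boundary (subnet id) are preserved, so the
    third VLAN stays at ...:2::/64 and only the provider part changes.  Both
    delegations must be the same size.  This is the step PI space, or ULA
    inside with translation at the edge, lets you skip when changing ISP.
    """
    old = ipaddress.IPv6Network(old_delegated)
    new = ipaddress.IPv6Network(new_delegated)
    if old.prefixlen != new.prefixlen:
        raise ValueError("old and new delegations differ in size")
    low_mask = (1 << (128 - old.prefixlen)) - 1
    moved = {}
    for name, net in plan.items():
        if not net.subnet_of(old):
            raise ValueError(f"{net} is not inside {old}")
        site_bits = int(net.network_address) & low_mask
        moved[name] = ipaddress.IPv6Network(
            (int(new.network_address) | site_bits, net.prefixlen))
    return moved


if __name__ == "__main__":
    print("/64s per /48:", subnet_count(48, 64))                 # 65536
    print("/48s in IPv6 :", subnet_count(0, 48))                 # 281474976710656
    plan = plan_vlans("2001:db8:1::/48", ["mgmt", "users", "servers"])
    for name, net in plan.items():
        print(f"{name:8} {net}")
    # Provider change: same site layout, new PA prefix.
    for name, net in renumber(plan, "2001:db8:1::/48", "2001:db8:ffff::/48").items():
        print(f"{name:8} {net}")
```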
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tuesday, December 07, 2010 03:31:15 pm Lamar Owen wrote: It will depend upon your provider if you get PA addresses; Minor edit: 'The prefix size of your address block will depend upon your provider, if you get PA addresses by default from your provider;' Sorry for the error.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, Dec 07, 2010 at 11:51:16AM -0500, Brunner, Brian T. wrote: LOL twice, I'll top-post! (I hate M$ Office, but I'm stuck with it) Really? In blatant disregard for the published guidelines for use on this and other centos.org mailing lists? How very sporting of you. http://www.centos.org/modules/tinycontent/index.php?id=16 John -- Normal is getting dressed in clothes that you buy for work and driving through traffic in a car that you are still paying for -- in order to get to the job you need to pay for the clothes and the car, and the house you leave vacant all day so you can afford to live in it. -- Ellen Goodman (1941-), American journalist and Pulitzer Prize-winning syndicated columnist
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, Dec 7, 2010 at 10:04 AM, Adam Tauno Williams awill...@whitemice.org wrote: Bogus. The reason is that they haven't been pressured into adoption by higher powers; so we will get into a nice scramble to migrate in a pinch. most people have no idea what NAT is, don't care, and shouldn't have to care. Some people's belief that NAT is some magic sauce that makes them more secure [it does not] or provides them more flexibility [it does not] than real addresses ... causes the people who understand networking to have to spend time explaining that their love of NAT is misguided and their beliefs about NAT are bogus. *I'm* a fairly expert network person. (10base2, baby, I remember crimping those cables!) Forcing people to specifically select the services they wish to expose, rather than selecting what to cut off in configuring a typical firewall, is basic policy automatically enforced by NAT. It's especially helpful to ISP's, who *do not want* to try to remember all those furshlugginer individual policies and find it far simpler in routing and firewall terms to force all traffic to the NAT.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Dec 7, 2010, at 7:41 PM, Nico Kadel-Garcia nka...@gmail.com wrote: On Tue, Dec 7, 2010 at 10:04 AM, Adam Tauno Williams awill...@whitemice.org wrote: Bogus. The reason is that they haven't been pressured into adoption by higher powers; so we will get into a nice scramble to migrate in a pinch. most people have no idea what NAT is, don't care, and shouldn't have to care. Some people's belief that NAT is some magic sauce that makes them more secure [it does not] or provides them more flexibility [it does not] than real addresses ... causes the people who understand networking to have to spend time explaining that their love of NAT is misguided and their beliefs about NAT are bogus. *I'm* a fairly expert network person. (10base2, baby, I remember crimping those cables!) Forcing people to specifically select the services they wish to expose, rather than selecting what to cut off in configuring a typical firewall, is basic policy automatically enforced by NAT. It's especially helpful to ISP's, who *do not want* to try to remember all those furshlugginer individual policies and find it far simpler in routing and firewall terms to force all traffic to the NAT. Does this mean I have to type in URLs like: http://3ffe:1900:4545:3:200:f8ff:fe21:67cf/ I can only imagine phonetically calling these off on a support call, I'd get half way through it and the other end would tell me to forget it I'll wait until DNS is working again. In fact with DNS problems we'd be pretty much crippled. I'd use IPv6 if the addresses weren't so hard to remember. -Ross
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
Does this mean I have to type in URLs like: http://3ffe:1900:4545:3:200:f8ff:fe21:67cf/ I can only imagine phonetically calling these off on a support call, I'd get half way through it and the other end would tell me to forget it I'll wait until DNS is working again. In fact with DNS problems we'd be pretty much crippled. I'd use IPv6 if the addresses weren't so hard to remember. -Ross Well in fact I don't think that will even work with the present URL rules. Just on a lark I clicked on your string, and my firefox interpreted it as http://3ffe:1900. Unless there's a special http protocol string for ipv6? Tony
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, 2010-12-07 at 20:37 -0500, Ross Walker wrote: On Dec 7, 2010, at 7:41 PM, Nico Kadel-Garcia nka...@gmail.com wrote: On Tue, Dec 7, 2010 at 10:04 AM, Adam Tauno Williams awill...@whitemice.org wrote: Bogus. The reason is that they haven't been pressured into adoption by higher powers; so we will get into a nice scramble to migrate in a pinch. most people have no idea what NAT is, don't care, and shouldn't have to care. Some people's belief that NAT is some magic sauce that makes them more secure [it does not] or provides them more flexibility [it does not] than real addresses ... causes the people who understand networking to have to spend time explaining that their love of NAT is misguided and their beliefs about NAT are bogus. *I'm* a fairly expert network person. (10base2, baby, I remember crimping those cables!) Forcing people to specifically select the services they wish to expose, rather than selecting what to cut off in configuring a typical firewall, is basic policy automatically enforced by NAT. It's especially helpful to ISP's, who *do not want* to try to remember all those furshlugginer individual policies and find it far simpler in routing and firewall terms to force all traffic to the NAT. Does this mean I have to type in URLs like: http://3ffe:1900:4545:3:200:f8ff:fe21:67cf/ Correct syntax for that is http://[3ffe:1900:4545:3:200:f8ff:fe21:67cf]/ ; if you want to specify the port, it goes outside the brackets: http://[3ffe:1900:4545:3:200:f8ff:fe21:67cf]:8080/ I can only imagine phonetically calling these off on a support call, I'd get half way through it and the other end would tell me to forget it I'll wait until DNS is working again. You aren't crippled currently when DNS doesn't work? Because e-mail, Active Directory / Kerberos, and numerous other services just-don't-work without functioning DNS anyway. I'd say the network-minus-DNS is pretty much irrelevant in the real world. In fact with DNS problems we'd be pretty much crippled.
I'd use IPv6 if the addresses weren't so hard to remember.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, 2010-12-07 at 20:44 -0500, Tony Schreiner wrote: Does this mean I have to type in URLs like: http://3ffe:1900:4545:3:200:f8ff:fe21:67cf/ I can only imagine phonetically calling these off on a support call, I'd get half way through it and the other end would tell me to forget it I'll wait until DNS is working again. In fact with DNS problems we'd be pretty much crippled. I'd use IPv6 if the addresses weren't so hard to remember. Well in fact I don't think that will even work with the present URL rules. Just on a lark I clicked on your string, and my firefox interpreted it as http://3ffe:1900. Unless there's a special http protocol string for ipv6? The URL is incorrectly formatted; enter it as http://[3ffe:1900:4545:3:200:f8ff:fe21:67cf]/
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Dec 7, 2010, at 9:20 PM, Adam Tauno Williams awill...@whitemice.org wrote: On Tue, 2010-12-07 at 20:37 -0500, Ross Walker wrote: On Dec 7, 2010, at 7:41 PM, Nico Kadel-Garcia nka...@gmail.com wrote: On Tue, Dec 7, 2010 at 10:04 AM, Adam Tauno Williams awill...@whitemice.org wrote: Bogus. The reason is that they haven't been pressured into adoption by higher powers; so we will get into a nice scramble to migrate in a pinch. most people have no idea what NAT is, don't care, and shouldn't have to care. Some people's belief that NAT is some magic sauce that makes them more secure [it does not] or provides them more flexibility [it does not] than real addresses ... causes the people who understand networking to have to spend time explaining that their love of NAT is misguided and their beliefs about NAT are bogus. *I'm* a fairly expert network person. (10base2, baby, I remember crimping those cables!) Forcing people to specifically select the services they wish to expose, rather than selecting what to cut off in configuring a typical firewall, is basic policy automatically enforced by NAT. It's especially helpful to ISP's, who *do not want* to try to remember all those furshlugginer individual policies and find it far simpler in routing and firewall terms to force all traffic to the NAT. Does this mean I have to type in URLs like: http://3ffe:1900:4545:3:200:f8ff:fe21:67cf/ Correct syntax for that is http://[3ffe:1900:4545:3:200:f8ff:fe21:67cf]/ ; if you want to specify the port, it goes outside the brackets: http://[3ffe:1900:4545:3:200:f8ff:fe21:67cf]:8080/ Thanks, I googled it afterwards and caught the proper syntax. I can only imagine phonetically calling these off on a support call, I'd get half way through it and the other end would tell me to forget it I'll wait until DNS is working again. You aren't crippled currently when DNS doesn't work? Because e-mail, Active Directory / Kerberos, and numerous other services just-don't-work without functioning DNS anyway.
I'd say the network-minus-DNS is pretty much irrelevant in the real world. Well, there is DNS down and there are DNS issues causing some sites problems. These may or may not be due to our DNS servers, you get the idea. When you're on your router or switch, want to traceroute or find out what port an address is on... Is there even ARP with v6? -Ross
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Tue, Dec 7, 2010 at 8:44 PM, Tony Schreiner schre...@bc.edu wrote: Does this mean I have to type in URLs like: http://3ffe:1900:4545:3:200:f8ff:fe21:67cf/ I can only imagine phonetically calling these off on a support call, I'd get half way through it and the other end would tell me to forget it I'll wait until DNS is working again. In fact with DNS problems we'd be pretty much crippled. I'd use IPv6 if the addresses weren't so hard to remember. -Ross Well in fact I don't think that will even work with the present URL rules. Just on a lark I clicked on your string, and my firefox interpreted it as http://3ffe:1900. Unless there's a special http protocol string for ipv6? Tony Since : is used to denote the port you must put the IPv6 address in brackets. http://[3ffe:1900:4545:3:200:f8ff:fe21:67cf]/ Ryan
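The bracket rule the replies above spell out, as an added example (not code from the thread): Python's urllib.parse makes the same mistake Firefox did with the unbracketed literal (host "3ffe", the rest taken as a port), while the bracketed form parses cleanly. The address is the one quoted in the thread; the port and path are constructed.

```python
"""Added example: why an IPv6 literal in a URL needs square brackets
(RFC 3986 IP-literal syntax), demonstrated with the standard library."""
import ipaddress
from urllib.parse import urlsplit


def split_host_port(url):
    """Return (hostname, port) for a URL.

    Raises ValueError for an unbracketed IPv6 literal: urlsplit treats the
    text after the first ':' as the port, exactly as the browser did.
    """
    parts = urlsplit(url)
    host = parts.hostname
    try:
        port = parts.port   # ValueError when the "port" is "1900:4545:..."
    except ValueError as exc:
        raise ValueError(f"{url!r}: IPv6 literal needs brackets ({exc})") from None
    return host, port


def ipv6_url(addr, port=None, path="/", scheme="http"):
    """Build a correctly bracketed URL for an IPv6 literal.

    Validates the address first, so an IPv4 address or a hostname is
    rejected instead of being wrapped in brackets.
    """
    literal = ipaddress.IPv6Address(addr)   # ValueError if not IPv6
    netloc = f"[{literal.compressed}]"
    if port is not None:
        netloc += f":{int(port)}"
    return f"{scheme}://{netloc}{path}"


def describe(url):
    """One-line verdict for a URL, for the three forms from the thread."""
    try:
        host, port = split_host_port(url)
    except ValueError as exc:
        return f"REJECT {exc}"
    return f"OK host={host} port={port}"


if __name__ == "__main__":
    for u in ("http://3ffe:1900:4545:3:200:f8ff:fe21:67cf/",
              "http://[3ffe:1900:4545:3:200:f8ff:fe21:67cf]/",
              "http://[3ffe:1900:4545:3:200:f8ff:fe21:67cf]:8080/"):
        print(describe(u))
    print(ipv6_url("3ffe:1900:4545:3:200:f8ff:fe21:67cf", 8080))
```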
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 12/7/10 9:02 PM, Ryan Wagoner wrote: Well in fact I don't think that will even work with the present URL rules. Just on a lark I clicked on your string, and my firefox interpreted it as http://3ffe:1900. Unless there's a special http protocol string for ipv6? Tony Since : is used to denote the port you must put the IPv6 address in brackets. http://[3ffe:1900:4545:3:200:f8ff:fe21:67cf]/ Thunderbird doesn't make that a clickable link. Since the change to ipv6 is pretty much inevitable and probably most things will eventually work out, maybe we should focus on the little things (like programs not recognizing the addresses in various contexts) that are going to cause pain during the transition. -- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Wednesday, December 08, 2010 03:11 AM, Ben McGinnes wrote: On 7/12/10 8:33 PM, Christopher Chan wrote: Ah, I must pity you who have to live with what you've got in the United States being under the rule of these tyrants. You guys probably can only dream of getting a 100MB fibre connection for 13USD/mnth or a 1GB fibre connection for 30 or so USD/mnth. I hesitate to keep the chaps in Australia on the list to be pitied now that Telstra is being dismantled. It's okay, soon we'll have a new monopoly to whinge about: NBN Co. ;) The real problem here is the quotas on broadband connections, although that is in part due to the cost of hauling almost all the data half-way around the globe. Thanks Ben, you just gave me another thing to coo about that I had forgotten. What quotas? :-p The even more horrendous problem, which is so pervasive it affects everyone, is the insistence on asymmetric connections. Even when Australia does get this fabled fibre-to-the-home, it still won't be symmetric. *sigh* Fibre connections that are not symmetric...sure going out of the way that.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 05/12/10 14:21, Tom H wrote: On Sun, Dec 5, 2010 at 8:13 AM, RedShift redsh...@pandora.be wrote: On 12/05/10 12:50, Rudi Ahlers wrote: (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Days.htm), Haven't switched yet, I have IPv6 at home using sixxs. I can't even figure out what address ranges are reserved for private use, is there even such a concept in IPv6? I think that site-local (fec0:: - fef::) is the ipv6 more-or-less-equivalent of ipv4 private addresses. Yes, that's correct and it is deprecated. http://www.ietf.org/rfc/rfc3879.txt With IPv6 there are plenty of addresses for everyone so you basically use your own assigned official IPv6 address space and set up your own private /64 net and block that subnet in your firewalls. Another thing, there is no NAT and it will not be implemented as we know it in IPv4. To call NAT a security feature is also a faulty understanding. As NAT only prevents access from outside to some computer inside a network which is NAT'ed. This restriction and filtering is the task of the firewall anyway, which does the NAT anyway. NAT basically just breaks a lot of protocols and enforces complex firewalls which need to understand a lot of different protocols to be able to do things correctly. Which often do not work as well as it could. kind regards, David Sommerseth
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Sun, 2010-12-05 at 13:50 +0200, Rudi Ahlers wrote: Seeing as IPV4 is near its end of life (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Days.htm), I'm curious to know whether everyone is ready for the changeover to IPV6? Is anyone using it in production already, and what are your experiences with it? Yes, dual-stack, internally. It works fine; it is certainly nicer to manage than IPv4. Nearly everything supports it at this point.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On 12/06/2010 01:22 PM, Adam Tauno Williams wrote: I'm curious to know whether everyone is ready for the changeover to IPV6? Is anyone using it in production already, and what are your experiences with it? generic questions like that are more suited to ipv6 centric lists. if you are looking for specific CentOS centric ipv6 experience - yes, it works. I've got about 2 dozen machines on native ipv6 only for $VariousWork stuff, and almost all of my own personal kit runs dual stack. Yes, dual-stack, internally. It works fine; it is certainly nicer to manage than IPv4. Nearly everything supports it at this point. I agree, having used ipv6 for a few years now : much easier to manage than ipv4 and way more functional. - KB
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Sun, 2010-12-05 at 14:13 +0100, RedShift wrote: On 12/05/10 12:50, Rudi Ahlers wrote: Seeing as IPV4 is near its end of life (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Days.htm), I'm curious to know whether everyone is ready for the changeover to IPV6? Is anyone using it in production already, and what are your experiences with it? Haven't switched yet, I have IPv6 at home using sixxs. IMO the slow adoption is caused by the complexity IPv6 brings. They should have just modified IP to use 128-bit addresses and leave the rest as is. Disagree, IPv4 at this point is a whole heap of hacks. IPv6 throws out lots of crap and provides for much better performance [routing IPv6 requires much less horsepower than routing IPv4]. For example, what is the use of a link scoped IPv6 address? Why would you want to assign an IP address to yourself that's of no use at all? It is incredibly useful. There is a lot of traffic that is only relevant to the local-link. Now two computers on the same wire can communicate automatically - true zero-configuration. IPv6 uses link-local for neighbor discovery. Remember IPV6 does not use ARP. I can't even figure out what address ranges are reserved for private use, is there even such a concept in IPv6? None, and no. There is no exact equivalent - thank goodness. Everyone using 192.168.1.x and NAT is a real pain. I know that IPv6 is supposed to allow every address to be publicly route-able but having your computers in private ranges and use NAT has big advantages towards security. NO NO NO NO NO NO NO and NO! (*...@!^*...@$ @*^*$@ *...@^*@ How many times does this have to be explained??? NAT *IS* *NOT* a @*(^*(^@(*@ security tool. It isn't. Stop saying it is. You use *firewalls* for security. Just block ingress traffic and you are just as well off as you are on NAT - and odds are in your NAT configuration you are doing that already.
All you do is eliminate the hacks, performance penalty, and interoperability problems created by NAT. NAT is a *problem*, not a solution for anything other than a deficient network protocol. And what about this arbitrarily chosen /64 subnet? So we're returning back to classful routing? Yes, thank goodness. No more ridiculously tedious netmasks. Stateless auto-configuration is a useless feature, just like APIPA. I much prefer DHCP and thankfully it still exists for v6. Correct, nothing is lost, things are gained. All to the good.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Dec 6, 2010, at 5:27 AM, David Sommerseth wrote: On 05/12/10 14:21, Tom H wrote: On Sun, Dec 5, 2010 at 8:13 AM, RedShift redsh...@pandora.be wrote: On 12/05/10 12:50, Rudi Ahlers wrote: (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Days.htm), Haven't switched yet, I have IPv6 at home using sixxs. I can't even figure out what address ranges are reserved for private use, is there even such a concept in IPv6? I think that site-local (fec0:: - fef::) is the ipv6 more-or-less-equivalent of ipv4 private addresses. Yes, that's correct and it is deprecated. http://www.ietf.org/rfc/rfc3879.txt With IPv6 there are plenty of addresses for everyone so you basically use your own assigned official IPv6 address space and set up your own private /64 net and block that subnet in your firewalls. Another thing, there is no NAT and it will not be implemented as we know it in IPv4. To call NAT a security feature is also a faulty understanding. As NAT only prevents access from outside to some computer inside a network which is NAT'ed. This restriction and filtering is the task of the firewall anyway, which does the NAT anyway. NAT basically just breaks a lot of protocols and enforces complex firewalls which need to understand a lot of different protocols to be able to do things correctly. Which often do not work as well as it could. I've heard this before but it's always confused me. Admittedly I haven't had a chance to look at the spec. If we're saying that everyone's going to have the same private subnet, then we're saying that all the private subnets are going to have to be NAT-ed aren't they?
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Mon, 2010-12-06 at 08:29 -0600, Todd Rinaldo wrote: On Dec 6, 2010, at 5:27 AM, David Sommerseth wrote: On 05/12/10 14:21, Tom H wrote: On Sun, Dec 5, 2010 at 8:13 AM, RedShift redsh...@pandora.be wrote: On 12/05/10 12:50, Rudi Ahlers wrote: (http://www.internetnews.com/infra/article.php/3915471/IPv4+Nearing+Final+Days.htm), Haven't switched yet, I have IPv6 at home using sixxs. I can't even figure out what address ranges are reserved for private use, is there even such a concept in IPv6? I think that site-local (fec0:: - fef::) is the ipv6 more-or-less-equivalent of ipv4 private addresses. Yes, that's correct and it is deprecated. http://www.ietf.org/rfc/rfc3879.txt With IPv6 there are plenty of addresses for everyone so you basically use your own assigned official IPv6 address space and set up your own private /64 net and block that subnet in your firewalls. Another thing, there is no NAT and it will not be implemented as we know it in IPv4. To call NAT a security feature is also a faulty understanding. As NAT only prevents access from outside to some computer inside a network which is NAT'ed. This restriction and filtering is the task of the firewall anyway, which does the NAT anyway. NAT basically just breaks a lot of protocols and enforces complex firewalls which need to understand a lot of different protocols to be able to do things correctly. Which often do not work as well as it could. I've heard this before but it's always confused me. Admittedly I haven't had a chance to look at the spec. If we're saying that everyone's going to have the same private subnet, then we're saying that all the private subnets are going to have to be NAT-ed aren't they? I'm not sure what is confusing you. There is *NO PRIVATE SUBNET*; at least in terms of addressing. There is no equivalent to 192.168.x.x, 10.x.x.x, ... in IPv6. There is no need for such a hack. So everyone's going to have the same private subnet? No - nobody is going to have a private subnet.
all the private subnets are going to have to be NAT-ed aren't they? No - no subnet will be NAT'd. Privacy is an effect of provisioning, not of addressing. [Provisioning as in - you install a firewall]. This has *always* been true. NAT has just confused people into *thinking* [incorrectly] that there was a link [which there was and is *not*] between subnets and privacy. Security is provided by firewalls, which is totally absolutely utterly and completely separate from NAT (although in IPv4 world NAT and firewall are typically provided by the same device - that doesn't make two functions into one function). When dealing with IPv6 it is the disambiguation of these two concepts [firewall and NAT], in the wetware, that is probably the biggest hurdle.
Re: [CentOS] IPV4 is nearly depleted, are you ready for IPV6?
On Dec 6, 2010, at 8:37 AM, Adam Tauno Williams awill...@whitemice.org wrote: NO NO NO NO NO NO NO and NO! (*...@!^*...@$ @*^*$@ *...@^*@ How many times does this have to be explained??? NAT *IS* *NOT* a @*(^*(^@(*@ security tool. It isn't. Stop saying it is. You use *firewalls* for security. Just block ingress traffic and you are just as well off as you are on NAT - and odds are in your NAT configure you are doing that already. All you do is eliminate the hacks, performance penalty, and interoperability problems created by NAT. NAT is a *problem*, not a solution for anything other than a deficient network protocol. There is no arguing that NAT is not a security tool, but if your firewall drops its pants it's better to have non-routable addresses behind it. -Ross
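David Sommerseth's advice (use your assigned space, put the hosts in a /64 and block that subnet at the firewall), Adam Tauno Williams's point that blocking ingress gives you everything NAT was credited with, and Ross's worry about a firewall that fails, as an added example in Python that is not from the thread and not the syntax of any real firewall. The scope table names the ranges the thread discusses, plus fc00::/7 (RFC 4193 unique local addresses), which is the range that did replace the deprecated site-local block. The site prefix 2001:db8:1::/64 (documentation space), the hosts, the published service and the packets are constructed for the example; the filter is a toy model of a default-deny stateful ingress policy, kept small enough to read in one sitting.

```python
import ipaddress

# Scopes discussed in the thread.  fc00::/7 (RFC 4193 unique local addresses)
# is the range that replaced site-local; it is included for completeness.
SCOPES = [
    ("link-local", ipaddress.ip_network("fe80::/10")),                 # NDP; never routed
    ("site-local (deprecated by RFC 3879)", ipaddress.ip_network("fec0::/10")),
    ("unique-local (RFC 4193)", ipaddress.ip_network("fc00::/7")),
    ("global", ipaddress.ip_network("2000::/3")),
]


def classify(addr):
    """Name the scope an IPv6 address belongs to."""
    ip = ipaddress.IPv6Address(addr)
    for name, net in SCOPES:
        if ip in net:
            return name
    return "other"                        # loopback, multicast, unassigned


class IngressFilter:
    """Default-deny stateful filter in front of one prefix (toy model).

    Outbound packets record a flow; inbound packets are accepted only when
    they answer a recorded flow or hit an explicitly published service.
    Hosts behind it are globally addressable yet no more reachable than NAT'd
    ones: the filter, not the addressing, provides the restriction."""

    def __init__(self, interior, services=()):
        self.interior = ipaddress.ip_network(interior)
        self.services = {(ipaddress.IPv6Address(a), proto, port) for a, proto, port in services}
        self.flows = set()

    @staticmethod
    def _key(inside, inside_port, outside, outside_port, proto):
        return (ipaddress.IPv6Address(inside), inside_port,
                ipaddress.IPv6Address(outside), outside_port, proto)

    def outbound(self, pkt):
        if ipaddress.IPv6Address(pkt["src"]) not in self.interior:
            return "DROP"                 # egress anti-spoofing: only our prefix may leave
        self.flows.add(self._key(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"]))
        return "ACCEPT"

    def inbound(self, pkt):
        dst = ipaddress.IPv6Address(pkt["dst"])
        if dst not in self.interior:
            return "DROP"                 # not ours
        if ipaddress.IPv6Address(pkt["src"]) in self.interior:
            return "DROP"                 # our own prefix arriving from outside is spoofed
        if self._key(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"]) in self.flows:
            return "ACCEPT"               # reply to a connection opened from inside
        if (dst, pkt["proto"], pkt["dport"]) in self.services:
            return "ACCEPT"               # deliberately exposed service
        return "DROP"                     # default deny: everything unsolicited


def pkt(src, sport, dst, dport, proto="tcp"):
    """Constructed packet header, just the fields the filter looks at."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}


def demo():
    """Run constructed packets through a perimeter filter for the site
    2001:db8:1::/64 (documentation prefix) and a host filter on one workstation."""
    perimeter = IngressFilter("2001:db8:1::/64", services=[("2001:db8:1::25", "tcp", 443)])
    host = IngressFilter("2001:db8:1::10/128")       # same policy, on the workstation itself
    attacker, peer, ws, www = "2001:db8:ffff::bad", "2001:db8:ffff::1", "2001:db8:1::10", "2001:db8:1::25"
    results = {}
    # Unsolicited SSH probe at a workstation: dropped without any NAT.
    results["ssh_probe"] = perimeter.inbound(pkt(attacker, 51000, ws, 22))
    # The workstation opens HTTPS outward; the matching reply is let back in.
    perimeter.outbound(pkt(ws, 40000, peer, 443))
    host.outbound(pkt(ws, 40000, peer, 443))
    results["https_reply"] = perimeter.inbound(pkt(peer, 443, ws, 40000))
    # The one published server is reachable from anywhere.
    results["web_public"] = perimeter.inbound(pkt(attacker, 51001, www, 443))
    # A packet from outside claiming an interior source address.
    results["spoof"] = perimeter.inbound(pkt("2001:db8:1::99", 1, ws, 22))
    # Ross's case: the perimeter filter is gone.  The probe now reaches the
    # workstation directly, and only the host's own filter stands in its way.
    results["host_only"] = host.inbound(pkt(attacker, 51000, ws, 22))
    return results


if __name__ == "__main__":
    for a in ("fe80::1", "fec0::1", "fd12:3456:789a::1", "2001:db8::1"):
        print(a, classify(a))
    print(demo())
```

The answer to Ross's concern in this model is not unroutable addresses but a second copy of the same policy on the host: a perimeter that fails open exposes exactly what the host filter still denies. On a CentOS box of that era the two layers are ip6tables with a FORWARD chain whose policy is DROP (accept ESTABLISHED,RELATED, then the published services) on the router, and the same shape in the INPUT chain on every host.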