Re: [External] Re: IPv6 uptake
On Mon, Feb 19, 2024 at 10:31 AM Tim Howe wrote:
> On Mon, 19 Feb 2024 10:01:06 -0800
> William Herrin wrote:
> > So when the user wants to run a home server, their IPv4 options are to
> > create a TCP or UDP port forward for a single service port or perhaps
> > create a generic port forward for every port to a single internal
> > machine. Protocols other than TCP and UDP not supported.
>
> OK, but I'm not sure what you are getting at by saying this is
> TCP and UDP exclusive... I don't know why it would be; what's the
> example you think is typically being denied?

Hi Tim,

NATs don't generally process protocols like GRE, ESP (IPSEC), SCTP and most of the hundred fifty or so other protocols that sit atop IPv4. They don't have code that would make it possible to process those packets. They're generally TCP, UDP, and ICMP. Anything else is necessarily dropped.

> The assumption being that a guardrail for someone being really
> self-destructive is removed.

In more sophisticated scenarios where subtler errors are possible, I described it as a "security layer" rather than a "guardrail." But yes: we're talking about the same thing.

> I still believe that the statement "IPv6 is typically delivered
> to "most people" without border security" to be demonstrably false.

I concede the claim. I am satisfied with your evidence that I was in error.

Regards,
Bill Herrin

--
William Herrin
b...@herrin.us
https://bill.herrin.us/
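The exchange above turns on a mechanism rather than a policy: a port-based IPv4 NAT (NAPT) demultiplexes return traffic by the translated port, so a protocol with no port field (GRE, ESP, SCTP as carried directly over IP) gives it nothing to key on, while an IPv6 stateful filter that translates nothing can key a port-less flow on the two addresses alone. The following is an added example written for this page, not code from the thread or from any CPE. It models both devices minimally; every address, port and packet is constructed. The same model also shows the point Bill makes elsewhere in the thread: `StatefulFilter.inbound` is the only thing between an addressable inside host and the Internet, whereas the NAPT has no mapping to hand out even with nothing else in the way.

```python
"""Model of the difference the thread describes: a port-based IPv4 NAT
(NAPT) versus an IPv6 stateful filter that translates nothing.

Added example, not code from the thread or from any CPE. The two devices
are deliberately minimal models; addresses and ports are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

TCP, UDP, GRE = 6, 17, 47
PORTED = {TCP, UDP}  # protocols that carry an L4 port pair


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for port-less protocols (GRE, ESP, ...)
    dport: Optional[int] = None

    def reply(self) -> "Packet":
        """The packet the far end would send back for this one."""
        return Packet(self.proto, self.dst, self.src, self.dport, self.sport)


class Napt:
    """One public IPv4 address shared by many hosts. Return traffic is
    demultiplexed by the translated destination port, so a packet with no
    port gives the NAT nothing to rewrite or key on and is dropped."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.next_port = 10000
        self.out_map: Dict[Tuple[int, str, int], int] = {}
        self.in_map: Dict[Tuple[int, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto not in PORTED:
            return None  # GRE/ESP/SCTP etc.: no mapping possible, dropped
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(pkt.proto, self.public_ip, pkt.dst, self.out_map[key], pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        target = self.in_map.get((pkt.proto, pkt.dport))
        if target is None:
            return None  # unsolicited: no mapping, dropped
        host, port = target
        return Packet(pkt.proto, pkt.src, host, pkt.sport, port)


class StatefulFilter:
    """IPv6 border filter with no translation. Each inside host has its own
    global address, so (proto, src, dst) already identifies a port-less flow;
    ports are part of the key only when the protocol has them."""

    def __init__(self) -> None:
        self.state: Set[Tuple] = set()

    @staticmethod
    def key(pkt: Packet) -> Tuple:
        return (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)

    def outbound(self, pkt: Packet) -> Packet:
        self.state.add(self.key(pkt))
        return pkt  # forwarded unchanged

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # Admit only the reverse of a flow the inside opened.
        return pkt if self.key(pkt.reply()) in self.state else None


def demo() -> Dict[str, bool]:
    """Run both devices over constructed traffic; each entry is one claim."""
    nat, fw = Napt("203.0.113.5"), StatefulFilter()
    r: Dict[str, bool] = {}
    # Two inside hosts pick the same source port towards the same server.
    a = nat.outbound(Packet(TCP, "192.168.1.10", "198.51.100.1", 40000, 443))
    b = nat.outbound(Packet(TCP, "192.168.1.11", "198.51.100.1", 40000, 443))
    r["tcp_ports_rewritten_distinct"] = a is not None and b is not None and a.sport != b.sport
    r["tcp_reply_reaches_a"] = nat.inbound(a.reply()).dst == "192.168.1.10"
    r["tcp_reply_reaches_b"] = nat.inbound(b.reply()).dst == "192.168.1.11"
    r["nat_drops_unsolicited"] = nat.inbound(Packet(TCP, "198.51.100.9", "203.0.113.5", 1234, 22)) is None
    # GRE (protocol 47) has no port: the NAT has no way to map it.
    r["nat_drops_gre"] = nat.outbound(Packet(GRE, "192.168.1.10", "198.51.100.1")) is None
    # The same GRE tunnel behind an IPv6 stateful filter: state keyed on addresses.
    g = fw.outbound(Packet(GRE, "2001:db8:1::10", "2001:db8:2::1"))
    r["v6_passes_gre_reply"] = fw.inbound(g.reply()) is not None
    r["v6_drops_unsolicited"] = fw.inbound(Packet(TCP, "2001:db8:9::1", "2001:db8:1::10", 1234, 22)) is None
    return r


if __name__ == "__main__":
    for claim, held in demo().items():
        print(f"{claim:32} {'ok' if held else 'FAIL'}")
```

Real CPE firmware often adds ALGs or a single-host "passthrough" for GRE or ESP on top of the port mapping; the model leaves those out on purpose so that the structural limit (no port, no key) is the only thing being demonstrated.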
Re: [External] Re: IPv6 uptake
Some responses below.

On Mon, 19 Feb 2024 10:01:06 -0800
William Herrin wrote:

> > I've never once seen a device
> > that has v6 support and didn't have a stateful v6 firewall on by
> > default (if v6 was "on").
>
> Acknowledged.
>
> So when the user wants to run a home server, their IPv4 options are to
> create a TCP or UDP port forward for a single service port or perhaps
> create a generic port forward for every port to a single internal
> machine. Protocols other than TCP and UDP not supported.

OK, but I'm not sure what you are getting at by saying this is TCP and UDP exclusive... I don't know why it would be; what's the example you think is typically being denied?

> They might
> also have the option of a "bridge" mode in which only one internal
> host is usable and the IPv4 functions of the device are disabled. The
> bridge mode is the only "off" setting for the IPv4 firewall.
>
> Correct?
>
> Their IPv6 options *might* include these but also include the option
> to turn the IPv6 firewall off. At which point IPv4 is still firewalled
> but IPv6 is not and allows all L4 protocols, not just TCP and UDP.
>
> Also correct?

This isn't how I would characterize any of this, to be honest. I think what you are trying to say is that a v6 firewall can be "off" while IPv6 connectivity remains unhindered, but turning "off" an IPv4 firewall means no hosts behind NAT will continue to have connectivity. The assumption being that a guardrail for someone being really self-destructive is removed.

OK. So someone really wanted connectivity and really wanted to disable security. Maybe.

I still believe that the statement "IPv6 is typically delivered to "most people" without border security" to be demonstrably false.

--
TimH
Re: [External] Re: IPv6 uptake
On Mon, Feb 19, 2024 at 9:44 AM Tim Howe wrote:
> FWIW, in the decade we have been providing dual-stack by default, I
> have made a bit of a hobby out of testing every CPE and SOHO router
> that I get my hands on in my PON lab.

Hi Tim,

I have not, so I'll defer to your experience.

> I've never once seen a device
> that has v6 support and didn't have a stateful v6 firewall on by
> default (if v6 was "on").

Acknowledged.

So when the user wants to run a home server, their IPv4 options are to create a TCP or UDP port forward for a single service port or perhaps create a generic port forward for every port to a single internal machine. Protocols other than TCP and UDP not supported. They might also have the option of a "bridge" mode in which only one internal host is usable and the IPv4 functions of the device are disabled. The bridge mode is the only "off" setting for the IPv4 firewall.

Correct?

Their IPv6 options *might* include these but also include the option to turn the IPv6 firewall off. At which point IPv4 is still firewalled but IPv6 is not and allows all L4 protocols, not just TCP and UDP.

Also correct?

Regards,
Bill Herrin

--
William Herrin
b...@herrin.us
https://bill.herrin.us/
Re: [External] Re: IPv6 uptake
OpenWrt, from which much is derived, is default deny on ipv4 and ipv6. The ipv6 firewall on most cable devices prior to the XB6 is very, very limited.

On Mon, Feb 19, 2024 at 12:44 PM William Herrin wrote:
>
> On Mon, Feb 19, 2024 at 9:23 AM Hunter Fuller wrote:
> > On Mon, Feb 19, 2024 at 11:16 AM William Herrin wrote:
> > > > There isn't really an advantage to using v4 NAT.
> > > I disagree with that one. Limiting discussion to the original security
> > > context (rather than the wider world of how useful IPv6 is without
> > > IPv4), IPv6 is typically delivered to "most people" without border
> > > security, while IPv4 is delivered with a stateful NAT firewall.
> >
> > Maybe this is the disconnect. Who delivers v6 without a firewall?
> >
> > I've done a lot of T-Mobile and Comcast business connections lately,
> > and those certainly both provide a firewall on v4 and v6. I'll admit
> > I'm not currently well-versed in other providers (except ones that
> > don't provide v6 at all...).
>
> Hi Hunter,
>
> You may be right. I haven't ordered SOHO service in a long time and in
> fairness you were talking about Joe's Taco Shop not Joe's home
> network.
>
> I -suspect- that the wifi router provided for Joe's home network
> doesn't do much more than plain routing on the IPv6 side but I do not
> know that for a truth. I ordered my wave and comcast services without
> a router and I didn't keep the centurylink router long enough to test
> whether it did any filtering on IPv6. I noticed no knobs for IPv6
> filtering or port forwarding, so I suspect it did not.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/

--
40 years of net history, a couple songs:
https://www.youtube.com/watch?v=D9RGX6QFm5E
Dave Täht CSO, LibreQos
Re: [External] Re: IPv6 uptake
On Mon, 19 Feb 2024 09:16:00 -0800
William Herrin wrote:

> I disagree with that one. Limiting discussion to the original security
> context (rather than the wider world of how useful IPv6 is without
> IPv4), IPv6 is typically delivered to "most people" without border
> security, while IPv4 is delivered with a stateful NAT firewall.

How is v6 being delivered without a stateful firewall while v4 is secured with one?

FWIW, in the decade we have been providing dual-stack by default, I have made a bit of a hobby out of testing every CPE and SOHO router that I get my hands on in my PON lab. I've never once seen a device that has v6 support and didn't have a stateful v6 firewall on by default (if v6 was "on").

By whom and how is this being delivered?

--TimH
Re: [External] Re: IPv6 uptake
On Mon, Feb 19, 2024 at 9:23 AM Hunter Fuller wrote:
> On Mon, Feb 19, 2024 at 11:16 AM William Herrin wrote:
> > > There isn't really an advantage to using v4 NAT.
> > I disagree with that one. Limiting discussion to the original security
> > context (rather than the wider world of how useful IPv6 is without
> > IPv4), IPv6 is typically delivered to "most people" without border
> > security, while IPv4 is delivered with a stateful NAT firewall.
>
> Maybe this is the disconnect. Who delivers v6 without a firewall?
>
> I've done a lot of T-Mobile and Comcast business connections lately,
> and those certainly both provide a firewall on v4 and v6. I'll admit
> I'm not currently well-versed in other providers (except ones that
> don't provide v6 at all...).

Hi Hunter,

You may be right. I haven't ordered SOHO service in a long time and in fairness you were talking about Joe's Taco Shop not Joe's home network.

I -suspect- that the wifi router provided for Joe's home network doesn't do much more than plain routing on the IPv6 side but I do not know that for a truth. I ordered my wave and comcast services without a router and I didn't keep the centurylink router long enough to test whether it did any filtering on IPv6. I noticed no knobs for IPv6 filtering or port forwarding, so I suspect it did not.

Regards,
Bill Herrin

--
William Herrin
b...@herrin.us
https://bill.herrin.us/
Re: [External] Re: IPv6 uptake
On Mon, Feb 19, 2024 at 11:16 AM William Herrin wrote:
> > There isn't really an advantage to using v4 NAT.
> I disagree with that one. Limiting discussion to the original security
> context (rather than the wider world of how useful IPv6 is without
> IPv4), IPv6 is typically delivered to "most people" without border
> security, while IPv4 is delivered with a stateful NAT firewall.

Maybe this is the disconnect. Who delivers v6 without a firewall?

I've done a lot of T-Mobile and Comcast business connections lately, and those certainly both provide a firewall on v4 and v6. I'll admit I'm not currently well-versed in other providers (except ones that don't provide v6 at all...).

It is possible to order Comcast without a firewall for v6, in which case you receive a public v4 address without protection too.

What common scenario leads to your average person being unprotected on the v6 Internet?
Re: [External] Re: IPv6 uptake
On Mon, Feb 19, 2024 at 9:00 AM Hunter Fuller wrote:
> I guess the point I'm making is, the methods we are using today for v6
> dual WAN, work fine for most people.

Hi Hunter,

I accept that point. It's wobbly on some of the details, but you're talking "most" people, not everyone.

> There isn't really an advantage to using v4 NAT.

I disagree with that one. Limiting discussion to the original security context (rather than the wider world of how useful IPv6 is without IPv4), IPv6 is typically delivered to "most people" without border security, while IPv4 is delivered with a stateful NAT firewall.

If ISPs got diligent about providing an IPv6 firewall to customers even though they don't need to do so for the customer to use more than one computer, there'd still be a security difference between internal hosts that are externally addressable (a stateful firewall without NAT) and internal hosts which are not.

Security doesn't deal with "most people," it deals with people savvy enough to find and exploit the openings and errors in the software most people use.

Regards,
Bill Herrin

--
William Herrin
b...@herrin.us
https://bill.herrin.us/
Re: [External] Re: IPv6 uptake
On Mon, Feb 19, 2024 at 10:22 AM William Herrin wrote:
> Yes and no. The client application has to be programmed to understand
> link-local addresses or it can't use them at all. You can't just say
> "connect to fe80::1." Even if there's an fe80::1 on your network, it
> doesn't work. The client app has to also carry the interface identity
> into the stack (e.g. fe80::1%eth0) in order to use it.

Sure, you and I know this, as a network engineering fact. But, all over the US, thousands of taco trucks (Joe's or otherwise) are using Square and similar solutions, and I happen to know from pcaps that they are (at least some of the time) using the method I described. So everything else we discuss is kind of academic; Joe will continue printing receipts for taco orders over link local addresses just fine, since it works in production today. We can talk all day about how it's not optimal, has limitations if you have 4000 Chromebooks, etc., but Joe won't care, because he is selling tacos. Businesses (not enterprises) that need dual WAN will fall into this category 99.9% of the time.

I guess the point I'm making is, the methods we are using today for v6 dual WAN, work fine for most people. There isn't really an advantage to using v4 NAT. That was the original topic I was responding to... as it is visible fuzzily in the rearview mirror currently.
Re: [External] Re: IPv6 uptake
On Mon, Feb 19, 2024 at 8:08 AM Hunter Fuller wrote:
> On Mon, Feb 19, 2024 at 9:17 AM William Herrin wrote:
> > There's also the double-ISP loss scenario that causes Joe to lose all
> > global-scope IP addresses. He can overcome that by deploying ULA
> > addresses (a third set of IPv6 addresses) on the internal hosts, but
> > convincing the internal network protocols to stay on the ULA addresses
> > is wonky too.
>
> In the real world today, most applications seem to use mDNS and
> link-local addresses to keep this connectivity working. (I am guessing
> Joe's Taco Shop uses something like Square, and just needs his
> register to talk to his printer. This already works with mDNS and
> link-locals today.)

Hi Hunter,

Yes and no. The client application has to be programmed to understand link-local addresses or it can't use them at all. You can't just say "connect to fe80::1." Even if there's an fe80::1 on your network, it doesn't work. The client app has to also carry the interface identity into the stack (e.g. fe80::1%eth0) in order to use it.

IPv6 link local addresses can't be expressed as a regular DNS target the way ULA and RFC1918 addresses can. No way to add that "%eth0" to the record. They only work with multicast DNS because the matching interface is known based on which interface was used to send the multicast query.

And of course link local is -strictly- link local. If you want one subnet to communicate with another, you have to do it with global scope or ULA addresses.

Regards,
Bill Herrin

--
William Herrin
b...@herrin.us
https://bill.herrin.us/
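The two facts in the message above (a link-local address is unusable without its zone, and an AAAA record has no field to carry one) can be checked directly with the standard library. The following is an added example written for this page, not code from the thread or from any product mentioned in it. It assumes Python 3.9 or newer, which is when `ipaddress.IPv6Address` started accepting the `%zone` suffix; the interface name `eth0` and the numeric zone `3` are illustrative only.

```python
"""Scope classes of IPv6 addresses, and why a link-local address cannot be
a regular DNS target.

Added example, not code from the thread. Requires Python 3.9+ for zone-ID
parsing. "eth0" and the numeric zone 3 are constructed, illustrative values."""
import ipaddress
import socket
from typing import Optional, Tuple

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ULA = ipaddress.IPv6Network("fc00::/7")          # RFC 4193 unique local
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def classify(text: str) -> str:
    """Scope class of an IPv6 literal; a trailing %zone is accepted and ignored."""
    addr = ipaddress.IPv6Address(text)  # "fe80::1%eth0" parses on Python 3.9+
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in ULA:
        return "ula"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"


def aaaa_rdata(text: str) -> bytes:
    """The 16 bytes an AAAA record carries. There is no room for a zone ID."""
    return ipaddress.IPv6Address(text).packed


def from_aaaa(rdata: bytes) -> str:
    """What a resolver hands back: whatever zone the sender had is gone."""
    return str(ipaddress.IPv6Address(rdata))


def usable_from_dns(text: str) -> bool:
    """A link-local address round-tripped through DNS comes back without its
    zone, so a multi-interface host cannot tell which link it belongs to.
    ULA and global addresses survive the round trip intact."""
    return classify(from_aaaa(aaaa_rdata(text))) != "link-local"


def sockaddr(text: str, port: int) -> Tuple[str, int, int, int]:
    """Build the (host, port, flowinfo, scope_id) tuple an AF_INET6 socket
    needs. Link-local requires an explicit zone, as a name or an index."""
    addr = ipaddress.IPv6Address(text)
    zone: Optional[str] = addr.scope_id
    if addr in LINK_LOCAL:
        if zone is None:
            raise ValueError(f"{text} is link-local; a zone such as %eth0 is required")
        # A numeric zone is already an interface index; a name is looked up.
        scope = int(zone) if zone.isdigit() else socket.if_nametoindex(zone)
    else:
        scope = 0
    host = str(addr).split("%", 1)[0]  # the literal without its zone suffix
    return (host, port, 0, scope)


if __name__ == "__main__":
    for literal in ("fe80::1%eth0", "fd12:3456::1", "2001:db8::1"):
        print(f"{literal:16} {classify(literal):11} "
              f"via DNS -> {from_aaaa(aaaa_rdata(literal))} "
              f"usable: {usable_from_dns(literal)}")
    print(sockaddr("fe80::1%3", 80))
```

`socket.if_nametoindex("eth0")` is what supplies the zone for a named interface at run time, which is exactly the piece mDNS gets for free from the interface the multicast query left on and that a unicast DNS answer cannot provide.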
Re: [External] Re: IPv6 uptake
On Mon, Feb 19, 2024 at 11:13 AM Hunter Fuller via NANOG wrote:
>
> On Mon, Feb 19, 2024 at 9:29 AM Mike Hammett wrote:
> > "In IPv6's default operation, if Joe has two connections then each of
> > his computers has two IPv6 addresses and two default routes. If one
> > connection goes down, one of the routes and sets of IP addresses goes
> > away."
> >
> > This sounds like a disaster.
>
> You know, I thought so too, until I deployed it and it worked fine.

Years ago we made "source specific routing" the default in openwrt. This means all hosts get both sets of prefixes, and naturally retry other src addresses. To what extent anyone else has adopted this is unknown. The popular mwan3 code is kind of hairy vis-à-vis ipv6 here.

> I have done it twice now, once on MikroTik RouterOS and once on
> Ubiquiti EdgeOS. You just have to make sure the timers are pretty
> short, and that the router will stop sending RAs for the route if it's
> not working. This is definitely something that a COTS SOHO dual WAN
> router, that Joe would buy, could and should do by default (hopefully
> they do; I just haven't checked).
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH M-1C
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering

--
40 years of net history, a couple songs:
https://www.youtube.com/watch?v=D9RGX6QFm5E
Dave Täht CSO, LibreQos
Re: [External] Re: IPv6 uptake
mdns can still be "fun" in a wide variety of situations.

https://www.reddit.com/r/k12sysadmin/comments/9yghdx/chromebooks_and_peer_to_peer_updates_can_be/

I do not know to what extent the upgrade to unicast feature long gestating in the IETF has been adopted.

On Mon, Feb 19, 2024 at 11:10 AM Hunter Fuller via NANOG wrote:
>
> On Mon, Feb 19, 2024 at 9:17 AM William Herrin wrote:
> > There's also the double-ISP loss scenario that causes Joe to lose all
> > global-scope IP addresses. He can overcome that by deploying ULA
> > addresses (a third set of IPv6 addresses) on the internal hosts, but
> > convincing the internal network protocols to stay on the ULA addresses
> > is wonky too.
>
> In the real world today, most applications seem to use mDNS and
> link-local addresses to keep this connectivity working. (I am guessing
> Joe's Taco Shop uses something like Square, and just needs his
> register to talk to his printer. This already works with mDNS and
> link-locals today.)
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH M-1C
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering

--
40 years of net history, a couple songs:
https://www.youtube.com/watch?v=D9RGX6QFm5E
Dave Täht CSO, LibreQos
Re: [External] Re: IPv6 uptake
On Mon, Feb 19, 2024 at 9:29 AM Mike Hammett wrote:
> "In IPv6's default operation, if Joe has two connections then each of
> his computers has two IPv6 addresses and two default routes. If one
> connection goes down, one of the routes and sets of IP addresses goes
> away."
>
> This sounds like a disaster.

You know, I thought so too, until I deployed it and it worked fine.

I have done it twice now, once on MikroTik RouterOS and once on Ubiquiti EdgeOS. You just have to make sure the timers are pretty short, and that the router will stop sending RAs for the route if it's not working. This is definitely something that a COTS SOHO dual WAN router, that Joe would buy, could and should do by default (hopefully they do; I just haven't checked).

--
Hunter Fuller (they)
Router Jockey
VBH M-1C
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering
Re: [External] Re: IPv6 uptake
On Mon, Feb 19, 2024 at 9:17 AM William Herrin wrote:
> There's also the double-ISP loss scenario that causes Joe to lose all
> global-scope IP addresses. He can overcome that by deploying ULA
> addresses (a third set of IPv6 addresses) on the internal hosts, but
> convincing the internal network protocols to stay on the ULA addresses
> is wonky too.

In the real world today, most applications seem to use mDNS and link-local addresses to keep this connectivity working. (I am guessing Joe's Taco Shop uses something like Square, and just needs his register to talk to his printer. This already works with mDNS and link-locals today.)

--
Hunter Fuller (they)
Router Jockey
VBH M-1C
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering