IPv6 Hall of Shame

Comments
Not triggering reddit or youtube bot alarm, pretty cool
Be warned that NIST SP 800-119 was published in 2010, almost 15 years ago and is no longer the primary source for the latest information on IPv6 security.
That said, this is what NIST SP 800-119 states:
Add to this regular address rotation.
What will you get?
And in the next sentence it says: "This does not mean that reconnaissance attacks will go away in an IPv6 environment; it is more likely that the tactics used for network reconnaissance will be modified. "
Something like when ISPs regularly rotate IPv4 addresses, but without the added benefit of pseudo anonymization, as on IPv6 they know it's your /64 subnet and everyone can track you for months or years. But that's another topic.
They're doing it right, both stacks are being widely used they are both important.
What I find very odd is seeing people actively fighting against IPv6, they shouldn't be doing that.
Making things too hard for the attacker is the way true security operates, it's too bad that you fail to grasp that basic tenet of security. But hey, you can keep on trying if you want, it's your life, you can waste it if you want.
That said, yes
Modified to fail, but you will still have a choice to make:
1) You can fail gracefully, the easy way to fail.
2) Or you will fail ungracefully, that would be the hard way to fail.
Maybe it's because the engineering of IPv6 is made by communists pro citizens tracking.
Poor choices are made by ICANN, everything is made for control from the top to the bottom, IPsec is the perfect example and the mobile routing IPv6 extension is as ugly as possible. The simple idea to route a moving target is a stupid nightmare, the ideology is far away from the reality of routing packets efficiently.
The only way to solve that is to reserve one /64 to share together on each ISP where users are free to change as they need by scripting with a simple command line tool, described in the RFC. This is not their plan and IPv6 sucks.
But yes, I agree IPv6 is good for connectivity end to end device.
Ok. It seems to some people IPv6 gives a false sense of security. From NIST publication: "From this comparison of IPv4 and IPv6 threats, one can surmise that IPv6 will not inherently be either more or less secure than IPv4."
All addresses inside a /64 block are considered equivalent and speaking of anonymisation inside block is complete nonsense. If you want anonymisation you'll need to use multiple /64 blocks but that's not the way it's supposed to be, that would be nonsense.
I clearly pointed out "without the added benefit of pseudo anonymization".
That would not help much anyway. Everyone is supposed to get a /48 and even then everyone can be tracked. The "pseudo anonymization" as it is called is an unintended consequence of IPv4.
Users need to invite ISP with an easy way to log who is using this IPv6 at this time, to be able to share a /64, because today the rule is simple: one /64 = one user forever, no "pseudo anonymization" at all.
Will be hard but I think in next year we will see private network agreement based on algorithm to use the /64 of each other with just an extension of WireGuard! Everything is in place for signing the agreement to make an automatic mixing and IP allocation based on pure algorithm and secret shared.
Wait and see, people always solve existential problem. Vast IP population is available, just need to find a way to use them.
I talk about WireGuard extension because ISP can track pubkey in WireGuard packet, so if a provable link to a mutual contract is made, it's easy to find the bad actor. Privacy is gained if the activity is fair/legit and no change at all for ISP.
A professional, which you clearly are not, would ask a certain question, namely "why"? One major, with very high likelihood THE reason simply is "very large numbers" - which however works both ways. To use a /64 sub-net reasonably you, to provide an example, also must have an adequate router - which most don't. No problem for Joe Normal who uses but a ridiculously tiny fraction of his allocation, but a potentially big problem for "juicy" targets. That said, chances are that Joe's router can be quite easily brought down by attacking it.
The old rule holds true: "a high-end safe lock in a door is nonsensical if the walls are made of plywood".
So, maybe one after all wasn't/isn't in such a bad position using IP4 for one's "Joe Average" couple of dozen devices behind NAT and most of the devices not needing to be publicly reachable anyway ...
THAT, the nonsensically high number of "ipv6 for everyone" actually turns out to be a weakness. Just like the solution to the problem "people want to earn more to have a decent life" is NOT "oh well, just pay everyone a couple of billions per month".
Why would anyone waste their time doing that, what for? For the kicks?
That would bring zero gain, definitely not too pro. Any good up to date professional, which you clearly are not (I'm sorry but you forced me to say that out loud,) would be able to recognize that. You struggle with basic concepts.
Thanks for amusing me!
You're welcome.
Thanks to you too, you've been precious
Nobody cares about this. There's no IETF police.
Yes it is because end to end connectivity means more direct routes and less middlebox processing delay. When you use IPv4 on a cellphone network all your packets have to go through a central processing point where CGNAT is done, but your IPv6 packets can go directly to the destination. But you're just gonna ignore this fact because you hate things that work properly. Can you just admit you're wrong?
They do this in IPv4 too. Look at the RIPE BGP IP to ASN mapping, they always have 0.0.0.0/0 announced by several ASNs.
How can a cheap "router" "explode" with IPv6? Isn't it just a switch and maybe a bridge for wifi?
No it isn't. Let's look at real measurements again:
"These measurements show that in a large set of 1:1 individual comparisons where the IPv4 and IPv6 paths between the same two dual stack endpoints are compared, the two protocols, as measured by the TCP SYN round trip time, are roughly equivalent. The measurements are within 10ms of each other 60% of the time. "
"While the connection performance is roughly equivalent once the connection is established, the probability of establishing the connection is not the same. The current connection failure rate for IPv4 connections was seen to be some 0.2% of all connection attempts, while the equivalent connection failure rate for unicast IPv6 is nine times higher, at 1.8% of all connection attempts. "
If anything you can in theory say that IPv6 is inherently slower because it has larger addresses. In practice you will not see a difference when comparing apples to apples.
Did their test include CGNAT?
They use an online ad where a script generates a set of URLs to fetch and then they examine the packets. 10 million measurements per day. So yes, I think it includes CGNAT, as those are real world measurements.
Online ads don't have permission to view packets.
The Measurement Technique
Embed a script in an online ad
Have the script generate a set of URLs to fetch
Examine the packets seen at the server to determine reliability and RTT
@maxxxxx
When you find yourself in a hole, stop digging.
Don't know about you but I'm sure the guys at APNIC Labs know what they're doing.
They don't know what they're not doing, which is apparently IPv6.
So they're trying to invent a whole new kind of network, of course they think every other network is shit. That's what you quoted. You said they complained IPv6 was just another normal network and not a futuristic utopia that solves all problems, like what they're trying to make.
I don't really have any idea where you get such conclusions. It's not even funny.
IPv6 released a new RFC666666 protocol to bring engineers who disagree into agreement.
The technology is still misunderstood.
Can we do an IPv4 hall of shame or will the mods delete that too?
I'm sure there's a lot of that among professionals too. But in this case, he's simply claiming I said and quoted things I did not. Perhaps he should read things more carefully instead of doing that and adding nonsense on top of it.