Whether you’re really passionate about RPC, MQTT, Matrix or wayland, tell us more about the protocols or open standards you have strong opinions on!

  • aarroyoc@lemuria.es
    link
    fedilink
    arrow-up
    95
    ·
    7 months ago

    IPv6. Lack of IPv4 addresses it’s a problem, specially in poorer countries. But still lots of servers and ISPs don’t support it natively. And what is worse. Lots of sysadmins don’t want to learn it.

    • PlexSheep@infosec.pub
      link
      fedilink
      arrow-up
      31
      ·
      edit-2
      7 months ago

      My university recently had Internet problems, where the DHCP only leased Out ipv6 addresses. For two days, we could all see which sites implemented ipv6 and which didn’t.

      Many big corpo sites like GitHub or discord Apperently don’t. Small stuff like my personal website or https://suikagame.com do.

    • vzq@lemmy.blahaj.zone
      link
      fedilink
      arrow-up
      21
      ·
      7 months ago

      Lots of really large sites are horribly misconfigured. I had intermittent issues because one of the edge hosts in Netflix ‘s round robin dns did not do MTU discovery properly.

      • Alk@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        ·
        7 months ago

        My isp decided to put me behind a CGNAT and broke my access to my network from outside my network. Wanted to charge me $5 a month to get around it. It’s not easy to get around for a layman, but possible. More than anything it just pissed me off that I’d have to pay for something that 1 day ago was free.

          • Alk@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            ·
            7 months ago

            Set up a reverse proxy on another machine (like one of those free oracle cloud things). I can’t go into detail because I don’t know exactly how. I think cloudflare also has options for that for free. Either way it’s annoying.

            • ChilledPeppers@lemmy.world
              link
              fedilink
              arrow-up
              2
              ·
              7 months ago

              Cloudflare tunnel, and its alternatives, such as localXpose, altho the privacy is probably questionable, and a many of them require a domain.

        • cmnybo@discuss.tchncs.de
          link
          fedilink
          English
          arrow-up
          22
          arrow-down
          3
          ·
          7 months ago

          NAT is not for security, that’s what the firewall is for. Nobody can access your IPv6 network unless you allow access through the firewall.

              • ReversalHatchery@beehaw.org
                link
                fedilink
                English
                arrow-up
                1
                ·
                7 months ago

                If computers connect to others through the internet, the IPv6 address can reveal how many computers there are on the local network, and if certain traffic to different destinations are coming from the same computer, but also if one of the computers has gone offline but then resumes from sleep/hibernation.
                To me their comment means they want to avoid that, and I agree, I want to avoid that too. To fix these, I would need to configure NAT on my router for IPv6.

                Yes IPv6 address privacy extensions help somewhat, but

                • computers won’t use a different v6 address for every distinct destination, they will just start using a new one from time to time
                • computers won’t stop using the old v6 address immediately after wakeup

                With v4 addresses these did not really matter, because everything was being sent from the same public IP, and and outside observer could only see what a “network” is doing collectively. But with v6 an address identifies a computer, across websites/services. Even if it’s just for a "short’ time, even if the address is randomized.

                • frezik@midwest.social
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  7 months ago

                  If you want privacy, you need some kind of VPN or onion routing. Even if everything you list were correct, the difference between IPv4 and 6 for privacy would be marginal.

                  • ReversalHatchery@beehaw.org
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    ·
                    7 months ago

                    I don’t think this is so black and white. I’m a regular tor user, but so often it’s not worth it to load webpages through a dial-up connection, and then there are the sites that block access for tor users for some reason.

                    Even if everything you list were correct

                    Which parts weren’t?

                    the difference between IPv4 and 6 for privacy would be marginal

                    I disagree

        • lemmyvore@feddit.nl
          link
          fedilink
          English
          arrow-up
          15
          arrow-down
          1
          ·
          7 months ago

          You’re thinking of a firewall. NAT is just the thing that makes a connection appear to come from an IP on the internet when it’s really coming from your router, and it’s not needed with IPv6. But you would not see any difference with IPv6 without it.

          • Dave.@aussie.zone
            link
            fedilink
            arrow-up
            1
            ·
            edit-2
            7 months ago

            You’re thinking of a firewall. NAT is just the thing that makes a connection appear to come from…

            That connection only “appears to come from” if I explicitly put a rule in my NAT table directing it to my computer behind the router doing the NAT-ing.

            Otherwise all connections through NAT are started from internal->external network requests and the state table in NAT keeps track of which internal IP is talking to which external IP and directs traffic as necessary.

            So OP is correct, it does apply a measure of security. Port scanning someone behind NAT isn’t possible, you just end up port scanning their crappy NAT router provided by their ISP unless they have specifically opened up some ports and directed them to their internal IP address.

            Compare this to IPV6 where you get a slice of the public address space to place your devices in and they are all directly addressable. In that case your crappy ISP router also is a “proper” firewall. Strangely enough it usually is a “stateful” firewall with default deny-all rules that tracks network connections and looks and performs almost exactly like the NAT version, just without address translation.

            • Domi@lemmy.secnd.me
              link
              fedilink
              arrow-up
              2
              ·
              7 months ago

              So OP is correct, it does apply a measure of security. Port scanning someone behind NAT isn’t possible, you just end up port scanning their crappy NAT router provided by their ISP unless they have specifically opened up some ports and directed them to their internal IP address.

              You end up just port scanning their crappy router on IPv6 as well because ports that are not opened are stuck at the firewall either way, no matter if you use IPv4 or IPv6.

              Just because every device gets a public IP does not mean that IP is publicly accessible.

              An advantage that IPv6 has against port scanning is the absurdly large network sizes. For example, my ISP gives me a /56 prefix, that is 4,722,366,482,869,645,213,696 IPv6 addresses. Good luck finding the used ones with the port open you need.

              Even with just a /64 prefix you get 18,446,744,073,709,551,616 addresses, way outside the feasibility of port scanning.

            • KillingTimeItself@lemmy.dbzer0.com
              link
              fedilink
              English
              arrow-up
              1
              ·
              7 months ago

              Compare this to IPV6 where you get a slice of the public address space to place your devices in and they are all directly addressable. In that case your crappy ISP router also is a “proper” firewall. Strangely enough it usually is a “stateful” firewall with default deny-all rules that tracks network connections and looks and performs almost exactly like the NAT version, just without address translation.

              realistically, it wouldnt surprise me if ISPs started NATing on residential IPV6 networks, just for the simplicity, but still allowed end users to assign their own IPs if they so pleased. Given the surge in shitty IOT devices, that’s probably a good thing for most people. Though a firewall would also accomplish this as well.

        • frezik@midwest.social
          link
          fedilink
          arrow-up
          2
          ·
          7 months ago

          No. Stop spreading that myth. NAT does fuck all for security. If you want a border gateway, you can just have a border gateway.

    • folkrav@lemmy.ca
      link
      fedilink
      arrow-up
      9
      ·
      7 months ago

      Say this to my very large Canadian ISP who still doesn’t support IPv6 for residential customers. Last I checked, adoption in Canada was still under 50%.

      • calcopiritus@lemmy.world
        link
        fedilink
        arrow-up
        4
        ·
        7 months ago

        50%?? I fucking wish. In Spain we are at 5%. I finally got IPv6 in my phone this year, but I want it in my home, which is still only available as IPv4 even if they’re the same ISP.