Language:
switch to room list switch to menu My folders
Go to page: First ... 22 23 24 25 [26] 27 28 29 30 ... Last
[#] Tue Apr 05 2011 20:57:58 EDT from Ford II @ Uncensored

[Reply] [ReplyQuoted] [Headers] [Print]

I've heard of the dns tunnel thing but I've never tried it.

[#] Sun Apr 10 2011 22:30:17 EDT from the8088er @ Uncensored

[Reply] [ReplyQuoted] [Headers] [Print]

Is anyone currently messing around with or using IPv6 in a production environment? If so, what client OS(s) are you using? There seem to be a lot of Dreally bad, unpatched, easy to run IPv6 based DoS attacks for Windows and Linux out there right now. :-/

[#] Mon Apr 11 2011 11:27:23 EDT from IGnatius T Foobar @ Uncensored

[Reply] [ReplyQuoted] [Headers] [Print]

I've been hard at work IPv6-enabling our data center. So far, the only "security holes" I've seen were incompetent administrators who forget to do simple things like putting up firewalls.

[#] Mon Apr 11 2011 15:58:23 EDT from the8088er @ Uncensored

[Reply] [ReplyQuoted] [Headers] [Print]

If you have Router Discovery turned on, you're still vunerable to this one:
http://samsclass.info/ipv6/proj/flood-router6a.htm

[#] Mon Apr 11 2011 17:21:56 EDT from IGnatius T Foobar @ Uncensored

[Reply] [ReplyQuoted] [Headers] [Print]

So ... Windows is inexcusably insecure out of the box. What else is new?

[#] Mon Apr 11 2011 19:24:51 EDT from the8088er @ Uncensored

[Reply] [ReplyQuoted] [Headers] [Print]

Not much, but that's a pretty severe wide open problem.

[#] Mon Apr 11 2011 19:28:18 EDT from the8088er @ Uncensored

[Reply] [ReplyQuoted] [Headers] [Print]

Here's another less nasty one that also affects Linux http://samsclass.info/ipv6/proj/proj-124-13x-sendpees6.html:




[#] Mon Apr 11 2011 23:23:02 EDT from IGnatius T Foobar @ Uncensored

Subject: Re:

[Reply] [ReplyQuoted] [Headers] [Print]

Well, yes, it is possible to operate a rogue IPv6 router and fool the local machines into using you as their default gateway, but it's just as possible to operate a rogue DHCP server on an IPv4 network.  It's an issue but it isn't a new issue, nor is it a show-stopping one.



[#] Tue Apr 12 2011 02:14:16 EDT from the8088er @ Uncensored

Subject: Re:

[Reply] [ReplyQuoted] [Headers] [Print]

With my admittedly limited understanding of networking though, it seems like the RSA signed packet DoS is specific to IPv6 and it prevents router spoofing but opens a different can of worms. I've experienced many times rouge DHCP servers on IPv4 networks, mostly accidental though.

FWIW the guy whose website I'm linking to, Sam Bowne, gave this talk at Defcon which I found on youtube and found very informative regarding IPv6, having known little to nothing about it before : http://www.youtube.com/watch?v=zIUgH2wVt_0

So much to learn though.

[#] Tue Apr 12 2011 13:00:15 EDT from IGnatius T Foobar @ Uncensored

Subject: Re:

[Reply] [ReplyQuoted] [Headers] [Print]

I think the biggest change is getting out of the NAT mindset. IPv6 restores the original end-to-end nature of the Internet.

Allowing hosts to perform router discovery and generate their own IPv6 addresses, reminds me of the old days of Netware IPX/SPX. Hopefully it will become common for hosts to automatically register themselves with nameservers, and we will have come full circle.

I use static IPv6 addresses for routers, and for DNS servers. Everything else uses the address automatically assigned using router discovery plus the MAC address. At the moment, my workflow is to log in using IPv4 and then copy-and-paste the IPv6 address into the DNS server. This seems suboptimal and I would like to see the process automated.

[#] Tue Apr 12 2011 17:10:16 EDT from LoanShark @ Uncensored

Subject: Re:

[Reply] [ReplyQuoted] [Headers] [Print]

I think the biggest change is getting out of the NAT mindset. IPv6
restores the original end-to-end nature of the Internet.

How much you want to bet that residential access providers will continue to charge extra $ for more than one IPv6 address, continue to assign dynamic addresses, etc -- just to create an artificially tiered service?

[#] Wed Apr 13 2011 10:57:02 EDT from saltine @ Uncensored

Subject: Re:

[Reply] [ReplyQuoted] [Headers] [Print]

Theydll switch it to a change request fee.

[#] Wed Apr 13 2011 12:42:25 EDT from IGnatius T Foobar @ Uncensored

Subject: Re:

[Reply] [ReplyQuoted] [Headers] [Print]

Ideally you're going to get a /64 which is what the designers intended, but even handing those out on a dynamic basis could be annoying. Can you imagine a routine change of your provider-assigned address renumbering your entire internal network? If they do that, I'd rather be assigned a single /128 for my firewall and run NAT66.

[#] Wed Apr 13 2011 14:54:08 EDT from LoanShark @ Uncensored

[Reply] [ReplyQuoted] [Headers] [Print]


Seems more likely that your home network might just get bridged onto the provider's cable plant, so their whole network in your neighborhood looks like one big Ethernet segment.

[#] Wed Apr 13 2011 18:06:33 EDT from IGnatius T Foobar @ Uncensored

[Reply] [ReplyQuoted] [Headers] [Print]

Acecape does something similar with IPv4 on their DSL circuits. They give you an address on a /24 but it's restricted somehow at the DSLAM so that you can't use an unassigned address or exchange packets with anyone on that subnet other than the default gateway. If you sniff it, though, you see lots of ARP going over the wire.

Scoping a /64 across an entire "node" (~500 subscribers for cable, 32 subscribers for PON, and for DSL it would probably be whatever the line capacity of a single DSLAM is) seems to make sense from a capacity planning point of view, *if* they could find a way to keep neighbors from stepping on each other too much. At first it seems feasible to simply restrict intra-node traffic at layer 2, until you consider that it's perfectly reasonable that neighbors might want to Skype or play online games with each other, etc.

Perhaps it would be sufficient to restrict *broadcast* traffic at the demarc (in the cable/DSL modem or ONT, or even in a consumer grade IPv6-ready firewall) so that traffic flows freely but neighbors don't end up in one big "network neighborhood" when they bring their computers online. Or if we're going to return to the good old days of firewalls that just do filtering and not NAT, then a properly configured consumer-grade firewall would simply drop all inbound packets that are not known to be part of an existing flow -- but it would have to do it without routing.

On the other hand, one would think that The Man would very much like to have static IPv6 down to the device level for tracking purposes. MPAA/RIAA types would enjoy it. "Law" enforcement types would have an easier time nailing people for non-crimes. And the folks who sell your information would be able to tell the difference between traffic originating from different computers in the same household.

[#] Wed Apr 13 2011 20:59:18 EDT from LoanShark @ Uncensored

[Reply] [ReplyQuoted] [Headers] [Print]


Right now, I'm sitting on a /23, so I don't see how the situation is fundamentally different than what's already happening: that /23 must be bridged to other local customers.

[#] Wed Apr 13 2011 23:37:59 EDT from IGnatius T Foobar @ Uncensored

[Reply] [ReplyQuoted] [Headers] [Print]

Can you ping them? Does the whole neighborhood appear as a single broadcast domain? When I had DSL with Acecape I was on a /24 but I couldn't reach anyone on my subnet.

[#] Wed Apr 13 2011 23:58:09 EDT from IGnatius T Foobar @ Uncensored

[Reply] [ReplyQuoted] [Headers] [Print]

I'm currently on a /24, and I see lots of hosts are pingable within the subnet.
And it seems that unlike Acecape, Verizon is letting me connect to various open ports on thos hosts.

Interestingly, all of them have the same MAC address. Also, I'm not able to DHCP for more than one IPv4 address at a time. Clearly the equipment on the FiOS network is doing more than just bridging Ethernet between the port on my ONT and an upstream router somewhere. Probably both the ONT and OLT are configured to pass IPv4 through in a specific way.

Doing this effectively with IPv6 would require passing the router advertisements downstream, and then admitting the subscriber's various IPv6 addresses upstream in an orderly fashion while both suppressing inter-subscriber broadcasts and handling the conflicts that are created when two or more morons start hardcoding IPv6 addresses starting at the bottom of the subnet instead of allowing their computers and other devices to derive their IPv6 addresses from the MAC address of each device.

It's all doable -- just a question of how they go about it. It should be interesting. It would be a shame if ISP's took the easy way out. There are a lot of advantages to bringing back the end-to-end nature of the Internet, even from the ISP's point of view. For example, I'm sure that the ones who provide both Internet and Television would love to be able to talk to the various DVR's and other set top boxes without having to resort to stupid router tricks.

And there's really no reason not to let the subscribers have as many IPv6 addresses as they want. It's not as if we're back in 1999 and ISP's are still arguing that NAT violates their ToS because you're connecting multiple endpoints and only paying for one. These days, most of them even *give* you the router.

[#] Thu Apr 14 2011 03:07:14 EDT from saltine @ Uncensored

[Reply] [ReplyQuoted] [Headers] [Print]

They do something similar here in Stockholm. The city has a fiber backbone that all the ISPs sell subscriptions to.
Some allow edge-premise routing-switching while others require one arm routing back at the internet handoff.
I personally think having the ability to communicate with peers unrestricted will be a good thing and bring
people closer to one another in the same communities.

[#] Mon Apr 18 2011 00:18:17 EDT from the8088er @ Uncensored

[Reply] [ReplyQuoted] [Headers] [Print]

Oh how I wish I understood this all.

Go to page: First ... 22 23 24 25 [26] 27 28 29 30 ... Last