
Posts: 2 | Comments: 1,266 | Joined: 2 yr. ago

  • DHCPv6-PD is used by ISPs for prefix delegation, which most routers support now (not so when my ISP first started with it).

    But for advertising prefixes on a lan most networks use router adverts.

    They're different use cases though.

  • You can include some information in router advertisements; likely there will be RFCs for more. Not sure of the full list of stuff you can advertise.

    For sure, I'm quite sure I had DNS servers configured this way. I'll check when not on a phone to see what options there are.

  • Best thing to do to test the firewall is run some kind of server and try to connect to your IPv6 on that port.

    Like I've said in other posts, routers really should block incoming connections by default. But it's not always the case that they do.

  • That's true. But there are not many differences. It's just, the differences there are, are crucial to understanding it.

  • Yep, it's all good. In my opinion, IPv6 routers should just be dropping incoming connections by default. If you want to run services you give your machine a static IPv6 and open ports on that IP/port specifically. It's actually easier than NAT because you don't need to translate ports and each IP can use the same ports (multiple web servers on 80/443).

    I do agree that the average joe is going to expect NAT level security by default and that would provide that.

  • It's really not though. ISPs are a problem, but every hosting provider I've used has offered IPv6. It's really trivial to set up IPv6 name DNS, and host a website on both IPv4 and IPv6. I just do it by default now.

    Once it becomes the default to deploy to both, if IPv4 died then the IPv6 side would just keep working.

    For DNS, you can make a single glue record contain an IPv4 and IPv6 address.
    DNS just needs A and AAAA records for the name servers. NS records still point to the hostname as normal.

    For Web servers, the web server just needs to bind to the IPv6 address(es). Then in DNS just have an A and AAAA record for each website hostname. The server name directives will cover both.

    There really isn't much to it right now. The technology is mature now. It used to be a pain, but now it isn't.

  • In most cases, the router advertises the prefix, and the devices choose their own IPv6. Unless you run DHCPv6 (which really no-one does in reality; I don't even think Android will use it if present).

    It doesn't allow firewall bypass though, as the other commenter noted.

  • Honestly, I think most fear of IPv6 is just borne out of ignorance and assigning their understanding of IPv4 onto IPv6 and making assumptions.

  • Routers simply need to block incoming unestablished packets (all modern routers allow for this) to replicate NAT security without NAT translation. Then you just punch holes through on IP addresses and ports you want to run services on and be done with it.

    Now, some home routers aren't doing this by default, but they absolutely should be. That's just router software designers being bad, not IPv6's fault, and would get ironed out pretty quick if there was mass adoption and IPv4 became the secondary system.

    To be clear, this is not a reason not to be adopting IPv6.

  • I've not read the CVE but assuming it works on any IPv6 address including the privacy extensions addresses, it's a problem. Depending on what most routers do in terms of IPv6 firewalling.

    My opinion is, IPv6 firewalls should, by default, offer similar levels of security to NAT. That is, no unsolicited incoming connections but allow outgoing ones freely.

    In my experience, it's a bit hit-and-miss whether they do or not.

    Now, if this works on privacy extension addresses, it's a problem because the IPv6 address could be harvested from outgoing connections and then attacked. If not, then scanning the IPv6 space is extremely hard, and the fact that by default addresses are assigned randomly inside the /64 most people have assigned by their ISP means that the address space just within your own LAN is huge to scan.

    If it doesn't work on privacy extension IPs, I would say the risk is very low, since the main IPv6 address is generally not exposed and would be very hard to find by chance.

    Here's the big caveat, though. If these packets can be crafted as part of a response to an active outgoing TCP circuit/session, then all bets are off. Because a popular web server could be hacked, adjusted to insert these packets on existing circuits/sessions in the normal response from the web server. Meaning, this could be exploited simply by visiting a website.
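
The "NAT-level by default" firewall that several of these comments describe (drop unsolicited inbound, allow outbound freely, then punch holes only for specific address/port pairs) can be written as an nftables ruleset. The block below is an added illustration, not code from any commenter. It assumes a router with a WAN interface `wan0` and a LAN interface `lan0`, a delegated LAN prefix in the RFC 3849 documentation range `2001:db8:1234:1::/64`, and one LAN host at `2001:db8:1234:1::80` with a static (non-privacy) address that runs a web server; all of those names and addresses are placeholders.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Minimal IPv6 router firewall:
# default-deny for unsolicited inbound, stateful allow for replies,
# explicit holes per (address, port). Interface names and the
# 2001:db8:1234:1::/64 prefix are placeholders, not real deployment values.

flush ruleset

table ip6 home {

    # Explicit holes: address . port pairs allowed to receive unsolicited
    # inbound TCP. No port translation; several hosts may each use 443.
    set inbound_allow {
        type ipv6_addr . inet_service
        elements = {
            2001:db8:1234:1::80 . 80,
            2001:db8:1234:1::80 . 443,
        }
    }

    # Traffic routed through the box between WAN and LAN.
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to sessions a LAN host started are always allowed.
        ct state established,related accept
        ct state invalid drop

        # Anything the LAN initiates towards the Internet.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 errors must pass or path MTU discovery breaks and
        # connections stall (RFC 4890 recommendations).
        iifname "wan0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # Unsolicited inbound TCP from WAN: only the listed holes.
        iifname "wan0" oifname "lan0" ct state new ip6 daddr . tcp dport @inbound_allow accept

        # Everything else is dropped; count and log it so misconfigured
        # holes and inbound probes are visible in the router's log.
        counter log prefix "ip6 fwd drop: " drop
    }

    # Traffic addressed to the router itself.
    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # The LAN may manage the router; the WAN may not.
        iifname "lan0" accept

        # Neighbor discovery and router advertisements on the WAN side,
        # plus DHCPv6 server->client replies (547 -> 546) that deliver
        # the delegated prefix (DHCPv6-PD).
        iifname "wan0" icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        iifname "wan0" udp sport 547 udp dport 546 accept

        counter log prefix "ip6 in drop: " drop
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

Check the syntax without loading it with `nft -c -f ruleset.nft`, load it with `nft -f ruleset.nft`, and then verify it the way the thread suggests: run a listener on a LAN host and try to connect to its IPv6 address from outside on a port that is in `inbound_allow` and on one that is not. The `counter log` lines at the end of each chain are what make the second test observable from the router side.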

  • God damn it Lrrr. You just had to keep off it for two weeks, TWO WEEKS!

  • What about Omicron Persei 8? Surely they got some medal in the human eating contest?

  • Sync process? The other comment was talking about the old receivers for the atomic clocks on SW/MW frequencies. It was a one way thing.

    Now in theory if a receiver also had GPS they could account for the distance. But, then they'd get far more accurate time from the GPS receiver so...

  • Yeah, but you need to factor in the distance to the transmitter. Going to add at least a few microseconds to your time accuracy!

  • Right! Just to prove a point, I am going to make an NTP enabled rolex, and sync it to my microsecond accurate local NTP server! :P

  • Setting up online accounts and allowing login via online accounts is fine. Forcing the use of an online account to use an operating system is not OK. They are actively blocking workarounds people use to set up their machine with a local account only.

    Providing an easy (perhaps upon installation or first login) method to enable full disk encryption is a good thing. Automatically doing it without user intervention is not.

    I would say that enabling it by default and offering a way to disable it before it happens on a laptop makes sense. I have BitLocker enabled on my laptop. But I cannot see any real reason to put it on my desktop. The number of cases where BitLocker on my desktop makes sense are too few to bother with the potential for problems it brings.

    The two things are also linked; I suspect they will tie your BitLocker unlock keys to the Microsoft account they force you to log in with on computer/Windows setup. Should you lose access through any means, you could lose access to your account; you're one misclick/hardware change away from bricking your system.

    I also wonder, say for example your Microsoft account becomes banned/deleted through some obscure TOS violation and your PC doesn't have any local accounts configured. Are you locked out of your PC?

    I'm not anti-Microsoft. I'm anti a lot of their recent actions, and cynical about their overall intentions regarding them.

  • Also on the 7800X3D. I think I switched at just the right time. I've been on Intel since the Athlon XP. The next buy would have been 13/14th gen.