cancel
Showing results for 
Search instead for 
Did you mean: 

IPV6...

Strat
Community Veteran
Posts: 31,320
Thanks: 1,609
Fixes: 565
Registered: ‎14-04-2007

Re: IPV6...

Moderators Note
This topic has been moved from Plusnet Feedback to IPv6 Trial.

 

 

Windows 10 Firefox 109.0 (64-bit)
To argue with someone who has renounced the use of reason is like administering medicine to the dead - Thomas Paine
summers
Aspiring Pro
Posts: 275
Thanks: 50
Fixes: 1
Registered: ‎01-06-2014

Re: IPV6...

In IPv6 is *really* needed, have you though about using 6in4 or 6to4 if your router supports it?

I use 6to4, and plusnet is good enough to route the packages. So I have a virtual IPv6 inside my home network.

Only hassle is as the Ipv6 has an encapulation of the router IPv4 address, everytime the ADSL connection breaks and gets restablished, if the IPv4 address changes - then all the local network IPv6 adresses need reasigning. Most IPv6 implimentation are set up with this in mind, e.g. I use stateless. This means that the updated IP adress propogates behinds the scene, and I don't need to do anything.

MJN
Pro
Posts: 1,318
Thanks: 161
Fixes: 5
Registered: ‎26-08-2010

Re: IPV6...

Those with a 'need' (or even just a 'desire') have long since been using transition technologies like 6in4/6to4 but it is not a viable end-state and hence doesn't remove the push on Plusnet as an ISP to do their bit of providing native IPv6 support.
VileReynard
Hero
Posts: 12,616
Thanks: 582
Fixes: 20
Registered: ‎01-09-2007

Re: IPV6...

One of the many things about IPV6 that mystifies me is that every device can have a routable address so if anyone can access it you have to forget about firewalls and just invite everyone in.

"In The Beginning Was The Word, And The Word Was Aardvark."

coofercat
Hooked
Posts: 8
Thanks: 12
Registered: ‎12-07-2016

Re: IPV6...

You don't *have* to forget about firewalls (and in fact, you're still going to need them) - but you forget all about NAT.

VileReynard
Hero
Posts: 12,616
Thanks: 582
Fixes: 20
Registered: ‎01-09-2007

Re: IPV6...

But I am very happy with NAT.

Using non-routable addresses for my devices gives a lot of protection from the internet.

Presumably that's why people like 4 over 6 etc protocols.

"In The Beginning Was The Word, And The Word Was Aardvark."

MJN
Pro
Posts: 1,318
Thanks: 161
Fixes: 5
Registered: ‎26-08-2010

Re: IPV6...


@VileReynard wrote:

One of the many things about IPV6 that mystifies me is that every device can have a routable address so if anyone can access it you have to forget about firewalls and just invite everyone in.


Not at all; indeed quite the opposite. Reachability and accessibility are two very different things - just because an address is reachable (i.e. it is unique, routable etc) doesn't automatically mean you have to make it accessible. That is exactly the job of a firewall - controlling, amongst other things, what addresses can be accessed, by who and how etc.

This situation is not unique to IPv6. There are thousands of networks built using public (routable) IPv4 address space; that doesn't make them any more open/vulnerable than those using private address space and NAT.

MJN
Pro
Posts: 1,318
Thanks: 161
Fixes: 5
Registered: ‎26-08-2010

Re: IPV6...


@VileReynard wrote:

Using non-routable addresses for my devices gives a lot of protection from the internet.


That is a very naive view to take as it doesn't take into account the fact that most attacks are not carried out at the network layer but rather exploit vulnerabilities in layer 7 applications as well as the users that use them. NAT is limited in helping with either and provides no additional security whatsoever beyond that which a statefull firewall can provide.

There is a reason why the original authors of NAT clearly state it is not a security function and why the designers of IPv6 kept it out of the spec in its previous (IPv4) form.

SimonHobson
Rising Star
Posts: 190
Thanks: 41
Registered: ‎30-07-2007

Re: IPV6...


@VileReynard wrote:

Using non-routable addresses for my devices gives a lot of protection from the internet.

Presumably that's why people like 4 over 6 etc protocols.


 

No, it offers you the illusion of protection.

As already said, many attacks work at a higher level - eg malware in email, drive-by infections from websites, or just plain [-Censored-] sw implementations (eg some of the IoT stuff we've heard about). And, not having tried this, I strongly suspect that a malicious actor within your network could easily create the mapping needed to allow an outside actor to attack in internal resource. Nothing that NAT protects you from isn't also protected against by a basic firewall - and even a basic stateful firewall will protect against more than a NAT gateway.

As for "NAT works fine" (which is the implication of your post) - no it doesn't. Again, it gives the illusion of working most of the time for most users, for the simple reason that application devs have wasted much effort on making things work round the brokenness of NAT in it's many different forms. Yes, lots of devs have wasted a lot of time (time which would have been better spent on the application) working around this - different devs, working around the same problems multiple times for different applications. Re-inventing the "NAT breaks our NAT, we have to build in a way around it" time after time.

Incidentally, that is one (just one) reason why so many things "need" internet access to a mother ship (vendor provided server) in order to work !

Lastly, those that are using transition technologies are doing to to make things work (mostly) seamlessly. You can't go IPv6 only yet, and that's not going to change for quite a while - so you either have to go dual stack (which is the technically preferred option at the moment), or you have to have IPv6 locally and 6to4 translation to access IPv4 only services.

Other ISPs have gone dual stack for their customers with (in some cases) no fanfare. BT Internet, Sky are two that come to mind - and mostly it's just happened without customers noticing. It does help if all (or at least, most) of your customers are using your (often crappy) router which is the case with both of those two.

summers
Aspiring Pro
Posts: 275
Thanks: 50
Fixes: 1
Registered: ‎01-06-2014

Re: IPV6...

As others have said, firwewalls are a routing action. So if you adsl router impliments a firewall, then that still works under IPv6.

However you are right in a sense, that if using IPv6 you don't have to NAT. A result of which is that the IPv6 adress of the machine accessing the internet, is visible on the internet.

Where this gets tricky, is if an ISP decided to charge for each device connected to the internet. This can't be traced under NAT, but using IPv6 and no NAT, then the ISP could trace home many machines were connected.

As far as I know, no ISP is doing this, nor would I expect them to do it. It would be a backward step, easily thwarted, and would not go down well with any punters.

VileReynard
Hero
Posts: 12,616
Thanks: 582
Fixes: 20
Registered: ‎01-09-2007

Re: IPV6...

My mobile has a IPV4 & IPV6 address - presumably both gotten from my IPV4 router?

Presumably that makes it easy to get the MAC address of the mobile plus its almost certainly spilled its guts to anyone who might be interested.

I know very little about the (lack of) security of phones, though.

"In The Beginning Was The Word, And The Word Was Aardvark."

MJN
Pro
Posts: 1,318
Thanks: 161
Fixes: 5
Registered: ‎26-08-2010

Re: IPV6...

It might've come from the router, or might've come from your mobile provider or equally have been self-generated.

Note that deriving an IPv6 address from a MAC address is but one method, and one that has increasingly fallen out of favour due to privacy concerns. It is therefore more likely to have been randomly generated.

SimonHobson
Rising Star
Posts: 190
Thanks: 41
Registered: ‎30-07-2007

Re: IPV6...

Not only has creating a fixed address based on MAC address fallen from favour, it is (AIUI) formally deprecated or at least BCPs (best current practice docs) strongly advise against it's use.

More or less the default in most networks will be self assigned addressing, where each device more or less randomly picks an address, checks that nothing else is using it (work it out, there's 2^64 possible addresses 😯), and then gets on with things. Furthermore, advice is to pick multiple addresses, and change them regularly - even to the extent (and no, the mechanisms aren't there yet) for each individual application to request IP addresses.

For something like web browsing, the browser could use a different IP address for every site it pulls stuff from, changing them regularly. That would pretty well thwart some classes of monitoring - but AIUI simply tracking by IP address is out of favour anyway given the way that each IPv4 address typically has multiple users behind it, and there are other ways to do more detailed tracking.

And of course, these privacy mechanisms would also make it impossible for an ISP to charge by device or limit connected devices. Say it's basic "count the IPs seen passing on the wire" system sees 100 addresses - there's no way to know, without very expensive (in resources, and hence cost) packet size/flow analysis, whether that represents one busy device, 10 devices each with 10 addresses, or 100 devices with one address each, or perm any combination you like between 1 device/100 addresses and 100 devices/1 address each extremes.

snadge
Aspiring Pro
Posts: 183
Thanks: 34
Fixes: 6
Registered: ‎10-12-2016

Re: IPV6...

my Xbox says im using IPv4 which has to use NAT whereas IPv6 doesnt.. this apparently (IPv4) can help cause lag in games?

which GOOD isps use IPv6 as my time is almost up here and ive had nothing but issues with loss of lots of speed and poor customer service from most, dropping my MGALS every time speed is lost so im on 80/20 and was getting that, 8 months later it goes off 4 hours n comes back with no dial tone and now on 64/20  he put on a 5C and after 12 hours it was on 55/20 with tons of upstream errors....and BT said my 61MB MGALs is now 51Mb and therefore FINE! - luckily i knew what the issue was (NTE5C+SSFPmk4) and got him to swap it out for NTE5A+SSFPmk3)...back up to 64-69Mb solid with no errors

 

64Mb - Error Protection ON - normal
69Mb - Error Protection OFF - normal

all depends on hourly error rates and mines teetering on the edge so jumps between the two now and again

 

those 5C's are dodgy with their internal metal plating sucking REIN into connection under certain line/home conditions

MJN
Pro
Posts: 1,318
Thanks: 161
Fixes: 5
Registered: ‎26-08-2010

Re: IPV6...

BT and Sky are two 'mainstream' IPv6 providers, and there are smaller more specialist providers such as Andrews & Arnold but they might not be as competitive financially speaking.