
Nice internet you got here.
Be a shame if anything happened to it, right?
One of the world's five regional internet registries, or RIRs, has been the subject of campaigns by a secretive lobby group calling itself the Number Resource Society (NRS). We have learned this is part of the NRS's push for changes to the role of RIRs, the bodies that, among other things, centrally manage the internet's …
Rather: "Nice block of IP addresses you've got there. Be a shame if people refused to route traffic to or from them."
It'd only take a few people in the right places to decide that they don't like a particular block(s) and blackhole them to make the block(s) essentially worthless. Just saying.
Yes, a few people could do that, but the people you would need to make that happen are also the kind of people who wouldn't do it. Their job is not breaking the internet, no matter how bad certain things on the internet might be, and they take that job seriously. Meanwhile, if you and I decide to drop traffic to them, it will do nothing whatsoever; either we weren't going to use them anyway or we'll have to fix things when they don't work by removing the rule. It's the same reason that, even when people suggest that we drop some country which has been committing serious offenses from the internet, websites hosted in that country still work. Things have to get pretty bad before an address block is dropped in a way that shuts down the operator for good.
We slapped on a few band-aids, but if a few semi-reputable agencies start advertising routes for those blocks, they can send the traffic wherever they want, at least for a bit.
The usual gag is to then claim it was all an accident.
The foundations of the internet were built on sand. DNS, RIP, SSL. All had no or broken security, authority, and trust models. None were ever really fixed, and inevitably too many entities would need to update their shit, and never do. So to this day any CA can sign any cert they want and it will test as valid unless the local app pinned that specific cert. Unless every client app sets a known good DNS with DNSSEC and transport level security, any web request can be forged, and not only can the internet backbone not support jumbo frames, its basic routing can be hijacked by untrusted actors from the other side of the world.
So maybe blacklisting bad actors' IP blocks isn't one of the problems breaking the internet. Maybe we have already been doing it, just not from the RIR level. Maybe that's fine, and low reputation networks shouldn't expect equal treatment or footing with the rest of the internet. It didn't break the internet when we were blocking DDoS attacks, malware, and spam domains after all.
A more sane solution with easy upgrade from IPv4 - eight bytes instead of four, with the existing IPv4 netspace being mapped to 0.0.0.0.x.x.x.x and (ideally) the two MSBs of the new numbering being used to designate countries for easy geo-identification (hey, the way politics are going these days, we may well get to having 64K+ countries).
Also... The courts should be given tech-savvy advisors who could simply tell them "tell these private entities to FOaD, they have no business interfering in RIRs' workings."
Thing is, any change to IP cannot be backwards compatible at all, by definition.
So it's only ever going to be possible to send IPv4 over IPvN by using a specific wrapper, no matter what. Better to leave the IPv4 packet alone, as every (successful) wrapper of IP has always done.
There's simply no reason not to go all the way to 128bits.
Frankly, almost all of the arguments about IPv6 boil down to either "my business is based on charging people for IPv4 addresses", or "I don't like colons".
I've been critical of IPv6 for, literally, decades, but it's frankly the only game in town and so much time has elapsed that many of the issues are less relevant because so much old kit has dropped off the network while the world dragged its feet.
It's IPv6 or nothing at this stage and the sooner IPv4 is buried the better.
The main issue I see is that there are plenty of firewalls that are still not quite up to the job when it comes to IPv6, yet that's of massive importance if we switch all the way due to frankly embarrassingly weak software by companies that can do a lot better such as Microsoft and Adobe.
IPv6 has enough capacity to make desktops and devices directly accessible, so even the relatively narrow moat of Network Address Translation (nicely bridged by uPnP, thanks a bunch) is no longer there, and as soon as you have breached one weak device you have a bridgehead to the rest of the network. Frankly, it sometimes appears like these companies do this deliberately to give their own three letter agencies a global leg up. Thankfully most IoT things are too low powered and based on too old hardware to handle IPv6 (most can't even handle 5Ghz WiFi), but that too will eventually change.
So yes, we don't have much of an option but no, I'm not confident we have all the issues covered. Time to talk to nations who have been at it for a long time because the US didn't give them many IPv4 addresses like Japan, they should have picked up some issues in the process.
I have to disagree. NAT serves as a basic firewall - either you know which port(s) will let through traffic (typically because you were just told which to use), or your traffic doesn't get through. Try to connect on a non-forwarded port, and the router won't allow a connection - not because it's detecting malicious traffic, but because it doesn't know what machine to send it to. Even if a machine on the other side does accept connections on that port, it still won't get through.
NAT serves as a basic firewall - either you know which port(s) will let through traffic (typically because you were just told which to use), or your traffic doesn't get through
Which is why nmap was invented - especially if you don't have port-scanning protection enabled on your firewall. So NAT is essentially security by obscurity - with the tools needed to remove the obscurity easily available.
In other words, no security at all.
You're wrong; NAT doesn't serve as a firewall at all. The problem with your argument is this part:
but because it doesn't know what machine to send it to
which is incorrect. Your router knows where to send each incoming packet, because each incoming packet has a "destination IP" field specifying where it should be sent.
Unfortunately, one of the fundamental problems is that people seem to be clinging to demonstrable untruths.
The most frequent myth is that somehow picking n address bits where 32 < n < 128 would somehow result in something more "compatible" with IPv4. That's simply untrue.
Another myth is that Network Address Translation provides some sort of security. It doesn't. It's the stateful packet inspection in firewalls that provides the security, NAT is entirely separate and actively breaks things. The two have been conflated in many people's minds, unfortunately.
Yet another is that IoT devices are too low-powered. There's no difference in the order of complexity between IPv4 and IPv6 so any performance differences are marginal. In any device supporting TLS, the crypto overhead will be considerably more relevant than the Layer 3 overhead.
The forlorn history of IPv6 is mostly to do with the network operators not understanding the technology and the technologists not understanding network operations. That's the firewall we need to be most concerned about.
The mix between firewalls and NAT is because most of the home triple play boxes/cable routers do the two things... in the same box, and that's what 99% of people ever see when it comes to network equipment.
Those that work with IP and security all day know better, and when they have to implement NAT, they do it on a router before the firewall (seen from inside, with the firewall being the way out).
that insist on splitting the UI for setting up NAT and firewalling into separate pages, instead of displaying and prompting for both in the same place.
Nothing beats being pedantic for no reason in a way that also makes it possible to both misconfigure your access rules and then not see that they are when you look at them next. Item six on my checklist when looking at my own or other people's work.
If a device inspects a packet and determines that the state of its connection is such that the packet's addresses are to be rewritten in transit, is that stateful packet inspection in the firewall or something entirely separate in the router?
Is it only stateful packet inspection if you use "rejected" or "accepted" in place of "rewritten"?
You're trying to conflate two things.
The stateful packet inspection determines whether packets are rejected or accepted.
Subsequently, the accepted packets may also be subject to rewriting to support NAT.
It's not a ternary decision, it's a binary decision followed by an entirely different process.
Please continue to explain how one sucks on an egg.
This is a single line from the configuration my *combined* *in a single box* *running a single kernel** *through the same in-kernel virtual machine* firewall:
match out on egress inet from { $lan:network $pub:network $ms:network } nat-to (egress)
Where is the division of responsibility you're referring to? What you say hasn't been true since we stopped using "gateway" to refer to a specific thing.
[*] There are two cores so this definition is being stretched slightly. Maybe one does the firewalling (sorry: Stateful Packet Inspection) and the other does the routing (no state and no inspection of packets?)?
The line you've quoted only applies NAT to outbound connections. The lines that decide whether or not a connection is permitted (aka the actual firewall) are elsewhere in your configuration. The state tracking, which both of these separate functionalities depend on, is done elsewhere in the kernel.
ain't what she used to be
Due to the generous and lenient moderation policies, many of our more vociferous members were refugees from other sites and brought their diverse culture of posting on topics they know nothing about beyond their personal "it works on my home router" experience with them. The old Moderatrix probably would have tired of them, but the whole rag might have disappeared if they stuck to an old format for old-timers.
To be fair, depending on the nuance of the command syntax it can look like this is all happening in a single step, and even pages of borderline wizardry under legacy tools like IPCHAINS is now just a half dozen lines in something like PF syntax.
That said, there are key parts in the network and routing stack that handle all of this, all nicely written up in your distro/kernel documentation. If you have never seen the terms MANGLE INPUT and PREROUTING you probably haven't gotten deep enough. They really are and will be separate steps in the guts of the routing code no matter how the user level tools (GUI or CLI) handle them.
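The separation argued over above (the accept/reject decision on one side, address rewriting on the other) is easiest to see in a complete ruleset. The following is an added example in OpenBSD pf.conf syntax, not code from any poster in this thread; the LAN interface name, the LAN range and the forwarded host are assumptions for illustration, and "egress" is pf's interface group for the default-route interface, as in the line quoted above.

```pf
# Added example: a minimal OpenBSD pf.conf with translation and filtering as
# the separate steps they are. em1, 192.168.10.0/24 and 192.168.10.20 are
# assumed values, not taken from the thread.
lan_if  = "em1"
lan_net = "192.168.10.0/24"
web_srv = "192.168.10.20"

set skip on lo

# Translation only. A "match" rule never accepts or rejects anything; it marks
# matching packets so that, if a later rule passes them, their source is
# rewritten to the egress address on the way out (outbound NAT).
match out on egress inet from $lan_net nat-to (egress)

# Port forwarding is also translation only: rewrite the destination of TCP/443
# arriving on egress to the internal web server. Nothing is permitted yet.
match in on egress inet proto tcp to (egress) port 443 rdr-to $web_srv port 443

# Filtering: the accept/reject decision. The last matching rule wins, so start
# with a default deny and open only what is needed. "pass" rules keep state
# by default, so replies to permitted connections are matched by the state
# table rather than by a rule of their own.
block all

# LAN hosts may initiate connections towards anything.
pass in  on $lan_if inet from $lan_net to any
pass out on egress  inet

# The forwarded service must ALSO be passed in. Comment this line out and the
# rdr-to above still rewrites the packet, but "block all" then drops it:
# translation without a pass rule delivers nothing. (Written without a
# destination address so it matches whichever address the filter sees after
# the redirect.)
pass in on egress inet proto tcp to port 443
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f`. Removing the final `pass in` line and reloading is the quickest demonstration that the `rdr-to` by itself opens nothing; removing the `match ... nat-to` line instead leaves every LAN host able to connect out, just with unrouteable source addresses, which is the other half of the same point.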
>” Frankly, almost all of the arguments about IPv6 boil down to”
You omitted a big one: not supported by ISP.
It is obvious here businesses such as Cloud Innovation and NRS have little interest in IPv6 because they can make (lots of) money from the scarcity of IPv4 addresses. I expect having established the business model for IPv4 they will simply transfer it to IPv6, as most people won't understand.
"I expect having established the business model for IPv4 they will simply transfer it to IPv6, as most people won't understand."
They can't do that, for various reasons. IPv6 is the best way to defeat these scumbags.
We're 44.76% of the way there according to Google's latest data.
IPv6 solved problems for a certain subset of the internet ecosystem, and belligerently ignored the needs and concerns of the people they wanted to use it. They mismanaged the standards process and promoted an ivory tower attitude where sorting out the linked issues with DNS, route advertisement and security were all someone else's problem to fix. They also chose to die on the NAT hill, which despite their whining at the time has failed to fall over and die for decades, and it never will.
Instead of offering ISPs and their customers a pragmatic and comprehensive solution, they rolled out a hot mess that people immediately hated and left an entirely different set of people to start trying to fix it.
They kept declaring world IPv6 days, while failing to ask or understand why the first one failed spectacularly.
I disagree that we are stuck with IPv6 and its assumptions, but parts of it will probably live on in any successors. The core routing table code is efficient, but it doesn't scale well when there are a large number of exceptional routes, it doesn't handle dynamic load balancing on multiple internet connections very well, or handle fail overs gracefully because of BGP not being updated other than to handle the new address space.
But people who ignore any criticism of IPv6 will never mention the actual concerns with it, no matter how often they are repeated.
Frankly, almost all of the arguments about IPv6 boil down to either "my business is based on charging people for IPv4 addresses", or "I don't like colons".
That, and IPv6 is still barely taught even at University level. My nephew just got a BSc (Hons) in Computer Science (Network Engineering) and he can't even make a patch lead...he is applying for management jobs right now because the University has hammered into him that he is ready for a management position.
I had to fill in for his lecturers on a lot of stuff because what they were teaching was guff...I spent a lot of long nights, 8 hours a night for about 2 weeks teaching him everything he needed to know and at the end of it, he told me I packed more into those two weeks than his lecturers had covered in 2 years.
Education in our sector is fucked and the path to become a trainer (and of course the incentive) is crap. I'd love to be a trainer, but I don't think I could live off the money. That, and despite having over 20 years of experience, I don't think I'd even be considered because I hold no academic qualifications related to tech past an A-Level.
That's what is done....
http://www.tcpipguide.com/free/t_IPv6IPv4AddressEmbedding.htm
And it doesn't solve the main issue: how do you route that address in IPv6?
Knowing that you need a network prefix in the IPv6 addressing space (which obviously cannot be there due to all the zeros) to route the traffic towards that address.
So this solution only works for IPv4-only devices that need to be reachable in the local IPv6 addressing space. It's not a solution that works for Internet traffic at Tier 1 Carrier Level.
AFRINIC, KRNIC, TWNIC, and the Chinese parts of APNIC have always been a mess. By the time fighting finishes, the value of those netblocks may never be more valuable than plentiful IPv6 addresses. They're going to be in various "set and forget" blocklists all over the world because of their long history of misuse and invalid ownership records.
The issue with v6 is that if you use public address in your local network, and then you switch to a different ISP, then you have to renumber ALL of your network, which is a HUGE task. No problem for the smaller home user, no problem for the AS owner, big problem for small-medium business.
Unless you can NAT (one to one, not many to one) your local network so that you keep its internal numbering fixed and then you can just reconfigure NAT rules to change ISP, or unless V6 is sold to customers like domains currently are (my /64 or /48 is MINE and I can route it through any ISP I like) then V6 will be a pain to manage for SMBs.
The other issue with v6 is its complexity and its mixed autoconfig / discovery / announce functions, which are a security/management mess. Why not just stick to DHCP? I don't get it.
>” The other issue with v6 is its complexity and its mixed autoconfig / discovery / announce functions, which are a security/management mess”
I’ve not had enough exposure to confirm, but it does seem many router/firewall vendors configure the IPv6 stack through the transposition of the IPv4 configuration and then give little visibility of the IPv6 traffic…
I dislike how there are multiple ways to configure the IPv6 connection to a 4G mobile network, yet only one will work and the mobile operator provides no information as to which one you should be using. Suspect similar will apply to fixed lines - although expect everything to be straight-forward if you use the ISP provided router.
If you are big enough to require static internal IPs in such quantity that this might be a genuine headache, you know you can just get your own IPv6 block and own it entirely regardless of what ISP you have
I hear IPv6 blocks are quite plentiful and easy to get.
(Yes I am a ip block owner and have put time in to ensuring everything is dual stack)
I believe (but could be wrong) that you would undelegate your personally "owned" ipv6 block from your blighty isp and then delegate it to your italian isp (providing that both ISPs are up for it - you might need to pick a more niche/technically inclined provider like Andrews & Arnold for example).
Provider independent address blocks as they're known are assigned by the regional NCCs (RIPE, APNIC, AFRINIC, etc), so you can move them around within the region. Presumably anyone large enough to need such a block is also going to have their own ASN(s) and use BGP routing, ie they don't have an ISP as mere mortals do, just connectivity agreements.
You clearly don't know how this works if you think what country you're in determines the routeability of an assigned IP prefix, be it a v4 prefix or a v6 prefix.
If you've a block permanently assigned to you, then you just find a grown-up ISP and say "We need you to announce this over BGP". Better still get your own ASN (you'll have no problem with this if you're capable of getting a permanently assigned prefix) and advertise your prefix yourself to one or more upstream transit providers.
Can you get IPv6 -> IPv4 NAT so all of your internal addresses are from, say, 10.x.x.x block and they routed outside on whatever IPv6 addresses are allocated?
Presuming here that very few folks considering security actually want incoming connections by default, only as set up in the router via port-forwarding or whatever means used for specific needs.
Yes it's possible.
You have an internal network in IPv4 and your external facing interface is a single IPv6 address.
It's actually the easiest case, as what the Internet sees is an IPv6 address, and it's up to the router doing the 4to6 translation to handle which flows go where on the IPv4 side.
The PITA case is when you have an IPv6 network internally and only an IPv4 link towards the Internet....
Now the above considers single stacks... At this time dual stack is commonly used so both IPv4 and IPv6 can be used... Dual stack adds in reachability (as your system will be reachable through both IPv4 and IPv6), but it adds in complexity if you want your network to be secure (you have to configure the firewalls and the routers for both stacks, each stack being configured separately)
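Both the "all the zeros" objection to the tcpipguide embedding link above and the 4to6 translation case just described come down to the same address mapping: an IPv4 address carried inside an IPv6 address under some prefix. The following is an added example (not code from anyone in this thread) implementing the RFC 6052 layout, which is what stateless IPv4/IPv6 translators and NAT64/NAT46 gateways use. It is general over all six prefix lengths the RFC allows, not only the /96 form the link shows. The prefixes (the well-known 64:ff9b::/96, documentation 2001:db8::/32 and longer) and the IPv4 address 192.0.2.33 are documentation values chosen for illustration.

```python
"""Added example (not from the original thread): RFC 6052 IPv4-embedded IPv6
addresses, the mapping stateless IPv4/IPv6 translators and NAT64/NAT46
gateways use. All prefixes and the IPv4 address 192.0.2.33 used below are
documentation/constructed values."""
import ipaddress

# Prefix lengths RFC 6052 allows. For all but /96, byte 8 (bits 64-71, the
# "u" byte) must be zero and the four IPv4 octets are laid out around it.
EMBED_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _check_prefix(prefix):
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in EMBED_PREFIX_LENGTHS:
        raise ValueError(f"{net}: RFC 6052 allows /32, /40, /48, /56, /64 or /96 only")
    return net


def embed_ipv4(prefix, ipv4):
    """Return the IPv6 address that carries `ipv4` under `prefix`."""
    net = _check_prefix(prefix)
    out = bytearray(16)
    nbytes = net.prefixlen // 8
    out[:nbytes] = net.network_address.packed[:nbytes]
    pos = nbytes
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if pos == 8:          # never write the "u" byte; a /96 never reaches it
            pos += 1
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


def extract_ipv4(prefix, ipv6):
    """Recover the embedded IPv4 address, validating the RFC 6052 layout."""
    net = _check_prefix(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not under {net}")
    raw = addr.packed
    if net.prefixlen != 96 and raw[8] != 0:
        raise ValueError("bits 64-71 must be zero in an RFC 6052 address")
    octets = bytearray()
    pos = net.prefixlen // 8
    while len(octets) < 4:
        if pos == 8:
            pos += 1
        octets.append(raw[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(octets))


def is_valid_embedding(prefix, ipv6):
    """True if `ipv6` is a well-formed RFC 6052 address under `prefix`."""
    try:
        extract_ipv4(prefix, ipv6)
        return True
    except ValueError:
        return False


def main():
    for prefix in ("64:ff9b::/96", "2001:db8::/32",
                   "2001:db8:100::/40", "2001:db8:122:344::/64"):
        v6 = embed_ipv4(prefix, "192.0.2.33")
        print(f"{prefix:>24} + 192.0.2.33 -> {v6}  (back: {extract_ipv4(prefix, v6)})")
    # The IPv4-mapped form (::ffff:a.b.c.d) is the same trick under a prefix
    # nobody announces on the public Internet, which is the objection above.
    mapped = embed_ipv4("::ffff:0:0/96", "192.0.2.33")
    print(f"mapped: {mapped}  ipv4_mapped={mapped.ipv4_mapped}")


if __name__ == "__main__":
    main()
```

The point the script makes concrete: the embedding itself is routing-neutral. Under `::ffff:0:0/96` the result is an IPv4-mapped address that no carrier routes; under a prefix the operator actually owns and announces, the identical octets become a globally reachable IPv6 destination, and the translator at the edge of that prefix is what turns it back into an IPv4 flow.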
you have to configure the firewalls and the routers for both stacks, each stack being configured separately
I don't know what firewall/router combination you're using, but OPNsense lets you write rules for UDP & TCP that apply to both IPv4 and IPv6 simultaneously. Yes, the underlying software may have two rules, but you only need to think about one.
OPNsense
I'm about to migrate to that (from Sophos UTM nee Astaro Linux) - UTM doesn't seem to be under active support any more and the home 50 IP address limit is starting to be irksome.
I have OPNSense all ready to go, just need to bite the bullet and do it. OPNSense is running on one of the Lenovo mini-PC thingies whereas UTM is running on a very old HP Microserver with a Celeron processor.
The issue with v6 is that if you use public address in your local network, and then you switch to a different ISP, then you have to renumber ALL of your network, which is a HUGE task.
Nope. That's exactly what NPTv6 is for. Give all your internal machines ULA (fd00::/10) addresses so they never need renumbering, use NPTv6 as you transition to outside to transform the network prefix to whatever your ISP has given you. Change ISP, change the network prefix mapping on your externally visible router(s), don't touch anything else.
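The renumbering worry raised earlier (switching ISP means renumbering the whole network) and the NPTv6 answer to it are easier to trust once you see the arithmetic, because the interesting property of NPTv6 is that it is checksum-neutral: transport checksums need no rewriting, so the box in the middle keeps no per-flow state. The following is an added example, not code from either poster, implementing the /48 case of RFC 6296 in Python. The ULA prefix fd12:3456:789a::/48 and the provider prefixes 2001:db8:1::/48 and 2001:db8:2::/48 are constructed values; the second provider prefix plays the part of the new ISP.

```python
"""Added example (not from the original thread): checksum-neutral prefix
translation per RFC 6296 (NPTv6), /48 inside and /48 outside. The ULA prefix
and the 2001:db8:... provider prefixes are constructed for illustration."""
import ipaddress
import struct


def _words(addr):
    """The eight 16-bit words of an IPv6 address."""
    return list(struct.unpack("!8H", ipaddress.IPv6Address(addr).packed))


def _fold(total):
    """Fold a sum into 16 bits with end-around carry (one's complement)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ones_add(a, b):
    return _fold(a + b)


def ones_sub(a, b):
    # a - b in one's complement arithmetic is a + (not b)
    return _fold(a + ((~b) & 0xFFFF))


def nptv6_translate(addr, src_prefix, dst_prefix):
    """Map addr from src_prefix into dst_prefix; swap the prefixes to map back.

    Only the /48 and the fourth word (the subnet id) change; the interface
    identifier is untouched. The subnet id is adjusted so the one's complement
    sum over the whole address is unchanged, which is what makes the TCP/UDP/
    ICMPv6 checksums come out right without the translator touching them."""
    src = ipaddress.IPv6Network(src_prefix)
    dst = ipaddress.IPv6Network(dst_prefix)
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this example implements the /48 case only")
    if ipaddress.IPv6Address(addr) not in src:
        raise ValueError(f"{addr} is not inside {src}")
    w = _words(addr)
    if w[3] == 0xFFFF:
        # 0xFFFF and 0x0000 are both "zero" in one's complement, so an inside
        # subnet of 0xFFFF would collide with subnet 0 after translation.
        raise ValueError("subnet id 0xFFFF cannot be translated unambiguously")
    adjustment = ones_sub(_fold(sum(_words(src.network_address)[:3])),
                          _fold(sum(_words(dst.network_address)[:3])))
    new_subnet = ones_add(w[3], adjustment)
    if new_subnet == 0xFFFF:      # same value as 0 in one's complement; RFC 6296 writes 0
        new_subnet = 0x0000
    w[:3] = _words(dst.network_address)[:3]
    w[3] = new_subnet
    return ipaddress.IPv6Address(struct.pack("!8H", *w))


def address_sum(addr):
    """One's complement sum of the whole address, with 0xFFFF normalised to 0."""
    return _fold(sum(_words(addr))) % 0xFFFF


def main():
    ula = "fd12:3456:789a::/48"
    host = "fd12:3456:789a:1::10"          # internal host; never renumbered
    for isp_prefix in ("2001:db8:1::/48", "2001:db8:2::/48"):   # old ISP, new ISP
        outside = nptv6_translate(host, ula, isp_prefix)
        back = nptv6_translate(outside, isp_prefix, ula)
        print(f"{host} <-> {outside}  sums {address_sum(host):#06x}/"
              f"{address_sum(outside):#06x}  back: {back}")


if __name__ == "__main__":
    main()
```

Changing ISP is one edit to the outside prefix passed to the translator; every inside address, DNS record and firewall rule written against the ULA range stays as it is. What NPTv6 does not give you is a stable external address for inbound services: the externally visible address of each host changes with the provider, so anything published to the outside still has to be updated.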
For SMBs, that's plain wrong. Public addresses are handed out inside the prefix received from upstream. Changing providers is pretty much seamless, just restart stuff and it'll get a new address. Changing providers is also something that's hardly ever done.
Side note: I do hope that everybody here commenting on how hard/bad/… IPv6 is has gone through at least the trouble to do Hurricane Electric’s free IPv6 course.
Which is that the prime agitator is Chinese and runs a Chinese company which, of course, means everything you do has to have the at least tacit approval of the Chinese government (unless you fancy disappearing for a while for re-education).
So the correct question is; "What do the Chinese government have to gain from fucking up the internet, which all western economies are heavily dependent on?".
The fact that they seem to be using Africa as their main lever would tie in with every other bit of global economic sabotage that they're up to their crooked little necks in at the moment.
Same old China...
It's possible, but they also have the attitude that "If we don't object to it, do whatever you want that affects other countries". It is possible that this is really just a profit-generating activity and China isn't doing anything about it because they aren't affected and get to collect some tax. Nothing requires this to be a thoroughly-considered plot even if there's a possibility that they could have one.
Yeah, but look at the last line of the article - "And as The Register will soon report, the NRS moved on to a new target: the Asia Pacific Network Information Centre". If they're going after APNIC, either the Chinese government is involved, or it soon will be.
1. Grab land.
2. Charge ever increasing rent, forever.
This story looks simply like a tale of one man's greed, let loose by his realisation that he could subvert and capture a regulatory process for personal gain. Again, another standard "free market" process, see business lobbying of politicians for "business friendly" laws that enable them to make a fortune without too much of that pesky innovation and competition malarkey.
Despite the joke icon, that's an almost perfect summary.
There's very little that IPv6 offers that wasn't possible with CLNP when the IAB proposed its adoption. The fundamental mistake was that there wasn't a reference implementation so the vendors who'd worked on the ISO specs appeared to be pressing their commercial advantage - which, if they were, didn't pan out as they might have hoped.
The thing that intrigues me about this is that it all appears to be the work of one person (plus a couple of contractors) who managed to grab a big bunch of IP addresses, and is doing his best to monetise them.
I doubt he's actually raking in the $14m-$21m revenues the figures suggest, but, presuming he has few if any employees, he's likely to be nicely well off.
Here we have a Racket in Process = RIP. They file hundreds of trivial motions, via word processor, that amass into tens of thousands of dollars worth of lawyer's fees at their hourly rate, much like patent trolls = a new type of troll.
Once mature, their racket will have an annual fee(the take) that will be determined by your business (the handle)
and so this fellow will do little creative work, a computer and some scripts will create the largest cash cow any emperor ever controlled.
How to deal with it? Take it from him by decree and also do not leave it in the hands of any tin pot would be emperors.