China sets goal of running single-stack IPv6 network by 2030, orders upgrade blitz

Re: A possible truth?

To the ignorant, bigoted downvoter

Bush signed a presidential order in 2002 allowing the NSA to monitor, without a warrant, domestic telephone calls and e-mail messages.

FISA created the kangaroo courts that currently dole out secret FISA warrants to legalise spying on Americans.

The PRISM surveillance programme.

The network of “Fusion” centres.

Ever heard of Snowden?

The Patriot Act. The Freedom Act.

The USPS spies on Americans by monitoring their social media.

The NSA shares data with the FBI.

Re: A possible truth?

Not really. USA has no Laogai for its dissidents. People there can still claim they don't like their leader.

Re: A possible truth?

The rhetorical error you are here exhibiting, is called 'false equivalency'.

You need to lay off the pipe weed, Chinese Gandalf.

Re: At least they won't have to worry about international payment security

In which case, let's have a look at the case in question shall we?

https://www.wired.com/2012/01/pci-lawsuit/

U.S. Bank seized about $10,000 from the McCombs' account to pay $90,000 in fines that Visa and MasterCard imposed after alleging that Cisero's had failed to secure its network and suffered a data breach that resulted in fraudulent charges on customer bank cards.

So that's the context behind it. The next relevant section is this:-

The McCombs hired two firms, Cybertrust and Cadence Assurance. Both examined Cisero's point-of-sale system (POS) and servers and found "no concrete evidence that the POS server suffered a security breach which led to the compromise of cardholder data" and no evidence that insiders had installed skimmers on card readers to collect account data. Cadence in fact determined that no evidence existed that payment card data of any kind was improperly taken from Cisero's systems.

The audits, however, did find that the POS system the restaurant used -- a system made by Micros -- was storing unencrypted customer account numbers as they were read from the magnetic stripe on bank cards.

Since storage of unencrypted card data is a violation of the PCI security standards, Visa and MasterCard imposed fines.

So; the McCombs stored unencrypted format card data, this card data was found to be circulating in the wild and there is "no concrete evidence" that it was stolen from them in particular so they think that they shouldn't be fined despite breaching the security standards they promised to implement and maintain in exchange for having a card machine.

This paragraph:-

The McCombs assert that the PCI system is less a system for securing customer card data than a system for raking in profits for the card companies via fines and penalties.

So in context they feel that they shouldn't have to comply with the payment card industry data security standards everybody else on the planet has to comply with to have a card machine because forcing them to maintain the security of your card data is infringing on their rights to store your card data indefinitely in plain text if you ever buy something from them, and the fines for non compliance when data is stolen is "a system for raking in profits via penalties".

Re: At least they won't have to worry about international payment security

While the PCI-DSS requirements are pretty solid, where much of the problem comes from is organisations that adhere strictly to the PCI-DSS standards rather than attempt to use any sense and go beyond them, to produce more secure systems. Instead it's often considersed "we're PCI-DSS compliant and therefore don't have to think security ever again".

>That would be a routing nightmare.

Could be, however, we should remember there was a time when many in the IPv6 community believed that static addresses was a good thing. Privacy in the form of address randomisation, first seen in iOS and now in Android came later.

Re: Static IP addresses

The bottom 64 bits of an IPv6 address is generally a free-for-all. Lots of servers have mostly zeos in there though a few are more creative - Facebook have 'face:b00c' as part of the address. Putting something arbitrary in there makes them a lot harder to find if they aren't in DNS, especially if it changes fairly often.

Monitoring my firewall logs I get very few hits on v6 and they are all from China

Fingerprinting

Android: No, I can see the MAC address stays the same on my access point, so Android devices don't randomize MAC address. But also remember that your device has a magic ID it reports to Google at every opportunity!

Hiding behind NAT: That doesn't work, your browser can easily be fingerprinted to distinguish between hundreds, even tens of thousands of devices, behind a NAT router.

You might think an encrypted link can only be fingerprinted by the NAT WAN IP address, and timing data, but this is not true either. You could also fingerprint stuff like the supported cipher suite.

So unless browsers start randomizing the cipher suite, and mimicking each others cipher suites, the fingerprinters/trackers (advertising networks, content deliver networks, etc) will still be able to individually track you and sell that data, even if its an encrypted link and they don't intercept the encryption.

Re: "The other evening Amazon and my credit card company managed to locate me at least 200 miles apart for an IP address that prior to GDPR whois would have given my post code"

That's a pretend game. Google+Other Location services sniffs WIFI IDs, bloothtooth ids and coordinate those with your neighbours. If you take your phone to the toilet while you dump, Google knows thats, its super fine grained.

But hey, they can PRETEND by giving you that location with some randomess added!

Re: Static IP addresses

You are thinking of EUI-64, where the IPv6 address is derived from the MAC address. This is optional, and not the default on most systems these days.

Most end user systems pick a random address at install time (of the network driver), which will be the "stable" address of your machine that you can use if you want to make inbound connections to it.

They will then pick random addresses to use for outbound connections, and rotate them periodically (24 hours by default) so that remote sites will see random addresses within your /64.

ISPs often allocate dynamic addresses, so a single /64 becomes no more trackable than a dynamic IPv4 address was. The ISP knows who it is, but the external sites you access don't, they can only tell that you're a customer of that ISP.

NAT doesn't make anything less trackable, quite the contrary. If the ISP provides you routable addresses they can just log who was allocated the address when and leave it at that. If a court orders them to hand over customer information, they do so.

With NAT the address could be multiple users, so the ISP is compelled to log a _LOT_ more traffic. They basically have to log every state - every TCP connection you make, every UDP flow, every ICMP packet you send etc, and retain this data for as long as the law requires. This gets very expensive very fast, and leaves the ISP with a huge amount of data. Once they have this data, they will seek ways to recover some of the cost, so monetising it and selling the data to advertisers or other such parties becomes an obvious thing to do since they have the data anyway.

Re: possible?

Yes, the routing principles are the same.

What people are getting confused with is that IPv6 will remove the need for dynamic addresses on fixed locations - i.e. all home residents will be able to have the same fixed ip address/addresses from the ISP, additionally, individual devices will not have to be placed behind a NAT.

There was also talk a while back how everyone could indeed have a permanent address: the last 64 bits would be uniquely assigned to a specific person/device, whilst the top 64 bits would change to the appropriate bits for the connected network. This idea has been abandoned.

But once China goes completely IPv6 good luck to anyone trying to source IPv4 or even dual-stack kit.

I think it possible that the Chinese just possibly might be able to manage export versions of their kit that support IPv4 or dual stack just as they currently support various combinations of 50/60Hz 110/220v power with a near infinite number of wall socket variations.

it also puts your attackers behind NAT alongside your paying customers...

Re: Still not there...

So what?

Now someone look up if DNSSEC is also in use?

At least they have TLS 1.3 lets take a moment to applaud that.

As bad as Virgin Media.

Hey we are in 2021 guys. All the other major UK ISPs support IPv6 now, also mobile operators too, as this is a UK centric news site I wonder if it were enabled would more than 50% of the UK traffic be IPv6?

Maybe the problem is more the other way, charges for IPv4 are a money maker, especially to organisations that have had allocations for years that were granted for free.

So adoption of IPv6 will make that money spinner come to an end sooner. All entities want to milk that one for as long as possible.

Re: Still not there...

Nope, they are fully connected, but their forum software isn't compatible (I presume they mean IP address logging etc.) - Check out my post and the official response: https://forums.theregister.com/forum/all/2019/11/25/ipv4_addresses_gone/#c_3923843

Re: Still not there...

Except they use Cloudflare, which supports IPv6 by default at no extra cost. They have explicitly turned it off by removing the DNS entry. The site is actually reachable via IPv6 using the address 2606:4700::6812:516 (try adding it to your hosts file). All Cloudflare sites are reachable like this, the IPv6 address will be 2606:4700:: followed by the IPv4 address encoded as hex.

IPv6 is actually cheaper than IPv4, because the addresses are more plentiful. Some providers charge less for IPv6-only access as it costs them less to provide. If you're using cloudflare as the frontend to your site then you can benefit from hosting the backend on an IPv6-only host:

Cloudflare handles the costs of IPv4 and hassles of dual stack, you don't need to worry about it and legacy users can still reach your site.

Your IPv6-only server won't be subject to constant scans and other background noise that plagues the legacy IPv4 internet.

You save money by not having to pay for an IPv4 address - a scarce and therefore expensive resource.

I run several sites like this, Cloudflare for the frontend, backend IPv6-only.

Re: I thought IPv9 was being ratified

if China owns the copyright, it should be rejected on that basis alone...

While I agree with the sentiment, I suggest a reciprocal approach to how China (ab)uses non-Chinese copyrights, e.g. we just use it and ignore the Chinese copyright, let them scream.