computers / comp.os.linux.networking / Re: IPv6 Hardware Firewall

Re: IPv6 Hardware Firewall

 by: Marco Moock - Fri, 11 Feb 2022 19:03 UTC

On Friday, 11 February 2022, at 11:45:56, Grant Taylor wrote:

> Think along the lines of a VPN. You get IPv6 inside the tunnel for
> your use while the tunnel itself uses only IPv4 on the outside.

One advantage over VPN is that it only has the IPv4 header as
additional overhead. Also no auth is supported, the tunnel endpoint at
the customer side is detected only by the IPv4 address.

Re: IPv6 Hardware Firewall

 by: Grant Taylor - Fri, 11 Feb 2022 19:06 UTC

On 2/11/22 11:39 AM, Marco Moock wrote:
> This is the right decision ...
Probably. I still have /some/ /minor/ qualms with it.

> was also intended for RFC 1918 addresses.

I disagree.

RFC 1918 IP addresses were intended for (re)use by multiple networks.
Auspiciously networks that would never have direct IP connectivity to
other outside IP networks.

However I'm not aware of any RFCs that state that RFC 1918 (or other
non-globally routed IPs) should /not/ be used for non local network
communications.

Site to site and business to business VPNs wherein each site / business
uses RFC 1918 IP addresses are prime examples of where RFC 1918 IPs are
used for non-local communications.

And the elephant in the room is all the RFC 1918 IP addresses that are
being used to access the Internet via NAT.

Conversely, there are codified rules that indicate that IPv6 site-local
IP addresses SHOULD NOT be used to communicate with external entities.

> It is against the protocol to do so.

Are you sure?

What about the /protocol/ changes, other than the value used for the end
point addresses?

The only thing that cares is an arbitrary filter that exists in some
software stacks to smack you on the hand.

The underlying IPv4 /protocol/ doesn't care.

> You can change the software, but then it doesn't follow the RFC's
> rules.

What if the RFCs change such that a new RFC conflicts with an old RFC?
Which one is wrong? Which one is correct? E.g. the ongoing effort to
make part of 127/8 be globally routed.

Or what about older RFCs that did not treat 100.64/10 as shared in a
similar way as RFC 1918?

The actual addresses don't matter to the software stack, save for the
possibility of arbitrary filters.

It's by /convention/ that we agree on how we will use some things.

Site to site / business to business VPNs using non-conflicting RFC 1918
on either side is a perfect example of this.

There is a *HUGE* difference in what the /technology/ supports as
opposed to what usage /conventions/ approve of.

--
Grant. . . .
unix || die

Re: IPv6 Hardware Firewall

 by: Grant Taylor - Fri, 11 Feb 2022 19:14 UTC

On 2/11/22 12:03 PM, Marco Moock wrote:
> Also no auth is supported, the tunnel endpoint at the customer side
> is detected only by the IPv4 address.

It is highly dependent on what type of tunnel is used.

IP protocol 41 (a.k.a. SIT?) may have the properties that you say.

But other types of tunnels, including full blown encrypting VPNs can
provide the same IPv6 in IPv4 connectivity.

Then there's devious behavior in using IP protocol 41 in IPsec Transport
Mode only with Authentication Header (no Encapsulating Security
Payload). That provides quite strong authentication for IP protocol 41.
}:-) It also doesn't incur the encryption / decryption processing
overhead.

--
Grant. . . .
unix || die
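
The point under discussion in this exchange, that plain IP protocol 41 adds only the outer IPv4 header and that the far end is identified by its IPv4 address alone, as an added example (not code from any poster in this thread). It sketches the ingress check a tunnel endpoint can apply to received 6in4 packets; the function names are hypothetical and all addresses are constructed from documentation ranges.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IANA protocol number for IPv6 encapsulated in IPv4


def build_6in4(outer_src, outer_dst, inner_src, inner_dst, payload=b""):
    """Build a constructed 6in4 packet for the demo (IPv4 checksum left at 0)."""
    # Fixed 40-byte IPv6 header: version 6, payload length, next header 59
    # ("no next header"), hop limit 64, then source and destination addresses.
    inner = struct.pack("!IHBB", 6 << 28, len(payload), 59, 64)
    inner += ipaddress.IPv6Address(inner_src).packed
    inner += ipaddress.IPv6Address(inner_dst).packed
    inner += payload
    # Minimal 20-byte IPv4 header (IHL 5, no options) carrying protocol 41.
    outer = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(inner), 0, 0, 64, IPPROTO_IPV6, 0,
        ipaddress.IPv4Address(outer_src).packed,
        ipaddress.IPv4Address(outer_dst).packed,
    )
    return outer + inner


def check_6in4(packet, tunnel_peer, routed_prefix):
    """Classify one received packet.

    Returns (verdict, reason, overhead_bytes), where overhead_bytes is the
    size of the outer IPv4 header that the tunnel adds.
    """
    peer = ipaddress.IPv4Address(tunnel_peer)
    prefix = ipaddress.IPv6Network(routed_prefix)

    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ("drop", "not a complete IPv4 header", 0)
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return ("drop", "bad IPv4 header length", 0)
    if packet[9] != IPPROTO_IPV6:
        return ("ignore", "not protocol 41", 0)

    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return ("drop", "payload is not a complete IPv6 header", ihl)

    outer_src = ipaddress.IPv4Address(packet[12:16])
    inner_src = ipaddress.IPv6Address(inner[8:24])

    # The outer source address is the only identity plain protocol 41 offers.
    # Matching it is a filter, not authentication; that gap is what the
    # AH suggestion in the post above addresses.
    if outer_src != peer:
        return ("drop", "outer source is not the configured tunnel peer", ihl)
    # Anti-spoofing for the inner packet: the peer may only source traffic
    # from the IPv6 prefix routed to it through this tunnel.
    if inner_src not in prefix:
        return ("drop", "inner source outside the routed prefix", ihl)
    return ("accept", "ok", ihl)


# Constructed sample values (RFC 5737 and RFC 3849 documentation ranges).
PEER = "192.0.2.10"          # remote tunnel endpoint
LOCAL = "198.51.100.1"       # this tunnel endpoint
PREFIX = "2001:db8:1::/48"   # IPv6 prefix routed to the peer

if __name__ == "__main__":
    samples = {
        "expected peer": build_6in4(PEER, LOCAL, "2001:db8:1::5", "2001:db8:ffff::1"),
        "other IPv4 source": build_6in4("203.0.113.7", LOCAL, "2001:db8:1::5", "2001:db8:ffff::1"),
        "spoofed inner source": build_6in4(PEER, LOCAL, "2001:db8:2::5", "2001:db8:ffff::1"),
    }
    for name, pkt in samples.items():
        print(name, check_6in4(pkt, PEER, PREFIX))
```
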

Re: IPv6 Hardware Firewall

 by: Roger Blake - Sat, 12 Feb 2022 00:33 UTC

On 2022-02-10, Marco Moock <mo01@posteo.de> wrote:
> You will need that in future because IPv4 has too few addresses. NAT
> is very annoying and many home user ISPs don't provide public IPv4
> addresses to their customers anymore. They can only use IPv6 to operate
> a server. Now IPv4 creates additional costs and needs resources. I
> really like to get rid of IPv4 as soon as possible.

I've been hearing that song and dance for the last 20 years. Sorry
to disappoint you but I doubt IPV4 will be going away any time soon.

--
------------------------------------------------------------------------------
18 Reasons I won't be vaccinated -- https://tinyurl.com/ebty2dx3
Covid vaccines: experimental biology -- https://tinyurl.com/57mncfm5
The fraud of "Climate Change" -- https://RealClimateScience.com
There is no "climate crisis" -- https://climatedepot.com
Don't talk to cops! -- https://DontTalkToCops.com
------------------------------------------------------------------------------

Re: IPv6 Hardware Firewall

 by: Roger Blake - Sat, 12 Feb 2022 00:36 UTC

On 2022-02-10, Marc Haber <mh+usenetspam1118@zugschl.us> wrote:
> And you're soooooo proud of that, aren't you?

Yes, as a matter of fact I am. I've been working with what is now known as
IPV4 for nearly 40 years and have no desire to learn a new protocol. It's
not likely that IPV4 will be going away in my lifetime.


Re: IPv6 Hardware Firewall

 by: Roger Blake - Sat, 12 Feb 2022 00:38 UTC

On 2022-02-11, Marco Moock <mo01@posteo.de> wrote:
> ... We should
> switch to IPv6 ASAP.

I'm not making that switch. I doubt it will happen en masse any time
soon, probably not within my lifetime. (Or if it does I'll be too
old to give a rat's ass about the internet.)


Re: IPv6 Hardware Firewall

 by: Marco Moock - Sat, 12 Feb 2022 08:27 UTC

On Saturday, 12 February 2022, at 00:33:44, Roger Blake wrote:

> I've been hearing that song and dance for the last 20 years. Sorry
> to disappoint you but I doubt IPV4 will be going away any time soon.

I agree, IPv4 will keep for at least 10 years, but everybody not
implementing IPv6 in his networks slows down the process.

Re: IPv6 Hardware Firewall

 by: Marc Haber - Sat, 12 Feb 2022 09:49 UTC

Grant Taylor <gtaylor@tnetconsulting.net> wrote:
>On 2/11/22 6:22 AM, Marc Haber wrote:
>> For v4, yes. IPv6 was carefully crafted not to need it.
>
>The thing that IPv6 has over IPv4 is the number of IP addresses. But
>/utilizing/ those IP addresses brings inherent problems, not the least
>of which is additional routing burden.

This is utter B.S.

Routing Tables with IPv6 are significantly shorter than with IPv4 in
all but the most basic setups. The way greater address space allows
for smart address planning and much better aggregation of routes.

You get rid of all crutches the v4 needs to be still usable. Since all
LAN segments have a /64 prefix, you stop having to worry about prefix
length.

>Picture any business wherein each location is locally owned while having
>some loose affiliation with a corporate entity with different owners. A
>very good example is car dealerships affiliated with a major brand or
>service company. Wherein each individual location administers their
>network with complete autonomy and corporate administers its network
>with complete autonomy. With that large topology in mind, consider the
>potential, nay likely, complications with needing to establish
>bi-directional communications between every single location and the
>corporate entity such that systems at corporate can print to the
>networked printer in the parts department. The C.I.R. functions as an
>integration between each individual location and corporate.

You'd have two address spaces in each LAN segment at the car
dealerships. One prefix for Internet access with local breakout, the
other assigned by the brand. Applications can choose which address to
use, leaving the rest of the burden to the network components.

That's WAY easier than with IPv4.

What makes those things complicated is people clinging to their
IPv4-based procedures.

>NAT makes this trivial to do.

quod erat demonstrandum.

>Corporate doesn't have to worry about (de)conflicting subnets across
>multiple sites.

They don't, because with IPv6 there are no conflicting subnets.

>The NAT on the C.I.R. acts as an abstraction layer allowing each side to
>operate with almost complete autonomy from each other.

That works differently with IPv6. One needs to learn that and let go
of IPv4 mechanisms.

>I have written this email using IPv4 addresses because they are simpler
>/ shorter to type (and more muscle memory).

How many IP addresses do you have to type when sending mail?

Btw, this is not mail.

> But the exact same concept
>applies to IPv6 as it does to IPv4.

No, it isn't. The concepts are very different. And when one rejects
IPv6 because it isn't IPv4 one will have to pay a price.

rest deleted, it's not worth spending time with one who clearly lives
in the past and refuses to adapt.

--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mail address in header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: IPv6 Hardware Firewall

 by: Marc Haber - Sat, 12 Feb 2022 09:50 UTC

Grant Taylor <gtaylor@tnetconsulting.net> wrote:
>Sadly, IPv6 site-local doesn't work for accessing the IPv6 internet,
>despite IPv6 NAT /because/ clients won't choose them for globally routed
>destinations.

If you want IPv6 Internet, you deploy Global Unicast Addresses.

>You /can/ route IPv6 link-local if you get creative. }:-)

You don't need to be creative to use IPv6. It's all stupid, all easy.
That's how networks should be.


Re: IPv6 Hardware Firewall

 by: Marc Haber - Sat, 12 Feb 2022 09:52 UTC

Grant Taylor <gtaylor@tnetconsulting.net> wrote:
>On 2/11/22 6:22 AM, Marc Haber wrote:
>> Which ones, for example?
>
>Pick any U.S. DoD prefix for starters. }:-)

Those belong to the U.S. DoD. You're not supposed to use them.

>Or any other entity that you know that you're not going to communicate with.

That's a really stupid idea.

>-- Once you truly grok anycast and how it works, you can get *REALLY*
>creative.

Networks are not supposed to be creative. They're supposed to work.
And the simpler they are, the more reliable they are.


Re: IPv6 Hardware Firewall

 by: Marc Haber - Sat, 12 Feb 2022 09:54 UTC

Marco Moock <mo01@posteo.de> wrote:
>On Saturday, 12 February 2022, at 00:33:44, Roger Blake wrote:
>
>> I've been hearing that song and dance for the last 20 years. Sorry
>> to disappoint you but I doubt IPV4 will be going away any time soon.
>
>I agree, IPv4 will keep for at least 10 years, but everybody not
>implementing IPv6 in his networks slows down the process.

It's like the vaccination. Things would be best if everybody did it,
but since a vocal minority doesn't do it AND TAKES PRIDE IN NOT DOING
IT, the whole process is slowed down for everybody significantly.

With the vaccination, the price we pay is lives, with IPv6, it's only
money.


Re: IPv6 Hardware Firewall

 by: Marc Haber - Sat, 12 Feb 2022 09:56 UTC

Roger Blake <rogblake@iname.invalid> wrote:
>On 2022-02-10, Marc Haber <mh+usenetspam1118@zugschl.us> wrote:
>> And you're soooooo proud of that, aren't you?
>
>Yes, as a matter of fact I am. I've been working with what is now known as
>IPV4 for nearly 40 years and have no desire to learn a new protocol. It's
>not likely that IPV4 will be going away in my lifetime.
>
>--
>------------------------------------------------------------------------------
> 18 Reasons I won't be vaccinated -- https://tinyurl.com/ebty2dx3
> Covid vaccines: experimental biology -- https://tinyurl.com/57mncfm5
> The fraud of "Climate Change" -- https://RealClimateScience.com
> There is no "climate crisis" -- https://climatedepot.com
>------------------------------------------------------------------------------

Quoting the signature for a reason. I am not surprised.

End of discussion for me.
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: IPv6 Hardware Firewall

<20220212110159.6eff003a@ryz>

From: mo0...@posteo.de (Marco Moock)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Sat, 12 Feb 2022 11:01:59 +0100
Organization: A noiseless patient Spider
Lines: 26
Message-ID: <20220212110159.6eff003a@ryz>
 by: Marco Moock - Sat, 12 Feb 2022 10:01 UTC

Am Samstag, 12. Februar 2022, um 10:54:57 Uhr schrieb Marc Haber:

> Marco Moock <mo01@posteo.de> wrote:
> >Am Samstag, 12. Februar 2022, um 00:33:44 Uhr schrieb Roger Blake:
> >
> >> I've been hearing that song and dance for the last 20 years. Sorry
> >> to disappoint you but I doubt IPV4 will be going away any time
> >> soon.
> >
> >I agree, IPv4 will keep for at least 10 years, but everybody not
> >implementing IPv6 in his networks slows down the process.
>
> It's like the vaccination. Things would be best if everybody did it,
> but since a vocal minority doesn't do it AND TAKES PRIDE IN NOT DOING
> IT, the whole process is slowed down for everybody significantly.
>
> With the vaccination, the price we pay is lives, with IPv6, it's only
> money.

A really bad comparison. If others' servers are not reachable via IPv4
I need to be able to access it, maybe via NAT64. If other servers that
need to communicate with me can't use IPv6, I HAVE to provide IPv4.

If others do not want vaccination, I don't need to care about. They
also don't need to care about my vaccination.

OT Re: IPv6 Hardware Firewall

<su93ve$tf5$1@gioia.aioe.org>

From: jeff.g.g...@att.net (jrg)
Newsgroups: comp.os.linux.networking
Subject: OT Re: IPv6 Hardware Firewall
Date: Sat, 12 Feb 2022 12:06:04 -0800
Organization: Aioe.org NNTP Server
Message-ID: <su93ve$tf5$1@gioia.aioe.org>
 by: jrg - Sat, 12 Feb 2022 20:06 UTC

On 2/12/22 02:01, Marco Moock wrote:
> If others do not want vaccination, I don't need to care about. They
> also don't need to care about my vaccination.

Wrong.
You are correct in your assessment of that sig in general - one can't
cure stupid. But the statement " I don't need to care about. " is
equally stupid, as is the obverse you continued to use. It shows simply
an attitude of "hurray for me and screw you". With the number of deaths
involved, EVERYONE needs to be aware of the risks the carrier of the
"plague" puts on all those around them. If you can't grasp the point,
do the rest of us a favor and STFU - try visiting a leper colony to see
how your "enlightened" position works.

Re: OT Re: IPv6 Hardware Firewall

<20220212213913.24b32972@ryz>

From: mo0...@posteo.de (Marco Moock)
Newsgroups: comp.os.linux.networking
Subject: Re: OT Re: IPv6 Hardware Firewall
Date: Sat, 12 Feb 2022 21:39:13 +0100
Organization: A noiseless patient Spider
Lines: 22
Message-ID: <20220212213913.24b32972@ryz>
 by: Marco Moock - Sat, 12 Feb 2022 20:39 UTC

Am Samstag, 12. Februar 2022, um 12:06:04 Uhr schrieb jrg:

> On 2/12/22 02:01, Marco Moock wrote:
> > If others do not want vaccination, I don't need to care about. They
> > also don't need to care about my vaccination.
>
> Wrong.
> You are correct in your assessment of that sig in general - one can't
> cure stupid. But the statement " I don't need to care about. " is
> equally stupid, as is the obverse you continued to use. It shows
> simply an attitude of "hurray for me and screw you". With the number
> of deaths involved, EVERYONE needs to be aware of the risks the
> carrier of the "plague" puts on all those around them. If you can't
> grasp the point, do the rest of us a favor and STFU - try visiting a
> leper colony to see how your "enlightened" position works.

I just wanted to make clear that the comparison between no vaccination
and no IPv6 isn't a good one.
Regardless if you are vaccinated or not, I can decide myself if I want
to be or not.
I can't do that with IPv4/IPv6.

Re: IPv6 Hardware Firewall

<su9qqh$qgt$1@tncsrv09.home.tnetconsulting.net>

From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Sat, 12 Feb 2022 19:36:15 -0700
Organization: TNet Consulting
Message-ID: <su9qqh$qgt$1@tncsrv09.home.tnetconsulting.net>
 by: Grant Taylor - Sun, 13 Feb 2022 02:36 UTC

On 2/12/22 2:50 AM, Marc Haber wrote:
> You don't need to be creative to use IPv6. It's all stupid, all easy.
> That's how networks should be.

The hardest part about IPv6 is getting an ISP that provides it.

WAY too many don't provide IPv6.

--
Grant. . . .
unix || die

Re: IPv6 Hardware Firewall

<su9r2e$au4$1@tncsrv09.home.tnetconsulting.net>

From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Sat, 12 Feb 2022 19:40:27 -0700
Organization: TNet Consulting
Message-ID: <su9r2e$au4$1@tncsrv09.home.tnetconsulting.net>
 by: Grant Taylor - Sun, 13 Feb 2022 02:40 UTC

On 2/12/22 2:52 AM, Marc Haber wrote:
> Those belong to the U.S. DoD. You're not supposed to use them.

And yet there are many people doing exactly that.

Or using someone else's network.

> That's a really stupid idea.

I didn't say that squatting on someone else's IP space was a good idea.

> Networks are not supposed to be creative. They're supposed to work.
> And the simpler they are, the more reliable they are.

And how is having many (upwards of 10) IPv6 addresses on a single
machine /simpler/?

What do you do if multiple enterprises are using site-local, despite
the deprecation?

How do you address the conflict /simply/ then?

--
Grant. . . .
unix || die

Re: IPv6 Hardware Firewall

<20220213075525.7aeae1b0@ryz>

From: mo0...@posteo.de (Marco Moock)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Sun, 13 Feb 2022 07:55:25 +0100
Organization: A noiseless patient Spider
Lines: 14
Message-ID: <20220213075525.7aeae1b0@ryz>
 by: Marco Moock - Sun, 13 Feb 2022 06:55 UTC

Am Samstag, 12. Februar 2022, um 19:36:15 Uhr schrieb Grant Taylor:

> On 2/12/22 2:50 AM, Marc Haber wrote:
> > You don't need to be creative to use IPv6. It's all stupid, all
> > easy. That's how networks should be.
>
> The hardest part about IPv6 is getting an ISP that provides it.
>
> WAY too many don't provide IPv6.

I completely agree. Here in Germany many small ISPs don't provide it,
but the big ones like Deutsche Telekom provide it even for home
customers.

Re: IPv6 Hardware Firewall

<slrnt0hlja.2fqr.BitTwister@wb.home.test>

From: BitTwis...@mouse-potato.com (Bit Twister)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Sun, 13 Feb 2022 03:59:06 -0600
Organization: A noiseless patient Spider
Lines: 26
Message-ID: <slrnt0hlja.2fqr.BitTwister@wb.home.test>
 by: Bit Twister - Sun, 13 Feb 2022 09:59 UTC

On Sun, 13 Feb 2022 07:55:25 +0100, Marco Moock wrote:
> Am Samstag, 12. Februar 2022, um 19:36:15 Uhr schrieb Grant Taylor:
>
>> On 2/12/22 2:50 AM, Marc Haber wrote:
>> > You don't need to be creative to use IPv6. It's all stupid, all
>> > easy. That's how networks should be.
>>
>> The hardest part about IPv6 is getting an ISP that provides it.
>>
>> WAY too many don't provide IPv6.
>
> I completely agree. Here in Germany many small ISPs don't provide it,
> but the big ones like Deutsche Telekom provide it even for home
> customers.

Frontier Fios here in Dallas Texas gives ipv4
$ wget -qO - http://icanhazip.com
47.183.233.188

--
The warranty and liability expired as you read this message.
If the above breaks your system, it's yours and you keep both pieces.
Practice safe computing. Backup the file before you change it.
Do a, man command_here or cat command_here, before using it.

Re: IPv6 Hardware Firewall

<suanni$gn6$1@dont-email.me>

From: david.br...@hesbynett.no (David Brown)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Sun, 13 Feb 2022 11:49:22 +0100
Organization: A noiseless patient Spider
Lines: 89
Message-ID: <suanni$gn6$1@dont-email.me>
 by: David Brown - Sun, 13 Feb 2022 10:49 UTC

On 11/02/2022 09:41, Marco Moock wrote:
> Am Freitag, 11. Februar 2022, um 07:28:05 Uhr schrieb Mike Mocha:
>
>> Thanks for all the responses! Something that still is not making
>> sense to me, if for example we have a home network that contains many
>> different IPv6 devices connected, how do we control what ports get
>> exposed on each device?
>
> The concept of the internet (IPv4 and IPv6) is that every device has a
> unique address that is reachable from any other node.

That /was/ the original idea - back when IP networking was for a few
specialised uses such as military research, universities, and a few
niche companies. Such a concept does not scale to today's networking
needs, and that has /nothing/ to do with the number of IPv4 addresses.

It is a /long/ time since computers and users have had the level of
trust that existed then. With more software, has come more security
holes. The average level of knowledge of users has dropped as computers
arrived on every desk, not just the desks of experts.

The number of connected nodes has increased dramatically over the
decades. Unique addressing is not the issue - it's an irrelevancy. A
system where any node can address any other node simply does not scale.

So what we have is a somewhat hierarchical system - basically on two
levels. There is the "internet" which supports wide-range access and
routing, with many servers directly on that network. And there
are countless local networks with interaction within the network, and
access to internet-based servers, but with no need for anything outside
to get in.

Rounded to the nearest tenth of a percent, all computers are
client-only. (Yes, the remaining fraction that act as servers is
important.) They are mobile phones, home computers, work desktops, etc.
All of these need to be able to access servers on the internet. /None/
of them need to be accessed by any other computer. The only time
something tries to directly access them, is an attack from some hacker,
worm or other malware. No one wants that, or to make that easier.

Of course you can say that it is the job of the firewall to block
incoming connections while allowing packets of established connections
to pass through from the internet. But when the firewall is already
doing this connection tracking, it can also do NAT'ing at little cost.
That then makes the routing process upstream /hugely/ easier.

What benefit would there be from each device having a unique IP address
that is used directly, without NAT? The device would /not/ be reachable
from any other node - if you think that would be a good thing, with
every hacker on the other side of the globe having direct access to your
grandma's mobile, you are living on a different planet.

The only people that would see this as a direct benefit are the
Facebooks of the world, and the porn-site based scammers and
blackmailers. (That includes "legitimate" porn sites that get hacked by
scammers and blackmailers.) They'd love to know /exactly/ which
computer was used, as accurately as possible, rather than seeing common
router IP addresses.

> NAT and all that
> crap are just temporary solutions for keeping IPv4 alive.

NAT is a fine example of the flexibility of IP networking, and does a
fine job of helping compartmentalise and modularise the network. It is
also extremely easy to have a simple NAT setup - these days pretty much
every home has a NAT router with Wifi, that comes out of the box with a
setup that provides a basic level of security for the home (except for
the NAT routers that have hopeless default passwords). In the days of
dial-up, people would take their Windows XP machines and connect
directly to the internet, getting a global IP that was reachable from
any node. Their machine would be taken over by hostile hackers and bots
long before it had managed to download the latest service packs and
updates, which at best only blocked half the attacks anyway. Now they
connect their new Windows machines to their NAT router, and /no/ attacks
get in (until they do something stupid, like click on a phishing email
link).

> We should
> switch to IPv6 ASAP.
>
There are certainly cases where a greater availability of globally
unique addresses would be helpful. While almost all computers are not
servers, /some/ are, and sometimes a unique address on the internet
would be handy.

I see some benefits to IPv6, but not enough to bother much about it as
yet. And when I do start using it seriously, it will be with NAT.

Re: IPv6 Hardware Firewall

<20220213135148.0dc315e6@ryz>

From: mo0...@posteo.de (Marco Moock)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Sun, 13 Feb 2022 13:51:48 +0100
Organization: A noiseless patient Spider
Lines: 140
Message-ID: <20220213135148.0dc315e6@ryz>
 by: Marco Moock - Sun, 13 Feb 2022 12:51 UTC

Am Sonntag, 13. Februar 2022, um 11:49:22 Uhr schrieb David Brown:

> On 11/02/2022 09:41, Marco Moock wrote:
> > Am Freitag, 11. Februar 2022, um 07:28:05 Uhr schrieb Mike Mocha:
> >
> >> Thanks for all the responses! Something that still is not making
> >> sense to me, if for example we have a home network that contains
> >> many different IPv6 devices connected, how do we control what
> >> ports get exposed on each device?
> >
> > The concept of the internet (IPv4 and IPv6) is that every device
> > has a unique address that is reachable from any other node.
>
> That /was/ the original idea - back when IP networking was for a few
> specialised uses such as military research, universities, and a few
> niche companies. Such a concept does not scale to today's networking
> needs, and that has /nothing/ to do with the number of IPv4 addresses.

They scale very well if you have enough addresses available. It is much
easier because you don't need a NAT/PAT table, nor do you need to create
concepts for interconnecting LANs with RFC 1918 addresses etc.

> It is a /long/ time since computers and users have had the level of
> trust that existed then. With more software, has come more security
> holes. The average level of knowledge of users has dropped as
> computers arrived on every desk, not just the desks of experts.
>
> The number of connected nodes has increased dramatically over the
> decades. Unique addressing is not the issue - it's an irrelevancy. A
> system where any node can address any other node simply does not
> scale.

It does very well, a home customer has about 2^64 addresses available.
Tell me what you can't do with that.

> So what we have is a somewhat hierarchical system - basically on two
> levels. There is the "internet" which supports wide-range access and
> routing, with many servers directly on that network. And there are
> countless local networks with interaction within the
> network, and access to internet-based servers, but with no need for
> anything outside to get in.

Why do we need a hierarchical system here?
If we want addresses for local-only services we can use ULA. Also more
than enough addresses are available for all your needs.

> Rounded to the nearest tenth of a percent, all computers are
> client-only. (Yes, the remaining fraction that act as servers is
> important.) They are mobile phones, home computers, work desktops,
> etc. All of these need to be able to access servers on the internet.

That is what big companies and providers tell us. Everybody that wants
to use VoIP without any problems needs to be reachable from the outside.

> /None/ of them need to be accessed by any other computer. The only
> time something tries to directly access them, is an attack from some
> hacker, worm or other malware. No one wants that, or to make that
> easier.

Then they can operate an SPI firewall. Windows has one enabled by
default, most home routers have one enabled.

> Of course you can say that it is the job of the firewall to block
> incoming connections while allowing packets of established connections
> to pass through from the internet. But when the firewall is already
> doing this connection tracking, it can also do NAT'ing at little cost.
> That then makes the routing process upstream /hugely/ easier.

Why should it do NAT?
What makes it better in the routing?
I see no benefit at all.

> What benefit would there be from each device having a unique IP
> address that is used directly, without NAT? The device would /not/
> be reachable from any other node - if you think that would be a good
> thing, with every hacker on the other side of the globe having direct
> access to your grandma's mobile, you are living on a different planet.

The grandma's router has an SPI fw enabled. Grandma's Windows has an
SPI FW enabled by default, so no problem.
If you have a good operating system, no server software runs on the
public addresses. Then there is also no problem at all without NAT or
an SPI fw.

> The only people that would see this as a direct benefit are the
> Facebooks of the world, and the porn-site based scammers and
> blackmailers. (That includes "legitimate" porn sites that get hacked
> by scammers and blackmailers.) They'd love to know /exactly/ which
> computer was used, as accurately as possible, rather than seeing
> common router IP addresses.

Because of proxy servers and NAT, companies like Facebook and Google
created other methods of tracking. They use User Agents, Cookies,
Browser storage to identify a user, they don't need a unique IP
address.

> > NAT and all that
> > crap are just temporary solutions for keeping IPv4 alive.
>
> NAT is a fine example of the flexibility of IP networking, and does a
> fine job of helping compartmentalise and modularise the network. It
> is also extremely easy to have a simple NAT setup - these days pretty
> much every home has a NAT router with Wifi, that comes out of the box
> with a setup that provides a basic level of security for the home
> (except for the NAT routers that have hopeless default passwords).

NAT first creates a flexibility and then you see how bad it is. Think
about DNS with servers that have private addresses and should have a
host name. You then need NAT hairpinning and other nasty stuff.

> In the days of dial-up, people would take their Windows XP machines
> and connect directly to the internet, getting a global IP that was
> reachable from any node. Their machine would be taken over by
> hostile hackers and bots long before it had managed to download the
> latest service packs and updates, which at best only blocked half the
> attacks anyway. Now they connect their new Windows machines to their
> NAT router, and /no/ attacks get in (until they do something stupid,
> like click on a phishing email link).

The main problem of that is that Windows has enabled server software
like NetBIOS over IP and SMB. This is the problem and NAT/SPI should
now solve the biggest security problem that MS was able to create?
Personally, I don't care anymore about Windows machines because they
are insecure by design.

> > We should
> > switch to IPv6 ASAP.
> >
> There are certainly cases where a greater availability of globally
> unique addresses would be helpful. While almost all computers are not
> servers, /some/ are, and sometimes a unique address on the internet
> would be handy.
>
> I see some benefits to IPv6, but not enough to bother much about it as
> yet. And when I do start using it seriously, it will be with NAT.

Then do it if you like a really bad network infrastructure.
What I want is to be able to switch off IPv4 completely on my side without
having problems connecting to others' servers.
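
The stateful (SPI) filtering without NAT that the two posts above argue about, as an added example that is not part of either post: an nftables forward chain for a Linux home router that drops unsolicited inbound IPv6 by default and exposes one port on one device. The interface names "wan0" and "lan0", the documentation prefix 2001:db8:1:1::/64 and the host address ending in ::10 are assumptions for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread): stateful IPv6 forwarding filter, no NAT.
# Assumed names: "wan0" = uplink, "lan0" = home LAN.
# 2001:db8:1:1::/64 is a documentation prefix standing in for the
# ISP-delegated LAN prefix; replace it with the real one.
# The router's own input chain (neighbor discovery, DHCPv6-PD, management)
# is deliberately not shown here.

table ip6 home_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that LAN hosts opened themselves.
        # ICMPv6 errors for those flows (e.g. packet-too-big) count as
        # "related", so path MTU discovery keeps working.
        ct state established,related accept
        ct state invalid drop

        # LAN hosts may open new connections towards the internet.
        iifname "lan0" oifname "wan0" accept

        # Keep LAN hosts pingable from outside, but rate-limited.
        iifname "wan0" oifname "lan0" icmpv6 type echo-request limit rate 10/second accept

        # Per-device exposure: only this host, only this port.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1:1::10 tcp dport 443 ct state new accept

        # Any other new inbound connection falls through to "policy drop",
        # even though every LAN host has a globally routable address.
    }
}
```

Load it with `nft -f` on the router; each additional exposed service is one more line naming a destination address and port.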

Re: IPv6 Hardware Firewall

<suauud$d730$1@news1.tnib.de>

From: mh+usene...@zugschl.us (Marc Haber)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Sun, 13 Feb 2022 13:52:29 +0100
Organization: private site, see http://www.zugschlus.de/ for details
Message-ID: <suauud$d730$1@news1.tnib.de>
 by: Marc Haber - Sun, 13 Feb 2022 12:52 UTC

Grant Taylor <gtaylor@tnetconsulting.net> wrote:
>On 2/12/22 2:50 AM, Marc Haber wrote:
>> You don't need to be creative to use IPv6. It's all stupid, all easy.
>> That's how networks should be.
>
>The hardest part about IPv6 is getting an ISP that provides it.
>
>WAY too many don't provide IPv6.

Thankfully, in technologically advanced countries dual stack or dual
stack lite Internet access is a commodity and easily bought on the
market, even with competitive pricing.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mail address in header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: IPv6 Hardware Firewall

<suav9e$d7k7$1@news1.tnib.de>


https://www.novabbs.com/computers/article-flat.php?id=338&group=comp.os.linux.networking#338

From: mh+usene...@zugschl.us (Marc Haber)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Sun, 13 Feb 2022 13:58:22 +0100
Organization: private site, see http://www.zugschlus.de/ for details
Message-ID: <suav9e$d7k7$1@news1.tnib.de>
 by: Marc Haber - Sun, 13 Feb 2022 12:58 UTC

Grant Taylor <gtaylor@tnetconsulting.net> wrote:
>On 2/12/22 2:52 AM, Marc Haber wrote:
>> Networks are not supposed to be creative. They're supposed to work.
>> And the simpler they are, the more reliable are they.
>And how is having many (upwards of 10) IPv6 addresses on a single
>machine /simpler/?

You're fantasizing. In my most complex network (it's my home network)
I have at minimum four IPv6 addresses per machine¹, and that's just
cause I am too cheap to get decent BGP redundancy for my home. Any
business customer with a mind is going to have their own address space
and build redundancy network-wise, which makes the network setup on
the actual server even easier.

¹ link local, SLAAC from the expensive, but static prefix, static
Unique Global Unicast from the expensive prefix for ssh, and SLAAC
from the dynamic but cheap and fast prefix for downloads. Add service
IP addresses from the expensive static prefix at will, I am a big fan
of having one IP address per service, which is WAY easier and WAY
cheaper with IPv4.

New setups I build with IPv6 only and provide IPv4 access via NAT
(mainly for github, who have not woken up yet) and IPv4 services via
reverse proxy / ALG.

>What do you do if the multiple enterprises are using site-local, despite
>the deprecation?

Organizational failure to adapt to changed environment. The market
will solve that, given enough time.

>How do you address the conflict /simply/ then?

I am not a psychologist.

--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mail address in header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: IPv6 Hardware Firewall

<20220213140543.1275a4a8@ryz>


https://www.novabbs.com/computers/article-flat.php?id=339&group=comp.os.linux.networking#339

From: mo0...@posteo.de (Marco Moock)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Sun, 13 Feb 2022 14:05:43 +0100
Organization: A noiseless patient Spider
Message-ID: <20220213140543.1275a4a8@ryz>
 by: Marco Moock - Sun, 13 Feb 2022 13:05 UTC

On Saturday, 12 February 2022, at 19:40:27, Grant Taylor wrote:

> What do you do if the multiple enterprises are using site-local,
> despite the deprecation?
>
> How do you address the conflict /simply/ then?

Site-local has been deprecated for years.
If they like to use a site-local-scope address range they should use ULA
and should randomize the bits from bit to to bit 48 to ensure they have
a unique prefix. If they then want to bring together 2 links with IPv6
ULA it works fine without changing one address.
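
Added example (not part of the post above): a Python sketch of the ULA approach it describes, following the RFC 4193 layout of `fd` + 40-bit Global ID + 16-bit Subnet ID, and comparing a merge of two site-local networks with a merge of two independently generated ULA sites. The function names and sample prefixes are constructed for illustration, and `secrets.randbits` is used here in place of the hash-based procedure RFC 4193 suggests for the Global ID.

```python
import ipaddress
import math
import secrets


def new_ula_prefix(global_id=None):
    """Build a /48 ULA prefix: 0xfd, then a 40-bit Global ID (random if not given)."""
    if global_id is None:
        global_id = secrets.randbits(40)
    if not 0 <= global_id < 2**40:
        raise ValueError("Global ID must fit in 40 bits")
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def subnet64(prefix, subnet_id):
    """Return the /64 with the given 16-bit Subnet ID inside a /48 prefix."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id < 2**16:
        raise ValueError("need a /48 and a 16-bit Subnet ID")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


def merge_conflicts(site_a, site_b):
    """Prefix pairs that overlap once the two sites are routed together."""
    a = [ipaddress.ip_network(str(n)) for n in site_a]
    b = [ipaddress.ip_network(str(n)) for n in site_b]
    return [(x, y) for x in a for y in b if x.overlaps(y)]


def collision_probability(sites):
    """Birthday bound: chance that any two of `sites` random Global IDs match."""
    return -math.expm1(-sites * (sites - 1) / 2**41)


if __name__ == "__main__":
    # Constructed sample: two enterprises that both numbered from site-local.
    old_a = ["fec0:0:0:1::/64"]
    old_b = ["fec0:0:0:1::/64", "fec0:0:0:2::/64"]
    print("site-local merge conflicts:", merge_conflicts(old_a, old_b))

    # The same two sites renumbered into independently generated ULA /48s.
    ula_a, ula_b = new_ula_prefix(), new_ula_prefix()
    new_a = [subnet64(ula_a, 1)]
    new_b = [subnet64(ula_b, 1), subnet64(ula_b, 2)]
    print(ula_a, ula_b, "conflicts:", merge_conflicts(new_a, new_b))
    print("P(collision) among 1000 sites: %.2e" % collision_probability(1000))
```
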

Re: IPv6 Hardware Firewall

<sub2i3$l0f$1@dont-email.me>


https://www.novabbs.com/computers/article-flat.php?id=340&group=comp.os.linux.networking#340

From: david.br...@hesbynett.no (David Brown)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Sun, 13 Feb 2022 14:54:10 +0100
Organization: A noiseless patient Spider
Message-ID: <sub2i3$l0f$1@dont-email.me>
 by: David Brown - Sun, 13 Feb 2022 13:54 UTC

On 13/02/2022 13:51, Marco Moock wrote:
> On Sunday, 13 February 2022, at 11:49:22, David Brown wrote:

>> In the days of dial-up, people would take their Windows XP machines
>> and connect directly to the internet, getting a global IP that was
>> reachable from any node. Their machine would be taken over by
>> hostile hackers and bots long before it had managed to download the
>> latest service packs and updates, which at best only blocked half the
>> attacks anyway. Now they connect their new Windows machines to their
>> NAT router, and /no/ attacks get in (until they do something stupid,
>> like click on a phishing email link).
>
> The main problem of that is that Windows has enabled server software
> like NetBIOS over IP and SMB. This is the problem and NAT/SPI should
> now solve the biggest security problem that MS was able to create?
> Personally, I don't care anymore about windows machines because they
> are insecure by design.
>
As long as /you/ are all right, screw the rest of the world?

It's fine to blame MS for a decades-long attitude where security is an
afterthought at best - you'll find few people who are particularly
impressed with Windows security (and even fewer in a newsgroup like this
one!).

But in one simple step, NAT eliminates a whole major class of security
issues for client systems (including Linux and other OS's). It does so
in a way that is not only easy to get right, it is also hard to get wrong.

Security is not a feature - a one-off item that you attach to your
network. It is a process, and it is a matter of layers and
combinations. Each part reduces the overall risk of breaches - none is
absolute on its own, but in total you find an acceptable risk level.
And it is always a balance between keeping out the stuff you don't want,
while letting in the stuff you /do/ want with as little user
inconvenience as possible. NAT plays an important part in the security
in a lot of systems because it provides a huge step at keeping out
unwanted stuff while being of very little inconvenience to most users.
And it does this for practically nothing - stand-alone NAT routers for
small networks cost peanuts, and any serious router for a big network
will do it with negligible delay or overhead. There are not many
security measures that are so effective for so low cost.
