computers / comp.os.linux.networking / Re: IPv6 Hardware Firewall

Subject  (Author)
* IPv6 Hardware Firewall  (Mike Mocha)
+* Re: IPv6 Hardware Firewall  (Marco Moock)
|+- Re: IPv6 Hardware Firewall  (Marc Haber)
|`* Re: IPv6 Hardware Firewall  (Mike Scott)
| `- Re: IPv6 Hardware Firewall  (Marco Moock)
+- Re: IPv6 Hardware Firewall  (Marc Haber)
+- Re: IPv6 Hardware Firewall  (Dan Purgert)
+* Re: IPv6 Hardware Firewall  (Grant Taylor)
|+* Re: IPv6 Hardware Firewall  (Marco Moock)
||`* Re: IPv6 Hardware Firewall  (Grant Taylor)
|| `* Re: IPv6 Hardware Firewall  (Dan Purgert)
||  +* Re: IPv6 Hardware Firewall  (Marco Moock)
||  |`* Re: IPv6 Hardware Firewall  (Dan Purgert)
||  | `* Re: IPv6 Hardware Firewall  (Grant Taylor)
||  |  `- Re: IPv6 Hardware Firewall  (Dan Purgert)
||  `* Re: IPv6 Hardware Firewall  (Grant Taylor)
||   `* Re: IPv6 Hardware Firewall  (Dan Purgert)
||    `- Re: IPv6 Hardware Firewall  (Grant Taylor)
|`* Re: IPv6 Hardware Firewall  (Marc Haber)
| `* Re: IPv6 Hardware Firewall  (Grant Taylor)
|  `* Re: IPv6 Hardware Firewall  (Dan Purgert)
|   `* Re: IPv6 Hardware Firewall  (Grant Taylor)
|    +* Re: IPv6 Hardware Firewall  (Marco Moock)
|    |+* Re: IPv6 Hardware Firewall  (Grant Taylor)
|    ||`* Re: IPv6 Hardware Firewall  (Marc Haber)
|    || `* Re: IPv6 Hardware Firewall  (Grant Taylor)
|    ||  `- Re: IPv6 Hardware Firewall  (Marc Haber)
|    |`* Re: IPv6 Hardware Firewall  (Jorgen Grahn)
|    | +* Re: IPv6 Hardware Firewall  (Marco Moock)
|    | |`- Re: IPv6 Hardware Firewall  (Marc Haber)
|    | `* Re: IPv6 Hardware Firewall  (Grant Taylor)
|    |  `* Re: IPv6 Hardware Firewall  (Marco Moock)
|    |   `* Re: IPv6 Hardware Firewall  (Grant Taylor)
|    |    `* Re: IPv6 Hardware Firewall  (Marco Moock)
|    |     `- Re: IPv6 Hardware Firewall  (Grant Taylor)
|    `* Re: IPv6 Hardware Firewall  (Dan Purgert)
|     `* Re: IPv6 Hardware Firewall  (Grant Taylor)
|      +- Re: IPv6 Hardware Firewall  (Dan Purgert)
|      `* Re: IPv6 Hardware Firewall  (Marc Haber)
|       +* Re: IPv6 Hardware Firewall  (Marco Moock)
|       |`* Re: IPv6 Hardware Firewall  (Grant Taylor)
|       | +* Re: IPv6 Hardware Firewall  (Marco Moock)
|       | |`- Re: IPv6 Hardware Firewall  (Grant Taylor)
|       | `* Re: IPv6 Hardware Firewall  (Marc Haber)
|       |  `* Re: IPv6 Hardware Firewall  (Grant Taylor)
|       |   +* Re: IPv6 Hardware Firewall  (Marco Moock)
|       |   |`* Re: IPv6 Hardware Firewall  (Bit Twister)
|       |   | `* Re: IPv6 Hardware Firewall  (jrg)
|       |   |  `* Re: IPv6 Hardware Firewall  (Bit Twister)
|       |   |   `* Re: IPv6 Hardware Firewall  (jrg)
|       |   |    `* Re: IPv6 Hardware Firewall  (Bit Twister)
|       |   |     `* Re: IPv6 Hardware Firewall  (jrg)
|       |   |      `- Re: IPv6 Hardware Firewall  (David W. Hodgins)
|       |   `* Re: IPv6 Hardware Firewall  (Marc Haber)
|       |    `* Re: IPv6 Hardware Firewall  (Grant Taylor)
|       |     `- Re: IPv6 Hardware Firewall  (Marco Moock)
|       `* Re: IPv6 Hardware Firewall  (Grant Taylor)
|        `* Re: IPv6 Hardware Firewall  (Marc Haber)
|         `* Re: IPv6 Hardware Firewall  (Grant Taylor)
|          +* Re: IPv6 Hardware Firewall  (Marc Haber)
|          |`* Re: IPv6 Hardware Firewall  (Grant Taylor)
|          | `* Re: IPv6 Hardware Firewall  (Marc Haber)
|          |  `* Re: IPv6 Hardware Firewall  (Grant Taylor)
|          |   +- Re: IPv6 Hardware Firewall  (Marco Moock)
|          |   `- Re: IPv6 Hardware Firewall  (Marc Haber)
|          `* Re: IPv6 Hardware Firewall  (Marco Moock)
|           `* Re: IPv6 Hardware Firewall  (Grant Taylor)
|            +* Re: IPv6 Hardware Firewall  (Marco Moock)
|            |`- Re: IPv6 Hardware Firewall  (Grant Taylor)
|            `* Re: IPv6 Hardware Firewall  (Marc Haber)
|             `* Re: IPv6 Hardware Firewall  (Grant Taylor)
|              `- Re: IPv6 Hardware Firewall  (Marc Haber)
`* Re: IPv6 Hardware Firewall  (Roger Blake)
 +* Re: IPv6 Hardware Firewall  (Marco Moock)
 |+* Re: IPv6 Hardware Firewall  (Grant Taylor)
 ||+* Re: IPv6 Hardware Firewall  (Marco Moock)
 |||`* Re: IPv6 Hardware Firewall  (Grant Taylor)
 ||| `- Re: IPv6 Hardware Firewall  (meff)
 ||`* Re: IPv6 Hardware Firewall  (Vincent Coen)
 || `* Re: IPv6 Hardware Firewall  (Grant Taylor)
 ||  `* Re: IPv6 Hardware Firewall  (Vincent Coen)
 ||   +- Re: IPv6 Hardware Firewall  (Marco Moock)
 ||   `* Re: IPv6 Hardware Firewall  (Grant Taylor)
 ||    `* Re: IPv6 Hardware Firewall  (Marco Moock)
 ||     `- Re: IPv6 Hardware Firewall  (Grant Taylor)
 |`* Re: IPv6 Hardware Firewall  (Roger Blake)
 | `* Re: IPv6 Hardware Firewall  (Marco Moock)
 |  +* Re: IPv6 Hardware Firewall  (Marc Haber)
 |  |+* Re: IPv6 Hardware Firewall  (Marco Moock)
 |  ||`* OT Re: IPv6 Hardware Firewall  (jrg)
 |  || `* Re: OT Re: IPv6 Hardware Firewall  (Marco Moock)
 |  ||  `- Re: OT Re: IPv6 Hardware Firewall  (jrg)
 |  |`- Re: IPv6 Hardware Firewall  (Roger Blake)
 |  `* Re: IPv6 Hardware Firewall  (Roger Blake)
 |   `- Re: IPv6 Hardware Firewall  (jrg)
 `* Re: IPv6 Hardware Firewall  (Marc Haber)
  +* Re: IPv6 Hardware Firewall  (Mike Mocha)
  |+* Re: IPv6 Hardware Firewall  (Marco Moock)
  ||+- Re: IPv6 Hardware Firewall  (Roger Blake)
  ||`* Re: IPv6 Hardware Firewall  (David Brown)
  || `* Re: IPv6 Hardware Firewall  (Marco Moock)
  |+- Re: IPv6 Hardware Firewall  (meff)
  |`- Re: IPv6 Hardware Firewall  (Dan Purgert)
  `* Re: IPv6 Hardware Firewall  (Roger Blake)

Re: IPv6 Hardware Firewall

<sugub1$ia2$3@tncsrv09.home.tnetconsulting.net>


https://www.novabbs.com/computers/article-flat.php?id=366&group=comp.os.linux.networking#366

From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Tue, 15 Feb 2022 12:19:12 -0700
Organization: TNet Consulting
Message-ID: <sugub1$ia2$3@tncsrv09.home.tnetconsulting.net>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<su1nsm$43a$2@tncsrv09.home.tnetconsulting.net>
<su2kma$1gat9$1@news1.tnib.de>
<su3jso$7qe$2@tncsrv09.home.tnetconsulting.net> <slrnt0ap4h.5ru.dan@djph.net>
<su3pvb$3r2$1@tncsrv09.home.tnetconsulting.net> <20220210213434.61aa8729@ryz>
<slrnt0inq7.1rfm.grahn+nntp@frailea.sa.invalid>
<sugshg$73a$1@tncsrv09.home.tnetconsulting.net> <20220215200846.54434d76@ryz>
In-Reply-To: <20220215200846.54434d76@ryz>
 by: Grant Taylor - Tue, 15 Feb 2022 19:19 UTC

On 2/15/22 12:08 PM, Marco Moock wrote:
> I know and stateless NAT64

I was referring to stateless NAT44. E.g. prefix translation;
192.0.2.x/24 <=> 198.51.100.x/24

--
Grant. . . .
unix || die

Re: IPv6 Hardware Firewall

<sugunl$4tk$1@tncsrv09.home.tnetconsulting.net>


https://www.novabbs.com/computers/article-flat.php?id=367&group=comp.os.linux.networking#367

From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Tue, 15 Feb 2022 12:25:55 -0700
Organization: TNet Consulting
Message-ID: <sugunl$4tk$1@tncsrv09.home.tnetconsulting.net>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<20220209230421@news.eternal-september.org> <su2kpj$1gb44$1@news1.tnib.de>
<9eoNJ.42368$%uX7.41616@fx38.iad> <20220211094118.25fc3210@ryz>
<suanni$gn6$1@dont-email.me> <20220213135148.0dc315e6@ryz>
<sub2i3$l0f$1@dont-email.me>
In-Reply-To: <sub2i3$l0f$1@dont-email.me>
 by: Grant Taylor - Tue, 15 Feb 2022 19:25 UTC

On 2/13/22 6:54 AM, David Brown wrote:
> But in one simple step, NAT eliminates a whole major class of security
> issues for client systems (including Linux and other OS's). It does
> so in a way that is not only easy to get right, it is also hard to
> get wrong.

I think that the second part of that is extremely germane: "easy to get
right" and more importantly "hard to get wrong".

> And it is always a balance between keeping out the stuff you don't
> want, while letting in the stuff you /do/ want with as little user
> inconvenience as possible. NAT plays an important part in the security
> in a lot of systems because it provides a huge step at keeping out
> unwanted stuff while being of very little inconvenience to most users.

I read that statement a little differently and I think that it's worth
sharing the idea. Do something that implicitly breaks communications
(e.g. incompatible addressing) such that you must do something that
explicitly enables communications (e.g. NAT / proxy).

There is a lot to be said for a security system that requires explicit
precise action to make something externally available while just about
anything else will fail to communicate externally in one of many ways.

I say "just about" because even a blind hog finds a truffle on occasion.
Chaos also dictates that the dryer be folded when you open it for the
first time.

--
Grant. . . .
unix || die

Re: IPv6 Hardware Firewall

<20220215210950.3ba8891c@ryz>


https://www.novabbs.com/computers/article-flat.php?id=368&group=comp.os.linux.networking#368

From: mo0...@posteo.de (Marco Moock)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Tue, 15 Feb 2022 21:09:50 +0100
Organization: A noiseless patient Spider
Message-ID: <20220215210950.3ba8891c@ryz>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<su1nsm$43a$2@tncsrv09.home.tnetconsulting.net>
<su2kma$1gat9$1@news1.tnib.de>
<su3jso$7qe$2@tncsrv09.home.tnetconsulting.net>
<slrnt0ap4h.5ru.dan@djph.net>
<su3pvb$3r2$1@tncsrv09.home.tnetconsulting.net>
<20220210213434.61aa8729@ryz>
<slrnt0inq7.1rfm.grahn+nntp@frailea.sa.invalid>
<sugshg$73a$1@tncsrv09.home.tnetconsulting.net>
<20220215200846.54434d76@ryz>
<sugub1$ia2$3@tncsrv09.home.tnetconsulting.net>
 by: Marco Moock - Tue, 15 Feb 2022 20:09 UTC

On Tuesday, 15 February 2022, at 12:19:12, Grant Taylor wrote:

> On 2/15/22 12:08 PM, Marco Moock wrote:
> > I know and stateless NAT64
>
> I was referring to stateless NAT44. E.g. prefix translation;
> 192.0.2.x/24 <=> 198.51.100.x/24

I know it exists, but what is the purpose of that?
I have never seen that in productive networks yet.

Re: IPv6 Hardware Firewall

<20220215211807.08a73313@ryz>


https://www.novabbs.com/computers/article-flat.php?id=369&group=comp.os.linux.networking#369

From: mo0...@posteo.de (Marco Moock)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Tue, 15 Feb 2022 21:18:07 +0100
Organization: A noiseless patient Spider
Message-ID: <20220215211807.08a73313@ryz>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<20220209230421@news.eternal-september.org>
<su2kpj$1gb44$1@news1.tnib.de>
<9eoNJ.42368$%uX7.41616@fx38.iad>
<20220211094118.25fc3210@ryz>
<suanni$gn6$1@dont-email.me>
<20220213135148.0dc315e6@ryz>
<sugu35$ia2$1@tncsrv09.home.tnetconsulting.net>
 by: Marco Moock - Tue, 15 Feb 2022 20:18 UTC

On Tuesday, 15 February 2022, at 12:15:00, Grant Taylor wrote:

> On 2/13/22 5:51 AM, Marco Moock wrote:

> > Why do we need a hierarchical system here? If we want addresses
> > for local-only services we can use ULA. also more than enough
> > addresses available for all your needs.
>
> Site-local vs link-local immediately comes to mind.

True, both are there and there are use cases where they are useful or
not.

> > That is what big companies and providers tells us. Everybody that
> > wants to use VoIP without any problems needs to be reachable from
> > the outside.
>
> I've used VoIP without any problem without globally routed addresses.

I also have that situation at home, but it is very annoying.

> > Then they can operate an SPI firewall. Windows has one enabled by
> > default, most home routers have one enabled.
>
> I think that it's important to keep time & context in mind. Windows
> has an SPI firewall enabled by default /now/. It did not 20 years
> ago.

I know, but the main problem already was and is still that Windows is
running server software by default.

> > If you have a good operating system, no server software runs on the
> > public addresses. Then there is also no problem at all without NAT
> > or an SPI fw.
>
> I will not bet my security on "good operating system" nor "no server
> software runs on the public address" /alone/. Does "belt and
> suspenders" or "layers of security" mean anything?

I know that, but I definitely don't rely on firewalling. I disable the
cause of the security issue and I don't try to make it less vulnerable
with a FW.

> Also, trusting the IP address alone is insufficient. IPs used to be
> far more dynamic than they are today. Thus you couldn't rely on them
> for identification in the vast majority of situations.

I also don't rely on them for auth, but I use them as an additional
criterion if possible.

> > NAT first creates a flexibility and then you see how bad it is.
> > Think about DNS with servers that have private addresses and should
> > have a host name. You then need NAT hairpinning and other nasty
> > stuff.
>
> I guess setting up an internal zone to resolve the name to the LAN IP
> is "other nasty stuff".

Yes, that is what I mean because that often creates problems.
First, DNS uses caching and a computer that was outside may have the
public IP in its cache (TTL not expired yet) and will not ask the name
server again when coming to the internal net.
Then a computer doesn't need to use the specific DNS to resolve the
name. Maybe it is configured to use a specific DNS. Google Chrome and
Firefox offer DNS over HTTPS and maybe use that instead of the DNS the
computer gets via IPv6-RA/DHCP.

> > The main problem of that is that Windows has enabled server
> > software like NetBIOS over IP and SMB. This is the problem and
> > NAT/SPI should now solve the biggest security problem that MS was
> > able to create? Personally, I don't care anymore about windows
> > machines because they are insecure by design.
> >
> > Then do it if you like a really bad network infrastructure. What I
> > wanna is that I can switch off IPv4 at all at my side without
> > having problems to connect to other's servers.
>
> Currently (2022) you will have better connectivity with IPv4+IPv6
> with NAT than you will with IPv6 only. Sadly, the Internet isn't
> even close to parity between IPv4 and IPv6 from a service
> availability standpoint.

Full ack, it is really annoying that I still need to have IPv4
connectivity, especially when self-hosting my servers I need to access
from IPv4-only nets.

Re: IPv6 Hardware Firewall

<suhirp$5d1$1@tncsrv09.home.tnetconsulting.net>


https://www.novabbs.com/computers/article-flat.php?id=370&group=comp.os.linux.networking#370

From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Tue, 15 Feb 2022 18:09:27 -0700
Organization: TNet Consulting
Message-ID: <suhirp$5d1$1@tncsrv09.home.tnetconsulting.net>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<su1nsm$43a$2@tncsrv09.home.tnetconsulting.net>
<su2kma$1gat9$1@news1.tnib.de>
<su3jso$7qe$2@tncsrv09.home.tnetconsulting.net> <slrnt0ap4h.5ru.dan@djph.net>
<su3pvb$3r2$1@tncsrv09.home.tnetconsulting.net> <20220210213434.61aa8729@ryz>
<slrnt0inq7.1rfm.grahn+nntp@frailea.sa.invalid>
<sugshg$73a$1@tncsrv09.home.tnetconsulting.net> <20220215200846.54434d76@ryz>
<sugub1$ia2$3@tncsrv09.home.tnetconsulting.net> <20220215210950.3ba8891c@ryz>
In-Reply-To: <20220215210950.3ba8891c@ryz>
 by: Grant Taylor - Wed, 16 Feb 2022 01:09 UTC

On 2/15/22 1:09 PM, Marco Moock wrote:
> I know it exists, but what is the purpose of that?

It does exactly what it says on the name-plate.

There are some cases where you need to change the network prefix but not
the last octet of an IP address.

I used this for the scenario I described in the D.R. / MS AD / DNS comments.

It's an uncommon, but not unheard of use case. It allows you to
collapse many SNAT / DNAT rules down to two prefix translation rules.

> I have never seen that in productive networks yet.

I have a few times.

--
Grant. . . .
unix || die
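
The stateless NAT44 prefix translation described in the two Grant Taylor posts above (192.0.2.x/24 <=> 198.51.100.x/24, collapsing per-host SNAT/DNAT rules into two prefix rules) as an added example in plain Python. This is not code from the thread or from any poster; it models the address rewrite itself, not a kernel hook. The prefixes are RFC 5737 documentation ranges and the "packets" are constructed (src, dst) tuples, not captured traffic.

```python
"""Stateless 1:1 prefix translation (the NETMAP idea) in plain Python.
Added example for this thread, not code posted by anyone in it.
Prefixes are RFC 5737 documentation ranges; the 'packets' below are
constructed (src, dst) tuples, not captured traffic."""
from ipaddress import IPv4Address, IPv4Network

# Assumed site layout: the LAN is numbered from INSIDE, and the address the
# rest of the world sees for each LAN host is the same host number in OUTSIDE.
INSIDE = "192.0.2.0/24"
OUTSIDE = "198.51.100.0/24"


def netmap(addr: str, from_net: str, to_net: str) -> str:
    """Swap the network prefix of addr from from_net to to_net and keep the
    host bits. No connection table is involved: the result is a pure
    function of the address, so the mapping is stateless and reversible."""
    a = IPv4Address(addr)
    src = IPv4Network(from_net)
    dst = IPv4Network(to_net)
    if src.prefixlen != dst.prefixlen:
        # A 1:1 mapping needs the same number of host bits on both sides.
        raise ValueError("prefix lengths differ: %s vs %s" % (src, dst))
    if a not in src:
        raise ValueError("%s is not inside %s" % (a, src))
    host_bits = int(a) & int(src.hostmask)
    return str(IPv4Address(int(dst.network_address) | host_bits))


def outbound(src: str, dst: str) -> tuple:
    """Packet leaving the site: rewrite the source (what SNAT would do)."""
    return (netmap(src, INSIDE, OUTSIDE), dst)


def inbound(src: str, dst: str) -> tuple:
    """Packet entering the site: rewrite the destination (what DNAT would do).
    Unlike stateful NAT, an unsolicited inbound packet is translated too;
    whether it is then allowed is the firewall's job, not the translator's."""
    return (src, netmap(dst, OUTSIDE, INSIDE))


def is_bijective(from_net: str, to_net: str) -> bool:
    """Check that translating there and back returns every address in
    from_net unchanged, i.e. two prefix rules really cover all hosts."""
    return all(
        netmap(netmap(str(h), from_net, to_net), to_net, from_net) == str(h)
        for h in IPv4Network(from_net)
    )


if __name__ == "__main__":
    print(outbound("192.0.2.45", "203.0.113.9"))
    print(inbound("203.0.113.9", "198.51.100.45"))
    print("bijective:", is_bijective(INSIDE, OUTSIDE))
```

With iptables the same thing is the NETMAP target in the nat table: one rule in POSTROUTING mapping 192.0.2.0/24 to 198.51.100.0/24 and one in PREROUTING for the reverse, instead of a SNAT and a DNAT rule per host. The comment in `inbound` is the security point worth keeping in mind: a prefix translator does not hide hosts the way a stateful, port-overloading NAT incidentally does, so the stateful filter still has to do the blocking.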

Re: IPv6 Hardware Firewall

<suhjch$h1j$1@tncsrv09.home.tnetconsulting.net>


https://www.novabbs.com/computers/article-flat.php?id=371&group=comp.os.linux.networking#371

From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Tue, 15 Feb 2022 18:18:24 -0700
Organization: TNet Consulting
Message-ID: <suhjch$h1j$1@tncsrv09.home.tnetconsulting.net>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<20220209230421@news.eternal-september.org> <su2kpj$1gb44$1@news1.tnib.de>
<9eoNJ.42368$%uX7.41616@fx38.iad> <20220211094118.25fc3210@ryz>
<suanni$gn6$1@dont-email.me> <20220213135148.0dc315e6@ryz>
<sugu35$ia2$1@tncsrv09.home.tnetconsulting.net> <20220215211807.08a73313@ryz>
In-Reply-To: <20220215211807.08a73313@ryz>
 by: Grant Taylor - Wed, 16 Feb 2022 01:18 UTC

On 2/15/22 1:18 PM, Marco Moock wrote:
> True, both are there and there are use cases where they are useful
> or not.

That can be said about any and all tools in the proverbial networking
tool box. ;-)

> I also have that situation at home, but it is very annoying.

What /specifically/ is annoying?

What doesn't function at all?

What doesn't function satisfactorily?

What do you want to change?

What would you change it to?

Why would you change it?

I'm genuinely asking in the spirit of discussion to understand and learn
from your viewpoint.

> I know, but the main problem already was and is still that Windows
> is running server software by default.

I think that "by default" is the most operative part of that statement.

It's entirely possible to configure Windows so that it's considerably
safer to have as a server. But it takes effort and is decidedly against
the default. One of the first things to do is to unbind Client for
Microsoft Networks and File & Printer Sharing from NICs. }:-)

> I know that, but I definitely don't rely on firewalling. I disable the
> cause of the security issue and I don't try to make it less vulnerable
> with a FW.

As well you should.

> I also don't rely on them for auth, but i use them as an additional
> criteria if possible.

Fair enough.

I think that IPSec AH and / or ESP is a LOT better for authentication
than IP. That being said, I only allow IPSec from known endpoints that
should be speaking it. No need to expose services to the world where
it's not needed.

> Yes, that is what I mean because that often creates problems.

ACK

> First, DNS uses caching and a computer that was outside may have the
> public IP in its cache (TTL not expired yet) and will not ask the
> name server again when coming to the internal net.

Understood.

I'd be curious to know what client device is retaining local stub
resolver cache when changing networks and therefore likely changing DNS
server configuration.

> Then a computer doesn't need to use the specific DNS to resolve the
> name. Maybe it is configured to use a specific DNS. Google Chrome
> and Firefox offer DNS over HTTPS and maybe use that instead of the
> DNS the computer gets via IPv6-RA/DHCP.

Don't get me started on the over zealous use of DoH. There are MANY
aspects of enterprise networks which break when things naively assume
that an outside the enterprise DNS server can provide the same DNS service.

> Full ack, it is really annoying that I still need to have IPv4
> connectivity, especially when self-hosting my servers I need to access
> from IPv4-only nets.

Sadly, I think we're going to be in the current state for one to three
decades.

--
Grant. . . .
unix || die

Re: IPv6 Hardware Firewall

<suhler$ege$1@dont-email.me>


https://www.novabbs.com/computers/article-flat.php?id=372&group=comp.os.linux.networking#372

From: ema...@example.com (meff)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Wed, 16 Feb 2022 01:53:31 -0000 (UTC)
Organization: That of fools
Message-ID: <suhler$ege$1@dont-email.me>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<20220209230421@news.eternal-september.org> <su2kpj$1gb44$1@news1.tnib.de>
<9eoNJ.42368$%uX7.41616@fx38.iad> <20220211094118.25fc3210@ryz>
<suanni$gn6$1@dont-email.me> <20220213135148.0dc315e6@ryz>
<sugu35$ia2$1@tncsrv09.home.tnetconsulting.net>
<20220215211807.08a73313@ryz>
 by: meff - Wed, 16 Feb 2022 01:53 UTC

On 2022-02-15, Marco Moock <mo01@posteo.de> wrote:
> I know, but the main problem already was and is still that Windows is
> running server software by default.

I'm sympathetic to your anger at NAT, but I think it's unrealistic in
this day and age to expect people to have _full control_ of their
local network. Some folks live with someone else (relatives, parent,
shared housing) who controls their network, other times you have
guests who join your network who are running things you have no
control over. When I was a kid hacking around, I was running all sorts
of insecure garbage (and writing insecure code (though that was a
different time)) on my machine.

You could try to partition your network into a "guest" subnet and a
"home" subnet and place a stateful firewall in front of the guest
subnet, but very few consumer router/AP combos offer a user-friendly
way to make this separation. (Happy to be proven wrong on this point.)

Re: IPv6 Hardware Firewall

<suhup6$h4d$1@gioia.aioe.org>


https://www.novabbs.com/computers/article-flat.php?id=373&group=comp.os.linux.networking#373

From: jeff.g.g...@att.net (jrg)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Tue, 15 Feb 2022 20:32:36 -0800
Organization: Aioe.org NNTP Server
Message-ID: <suhup6$h4d$1@gioia.aioe.org>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<su1nsm$43a$2@tncsrv09.home.tnetconsulting.net>
<su2kma$1gat9$1@news1.tnib.de>
<su3jso$7qe$2@tncsrv09.home.tnetconsulting.net> <slrnt0ap4h.5ru.dan@djph.net>
<su3pvb$3r2$1@tncsrv09.home.tnetconsulting.net> <slrnt0au84.5ru.dan@djph.net>
<su3unv$th6$1@tncsrv09.home.tnetconsulting.net> <su5nuu$47ba$1@news1.tnib.de>
<20220211143446.4134c032@ryz> <su6a98$mbm$1@tncsrv09.home.tnetconsulting.net>
<su7vtg$82te$1@news1.tnib.de> <su9qqh$qgt$1@tncsrv09.home.tnetconsulting.net>
<20220213075525.7aeae1b0@ryz> <slrnt0hlja.2fqr.BitTwister@wb.home.test>
<subv65$uv8$1@gioia.aioe.org> <slrnt0j76b.b6nt.BitTwister@wb.home.test>
<sugn0i$1ds8$1@gioia.aioe.org> <slrnt0np5f.uchg.BitTwister@wb.home.test>
 by: jrg - Wed, 16 Feb 2022 04:32 UTC

On 2/15/22 09:36, Bit Twister wrote:

> Other options of getting your Internet ip address.

<snip>

ifconfig is fine for me, thanks

Re: IPv6 Hardware Firewall

<op.1hn1wee4a3w0dxdave@hodgins.homeip.net>


https://www.novabbs.com/computers/article-flat.php?id=374&group=comp.os.linux.networking#374

From: dwhodg...@nomail.afraid.org (David W. Hodgins)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Tue, 15 Feb 2022 23:39:40 -0500
Organization: A noiseless patient Spider
Message-ID: <op.1hn1wee4a3w0dxdave@hodgins.homeip.net>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<su1nsm$43a$2@tncsrv09.home.tnetconsulting.net> <su2kma$1gat9$1@news1.tnib.de>
<su3jso$7qe$2@tncsrv09.home.tnetconsulting.net> <slrnt0ap4h.5ru.dan@djph.net>
<su3pvb$3r2$1@tncsrv09.home.tnetconsulting.net> <slrnt0au84.5ru.dan@djph.net>
<su3unv$th6$1@tncsrv09.home.tnetconsulting.net> <su5nuu$47ba$1@news1.tnib.de>
<20220211143446.4134c032@ryz> <su6a98$mbm$1@tncsrv09.home.tnetconsulting.net>
<su7vtg$82te$1@news1.tnib.de> <su9qqh$qgt$1@tncsrv09.home.tnetconsulting.net>
<20220213075525.7aeae1b0@ryz> <slrnt0hlja.2fqr.BitTwister@wb.home.test>
<subv65$uv8$1@gioia.aioe.org> <slrnt0j76b.b6nt.BitTwister@wb.home.test>
<sugn0i$1ds8$1@gioia.aioe.org> <slrnt0np5f.uchg.BitTwister@wb.home.test>
<suhup6$h4d$1@gioia.aioe.org>
 by: David W. Hodgins - Wed, 16 Feb 2022 04:39 UTC

On Tue, 15 Feb 2022 23:32:36 -0500, jrg <jeff.g.group@att.net> wrote:
> On 2/15/22 09:36, Bit Twister wrote:
>> Other options of getting your Internet ip address.
> ifconfig is fine for me, thanks

For IPv6, yes, but for IPv4 it's the LAN address, unless you only have one
computer, directly connected to the modem.

Regards, Dave Hodgins
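
The point Dave Hodgins makes above (ifconfig shows your Internet address for IPv6, but for IPv4 behind a NAT router it shows only the LAN address) as an added example, not code from the thread or from any poster. It parses ifconfig-style output and classifies each address, so the script can say which addresses the outside world could actually reach. The ifconfig text is constructed to look like Linux net-tools output; the interface names and addresses are made up from documentation, private and shared ranges, not taken from a real host.

```python
"""Which address from ifconfig is 'my Internet address'? Added example
for this thread, not code posted in it. The ifconfig text is constructed
to resemble Linux net-tools output; it is not from a real host, and the
interface and address values are made up (documentation/private ranges)."""
import re
from ipaddress import ip_address, ip_network

SAMPLE_IFCONFIG = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.10  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::1a2b:3c4d:5e6f:7a8b  prefixlen 64  scopeid 0x20<link>
        inet6 2001:db8:1234:5678::10  prefixlen 64  scopeid 0x0<global>
        inet6 fd12:3456:789a::10  prefixlen 64  scopeid 0x0<global>
wwan0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 100.64.12.34  netmask 255.255.255.255  destination 100.64.12.34
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
"""

# One 'inet ADDR' or 'inet6 ADDR' line per configured address.
ADDR_RE = re.compile(r"^\s*inet6?\s+([0-9a-fA-F:.]+)", re.MULTILINE)
CGNAT = ip_network("100.64.0.0/10")   # RFC 6598 shared space: carrier NAT upstream
ULA = ip_network("fc00::/7")          # RFC 4193 unique local: not routed globally


def parse_addresses(text: str) -> list:
    """Pull every IPv4/IPv6 address out of ifconfig-style output."""
    return [m.group(1) for m in ADDR_RE.finditer(text)]


def classify(addr_text: str) -> str:
    """Say whether an interface address can be the address the Internet
    sees. The checks are explicit rather than relying on is_global(),
    whose answer for documentation ranges varies between Python versions."""
    a = ip_address(addr_text)
    if a.is_loopback:
        return "loopback"
    if a.is_link_local:
        return "link-local"
    if a.version == 4:
        if a.is_private or a in CGNAT:
            # RFC 1918 or shared space: a NAT sits between this host and the
            # Internet, so the public address must be learned from outside.
            return "private (behind NAT)"
        return "global"
    if a in ULA:
        return "ULA (site-only)"
    return "global"


def internet_candidates(text: str) -> list:
    """Addresses the outside world could reach directly, i.e. the ones for
    which ifconfig really does tell you your Internet address."""
    return [a for a in parse_addresses(text) if classify(a) == "global"]


if __name__ == "__main__":
    for a in parse_addresses(SAMPLE_IFCONFIG):
        print("%-28s %s" % (a, classify(a)))
    print("reachable from outside:", internet_candidates(SAMPLE_IFCONFIG))
```

On the constructed output only the IPv6 GUA survives the filter: the IPv4 addresses are RFC 1918 or carrier-grade NAT space, so for IPv4 the host has to ask something outside the NAT what address it appears as.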

Re: IPv6 Hardware Firewall

<suicj1$qcj7$1@news1.tnib.de>


https://www.novabbs.com/computers/article-flat.php?id=375&group=comp.os.linux.networking#375

From: mh+usene...@zugschl.us (Marc Haber)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Wed, 16 Feb 2022 09:28:17 +0100
Organization: private site, see http://www.zugschlus.de/ for details
Message-ID: <suicj1$qcj7$1@news1.tnib.de>
References: <su2kma$1gat9$1@news1.tnib.de> <su3jso$7qe$2@tncsrv09.home.tnetconsulting.net> <slrnt0ap4h.5ru.dan@djph.net> <su3pvb$3r2$1@tncsrv09.home.tnetconsulting.net> <slrnt0au84.5ru.dan@djph.net> <su3unv$th6$1@tncsrv09.home.tnetconsulting.net> <su5nuu$47ba$1@news1.tnib.de> <su69tq$haj$2@tncsrv09.home.tnetconsulting.net> <su800s$82u7$1@news1.tnib.de> <su9r2e$au4$1@tncsrv09.home.tnetconsulting.net> <suav9e$d7k7$1@news1.tnib.de> <sugsr5$rmf$1@tncsrv09.home.tnetconsulting.net>
 by: Marc Haber - Wed, 16 Feb 2022 08:28 UTC

Grant Taylor <gtaylor@tnetconsulting.net> wrote:
>On 2/13/22 5:58 AM, Marc Haber wrote:
>> You're fantasizing.
>
>No I'm not.
>
>I've worked on many servers that have (at least) the following per
>interface:
>
> - link-local
> - old GUA
> - current GUA
> - new GUA
>
>With at least three interfaces. 3 x 4 = 12
>
>That all assumes a single IPv6 address per prefix. Many systems that
>I've worked on have had multiple IPv6 addresses per prefix as part of
>how they offer services:
>
> - management IP
> - web service VIP
> - mail service VIP

All those would also apply for IPv4, are thus not a liability of IPv6.

--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mail address in header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: IPv6 Hardware Firewall

<suickf$qcjn$1@news1.tnib.de>


https://www.novabbs.com/computers/article-flat.php?id=376&group=comp.os.linux.networking#376

From: mh+usene...@zugschl.us (Marc Haber)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Wed, 16 Feb 2022 09:29:03 +0100
Organization: private site, see http://www.zugschlus.de/ for details
Message-ID: <suickf$qcjn$1@news1.tnib.de>
 by: Marc Haber - Wed, 16 Feb 2022 08:29 UTC

Grant Taylor <gtaylor@tnetconsulting.net> wrote:
>On 2/13/22 6:05 AM, Marco Moock wrote:
>> site-local is deprecated since years.
>
>Agreed.
>
>Though I still think there are uses for it. E.g. the local SMTP relay
>server at this site. Road warriors don't need to reconfigure anything
>as they go office to office.

That's what sane networks have DNS for.

That being said, I like using the well-defined addresses for DNS
servers that sadly never made it into a formal standard.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: IPv6 Hardware Firewall

<slrnt0phfq.idl.dan@djph.net>

https://www.novabbs.com/computers/article-flat.php?id=377&group=comp.os.linux.networking#377

From: dan...@djph.net (Dan Purgert)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Wed, 16 Feb 2022 09:37:18 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 40
Message-ID: <slrnt0phfq.idl.dan@djph.net>
 by: Dan Purgert - Wed, 16 Feb 2022 09:37 UTC

meff wrote:
> [...]
> You could try to partition your network into a "guest" subnet and a
> "home" subnet and place a stateful firewall in front of the guest
> subnet, but very few consumer router/AP combos offer a user-friendly
> way to make this separation. (Happy to be proven wrong on this point.)

Even the $50 TPLink stuff can do a guest WiFi network, such as the
Archer A7.

Should take you right to chapter 8.1 "Create a guest network".

https://static.tp-link.com/2021/202103/20210325/1910012976_Archer%20C7&A7_UG_REV5.2.0.pdf#page=40

--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860

Re: IPv6 Hardware Firewall

<suip2k$87a$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=378&group=comp.os.linux.networking#378

From: david.br...@hesbynett.no (David Brown)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Wed, 16 Feb 2022 13:01:23 +0100
Organization: A noiseless patient Spider
Lines: 127
Message-ID: <suip2k$87a$1@dont-email.me>
 by: David Brown - Wed, 16 Feb 2022 12:01 UTC

On 15/02/2022 21:18, Marco Moock wrote:
> On Tuesday, 15 February 2022, at 12:15:00, Grant Taylor wrote:
>
>> On 2/13/22 5:51 AM, Marco Moock wrote:
>
>>> Then they can operate an SPI firewall. Windows has one enabled by
>>> default, most home routers have one enabled.
>>
>> I think that it's important to keep time & context in mind. Windows
>> has an SPI firewall enabled by default /now/. It did not 20 years
>> ago.
>
> I know, but the main problem already was and is still that Windows is
> running server software by default.

Does it matter if all security problems are from Windows? Windows is
very common on desktops, laptops, and even servers. You don't have to
like it, but you have to deal with it.

In reality, all OS's have flaws, and many modern Linux distributions
have ports open in their default installation. Then come the users, who
might do any kind of misconfiguration or run software that has bugs in
it. Windows has more than its fair share of security issues,
historically even more so, but only a fool thinks other systems are "safe".

>
>>> If you have a good operating system, no server software runs on the
>>> public addresses. Then there is also no problem at all without NAT
>>> or an SPI fw.
>>
>> I will not bet my security on "good operating system" nor "no server
>> software runs on the public address" /alone/. Does "belt and
>> suspenders" or "layers of security" mean anything?
>
> I know that, but I definitely don't rely on firewalling. I disable the
> cause of the security issue and I don't try to make it less vulnerable
> with a FW.
>

Does anyone other than /you/ use the networks you set up and run? Do
you have anything on the networks other than *nix machines that you have
personally configured and checked? What about phones? Printers at the
office? Apple TV and smart power meter on the home network? Are you
/sure/ that none of these have flaws?

Unless you are absolutely sure that you have full control over /all/
systems on a network, and their users, then you /do/ rely on firewalling.

Of course it is a good idea to deal with causes of security issues
wherever you can - belts and suspenders. But you can't fix everything
on all devices on most networks, so you make a bottleneck at the
firewall where you /do/ have control. (And even there, you don't
tighten too much - or you find your users are evading your firewall by
using mobile phones as wifi hotspots.)

Perhaps you run networks dedicated solely to servers of various sorts,
and you /do/ have tight control over what is run, and it's safe to have
them "directly" attached to the internet. But most networks are not
like that.

>> Also, trusting the IP address alone is insufficient. IPs used to be
>> far more dynamic than they are today. Thus you couldn't rely on them
>> for identification in the vast majority of situations.
>
> I also don't rely on them for auth, but i use them as an additional
> criteria if possible.
>
>>> NAT first creates a flexibility and then you see how bad it is.
>>> Think about DNS with servers that have private addresses and should
>>> have a host name. You then need NAT hairpinning and other nasty
>>> stuff.
>>
>> I guess setting up an internal zone to resolve the name to the LAN IP
>> is "other nasty stuff".

I have that. Names for various servers resolve via the local DNS server
to local IP's inside the network, or public IP's from public DNS
servers. Access via the public IP's is more limited, tighter firewalls,
etc. It works simply and smoothly, with everything behind NAT, and the
normal users have no issues. The only person for whom it causes
complications is /me/, because I have a more complicated setup and need
to test things from different directions - but editing /etc/hosts is not
hard.

>
> Yes, that is what I mean because that often creates problems.
> First, DNS uses caching and a computer that was outside may have the
> public IP in its cache (TTL not expired yet) and will not ask the name
> server again when coming to the internal net.

Short TTL's work fine in such cases. I have never heard of this being a
problem in practice.

> Then a computer doesn't need to use the specific DNS to resolve the
> name. Maybe it is configured to use a specific DNS. Google Chrome and
> Firefox offer DNS over HTTPS and maybe use that instead of the DNS the
> computer gets via IPv6-RA/DHCP.
>

Computers should get their DNS via DHCP unless you have very specific
reasons for picking something different. Normal users don't get to faff
around with their DNS settings any more than they get to choose their
own IP address.

>>> The main problem of that is that Windows has enabled server
>>> software like NetBIOS over IP and SMB. This is the problem and
>>> NAT/SPI should now solve the biggest security problem that MS was
>>> able to create? Personally, I don't care anymore about windows
>>> machines because they are insecure by design.
>>>
>>> Then do it if you like a really bad network infrastructure. What I
>>> wanna is that I can switch off IPv4 at all at my side without
>>> having problems to connect to other's servers.
>>
>> Currently (2022) you will have better connectivity with IPv4+IPv6
>> with NAT than you will with IPv6 only. Sadly, the Internet isn't
>> even close to parity between IPv4 and IPv6 from a service
>> availability standpoint.
>
> Full ack, it is really annoying that I still need to have IPv4
> connectivity, especially when self-hosting my servers I need to access
> from IPv4-only nets.
>

I like IPv4 - addresses are easier to remember than IPv6.

Re: IPv6 Hardware Firewall

<20220216162433.505a8d4a@ryz>

https://www.novabbs.com/computers/article-flat.php?id=379&group=comp.os.linux.networking#379

From: mo0...@posteo.de (Marco Moock)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Wed, 16 Feb 2022 16:24:33 +0100
Organization: A noiseless patient Spider
Lines: 74
Message-ID: <20220216162433.505a8d4a@ryz>
 by: Marco Moock - Wed, 16 Feb 2022 15:24 UTC

On Tuesday, 15 February 2022, at 18:18:24, Grant Taylor wrote:

> On 2/15/22 1:18 PM, Marco Moock wrote:
> > I also have that situation at home, but it is very annoying.
>
> What /specifically/ is annoying?

That I need a special application gateway (that does NAT in the
background) on my Cisco router to make SIP/RTSP work.

> What doesn't function at all?

If I don't have such a special NAT "gateway" I wouldn't be able to be
called from others via IPv4.

> What do you want to change?

Getting rid of NAT here to get rid of that gateway. With IPv6 I don't
need that and it is a much easier configuration.
Easier for me means more reliable because fewer things can get broken.

> > I know, but the main problem already was and is still that Windows
> > is running server software by default.
>
> I think that "by default" is the most operative part of that
> statement.
>
> It's entirely possible to configure Windows so that it's considerably
> safer to have as a server. But it takes effort and is decidedly
> against the default. One of the first things to do is to unbind
> Client for Microsoft Networks and File & Printer Sharing from NICs.

Full ack, that's what I do at work when I have a Windows computer for
specific applications.

> > First, DNS uses caching and a computer that was outside may have the
> > public IP in its cache (TTL not expired yet) and will not ask the
> > name server again when coming to the internal net.
>
> Understood.
>
> I'd be curious to know what client device is retaining local stub
> resolver cache when changing networks and therefore likely changing
> DNS server configuration.

I assume systemd-resolved does; I have already experienced that with it.
The reason for that is that DNS for globally resolved domains is
intended to be equal regardless of which resolver you ask. For the
caches, I see no reason to clear the cache when the network comes
up/down.

> > Then a computer doesn't need to use the specific DNS to resolve the
> > name. Maybe it is configured to use a specific DNS. Google Chrome
> > and Firefox offer DNS over HTTPS and maybe use that instead of the
> > DNS the computer gets via IPv6-RA/DHCP.
>
> Don't get me started on the overzealous use of DoH. There are MANY
> aspects of enterprise networks which break when things naively assume
> that an outside the enterprise DNS server can provide the same DNS
> service.

Completely agree, but if you have just one computer that isn't
administered by the company you need to emanate that some users don't
use your local resolver.

> > Full ack, it is really annoying that I still need to have IPv4
> > connectivity, especially when self-hosting my servers I need to
> > access from IPv4-only nets.
>
> Sadly, I think we're going to be in the current state for one to
> three decades.

Maybe yes, but there is hope over the horizon, some big tech companies
implement IPv6 and I just wait until they say "we switch off IPv4 in
one year" or "websites without IPv6 connectivity will be unlisted from
Google".

Re: IPv6 Hardware Firewall

<20220216162643.14b162e1@ryz>

https://www.novabbs.com/computers/article-flat.php?id=380&group=comp.os.linux.networking#380

From: mo0...@posteo.de (Marco Moock)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Wed, 16 Feb 2022 16:26:43 +0100
Organization: A noiseless patient Spider
Lines: 13
Message-ID: <20220216162643.14b162e1@ryz>
 by: Marco Moock - Wed, 16 Feb 2022 15:26 UTC

On Wednesday, 16 February 2022, at 01:53:31, meff wrote:

> You could try to partition your network into a "guest" subnet and a
> "home" subnet and place a stateful firewall in front of the guest
> subnet, but very few consumer router/AP combos offer a user-friendly
> way to make this separation. (Happy to be proven wrong on this point.)

The main problem here is that most people don't care about their
network. Additionally, many ISPs only offer /64 prefixes and it is a
PITA to subnet them into two /65s because you then need DHCPv6 to
address your devices. The additional work isn't worth the goal here for
most people.

Re: IPv6 Hardware Firewall

<slrnt0qaop.idl.dan@djph.net>

https://www.novabbs.com/computers/article-flat.php?id=381&group=comp.os.linux.networking#381

From: dan...@djph.net (Dan Purgert)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Wed, 16 Feb 2022 16:48:45 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 42
Message-ID: <slrnt0qaop.idl.dan@djph.net>
 by: Dan Purgert - Wed, 16 Feb 2022 16:48 UTC

Marco Moock wrote:
> On Wednesday, 16 February 2022, at 01:53:31, meff wrote:
>
>> You could try to partition your network into a "guest" subnet and a
>> "home" subnet and place a stateful firewall in front of the guest
>> subnet, but very few consumer router/AP combos offer a user-friendly
>> way to make this separation. (Happy to be proven wrong on this point.)
>
> The main problem here is that most people don't care about their
> network. Additionally, many ISPs only offer /64 prefixes and it is a
> PITA to subnet them to 2 /65 because you then need DHCPv6 to address
> your devices. The additional work isn't worth the goal here for most
> people.

Last time I had a "whole home gateway" from the ISP, it'd give a
completely separate /64 to the "Guest WiFi" (if v6 was enabled on it).

--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860

Re: IPv6 Hardware Firewall

<20220216191210.24dbafce@ryz>

https://www.novabbs.com/computers/article-flat.php?id=382&group=comp.os.linux.networking#382

From: mo0...@posteo.de (Marco Moock)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Wed, 16 Feb 2022 19:12:10 +0100
Organization: A noiseless patient Spider
Lines: 84
Message-ID: <20220216191210.24dbafce@ryz>
 by: Marco Moock - Wed, 16 Feb 2022 18:12 UTC

On Wednesday, 16 February 2022, at 13:01:23, David Brown wrote:

> On 15/02/2022 21:18, Marco Moock wrote:
> > On Tuesday, 15 February 2022, at 12:15:00, Grant Taylor wrote:
> >
> >> On 2/13/22 5:51 AM, Marco Moock wrote:
> >
> >>> Then they can operate an SPI firewall. Windows has one enabled by
> >>> default, most home routers have one enabled.
> >>
> >> I think that it's important to keep time & context in mind.
> >> Windows has an SPI firewall enabled by default /now/. It did not
> >> 20 years ago.
> >
> > I know, but the main problem already was and is still that Windows
> > is running server software by default.
>
> Does it matter if all security problems are from Windows? Windows is
> very common on desktops, laptops, and even servers. You don't have to
> like it, but you have to deal with it.

That's what I do.
I tell everybody running Windows about that and offer to configure
their system so that these services are turned off.

> In reality, all OS's have flaws, and many modern Linux distributions
> have ports open in their default installation. Then come the users,
> who might do any kind of misconfiguration or run software that has
> bugs in it. Windows has more than its fair share of security issues,
> historically even more so, but only a fool thinks other systems are
> "safe".

I know, I mostly use Ubuntu and it has mDNS (Avahi) by default. That is
the first thing I uninstall, although it only affects the link-local
area.

> Does anyone other than /you/ use the networks you set up and run? Do
> you have anything on the networks other than *nix machines that you
> have personally configured and checked? What about phones? Printers
> at the office? Apple TV and smart power meter on the home network?
> Are you /sure/ that none of these have flaws?

My family uses the home network. They are aware that IPv6 isn't
firewalled; IPv4 uses NAT, so they are SPI-firewalled whether they
want it or not.

> Unless you are absolutely sure that you have full control over /all/
> systems on a network, and their users, then you /do/ rely on
> firewalling.

I often check the computers with nmap. For me that is enough,
especially because finding IPv6 computers with EUI64 addresses outside
of the local link is a very slow process unless they connect to you.

> > Yes, that is what I mean because that often creates problems.
> > First, DNS uses caching and a computer that was outside may have the
> > public IP in its cache (TTL not expired yet) and will not ask the
> > name server again when coming to the internal net.
>
> Short TTL's work fine in such cases. I have never heard of this
> being a problem in practice.

I already experienced it. Short TTLs create more DNS traffic. I see no
reason for that if it is possible to avoid it.

> Computers should get their DNS via DHCP unless you have very specific
> reasons for picking something different. Normal users don't get to
> faff around with their DNS settings any more than they get to choose
> their own IP address.

I experienced that many users configure their own DNS because they
think it is "better" in any way. I also know locations (my school) that
practise DNS spoofing. This causes people to implement DNSoTLS to get
around that restriction.

> I like IPv4 - addresses are easier to remember than IPv6.

I know, but if you only need link-local connectivity you can give them
specific link-local addresses. I do that with my router (fe80::1).
If you need routable addresses you can use ULA without randomizing bits
8 to 48, but only do that if you are 100% sure you will never want to
connect your link with anybody else's link.
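The ULA and link-local advice in the post above, as an added Python example that is not code from the thread: it derives an RFC 4193 ULA prefix so that bits 8 to 48 really are random, flags a ULA whose global ID was left at zero (the collision case the post warns about), and, for the nmap/EUI-64 remark earlier in the same post, lists which of a host's own addresses carry a MAC-derived interface identifier. The EUI-64, NTP timestamp and address list are constructed inputs.

```python
# Added example, not code from the thread: build an RFC 4193 ULA prefix,
# flag a ULA whose global ID was not randomized, and list which of a host's
# addresses expose a MAC address through a modified-EUI-64 interface ID.
import hashlib
import ipaddress
from typing import List, Optional, Tuple


def rfc4193_global_id(eui64: bytes, ntp_time: int) -> bytes:
    """RFC 4193 section 3.2.2: SHA-1 over (64-bit NTP time || EUI-64), keep
    the least significant 40 bits.  Both inputs are supplied by the caller."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    digest = hashlib.sha1(ntp_time.to_bytes(8, "big") + eui64).digest()
    return digest[-5:]


def make_ula_prefix(global_id: bytes, subnet_id: int = 0) -> ipaddress.IPv6Network:
    """fd00::/8 | 40-bit global ID | 16-bit subnet ID, giving a /64 for SLAAC."""
    if len(global_id) != 5 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("global ID is 40 bits, subnet ID is 16 bits")
    value = (0xFD << 120) | (int.from_bytes(global_id, "big") << 80) | (subnet_id << 64)
    return ipaddress.IPv6Network((value, 64))


def ula_is_randomized(net: ipaddress.IPv6Network) -> bool:
    """False for hand-picked prefixes such as fd00::/64 (global ID all zero);
    those are the ones that collide when two such sites are ever joined."""
    value = int(net.network_address)
    if (value >> 120) != 0xFD:
        raise ValueError("not a locally assigned ULA (fd00::/8)")
    return ((value >> 80) & ((1 << 40) - 1)) != 0


def eui64_mac(addr: ipaddress.IPv6Address) -> Optional[str]:
    """MAC behind a modified-EUI-64 interface identifier, or None when the IID
    lacks the ff:fe marker (privacy, static or DHCPv6 addresses)."""
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo the u/l bit flip
    return ":".join(f"{b:02x}" for b in mac)


def mac_exposing_addresses(addrs: List[str]) -> List[Tuple[str, str]]:
    """(address, MAC) for every address whose IID is derived from a MAC."""
    found = []
    for text in addrs:
        mac = eui64_mac(ipaddress.IPv6Address(text))
        if mac is not None:
            found.append((text, mac))
    return found


if __name__ == "__main__":
    # Constructed inputs: a made-up EUI-64 and NTP timestamp, and a host's address list.
    gid = rfc4193_global_id(bytes.fromhex("021122fffe334455"), 0xE5F1_0000_0000_0000)
    print("ULA for subnet 1:", make_ula_prefix(gid, 1))
    print("fd00::/64 randomized?", ula_is_randomized(make_ula_prefix(b"\x00" * 5)))
    host = ["fe80::211:22ff:fe33:4455", "2001:db8:ab00::211:22ff:fe33:4455",
            "2001:db8:ab00::1234:5678:9abc:def0", "fe80::1"]
    for addr, mac in mac_exposing_addresses(host):
        print(f"{addr} exposes MAC {mac}")
```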

Re: IPv6 Hardware Firewall

<20220216191307.0fd4d19e@ryz>

https://www.novabbs.com/computers/article-flat.php?id=383&group=comp.os.linux.networking#383

From: mo0...@posteo.de (Marco Moock)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Wed, 16 Feb 2022 19:13:07 +0100
Organization: A noiseless patient Spider
Lines: 8
Message-ID: <20220216191307.0fd4d19e@ryz>
 by: Marco Moock - Wed, 16 Feb 2022 18:13 UTC

On Wednesday, 16 February 2022, at 16:48:45, Dan Purgert wrote:

> Last time I had a "whole home gateway" from the ISP, it'd give a
> completely separate /64 to the "Guest WiFi" (if v6 was enabled on it).

That is the best practice, but sometimes not possible because the
customer only gets a /64 at all.

Re: IPv6 Hardware Firewall

<slrnt0qjbl.idl.dan@djph.net>

https://www.novabbs.com/computers/article-flat.php?id=384&group=comp.os.linux.networking#384

From: dan...@djph.net (Dan Purgert)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Wed, 16 Feb 2022 19:15:20 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 43
Message-ID: <slrnt0qjbl.idl.dan@djph.net>
 by: Dan Purgert - Wed, 16 Feb 2022 19:15 UTC

Marco Moock wrote:
> On Wednesday, 16 February 2022, at 16:48:45, Dan Purgert wrote:
>
>> Last time I had a "whole home gateway" from the ISP, it'd give a
>> completely separate /64 to the "Guest WiFi" (if v6 was enabled on it).
>
> That is the best practice, but sometimes not possible because the
> customer only gets /64 at all.

Yes, the "customer" network only got one /64.

If you enabled the "guest WiFi" on the device (again, supplied by the
ISP), it got a completely separate /64.

They finally allowed a modem-only option, so said ISP-supplied gateway
has been returned & I'm using my own router, which can request a /56 or
something like that.

--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860

Re: IPv6 Hardware Firewall

<sujki0$omp$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=385&group=comp.os.linux.networking#385

From: ema...@example.com (meff)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Wed, 16 Feb 2022 19:50:24 -0000 (UTC)
Organization: That of fools
Lines: 5
Message-ID: <sujki0$omp$1@dont-email.me>
 by: meff - Wed, 16 Feb 2022 19:50 UTC

On 2022-02-16, Dan Purgert <dan@djph.net> wrote:
> Even the $50 TPLink stuff can do a guest WiFi network, such as the
> Archer A7.

Sorry, I'm specifically referring to IPv6 subnetting here.

Re: IPv6 Hardware Firewall

<sujkt1$sg9c$1@news1.tnib.de>

https://www.novabbs.com/computers/article-flat.php?id=386&group=comp.os.linux.networking#386

From: mh+usene...@zugschl.us (Marc Haber)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Wed, 16 Feb 2022 20:56:17 +0100
Organization: private site, see http://www.zugschlus.de/ for details
Message-ID: <sujkt1$sg9c$1@news1.tnib.de>
References: <VLKMJ.19775$iK66.8601@fx46.iad> <20220209230421@news.eternal-september.org> <su2kpj$1gb44$1@news1.tnib.de> <9eoNJ.42368$%uX7.41616@fx38.iad> <20220211094118.25fc3210@ryz> <suanni$gn6$1@dont-email.me> <20220213135148.0dc315e6@ryz> <sugu35$ia2$1@tncsrv09.home.tnetconsulting.net> <20220215211807.08a73313@ryz> <suhler$ege$1@dont-email.me> <20220216162643.14b162e1@ryz> <slrnt0qaop.idl.dan@djph.net> <20220216191307.0fd4d19e@ryz>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Injection-Date: Wed, 16 Feb 2022 19:56:17 -0000 (UTC)
Injection-Info: news1.tnib.de; posting-host="torres.zugschlus.de:85.214.160.151";
logging-data="934188"; mail-complaints-to="abuse@tnib.de"
X-Newsreader: Forte Agent 6.00/32.1186
 by: Marc Haber - Wed, 16 Feb 2022 19:56 UTC

Marco Moock <mo01@posteo.de> wrote:
>On Wednesday, 16 February 2022, at 16:48:45, Dan Purgert wrote:
>
>> Last time I had a "whole home gateway" from the ISP, it'd give a
>> completely separate /64 to the "Guest WiFi" (if v6 was enabled on it).
>
>That is the best practice, but sometimes not possible because the
>customer only gets /64 at all.

Thankfully, three VERY big residential ISPs in Germany (Deutsche
Telekom, O2, 1&1) assign a /56 and offer prefix delegation to support
nearly arbitrary subnetting¹ on the customer site.

Greetings
Marc

¹ there are no subnets in IPv6, but you get the idea
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mail address in the header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
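As an added illustration of the prefix-delegation point above (example code, not from anyone in the thread): carving a delegated /56 into per-network /64s, as the "separate /64 for guest WiFi" setup discussed earlier requires, and a zone-based forwarding policy of the kind an IPv6 firewall between those networks has to apply. The 2001:db8:abcd:100::/56 prefix, the zone names and the policy are constructed assumptions.

```python
import ipaddress

# Constructed example: a delegated /56 from the documentation range.
DELEGATED_PREFIX = ipaddress.IPv6Network("2001:db8:abcd:100::/56")

# Hypothetical customer-side networks; each gets its own /64.
ZONES = ["lan", "guest", "iot"]


def subnet_count(prefix, zone_len=64):
    """Number of /zone_len networks a delegated prefix can hold (256 for a /56)."""
    return 2 ** (zone_len - prefix.prefixlen)


def carve_zones(prefix, zone_names, zone_len=64):
    """Assign the first /zone_len network of the prefix to each zone name, in order."""
    available = prefix.subnets(new_prefix=zone_len)
    return {name: next(available) for name in zone_names}


def zone_of(addr, zones, site=DELEGATED_PREFIX):
    """Return the zone whose /64 holds addr, or None for addresses outside the site."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in site:
        return None
    for name, net in zones.items():
        if ip in net:
            return name
    return None  # inside the delegated prefix but in an unassigned /64


def forward_allowed(src, dst, zones):
    """Stateless forwarding decision between zones (constructed policy).

    - lan may reach every zone and the Internet;
    - guest and iot may only reach the Internet, never lan or each other;
    - unsolicited traffic from outside the site is dropped (return traffic
      for established flows is a matter for connection tracking, not this).
    """
    src_zone, dst_zone = zone_of(src, zones), zone_of(dst, zones)
    if src_zone is None:
        return False
    if dst_zone is None:
        return True
    return src_zone == "lan"
```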

Re: IPv6 Hardware Firewall

<sujlc7$eh$1@tncsrv09.home.tnetconsulting.net>


https://www.novabbs.com/computers/article-flat.php?id=387&group=comp.os.linux.networking#387

Newsgroups: comp.os.linux.networking
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Wed, 16 Feb 2022 13:04:38 -0700
Organization: TNet Consulting
Message-ID: <sujlc7$eh$1@tncsrv09.home.tnetconsulting.net>
References: <su2kma$1gat9$1@news1.tnib.de>
<su3jso$7qe$2@tncsrv09.home.tnetconsulting.net> <slrnt0ap4h.5ru.dan@djph.net>
<su3pvb$3r2$1@tncsrv09.home.tnetconsulting.net> <slrnt0au84.5ru.dan@djph.net>
<su3unv$th6$1@tncsrv09.home.tnetconsulting.net> <su5nuu$47ba$1@news1.tnib.de>
<su69tq$haj$2@tncsrv09.home.tnetconsulting.net> <su800s$82u7$1@news1.tnib.de>
<su9r2e$au4$1@tncsrv09.home.tnetconsulting.net> <suav9e$d7k7$1@news1.tnib.de>
<sugsr5$rmf$1@tncsrv09.home.tnetconsulting.net> <suicj1$qcj7$1@news1.tnib.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Wed, 16 Feb 2022 20:04:23 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="465"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <suicj1$qcj7$1@news1.tnib.de>
Content-Language: en-US
 by: Grant Taylor - Wed, 16 Feb 2022 20:04 UTC

On 2/16/22 1:28 AM, Marc Haber wrote:
> All those would also apply for IPv4, are thus not a liability of IPv6.

Not quite.

IPv4 doesn't /require/ the use of a link-local address. IPv6 does.

IPv4 would likely not have the old, current, and new IPv4 address all at
the same time.

--
Grant. . . .
unix || die

Re: IPv6 Hardware Firewall

<sujlk2$qqe$1@tncsrv09.home.tnetconsulting.net>


https://www.novabbs.com/computers/article-flat.php?id=388&group=comp.os.linux.networking#388

Newsgroups: comp.os.linux.networking
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Wed, 16 Feb 2022 13:08:48 -0700
Organization: TNet Consulting
Message-ID: <sujlk2$qqe$1@tncsrv09.home.tnetconsulting.net>
References: <su2kma$1gat9$1@news1.tnib.de>
<su3jso$7qe$2@tncsrv09.home.tnetconsulting.net> <slrnt0ap4h.5ru.dan@djph.net>
<su3pvb$3r2$1@tncsrv09.home.tnetconsulting.net> <slrnt0au84.5ru.dan@djph.net>
<su3unv$th6$1@tncsrv09.home.tnetconsulting.net> <su5nuu$47ba$1@news1.tnib.de>
<su69tq$haj$2@tncsrv09.home.tnetconsulting.net> <su800s$82u7$1@news1.tnib.de>
<su9r2e$au4$1@tncsrv09.home.tnetconsulting.net> <20220213140543.1275a4a8@ryz>
<sugt0n$og5$1@tncsrv09.home.tnetconsulting.net> <suickf$qcjn$1@news1.tnib.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Wed, 16 Feb 2022 20:08:34 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="27470"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <suickf$qcjn$1@news1.tnib.de>
Content-Language: en-US
 by: Grant Taylor - Wed, 16 Feb 2022 20:08 UTC

On 2/16/22 1:29 AM, Marc Haber wrote:
> That's what sane networks have DNS for.

Not everything supports DNS.

> That being said, I like using the well-defined addresses for DNS
> servers that sadly never made it into a formal standard.

You mean something like the same site-local address for the local DNS
server? }:-)

--
Grant. . . .
unix || die

Re: IPv6 Hardware Firewall

<sujm1k$g82$1@tncsrv09.home.tnetconsulting.net>


https://www.novabbs.com/computers/article-flat.php?id=389&group=comp.os.linux.networking#389

Newsgroups: comp.os.linux.networking
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Wed, 16 Feb 2022 13:16:02 -0700
Organization: TNet Consulting
Message-ID: <sujm1k$g82$1@tncsrv09.home.tnetconsulting.net>
References: <VLKMJ.19775$iK66.8601@fx46.iad>
<20220209230421@news.eternal-september.org> <su2kpj$1gb44$1@news1.tnib.de>
<9eoNJ.42368$%uX7.41616@fx38.iad> <20220211094118.25fc3210@ryz>
<suanni$gn6$1@dont-email.me> <20220213135148.0dc315e6@ryz>
<sugu35$ia2$1@tncsrv09.home.tnetconsulting.net> <20220215211807.08a73313@ryz>
<suhjch$h1j$1@tncsrv09.home.tnetconsulting.net> <20220216162433.505a8d4a@ryz>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Wed, 16 Feb 2022 20:15:48 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="16642"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <20220216162433.505a8d4a@ryz>
Content-Language: en-US
 by: Grant Taylor - Wed, 16 Feb 2022 20:16 UTC

On 2/16/22 8:24 AM, Marco Moock wrote:
> That I need a special application gateway (that does NAT in the
> background) on my Cisco router to make SIP/RTSP work.
>
> If I don't have such a special NAT "gateway" I wouldn't be able to
> be called from others via IPV4.

What's more responsible for that problem? SIP itself or NAT? There are
many other protocols that work through NAT perfectly fine without the
need for such shenanigans.

It's been a while, but I think that it is possible for SIP clients to
connect to a globally routed IPv4 address that is port forwarded / NATed
to an internal server without the need for the NAT gateway shenanigans.
But, maybe I'm mis-remembering things. Maybe it was configuration of
the SIP server saying "Report $THIS external IP."

> Getting rid of NAT here to get rid of that gateway. With IPv6 I
> don't need that and it is a much easier configuration. Easier for
> me means more reliable because less things can get broken.

Fair enough.

> I assume systemd-resolved does, I already experienced that with
> it. The reason for that is that DNS with globally resolved domains is
> intended to be equal regardless of which resolver you ask. For the caches I
> see no reason in clearing the cache if the network comes up/down.

Bleck

I actively avoid systemd and its ilk.

> Completely agree, but if you have just one computer that isn't
> administered by the company you need to emanate that some users don't
> use your local resolver.
>
> Maybe yes, but there is hope over the horizon, some big tech companies
> implement IPv6 and I just wait until they say "we switch off IPv4
> in one year" or "websites without IPv6 connectivity will be unlisted
> from Google".

Ha! I don't think we'll see big services turning off IPv4 any time
soon. I doubt we will see it in the next decade, if not more like two
decades.

As long as there are more than a tiny percentage of IPv4 only clients,
the big players will still have IPv4 connectivity.

--
Grant. . . .
unix || die

Re: IPv6 Hardware Firewall

<20220216211745.756e491c@ryz>


https://www.novabbs.com/computers/article-flat.php?id=390&group=comp.os.linux.networking#390

Newsgroups: comp.os.linux.networking
Path: i2pn2.org!i2pn.org!eternal-september.org!reader02.eternal-september.org!.POSTED!not-for-mail
From: mo0...@posteo.de (Marco Moock)
Newsgroups: comp.os.linux.networking
Subject: Re: IPv6 Hardware Firewall
Date: Wed, 16 Feb 2022 21:17:45 +0100
Organization: A noiseless patient Spider
Lines: 16
Message-ID: <20220216211745.756e491c@ryz>
References: <su2kma$1gat9$1@news1.tnib.de>
<su3jso$7qe$2@tncsrv09.home.tnetconsulting.net>
<slrnt0ap4h.5ru.dan@djph.net>
<su3pvb$3r2$1@tncsrv09.home.tnetconsulting.net>
<slrnt0au84.5ru.dan@djph.net>
<su3unv$th6$1@tncsrv09.home.tnetconsulting.net>
<su5nuu$47ba$1@news1.tnib.de>
<su69tq$haj$2@tncsrv09.home.tnetconsulting.net>
<su800s$82u7$1@news1.tnib.de>
<su9r2e$au4$1@tncsrv09.home.tnetconsulting.net>
<suav9e$d7k7$1@news1.tnib.de>
<sugsr5$rmf$1@tncsrv09.home.tnetconsulting.net>
<suicj1$qcj7$1@news1.tnib.de>
<sujlc7$eh$1@tncsrv09.home.tnetconsulting.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Info: reader02.eternal-september.org; posting-host="a6032177e0d5738f57fdc11185ddcc11";
logging-data="4479"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18QiR9bjK/ti8SrZt2DTDy7"
Cancel-Lock: sha1:L+duhEguX6Ehb0ft4A+x9qrx/Zk=
X-Newsreader: Claws Mail 3.17.8 (GTK+ 2.24.33; x86_64-pc-linux-gnu)
 by: Marco Moock - Wed, 16 Feb 2022 20:17 UTC

On Wednesday, 16 February 2022, at 13:04:38, Grant Taylor wrote:

> IPv4 doesn't /require/ the use of a link-local address. IPv6 does.

True.

> IPv4 would likely not have the old, current, and new IPv4 address all
> at the same time.

If you are using DHCP with short lease times you may also have the
situation that more than 1 address is attached to an interface to
ensure the communication can continue without interruption.

If you don't like that for IPv6, use static addresses and don't use
DHCPv6 or auto configuration via router advertisement.
