• NAT

    From Victor Sudakov@2:5005/49 to All on Fri Jan 25 23:46:26 2019
    Dear All,

    With the proliferation of IPv6 I hear more and more often that NAT is a great security mechanism because it hides your intranet infrastructure from outsiders, and how unfit IPv6 is for enterprise networks because it lacks the notion of NAT which makes IPv6 networks so very very much insecure.

    Do you have good conter-arguments?

    Indeed, in some corporate networks I've seen, the use of the RFC1918 address space is written into security guidelines as a requirement.

    Then again, as I come to think of it, even if your IPv6 intranet has a good firewall on the border, your internal network addresses are still exposed to the Internet. Is that a problem?

    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    --- GoldED+/BSD 1.1.5-b20160322-b20160322
    * Origin: Ulthar (2:5005/49)
  • From Tony Langdon@3:633/410 to Victor Sudakov on Sat Jan 26 20:29:00 2019
    On 01-25-19 23:46, Victor Sudakov wrote to All <=-

    Dear All,

    With the proliferation of IPv6 I hear more and more often that NAT is a great security mechanism because it hides your intranet infrastructure from outsiders, and how unfit IPv6 is for enterprise networks because
    it lacks the notion of NAT which makes IPv6 networks so very very much insecure.

    Do you have good conter-arguments?

    NAT was never intended as a security mechanism, and it does nothing more than a goof packet filter could do.

    Indeed, in some corporate networks I've seen, the use of the RFC1918 address space is written into security guidelines as a requirement.

    Then again, as I come to think of it, even if your IPv6 intranet has a good firewall on the border, your internal network addresses are still exposed to the Internet. Is that a problem?

    If your firewall is blocking traffic, you can hardly say you're exposed.

    NAT still creates a lot of problems, ask anyone who'd wrestled with port forwarding, to try and get services opened to the Internet.


    ... Each experiment, success or failure, is a learning experience.
    === MultiMail/Win v0.51
    --- SBBSecho 3.03-Linux
    * Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)
  • From Markus Reschke@2:240/1661 to Victor Sudakov on Sat Jan 26 12:12:38 2019
    Hello Victor!

    Jan 25 23:46 2019, Victor Sudakov wrote to All:

    With the proliferation of IPv6 I hear more and more often that NAT is
    a great security mechanism because it hides your intranet
    infrastructure from outsiders,

    There's a lot of misunderstanding of NAT and security. The typical case is that NAT is done by a dedicated firewall or a router with firewall features, i.e. the firewall/router does packet filtering and NAT. So a lot of people think that NAT implies security, but it doesn't. NAT is exactly what the acronym says: network address translation. An 1:1 NAT simply translates one address or subnet to another. How could that provide any security? What you need is packet filtering (plus proxies and so on).

    infrastructure from outsiders, and how unfit IPv6 is for enterprise networks because it lacks the notion of NAT which makes IPv6 networks so very very much insecure.

    There's also NAT for IPv6. BTW, IPv6 has a nice feature called Privacy Extensions to automatically change IP addresses regularly.

    ciao,
    Markus

    ---
    * Origin: *** theca tabellaria *** (2:240/1661)
  • From Victor Sudakov@2:5005/49 to Tony Langdon on Sat Jan 26 21:18:52 2019
    Dear Tony,

    26 Jan 19 20:29, you wrote to me:

    With the proliferation of IPv6 I hear more and more often that
    NAT is a great security mechanism because it hides your intranet
    infrastructure from outsiders, and how unfit IPv6 is for
    enterprise networks because it lacks the notion of NAT which
    makes IPv6 networks so very very much insecure.

    Do you have good conter-arguments?

    NAT was never intended as a security mechanism,

    It was not intended as a security mechanism initially, but over time, it became one, and is required by many security guidelines. Ask some computer security specialist you trust, if you don't believe me.

    and it does nothing
    more than a goof packet filter could do.

    Of course it does more! No packet filter *hides* *src* *addresses* of your internal hosts, and that is exactly what security people love NAT for.

    Indeed, in some corporate networks I've seen, the use of the
    RFC1918 address space is written into security guidelines as a
    requirement.

    Then again, as I come to think of it, even if your IPv6 intranet
    has a good firewall on the border, your internal network
    addresses are still exposed to the Internet. Is that a problem?

    If your firewall is blocking traffic, you can hardly say you're
    exposed.

    Sorry you are mistaken. Very few attacks nowdays are based on injecting malicious traffic into your network, those times are long gone. Information gathering about your intranet could be much more important than the ability to send traffic into it from outside.

    NAT still creates a lot of problems, ask anyone who'd wrestled with
    port forwarding, to try and get services opened to the Internet.

    That's a different story, I myself have wrestled enough with IPv4 NAT. So I would be happy to advocate NAT-less IPv6 to anyone, but I need arguments. Have not heard anything new so far.

    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    --- GoldED+/BSD 1.1.5-b20160322-b20160322
    * Origin: Ulthar (2:5005/49)
  • From Victor Sudakov@2:5005/49 to Markus Reschke on Sat Jan 26 21:49:42 2019
    Dear Markus,

    26 Jan 19 12:12, you wrote to me:

    With the proliferation of IPv6 I hear more and more often that
    NAT is a great security mechanism because it hides your intranet
    infrastructure from outsiders,

    There's a lot of misunderstanding of NAT and security. The typical
    case is that NAT is done by a dedicated firewall or a router with
    firewall features, i.e. the firewall/router does packet filtering and
    NAT. So a lot of people think that NAT implies security, but it
    doesn't.

    The security guidelines I have read don't specify "NAT must be used." They specify "RFC1918 addresses must be used in the internal network."

    NAT is exactly what the acronym says: network address
    translation. An 1:1 NAT simply translates one address or subnet to another. How could that provide any security?

    A static NAT has limited usage and indeed does not provide much additional security. But the dynamic NAT and especially PAT provide a very important security feature no packet filter provides: they *hide* the *source* *addresses* of internal hosts thus effectively hiding the network structure from outsiders.

    What you need is packet
    filtering (plus proxies and so on).

    Yes, a proxy would do the same hiding as a dynamic NAT.

    infrastructure from outsiders, and how unfit IPv6 is for
    enterprise networks because it lacks the notion of NAT
    which makes IPv6 networks so very very much insecure.

    There's also NAT for IPv6.

    Never heard of that, other than DNS64/NAT64 which are for a different purpose.

    BTW, IPv6 has a nice feature called Privacy
    Extensions to automatically change IP addresses regularly.

    Yes, with Privacy Extensions it becomes more difficult to map a single host, but all your /64 internal networks are still mappable. For example, by analyzing browsing behaviour, you can easily guess which /64 in your company is for engineering staff and which is for the management.

    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    --- GoldED+/BSD 1.1.5-b20160322-b20160322
    * Origin: Ulthar (2:5005/49)
  • From Markus Reschke@2:240/1661 to Victor Sudakov on Sat Jan 26 16:26:02 2019
    Hi Victor!

    Jan 26 21:49 2019, Victor Sudakov wrote to Markus Reschke:

    The security guidelines I have read don't specify "NAT must be used." They specify "RFC1918 addresses must be used in the internal
    network."

    For IPv6 they could use ULA (RFC4193). ;)

    A static NAT has limited usage and indeed does not provide much additional security. But the dynamic NAT and especially PAT provide a very important security feature no packet filter provides: they
    *hide* the *source* *addresses* of internal hosts thus effectively
    hiding the network structure from outsiders.

    And some dumbass enables UPnP on the firewall/router. >:) If an organization thinks that it has to hide the internal IP addresses for security reasons it can use NAT or proxies. Anyway, they still need much more than that to secure their network.

    There's also NAT for IPv6.

    Never heard of that, other than DNS64/NAT64 which are for a different purpose.

    NAT66

    ciao,
    Markus

    ---
    * Origin: *** theca tabellaria *** (2:240/1661)
  • From Michiel van der Vlist@2:280/5555 to Victor Sudakov on Sun Jan 27 00:10:45 2019
    Hello Victor,

    On Saturday January 26 2019 21:18, you wrote to Tony Langdon:

    Of course it does more! No packet filter *hides* *src* *addresses* of
    your internal hosts,

    So what? A device on the LAN that communicates with the outside world uses a public address. In the case of IPv4 with NAT it is a public WAN address of the router. In case of IPv6 it is a public address in the prefix range assigned to the router. In either case the address used is "exposed".

    and that is exactly what security people love NAT for.

    Hmmm... I would rather not put my faith in the hands of a "security expert" that believes in "security through obscurity"...


    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20170303
    * Origin: he.net certified sage (2:280/5555)
  • From Victor Sudakov@2:5005/49 to Markus Reschke on Sun Jan 27 15:08:18 2019
    Dear Markus,

    26 Jan 19 16:26, you wrote to me:

    The security guidelines I have read don't specify "NAT must be
    used." They specify "RFC1918 addresses must be used in the
    internal network."

    For IPv6 they could use ULA (RFC4193). ;)

    Good point. Thank you. Maybe fc00::/7 has a chance of becoming the new 192.168/16.

    A static NAT has limited usage and indeed does not provide much
    additional security. But the dynamic NAT and especially PAT
    provide a very important security feature no packet filter
    provides: they *hide* the *source* *addresses* of internal hosts
    thus effectively hiding the network structure from outsiders.

    And some dumbass enables UPnP on the firewall/router. >:)

    I don't think enterprise-class firewalls have UPnP, do they?

    And thinking about SOHO and home routers/firewalls, what kind of IPv6 connectivity are they going to have, what do you think? Those present who have native IPv6 connectivity, what's your ISP's policy on assigning addresses to customers?

    If my ISP were going to give me one IPv6 address (a /128) or even one /64 net, this would be too few for my purposes. For my current home network, I use five /64s, so for me it would be a /56 at least.

    If an
    organization thinks that it has to hide the internal IP addresses for security reasons it can use NAT or proxies. Anyway, they still need
    much more than that to secure their network.

    There's also NAT for IPv6.

    Never heard of that, other than DNS64/NAT64 which are for a
    different purpose.

    NAT66

    Interesting. Do you know of any implementations that could translate ULA addresses into one global /64 pool?

    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    --- GoldED+/BSD 1.1.5-b20160322-b20160322
    * Origin: Ulthar (2:5005/49)
  • From Victor Sudakov@2:5005/49 to Michiel van der Vlist on Sun Jan 27 15:35:30 2019
    Dear Michiel,

    27 Jan 19 00:10, you wrote to me:

    Of course it does more! No packet filter *hides* *src*
    *addresses* of your internal hosts,

    So what? A device on the LAN that communicates with the outside world
    uses a public address.

    Are you pulling my leg, or don't you really understand the difference? A *thousand* devices on the LAN use *one* public address (or maybe a dozen public addresses) when communicating with the outside world.

    In the case of IPv4 with NAT it is a public WAN
    address of the router. In case of IPv6 it is a public address in the prefix range assigned to the router.

    But the devices on the LAN become uniqely mappable from the outside. That's the point. In the case without NAT (a global IP address per internal host), the bad guys will have to resort to canvas fingerprinting, cookie abuse or other less reliable techniques.

    In either case the address used
    is "exposed".

    and that is exactly what security people love NAT for.

    Hmmm... I would rather not put my faith in the hands of a "security expert" that believes in "security through obscurity"...

    Do you call *any* attempt to keep sensitive information private "security through obscurity"? Would you also, for example, call RFC4941 mechanism "security through obscurity"? Then you probably misunderstand the terminology.

    Besides, speaking about private addresses proper, you often have no choice: this requirement has made it into too many security checklists and would be too difficult to get rid of even if we wanted.

    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    --- GoldED+/BSD 1.1.5-b20160322-b20160322
    * Origin: Ulthar (2:5005/49)
  • From Michiel van der Vlist@2:280/5555 to Victor Sudakov on Sun Jan 27 10:55:06 2019
    Hello Victor,

    On Sunday January 27 2019 15:08, you wrote to Markus Reschke:

    And thinking about SOHO and home routers/firewalls, what kind of IPv6 connectivity are they going to have, what do you think? Those present
    who have native IPv6 connectivity, what's your ISP's policy on
    assigning addresses to customers?

    My ISP assigns a /56 on a home connection and a /48 on a bussines pro connection. Some other ISPs in The Netherlands also offer a /48 for a home connection as well.

    A /48 should be enough for any big enterprise...

    If my ISP were going to give me one IPv6 address (a /128) or even one
    /64 net, this would be too few for my purposes. For my current home network, I use five /64s, so for me it would be a /56 at least.

    If you need more than a /56 on a home network, you are doing something wrong.


    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20170303
    * Origin: he.net certified sage (2:280/5555)
  • From Tony Langdon@3:633/410 to Victor Sudakov on Sun Jan 27 20:11:00 2019
    On 01-26-19 21:18, Victor Sudakov wrote to Tony Langdon <=-

    It was not intended as a security mechanism initially, but over time,
    it became one, and is required by many security guidelines. Ask some computer security specialist you trust, if you don't believe me.

    Well, having compared notes, I am wary of anyone who calls themselves a "specialist" without personal knowledge and trust of the person. :) I've certainly heard a lot of dodgy stories about so-called "specialists" in networking from a very trusted source over the years.

    Of course it does more! No packet filter *hides* *src* *addresses* of
    your internal hosts, and that is exactly what security people love NAT for.

    True, but IPv6 has mechanisms for source IP privacy without NAT.

    Sorry you are mistaken. Very few attacks nowdays are based on injecting malicious traffic into your network, those times are long gone. Information gathering about your intranet could be much more important than the ability to send traffic into it from outside.

    That is a good point.

    NAT still creates a lot of problems, ask anyone who'd wrestled with
    port forwarding, to try and get services opened to the Internet.

    That's a different story, I myself have wrestled enough with IPv4 NAT.
    So I would be happy to advocate NAT-less IPv6 to anyone, but I need arguments. Have not heard anything new so far.

    Yeah so have I and it's a pain in the proverbial.


    ... Sir, the Romulans do not take prisoners!
    === MultiMail/Win v0.51
    --- SBBSecho 3.03-Linux
    * Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)
  • From Victor Sudakov@2:5005/49 to Michiel van der Vlist on Sun Jan 27 18:05:10 2019
    Dear Michiel,

    27 Jan 19 10:55, you wrote to me:

    And thinking about SOHO and home routers/firewalls, what kind of
    IPv6 connectivity are they going to have, what do you think?
    Those present who have native IPv6 connectivity, what's your
    ISP's policy on assigning addresses to customers?

    My ISP assigns a /56 on a home connection

    As a standard package?

    and a /48 on a bussines pro
    connection. Some other ISPs in The Netherlands also offer a /48 for a
    home connection as well.

    A /48 should be enough for any big enterprise...

    If my ISP were going to give me one IPv6 address (a /128) or even
    one /64 net, this would be too few for my purposes. For my
    current home network, I use five /64s, so for me it would be a
    /56 at least.

    If you need more than a /56 on a home network, you are doing something wrong.

    Unfortunately I don't have native IPv6 connectivity, and HE does not offer /56s on its tunnels, only /48s so I don't have much choice.

    I've tried several times to switch to Rostelecom who is rumored to offer IPv6 connectivity, but as soon as I start talking with their salespeople they fall into stupor and promise to call later.

    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    --- GoldED+/BSD 1.1.5-b20160322-b20160322
    * Origin: Ulthar (2:5005/49)
  • From Victor Sudakov@2:5005/49 to Tony Langdon on Sun Jan 27 18:33:50 2019
    Dear Tony,

    27 Jan 19 20:11, you wrote to me:

    It was not intended as a security mechanism initially, but over
    time, it became one, and is required by many security guidelines.
    Ask some computer security specialist you trust, if you don't
    believe me.

    Well, having compared notes, I am wary of anyone who calls themselves
    a "specialist" without personal knowledge and trust of the person. :)
    I've certainly heard a lot of dodgy stories about so-called
    "specialists" in networking from a very trusted source over the years.

    Not all IT security specialists are competent, that is true and can be said about any specialists. But the requirement of using private IP address space has made it into too many security guidelines. A Mr. Mordac can be competent or incompetent, but he has checklists to follow.

    Of course it does more! No packet filter *hides* *src*
    *addresses* of your internal hosts, and that is exactly what
    security people love NAT for.

    True, but IPv6 has mechanisms for source IP privacy without NAT.

    Unfortunately, those mechanisms don't provide privacy of your /64 nets, i.e. the nets still remain mappable.

    [dd]


    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    --- GoldED+/BSD 1.1.5-b20160322-b20160322
    * Origin: Ulthar (2:5005/49)
  • From Markus Reschke@2:240/1661 to Victor Sudakov on Sun Jan 27 13:49:30 2019
    Hi Victor!

    Jan 27 15:08 2019, Victor Sudakov wrote to Markus Reschke:

    Good point. Thank you. Maybe fc00::/7 has a chance of becoming the
    new 192.168/16.

    I'd recommend to use fd00::/8 since fc00::/8 was meant to be some kind of globally unique local address space managed by a registry (-> B2B VPNs).

    I don't think enterprise-class firewalls have UPnP, do they?

    Most don't. But you never know what e-junk some company uses. >:)

    And thinking about SOHO and home routers/firewalls, what kind of IPv6 connectivity are they going to have, what do you think? Those present
    who have native IPv6 connectivity, what's your ISP's policy on
    assigning addresses to customers?

    /64 as xfer network and a /56 for the LAN (both dynamic, forced change every 6 months).

    Interesting. Do you know of any implementations that could translate
    ULA addresses into one global /64 pool?

    Cisco, Juniper, Linux, ...
    However, you need to check the details for each box and firmware. For example, Linux can hide the complete LAN behind a single IPv6 address.

    ciao,
    Markus

    ---
    * Origin: *** theca tabellaria *** (2:240/1661)
  • From Victor Sudakov@2:5005/49 to Markus Reschke on Sun Jan 27 21:12:10 2019
    Dear Markus,

    27 Jan 19 13:49, you wrote to me:

    Good point. Thank you. Maybe fc00::/7 has a chance of becoming
    the new 192.168/16.

    I'd recommend to use fd00::/8 since fc00::/8 was meant to be some kind
    of globally unique local address space managed by a registry (-> B2B VPNs).

    fc00::/7 is from RFC4193, and where is fd00::/8 defined?

    I don't think enterprise-class firewalls have UPnP, do they?

    Most don't. But you never know what e-junk some company uses. >:)

    And thinking about SOHO and home routers/firewalls, what kind of
    IPv6 connectivity are they going to have, what do you think?
    Those present who have native IPv6 connectivity, what's your
    ISP's policy on assigning addresses to customers?

    /64 as xfer network and a /56 for the LAN (both dynamic, forced change every 6 months).

    If you want a static address?

    Interesting. Do you know of any implementations that could
    translate ULA addresses into one global /64 pool?

    Cisco, Juniper, Linux, ...
    However, you need to check the details for each box and firmware. For example, Linux can hide the complete LAN behind a single IPv6 address.

    That's nice.

    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    --- GoldED+/BSD 1.1.5-b20160322-b20160322
    * Origin: Ulthar (2:5005/49)
  • From Markus Reschke@2:240/1661 to Michiel van der Vlist on Sun Jan 27 14:32:42 2019
    Hi Michiel!

    Jan 27 00:10 2019, Michiel van der Vlist wrote to Victor Sudakov:

    and that is exactly what security people love NAT for.

    MvdV> Hmmm... I would rather not put my faith in the hands of a "security
    MvdV> expert" that believes in "security through obscurity"...

    Basically, I fully agree. There are several methods to map an internal network. If one doesn't work, the bad guy simply tries another. But it could make senses to hide internal addresses as part of a security concept. If I'm concerned about my network security I would go for application level gateways which act as proxy and also filter stuff application specific. NAT doesn't prevent malicious web content to be downloaded while browsing the web.

    ciao,
    Markus

    ---
    * Origin: *** theca tabellaria *** (2:240/1661)
  • From Alexey Vissarionov@2:5020/545 to Victor Sudakov on Sun Jan 27 19:26:00 2019
    Good ${greeting_time}, Victor!

    27 Jan 2019 21:12:10, you wrote to Markus Reschke:

    Good point. Thank you. Maybe fc00::/7 has a chance of becoming
    the new 192.168/16.
    I'd recommend to use fd00::/8 since fc00::/8 was meant to be some
    kind of globally unique local address space managed by a registry
    B2B VPNs).
    fc00::/7 is from RFC4193, and where is fd00::/8 defined?

    Guess!


    --
    Alexey V. Vissarionov aka Gremlin from Kremlin
    gremlin.ru!gremlin; +vii-cmiii-ccxxix-lxxix-xlii

    ... GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net
    --- /bin/vi
    * Origin: http://openwall.com/Owl (2:5020/545)
  • From Markus Reschke@2:240/1661 to Victor Sudakov on Sun Jan 27 18:01:16 2019
    Hello Victor!

    Jan 27 21:12 2019, Victor Sudakov wrote to Markus Reschke:

    fc00::/7 is from RFC4193, and where is fd00::/8 defined?

    Same RFC:

    3.1. Format

    The Local IPv6 addresses are created using a pseudo-randomly
    allocated global ID. They have the following format:

    | 7 bits |1| 40 bits | 16 bits | 64 bits |
    +--------+-+------------+-----------+----------------------------+
    | Prefix |L| Global ID | Subnet ID | Interface ID |
    +--------+-+------------+-----------+----------------------------+

    Prefix FC00::/7 prefix to identify Local IPv6 unicast
    addresses.

    L Set to 1 if the prefix is locally assigned.
    Set to 0 may be defined in the future. See
    Section 3.2 for additional information.


    If you want a static address?

    Then I would have to change my consumer DSL to a business one.

    ciao,
    Markus

    ---
    * Origin: *** theca tabellaria *** (2:240/1661)
  • From Michiel van der Vlist@2:280/5555 to Victor Sudakov on Mon Jan 28 15:51:34 2019
    Hello Victor,

    On Sunday January 27 2019 18:05, you wrote to me:

    My ISP assigns a /56 on a home connection

    As a standard package?

    Too early to tell. They (Ziggo) were very slow to roll out IPv6. After telling the customers that they would be rolling out IPv6 "later this year" for the last decade, they finally started moving in 2016. But it is still "unofficial", they have not yet published an official policy on IPv6. It is still a surprise if after a modem change, you will have Dual Stack, DSLite or IPv4 only. Customers that have IPv6 report they have a /56. But nothing "official" from the ISP...

    and a /48 on a bussines pro connection.

    THAT is what they offically advertise for the Bussines Pro connection.

    If you need more than a /56 on a home network, you are doing
    something wrong.

    Unfortunately I don't have native IPv6 connectivity, and HE does not
    offer /56s on its tunnels, only /48s so I don't have much choice.

    So? Just use whatever you need from the /48 and ignore the rest. There is no shortage of IPv6 addresses,,,

    I've tried several times to switch to Rostelecom who is rumored to
    offer IPv6 connectivity, but as soon as I start talking with their salespeople they fall into stupor and promise to call later.

    Be patient. I have been pestering Ziggo for a decade before they stopped dragging their feet on IPv6. ;-)


    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20170303
    * Origin: he.net certified sage (2:280/5555)
  • From Michiel van der Vlist@2:280/5555 to Markus Reschke on Mon Jan 28 16:36:13 2019
    Hello Markus,

    On Sunday January 27 2019 13:49, you wrote to Victor Sudakov:

    Good point. Thank you. Maybe fc00::/7 has a chance of becoming
    the new 192.168/16.

    How about fe80::/10 (Link Local Address...)

    I'd recommend to use fd00::/8 since fc00::/8 was meant to be some kind
    of globally unique local address space managed by a registry (-> B2B VPNs).

    It started out as "Site Local Adresses". But since it was difficult to define what a "site" was, it was rebranded to Unique Local Address... And indeed fc00::/8 is presently "undefined".

    https://en.wikipedia.org/wiki/Unique_local_address

    For what it is worth, I registered fd51:550:40b9::/48 with SixXs...

    /64 as xfer network and a /56 for the LAN (both dynamic, forced change every 6 months).

    Here the addresses are labelled as "dynamic", but like the "dynamic IPv4" addresses, they are semi static. IPv4 adresses only change when the WAN side MAC address of the router changes. IPv6 is less predictable. It did not change for a year until this morning when I did a soft reset on the cable modem/router.


    Cheers, Michiel

    --- GoldED+/W32-MSVC 1.1.5-b20170303
    * Origin: he.net certified sage (2:280/5555)
  • From Markus Reschke@2:240/1661 to Michiel van der Vlist on Mon Jan 28 18:33:22 2019
    Hi Michiel!

    Jan 28 16:36 2019, Michiel van der Vlist wrote to Markus Reschke:

    Good point. Thank you. Maybe fc00::/7 has a chance of becoming
    the new 192.168/16.

    MvdV> How about fe80::/10 (Link Local Address...)

    Sorry, link local addresses are limited to a single broadcast domain and must not be routed.

    ciao,
    Markus

    ---
    * Origin: *** theca tabellaria *** (2:240/1661)
  • From Tony Langdon@3:633/410 to Michiel van der Vlist on Tue Jan 29 16:11:00 2019
    On 01-27-19 10:55, Michiel van der Vlist wrote to Victor Sudakov <=-

    My ISP assigns a /56 on a home connection and a /48 on a bussines pro connection. Some other ISPs in The Netherlands also offer a /48 for a home connection as well.

    Mine assigns a /56 as well.

    If you need more than a /56 on a home network, you are doing something wrong.

    Yeah a /56 is more than I'll ever use. Currently using only one /64, but that may change down the track as things change - if I ever assign a block to packet radio, or get into IoT and want to keep that separate from the home LAN, but I don't see myself using more than a handful of /64s, certainly not 256 of them. :)


    ... Look Twice... Save a Life!!! Motorcycles are Everywhere!!!
    === MultiMail/Win v0.51
    --- SBBSecho 3.03-Linux
    * Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)
  • From Tony Langdon@3:633/410 to Markus Reschke on Tue Jan 29 16:16:00 2019
    On 01-27-19 18:01, Markus Reschke wrote to Victor Sudakov <=-

    Then I would have to change my consumer DSL to a business one.

    That's annoying. My ISP has 3 tiers of service.

    Default (consumer) - dynamic IPv4 address and IPv6 prefix.

    "Power Pack" - static IPv4 and IPv6 prefix (this is what I have). Also some other differences.

    Business - static IPv4, optional /29, static IPv6 prefix, and priority support.


    ... Features should be discovered, not documented.
    === MultiMail/Win v0.51
    --- SBBSecho 3.03-Linux
    * Origin: Freeway BBS Bendigo,Australia freeway.apana.org.au (3:633/410)
  • From Victor Sudakov@2:5005/49 to Michiel van der Vlist on Tue Jan 29 21:17:56 2019
    Dear Michiel,

    28 Jan 19 15:51, you wrote to me:

    [dd]

    If you need more than a /56 on a home network, you are doing
    something wrong.

    Unfortunately I don't have native IPv6 connectivity, and HE does
    not offer /56s on its tunnels, only /48s so I don't have much
    choice.

    So? Just use whatever you need from the /48 and ignore the rest. There
    is no shortage of IPv6 addresses,,,

    Currently there are only 35 trillion /48 networks in the global 2000::/3 pool, if I've counted correctly. One trillion is not that many, it's the quantity of stars in the Andromeda galaxy, or the quantity of bacteria living in one human being...

    With the 64bit interface identifier, there will probably never be a shortage of IPv6 *addresses* in a network, but well may be a shortage of IPv6 network *blocks* if they are given out in an irresponsive manner. IMHO.

    I've tried several times to switch to Rostelecom who is rumored
    to offer IPv6 connectivity, but as soon as I start talking with
    their salespeople they fall into stupor and promise to call
    later.

    Be patient. I have been pestering Ziggo for a decade before they
    stopped dragging their feet on IPv6. ;-)

    :-)


    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    --- GoldED+/BSD 1.1.5-b20160322-b20160322
    * Origin: Ulthar (2:5005/49)