#ipv6
Where do we currently stand with IPv6?
https://friendica.waldstepperbu.de/display/4f338018-9364-73d7-a146-01f253964442
Boss: why is this service using IPv6?
Me: I just wanted to use IPv6 once in my career for a production service. Seems sad people did all that work for nothing.
Boss: 😑
#networking #ipv6 #infrastructure
@flameeyes Don't get me wrong I am all for #IPv6 adoption. But it has soo many issues, right now. Let alone the stability for networks like Vodafone, Tata and the like.
Also if your application doesn't support happy-eyeballs it's a big mess.
One example:
https://github.com/npm/cli/issues/4163#issuecomment-1084601306
XC# netstat -lnup | grep snmp
udp 0 0 0.0.0.0:161 0.0.0.0:* 22967/tinysnmpd
Thanks for nothing, Ubiquiti. #IPv6
Another example: If I go to create a new GCE instance in the GCP console, the Terraform it generates does not include any of the IPv6 configuration. It's included in the command line and REST equivalent code, but not the Terraform. Whhyyy??
Why does it feel like all the people who *should* care about IPv6 don’t care about it (eg GCP and one of the largest home ISPs in Sverige)?
If you want to be able to reserve IPv6 addresses on GCP with Terraform, please gimme a 👍.
https://github.com/hashicorp/terraform-provider-google/issues/14748
Where Exactly Did That Network Packet Come From? - Have you ever noticed that some websites can figure out, at least roughly, where y... - https://hackaday.com/2023/05/26/where-exactly-did-that-network-packet-come-from/ #ipgeolocation #networkhacks #ipv4 #ipv6
Supernatantmotherliquor with a rotten cherry on top!!!!!!!
Today I wanted to fire up a web browser and point it at an IPv6 link local address (with the interface/zone specifier). I know the convention with square brackets & the way to express the interface. I.e. I wanted to have my browser connect to:
http://[fe80::20d:b9ff:fe40:2f9e%en0]/
But no. Browser makers now treat the "address bar" as a search bar: Safari, Chrome, Firefox all treated the above as a search expression.
I can use the address above to make a perfectly usable SSH connection:
ssh fe80::20d:b9ff:fe40:2f9e%en0
Browsers used to do this IPv6 address thing correctly, but the race to monetize the address bar to pre-capture search queries has rotted the browsers.
I began working on the future for IPv4 back in the very early 1990s. It is sad how badly IPv6 has muddled in the years since.
GD&*@!#! Not everything on the net is a search query!!!!! Browsers should easily allow raw IPv6 addresses without sending them to a search site
Am I really in a 2023 where RedHat RHEL subscription manager cannot happen on an IPv6-only network? I really hope I am wrong....if not, that's a significant issue for USG systems. https://access.redhat.com/solutions/465613
Come on, folks. #IPv6
On the state of IPv6 – wonderful 😕
What, #duckduckgo can't do #ipv6?!
On Macs, I've noticed that using #pfSense with #Ventura in Assisted mode, #macOS will acquire SLAAC addresses but never receives a #DHCP6 address. Macs are the only devices like this on my local LAN.
There's nothing wrong with stateless addresses, of course, but since the ISP can change the delegation at will, for full #IPv6 on your local network, you want #DHCP6 to conveniently enable DNS names.
I can't tell if this is a pfSense thing or an #Apple thing. But it ain't good.
INFURIATINGLY insulting comment during the Q/A section that was basically "you're late to #IPv6 and you suck".
I had to jump up to the mic and correct the commenter that while "yes", the best time to deploy IPv6 was 20 years ago, the second best time is now. Also, insulting people for being (so called) late is super counter-productive.
Don't punish the behaviour you wish to see, c'mon!
Me: Wants to switch Wireguard tunnels to use #IPv6
Also me: Wants to use link-local addresses to route my traffic and immediately finds a bug with the Wireguard package for Ubiquiti 🤦♂️
https://github.com/WireGuard/wireguard-vyatta-ubnt/issues/148
Interesting, an ISP decided while they will deploy #CGNAT to their users. Since the main cost center for ISPs is support costs, they did some checking for "port forwarding" on the CPE and checking for "dmz" in searches, and excluded those users from CGNAT.
They also allow users to opt-out via the customer support portal.
Info about why not other technologies are in the presentation, check it out! https://ripe86.ripe.net/programme/meeting-plan/ipv6-wg/
⬆️ This is a purely #IPv6 toot
https://ripe86.ripe.net/wp-content/uploads/presentations/67-RPE86-IPv6-deployment-journey.pdf_1.2.pdf #ipv6
THE BUSINESS CASE OF CGNAT PART 2
Slide 5 / 12
▪ Support calls can kill the case, be aware for the “5%”
• Exclude users that do DMZ/Port forwarding (Give them public V4)
• Easy opt-out users from CGNAT via portal/app
• Test, test ,test....
▪ Lowering CGNAT traffic, improves business case
• Bypass CGNAT for internal services (mail/dns)
• Directly route Google/Netflix traffic from Local Caches.
Finally a business case for IPv6!
Networking is weird. I set up a gif tunnel to he.net, but it doesn't really come up for some reason.
The weird thing is the setup looks fine on my side. #ipv6 traffic leaves opnsense as expected.
I can see it in tcpdump. Both on the gif interface and the wan interface.
It seems like the he.net server ignores my packets.
I really don't know any further at this point and I'm super tired of German ISPs not properly supporting IPv6.
Well, FreeBSD's #IPv6 mirror state is pretty poor. Right now download.freebsd.org is sending me to Tokyo, which has an RTT of around 140ms.
Yet IPv4 has me go to ISC in the Bay Area w/ an RTT of 10ms.
Looks like part of the problem is that ISC's IPv6 address is the Tokyo address.
Me, once again noticing how old #IPv6 is already and how it is still so badly supported in many cases…

I've started configuring my first #BGP connection over #Wireguard and automatically chose 2 IPv4 addresses for the transit network. In the end that really doesn't matter but somehow I have the urge to change it over to #IPv6 addresses, just to normalize the usage of IPv6 as the default.
Though I've learned that I'd lose 20 MTU by doing that, not that that would make any measurable difference here.
Patch day for #mikrotik RouterOS 7.10beta7, 7.9.1, 6.49.8, 6.48.7 against CVE-2023-32154.
https://blog.mikrotik.com/security/cve-2023-32154.html
"You are only affected if one of the below settings is applied:
ipv6/settings/ set accept-router-advertisements=yes
or
ipv6/settings/set forward=no accept-router-advertisements=yes-if-forwarding-disabled"
RCE on MikroTik routers with IPv6 RA enabled
Link: https://blog.mikrotik.com/security/cve-2023-32154.html
Discussion: https://news.ycombinator.com/item?id=36029915
I got #IPv6 enabled on my home broadband connection!
What do I need to think about doing before I enable it?
How best to configure it for a bunch of computers that have been assuming no one can directly access them outside the local network (and I'd like to keep it that way)?
I'm using unifi networking equipment
On SIDN.nl: Adoption of modern internet standards among Dutch companies is growing -- interesting differences per standard between company sizes and industry sectors
https://www.sidn.nl/nieuws-en-blogs/toepassing-moderne-internetstandaarden-bij-nederlandse-bedrijven-groeit
"The overall scores turned out to have risen from 60.3 to 65.1 percent. Small companies and self-employed freelancers score better on the use of IPv6, while larger companies achieve better results on the application of HTTPS."



Care about #IPv6, #SRv6, and how to build great networks? Recent paper from our lab:
https://www.jstage.jst.go.jp/article/transinf/E106.D/5/E106.D_2022NTP0003/_article
Spent the last few days exercising DHCP option 108 (RFC8925 - #ipv6 mostly) across different platforms. I must say, it is quite seamless. The only wrinkle I have found so far is very, very old Android devices. Moved a legacy v4 enclave to it and so far it's working perfectly.
OH: "I can watch my titmice wonderfully in v6!"
Controversial opinion: There are legit use cases for #IPv6 NAT
If you're looking for a bit more privacy in your IPv6 SLAAC address on Linux, these steps may help.
#networking #ipv6 #privacy #linux #networkmanager
https://major.io/2016/04/17/enable-ipv6-privacy-networkmanager/
@dolari whereas even for #Windows-Fans there are simple tools like #netplan ( https://netplan.io/ ) that just allow one to simply set up a failover-#bond between #Wifi and #Ethernet and assign it one #IPv4 (and even #IPv6)...
And it just works...
https://driveinsaturday.org/@dolari/110381477500668703
Note: #netplan does not run on Windows, because Windows is trash!
Slides and talks from the UK IPv6 Council's "Enterprise & #IPv6 Workshop" are now available: https://www.ipv6.org.uk/2023/02/03/enterprise-ipv6-workshop/ (including a good summary on IPv6 status in Kubernetes)
This toot was sent to you thanks to the IPv6® protocol 😎
And you? Are you on #IPv6 too? The luxury of the Internet
Major router manufacturer where the VoIP ATA in the router stops working (even over IPv4!) if you set IPv6 DNS or IP manually:
"We've had a definitive answer [..] and it is not good news I'm afraid. [..]
[Vendor] does not support VoIP6 in [platform] today, it is not a model specific issue.
There are no immediate plans to implement VoIP6, therefore no schedule."
Add that to the pile of problems we have with the CPE vendor :( #VoIP #SIP #IPv6 #CPE
Why does my home network (#Heimnetzwerk) feel faster with #ipv6 disabled? Is something misconfigured or is that generally the case? The kids especially notice it on their Windows boxes when gaming. But the streaming services are also somehow smoother when only #ipv4 is active.
And thank you for pointing out to me that I had more work to do.
I learned a lot about #IPv6, thanks to your feedback.
Here's a quickie #PowerShell function I use to get my current #IPv6 GUA and IPv4 address on the console.
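function Get-MyIpAddress
{
    # Each endpoint is queried separately; the reply is comma-separated,
    # with the protocol in field 0 and the address in field 1.
    $ipv4 = (Invoke-WebRequest http://ip4only.me/api/).content
    $ipv6 = (Invoke-WebRequest http://ip6only.me/api/).content
    # One line per protocol: IPv6 first, then IPv4.
    $output = "Protocol:$($ipv6.Split(",")[0])`tAddress:$($ipv6.Split(",")[1])`nProtocol:$($ipv4.Split(",")[0])`tAddress:$($ipv4.Split(",")[1]) "
    Write-Host -ForegroundColor Yellow -Object $output
}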
So, after I posted how cool #IPv6 was, I got a nice reply from a visitor that in fact this instance was NOT available via IPv6.
I think I’ve licked that issue now though I haven’t completely solved DNS updates.
But I’d appreciate hearing from folks who attempt to access @air11.social via IPv6.
One of the issues w/ #IPv6 is that it isn't monitored/maintained nearly as well as IPv4.
I've been having connectivity issues the last few days, and pretty sure it's down to spotty IPv6.
Of course people are going to disable IPv6 if the quality of their internet is worse than on IPv4 only.
Main host I'm having issues w/ right now is docs.python.org, but others as well.
You’ve talked for years about protection value of NAT in consumer routers.
#FiOS here is rolling out #IPv6 (in a quirky way, as only #Verizon can). I’ve been experimenting with it using #pfSense and “losing” NAT to IPv6 GUAs is the first big head-slapper.
Would love to hear what you think of the lack of NAT in IPv6 and consumer connectivity on an upcoming #SecurityNow.
New Blog Post: Quick and dirty Mikrotik CG-NAT using NETMAP and hardware offload NAT.
https://forwardingplane.net/2023/05/09/mikrotik-cg-nat-using-netmap-and-hardware-offload-nat/
ipv6.google.com is only accessible via IPv6. Great for testing dualstack networks for working IPv6. :)
@jwildeboer @EU_Commission doesn't change the fact tho that your criticisms are totally valid anyway and that there's no excuse for ISPs to not even assign a /64 #IPv6 statically free of charge...(
@jwildeboer @EU_Commission @torproject Even tho #Vodafone Business Germany is even more absurd since they'll assign me an entire /29 of #IPv4's at no extra cost but won't offer me even a /64 #IPv6 for no reason but being dicks...
@jwildeboer @EU_Commission that being said, I fully agree and think everyone should have a free, provider-independent #IPv6 /64 assignment and shit like #CGNAT, especially those violating standards and using #RFC1918 address spaces (like #mobile networks routinely do) should be abolished and forcibly disconnecting lines each 24 hours as well as trying to restrict peoples' use should be abolished.
https://social.wildeboer.net/@jwildeboer/110250521163940486
@ZDF https://internet.nl/site/zdf.social/2052706/# as for improvements, #ipv6 #dns #tlsconfig are still missing
#IPv6 is the present and the future. But boy, identifying IPv6 addresses in log files with a regex is, well, a bit more work ;) Source: https://gist.github.com/khanzf/27996c1660317a4a2988
If I were an evil threat actor, I'd be learning as much about #ipv6 as possible right now. I'm convinced that many companies that say they "aren't using" IPv6 are in reality just ignoring IPv6, and it would be easy to set up a "shadow network" consisting of IPv6 traffic where you could get away with murder. Nobody at the company is logging IPv6 traffic and events, none of the tools are configured to monitor it, and a large majority of the staff knows nothing about it.
I added an IPv6 address to berthub.eu - the non-bot traffic quickly jumped to >45% #IPv6. Quite impressive!
Make your own VPN - Wireguard, ipv6 and ad-blocking included
https://it-notes.dragas.net/2023/04/03/make-your-own-vpn-wireguard-ipv6-and-ad-blocking-included/
#OpenBSD #vpn #vps #ipv6 #AdBlocker #SelfHosted #IT #SysAdmin #Tutorial #Wireguard
@stefano a few years ago we moved to a place where the local quasi-monopoly ISP offers properly configured and working #IPv6. I’ve been experimenting with it ever since and must say I really like using it - dual stack of course because I still see a lot of IPv4 traffic.
A lot of it turned out to be easier than I thought, once I had figured out the firewall settings. Oh, and the correct incantation to have the ISP at least cough up a /60 instead of a /64.
ARGH... I'm on my second attempt at finding a suitable #VPS host who is low cost, supports #IPv6 and isn't utterly scummy... this one looked perfect.. then I tried pinging an IPv6 server I have off HE.net... I can't believe this #Cogent to he.net IPv6 issue is STILL a thing. (also, sucks that this VPS provider has Cogent only).
Some toots ago, I spoke about doing this neat PROXY protocol thing for many hosts at the same time based on what @beasts does.
I finally wrote an article on how to achieve it: https://ryan.lahfa.xyz/en/one-trick-to-build-a-tls-enabled-ipv6-only-empire-with-only-one-legacy-ip.html
It is running in production on this very server with success! (and many others!!)
If the headers on this latest spam are to be believed (who knows), someone is passing email around between servers using 2002:: prefix #IPv6 for #IPv4 RFC1918 10.x.x.x addresses.
I am a tad sceptical of the headers, but that is a new one on me. Really rather "special" to say the least.
P.S. The spam was entirely some right to left script in a language for which I have no clue. The headers were the only interesting bit 🙂
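Added example, not part of any post in this feed: a Python sketch that pulls IPv6 literals out of mail headers or log lines by validating loose candidates with the standard `ipaddress` module instead of one large regex, then decodes 6to4 (2002::/16) addresses and reports whether the embedded IPv4 address is RFC1918, as in the spam headers described above. The function names and the sample `Received:` lines are constructed for illustration.

```python
import ipaddress
import re

# Loose candidate match only; ipaddress does the real validation, so
# timestamps (10:02:11) and MAC addresses are rejected without a giant regex.
CANDIDATE = re.compile(r"(?<![0-9A-Za-z:.])[0-9A-Fa-f:.]+")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def find_ipv6(line):
    """Return every valid IPv6 address literal found in one log/header line."""
    found = []
    for token in CANDIDATE.findall(line):
        if token.count(":") < 2:
            continue
        # Try the token as-is, then without trailing punctuation ("addr: ").
        for cand in (token.rstrip("."), token.rstrip(".:")):
            try:
                found.append(ipaddress.IPv6Address(cand))
                break
            except ValueError:
                continue
    return found

def audit_6to4(lines):
    """List (line_no, ipv6, embedded_ipv4, is_rfc1918) for each 6to4 address."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for addr in find_ipv6(line):
            v4 = addr.sixtofour  # None unless the address is in 2002::/16
            if v4 is not None:
                private = any(v4 in net for net in RFC1918)
                findings.append((no, str(addr), str(v4), private))
    return findings

# Constructed sample headers (hypothetical hosts, not taken from the post).
SAMPLE_HEADERS = [
    "Received: from mx1.example.net ([2002:a01:203::19]) by mx2.example.net"
    " with ESMTPS; Tue, 9 May 2023 10:02:11 +0000",
    "Received: from relay.example.org ([2001:db8:40::25]) by mx1.example.net;"
    " Tue, 9 May 2023 10:02:09 +0000",
    "Received: from out.example.com ([2002:c000:204::1]) by relay.example.org;"
    " Tue, 9 May 2023 10:02:07 +0000",
]

if __name__ == "__main__":
    for no, v6, v4, private in audit_6to4(SAMPLE_HEADERS):
        note = "RFC1918 inside 6to4, not routable" if private else "6to4"
        print(f"line {no}: {v6} -> {v4} ({note})")
```

A 6to4 address whose embedded IPv4 is RFC1918 cannot be a reachable 6to4 endpoint, so such a hop in a header chain points to a misconfigured host or a forged header.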
My bad, I accidentally ran npm config set registry http:// registry.npmjs.org --global instead of *https* while troubleshooting. 🤦♂️
All good now :)
A Native American tribal ISP seems to be handing out AppleTVs to users in exchange for their Roku devices after discovering that 71% of their IPv4 traffic was Roku-related, and deciding that this would actually be the cheaper solution.