HackerTrans
TopNewTrendsCommentsPastAskShowJobs

bert64

no profile record

comments

bert64
·6 माह पहले·discuss
Since starlink supports v6, starlink users can p2p communicate with other v6 users. Both starlink and local carriers don't provide proper legacy connectivity, they are encumbered by cgnat so p2p does not work. Without p2p communications, users are forced into a client-server model and it's much easier to block a small number of servers rather than millions of potential peers.
bert64
·6 माह पहले·discuss
You can get a large block, split it up and announce it from different places but that doesn't stop someone blocking your larger allocation.

Getting multiple blocks is harder - the RIRs will want justification for this, and would rather give you a single large block than lots of fragmented ones.
bert64
·6 माह पहले·discuss
Only legacy address space is frequently bought and sold, so it moves between AS#s a lot and is also heavily fragmented.

With v6 this is not the case, a given AS# will typically have a single large allocation and can make it larger if they need to, it won't be sold and moved and an entity can't trade it in to get a different allocation.
bert64
·6 माह पहले·discuss
Likely very old/outdated hardware. China is heavily pushing v6 and their "great firewall" has no problem with it.

Another issue they may have however is v6 enabling internal p2p communications directly between users whereas legacy addressing with cgnat does not, although they could block this pretty easily if they wanted.
bert64
·4 वर्ष पहले·discuss
People assume that RFC1918 is not routable, but that's not the case... It's fully routable, but there is no global route. Have you ever tested routing to your RFC1918 address space from the ISP, or from a customer in the same neighborhood?

On some ISPs, all the customer routers in a given area are placed in a large legacy subnet, so if another customer adds a manual route to RFC1918 space using your router as next hop - the traffic will arrive on the WAN interface of your router. Some routers will actually route this traffic inside.

Have you ever tested this and verified that your router doesn't do this? Probably not, because most people haven't. They just assume that it can't, and get a nasty surprise if someone demonstrates that it can.
bert64
·4 वर्ष पहले·discuss
Those ISPs are broken and not following the RFCs or RIR guidelines.

There's nothing stopping you from using NAT with IPv6, people just don't do it because the only benefit of NAT is conserving limited address space. NAT on IPv6 just brings all downsides and no benefit because you (should) have no shortage of address space. In any case v6 with nat is no worse than legacy ip with nat, its just stupid because they're forcing a newer and better protocol to run in a degraded mode.

Consumer oriented routers and firewalls do not allow arbitrary inbound IPv6 connections by default, you have to explicitly enable them.

I still don't get scanned over IPv6, despite having a static /56 range for more than 10 years. Everything that's reachable over legacy IP is also reachable over v6, and i have several v6-only devices because i simply don't have enough legacy addresses for everything. Scanning v6 is extremely difficult, while the legacy blocks get scanned continuously.

Modern operating systems are not sitting there with exposed services by default, you have to manually open them up if you want. Simply connecting a win11 box to an open IPv6 connection is not going to get you joined to a botnet like connecting a winxp machine directly to a legacy connection did.

Modern devices are often exposed to hostile networks/users - every time you connect a portable device to a public wifi network you are exposing your device to the operators and other users of the network. Depending how that network is configured, you might be exposed to the internet too. You don't have any separate device between you and the hostile network, you are relying on the configuration of your machine itself.

ISP supplied routers are limited and generally garbage, this is a problem for legacy ip just as much as v6.
bert64
·4 वर्ष पहले·discuss
Using IP addresses directly is a bad practice in general, it introduced security risks in many scenarios.

SSL - usually cannot verify the cert, defeating the point of SSL SMB - windows will fail over to less secure ntlm auth instead of kerberos

If your using IP addresses instead of hostnames to reference machines, you're doing it wrong.

Also IPv6 is easier to remember in general... We have a single large IPv6 allocation (eg 2001:db8::/32), and everything sits under that in a logical layout. For legacy IP, we have several different allocations in different class A blocks (104.x, 66.x, 62.x etc) plus all the RFC1918 space used internally
bert64
·4 वर्ष पहले·discuss
A lot of mobile telcos use IPv6, but there are virtually no telcos around the world that don't force the use of some form of NAT (CGNAT, NAT64) for connecting to legacy sites. NAT64 is effectively another form of CGNAT, you only have a proper end to end connection if you're using IPv6 directly.

TMO US has 110 million customers, but they don't have 110 million legacy IP addresses, and most other telcos are in the same boat.
bert64
·4 वर्ष पहले·discuss
How you represent the address is arbitrary, using a colon instead of a dot matters little as underneath it's just an integer with the only difference being 32 or 128bit.

Using a dot causes its own problems, because it conflicts with DNS. DNS allows fully numeric domain names, but they conflict with legacy ip so are not used on a the public DNS. Using hex would make the problem worse as it's perfectly valid to have an ipv6 address ending "de" for example, which is the TLD for germany.

Legacy addresses can be represented via hex too - try ping 0xdeadbeef.

The socket apis between v6 and legacy ip are largely as compatible as they can be, you need to use sockaddr_in6 and AF_INET6 which is the same as you propose. You can open an AF_INET6 socket and still connect to legacy addresses with it.

For higher level languages that don't deal with fixed size memory structures directly it's pretty much fully compatible, you can just say "connect www.google.com tcp/443" or equivalent, and the system takes care of resolving what protocol and address to connect to.