HackerTrans
TopNewTrendsCommentsPastAskShowJobs

njibhu

no profile record

comments

njibhu
·4 anni fa·discuss
A lot of devices (android/windows) simply don't support DHCPv6. And SLAAC's RA delegates the responsibility of the IP to the device itself, so doing something like DHCP snooping is simply not possible because the RA packet doesn't tell the switch which IP belongs to which device.

SLAAC-snooping protects against ARP poisonning, not against ARP table overflow.
njibhu
·4 anni fa·discuss
> Pretty sure all reasonable devices utilise privacy extensions.

I stand corrected by throw0101a answer. This is actually not an issue

> If it's wrong is subjective. If it's not a goal to upsell a business connection there might be technical limitations.

I don't think a Guest network should be considered a business feature

> Bit of a niche use-case and still very doable with NAT66.

Yes or NPT, as I mentioned at the end of my initial answer. But it has its own con.

> I haven't seen a captive portal that wasn't able to intercept DNS or that couldn't MITM all connections to display that page. It's a non-issue.

I also stand corrected by throw0101a, this is a non-issue.

> IPv4 devices can conduct ARP spoofing, no biggie. If it's "very easy" to do either it's just poor switch software.

The actual "switch software" in IPv4 which handles that, is to use an authoritative DHCP server. This does not exist/work in IPv6.
njibhu
·4 anni fa·discuss
> And the same thing can be done with in the IPv4 world by trying to overflow a switch's ARP table. I think switch manufacturers have figured that out.

Not really though, because in Ipv4, a DHCP server can be authoritative, and switches can ignore IPs which are not assigned by the DHCP server. That's how it's usually figured out for Ipv4.

> Except that NAT re-writes both the IP and port and thus you have to use state tracking for replies and port mapping with IPv4 NAT. Whereas NPTv6 is stateless.

Yes, I didn't meant to state anything contrarily to that, but you still break applications which assumes that the local IP is the same than what is visible from a remote server on the internet.

For the captive portals, I stand corrected, and wasn't aware that you can now embed DNS directly in RAs, but stayed with the original implementation which delegates the DNS part to DHCP.

I probably have an outdated understanding of Ipv6, but to be fair it's quite a challenging exactly because of all the amendments that you linked. These are only some of the problems I encountered personally, and as you showed, each individual problem has a different RFC to solve it. You never know how stable they are and if they are properly implemented. And most of the time the safe default is to only work with the initial standard.
njibhu
·4 anni fa·discuss
I think we're talking about a different issue here. MultiWAN does break consumers which do not support reconnecting from a different source IP. But the issue is the same with IPV6, if the prefix changes, the client has to reconnect anyway.

Also, I'm personally not aware of any reliable way of invalidating IPV6 prefixes except waiting for the timeout. (And if it's republishing a RA, devices don't have to listen to it, and the packet might even be lost with an unreliable wifi for example). If I'm wrong here, I'd love to know about it.
njibhu
·4 anni fa·discuss
There are a lot of shortcomings of IPv6 which prevents it to be widely used (particularly on the consumer network side). First thing to know is that it shifts responsibilities. The router is not responsible anymore for assigning IPs to the network. The devices assign their own IP address using SLAAC. You could use DHCPv6, but many devices simply won't support it (windows and android to begin with).

Which brings the following issues:

- No support for multi-homing. Example: You have two connections, a slow reliable one, and a fast unreliable one. With IPv4 you can easily setup multiwan in any proper L3 router. The router will ping both routes, and if the fast one is working, using it as main gateway. When it doesn't answer anymore, the router simply change its route. Because of NAT, this is transparent to the devices behind its network. For IPv6, this doesn't work anymore, because the IP prefix is set by the provider, without NAT the second provider will simply refuse to forward any packet which originates from an IP which doesn't have their prefix. The "solution" is to have your own address space, and use BGP to change the routes (which is out of reach for all of private consumers).

- ISPs got it wrong ! I'm in Germany, tried 3 different providers, they all assign to my router a /64 subnet instead of /60 or /56 (as recommended by ARIN). The problem is that SLAAC only works with /64, below the devices usually won't assign themselves an IP anymore. So you can only have one network, you can't have a Guest network with a different prefix.

- As mentioned by the article, the design is terrible for privacy: SLAAC works by simply taking the prefix from the router and filling the rest with the mac address. Which means that anybody on the internet gets to know your mac address. EDIT: This is wrong. See throw0101a answer below.

- Captive portals: SLAAC does not directly support assigning DNS servers. So most captive portals simply break because the network's firewall blocks DNS requests as long as they don't use the proper DNS server, but the device might simply not even be able to receive it. (SLAAC has an extension where it can tell the device to receive the DNS servers from DHCPv6, but many devices simply ignore it and treat DNS like browsers do with DoH). EDIT: This is wrong. See throw0101a answer below.

- Security within networks: Because the responsibilities of who assigns IP is shifted to the devices, switches cannot prevent devices to assign themselves IP anymore. So it's very easy for malicious devices to flood routing tables of switches by telling them that they own all IPv6 for the whole /64. Makes the whole network abysmally slow, or completely down.

Most of these issues are solved by using NAT6 (or NPT), but the issue with it, is that it breaks some applications. Ipv6 promised to get rid of NAT, so some applications took the liberty to assume that their local IP would always be the same visible on the internet. Not sure if that's this particular case for SIP, but it's usually broken with NAT6.
njibhu
·4 anni fa·discuss
I guess I can see it, but branch protection rules and pull requests reviews would also prevent that to happen in my opinion

(also ability to do it with content:write is just speculation from my side, they don't make it clear if it is possible, that would need to be confirmed by github)
njibhu
·4 anni fa·discuss
Can somebody tell me if I'm wrong on my take but this bug/issue means:

- a github app which had read permission on issues could elevate its permission to write

- a github app which had read permissions to discussions could elevate its permissions to write.

So far if the org/user would have been compromise they would have seen with issues or conversations containing content from the app.

Since these are only examples, I can imagine the case with major impact would be a contents:read elevate to content write. But again with commit signing, this would also be caught by the user. What did I miss where the impact would have not been visible to the end user/org ?
njibhu
·4 anni fa·discuss
Source for OVH: https://network.status-ovhcloud.com/incidents/pphdyqq9cgyl Couldn't find for Arelion