Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On 15 Aug 2022 at 13:44:55, Tim Woodall wrote:
> All because the same 10.x addresses had been chosen and renumbering
> one or the other was too hard.

That is why I hate IPv4. With IPv6 there is no NAT necessary and if ULA is implemented correctly (random bits), almost no collision occurs.
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On Mon, 15 Aug 2022, Marco wrote:
> On 15 Aug 2022 at 08:15:30, Tim Woodall wrote:
>> Isn't the danger here that everybody starts using fd00::/64. Even for
>> ipv4, the odds of two sets of private addresses colliding should have
>> been small...
>
> They may collide, but it is not a real problem, because it only affects
> the situation when 2 sites are connected together. Using random bits
> avoids such a situation, but if they collide, one of the networks must
> be changed.

Exactly. The same happens when connecting two sites using ipv4.

Renumbering is often a pain, to the extent that I worked somewhere where there was natting between the two companies so that the other company looked like it had different IPs to what it really did and DNS was horrendous! Cached dns for someone moving between the sites was a problem...

All because the same 10.x addresses had been chosen and renumbering one or the other was too hard.
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On 15 Aug 2022 at 08:15:30, Tim Woodall wrote:
> Isn't the danger here that everybody starts using fd00::/64. Even for
> ipv4, the odds of two sets of private addresses colliding should have
> been small...

They may collide, but it is not a real problem, because it only affects the situation when 2 sites are connected together. Using random bits avoids such a situation, but if they collide, one of the networks must be changed.

> I know there's an RFC for avoiding this but I'll be pleasantly
> surprised if it's widely followed as ipv6 starts taking over the bulk
> of internet traffic for everything.

IPv6 ULA isn't being used for internet traffic, it is intended for traffic within a site, like company network or a home network.

If 2 companies use IPv6 ULA with random bits, the probability of a collision is very low if they now interconnect their networks via a direct connection (without internet).

Internet traffic uses 2000::/3 and fd00::/7 must not be used for outgoing traffic.
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On Sun, 14 Aug 2022, David Wright wrote: On Sun 14 Aug 2022 at 05:35:17 (+), Marco wrote: Am 13. Aug 2022, um 23:42:17 Uhr schrieb David Wright: AFAICT the rest of your post is concerned with global IPv6 addresses rather than local (ULA) ones, which is why the prefix for the home LAN has to be given to you rather than generated/assigned by yourself. It is possible to use an additional ULA at home to address computers. This ULA can be taken to a new provider because it is only valid inside your network - not on the internet. Sure, and if Curt had quoted two paragraphs about ULAs instead, I would have pointed out that the user-generated pseudorandom global ID within them means that they too are unlike local IPv4 addresses, ie not fundamentally identical. A consequence of IPv6 ULAs having a global ID is that it should be straightforward to merge a number of local sites with independently assigned addresses, without causing any collisions. Perhaps that clarifies what I took from Curt's use of the term "fundamentally identical" with respect to IPv4 local addresses. Isn't the danger here that everybody starts using fd00::/64. Even for ipv4, the odds of two sets of private addresses colliding should have been small... I know there's an RFC for avoiding this but I'll be pleasantly surprised if it's widely followed as ipv6 starts taking over the bulk of internet traffic for everything.
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On Sun 14 Aug 2022 at 05:35:17 (+), Marco wrote: > Am 13. Aug 2022, um 23:42:17 Uhr schrieb David Wright: > > > AFAICT the rest of your post is concerned with global IPv6 addresses > > rather than local (ULA) ones, which is why the prefix for the home > > LAN has to be given to you rather than generated/assigned by yourself. > > It is possible to use an additional ULA at home to address computers. > This ULA can be taken to a new provider because it is only valid inside > your network - not on the internet. Sure, and if Curt had quoted two paragraphs about ULAs instead, I would have pointed out that the user-generated pseudorandom global ID within them means that they too are unlike local IPv4 addresses, ie not fundamentally identical. A consequence of IPv6 ULAs having a global ID is that it should be straightforward to merge a number of local sites with independently assigned addresses, without causing any collisions. Perhaps that clarifies what I took from Curt's use of the term "fundamentally identical" with respect to IPv4 local addresses. > Then the GUA prefix is being used to connect to other computers > on the internet outside your network. Your computer can have multiple > IPv6 addresses, it already has at least 2 (link-local and GUA). Cheers, David.
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On 13 Aug 2022 at 23:42:17, David Wright wrote:
> AFAICT the rest of your post is concerned with global IPv6 addresses
> rather than local (ULA) ones, which is why the prefix for the home
> LAN has to be given to you rather than generated/assigned by yourself.

It is possible to use an additional ULA at home to address computers. This ULA can be taken to a new provider because it is only valid inside your network - not on the internet.

Then the GUA prefix is being used to connect to other computers on the internet outside your network. Your computer can have multiple IPv6 addresses, it already has at least 2 (link-local and GUA).
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On Sat 13 Aug 2022 at 09:37:02 (-), Curt wrote: > On 2022-08-13, David Wright wrote: > > On Wed 10 Aug 2022 at 08:12:11 (-), Curt wrote: > >> I never realized that local addresses were fundamentally identical in all > >> local networks because there weren't enough addresses in the first place, > > > > Don't you need them to be identical because otherwise everybody > > would have to configure their border equipment (like routers) > > to recognise /their/ choice as local. > > I guess they've got it all figured out. > > > It's not clear, either, how you would select your own local > > range without accidentally choosing addresses that are in use > > somewhere on the globe, unless the choice was a fixed, well- > > known set of possible values (as it is: 10, 172.16–31, 192.168). > > The IETF RFC 7084 (formerly RFC 6204), Basic Requirements for IPv6 > Customer Edge Routers, [ … … … … ] AFAICT the rest of your post is concerned with global IPv6 addresses rather than local (ULA) ones, which is why the prefix for the home LAN has to be given to you rather than generated/assigned by yourself. AIUI IPv6 local addresses are designed to be not fundamentally identical, by having a 40-bit pseudorandom global ID embedded within them. So were they to leak out onto the Internet, the chances are that you wouldn't get a collision. (Mind you, I don't know just what that chance would be.) OTOH the betting is that the IPv4 address of a home internet's router, for example, is going to be either 192.168.1.1 or 192.168.0.1, with a scattering of 192.168.1.254 (like British Telecom users, YMMV). And not forgetting Gene's choice of 71. Cheers, David.
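As an added example (not part of any message in this thread), the following Python sketch puts numbers on the collision chance discussed above and flags the `fd00::/64` habit raised elsewhere in the thread. It draws the 40-bit global ID from the OS random generator, which is a substitution for the hash-based procedure RFC 4193 suggests; all function names are hypothetical.

```python
import ipaddress
import math
import secrets

# Locally assigned half of the ULA block fc00::/7 (L bit set).
LOCAL_ULA = ipaddress.IPv6Network("fd00::/8")
GLOBAL_ID_BITS = 40


def generate_ula_prefix(global_id=None):
    """Return a /48 ULA prefix: 0xfd, a 40-bit global ID, then zeros.

    Assumption: the ID comes from secrets.token_bytes() unless one is
    passed in (used below to get repeatable sample values).
    """
    if global_id is None:
        global_id = secrets.token_bytes(GLOBAL_ID_BITS // 8)
    if len(global_id) != GLOBAL_ID_BITS // 8:
        raise ValueError("global ID must be exactly 5 bytes")
    packed = b"\xfd" + global_id + bytes(10)
    return ipaddress.IPv6Network((ipaddress.IPv6Address(packed), 48))


def global_id_of(net):
    """Extract the 40 bits that follow the fd00::/8 prefix."""
    return (int(net.network_address) >> 80) & ((1 << GLOBAL_ID_BITS) - 1)


def classify(prefix):
    """Label a prefix string by how it uses the ULA space."""
    net = ipaddress.IPv6Network(prefix)
    if not net.subnet_of(LOCAL_ULA):
        return "not-local-ula"
    if global_id_of(net) == 0:
        # fd00::/64 and friends: every site that skips the random bits
        # ends up here, which recreates the 10.x renumbering problem.
        return "ula-zero-global-id"
    return "ula-random-looking"


def collision_probability(sites):
    """Birthday estimate that any two of `sites` random global IDs match."""
    pairs = sites * (sites - 1) / 2
    return -math.expm1(-pairs / 2 ** GLOBAL_ID_BITS)


def merge_conflicts(site_a, site_b):
    """Return the overlapping prefix pairs when two sites interconnect."""
    nets_a = [ipaddress.IPv6Network(p) for p in site_a]
    nets_b = [ipaddress.IPv6Network(p) for p in site_b]
    return [(str(a), str(b)) for a in nets_a for b in nets_b if a.overlaps(b)]


if __name__ == "__main__":
    print("fresh prefix:", generate_ula_prefix())
    for n in (2, 1000, 1_000_000):
        print(f"{n:>9} sites -> P(collision) ~ {collision_probability(n):.3g}")
    # Constructed sample sites: both "lazy" sites picked fd00::/64.
    print(merge_conflicts(["fd00::/64"], ["fd00::/64"]))
    print(merge_conflicts(["fd12:3456:7890::/48"], ["fdab:cdef:0123::/48"]))
```

For two sites the estimate is 2^-40, roughly 9 in 10^13; a site that uses `fd00::/64` gets none of that benefit, because its global ID is not random.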
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On Sat, 13 Aug 2022, mick.crane wrote:
> On 2022-08-13 10:37, Curt wrote:
>> Getting Your IPv6 Addresses
>
> with 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses
> you'd think everything could have its own permanently but it would
> likely be too slow to find it without being able to narrow it down a
> bit and it would be a nightmare allocating numbers of scrapped devices?
> mick

part of the reason ipv6 prefix are not ported is to keep the routing tables sane.

People should think about having to remap from time to time when they implement IPv6.

For most home setups it will be a no-brainer. Services on public ips will need dns updating.
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On 2022-08-13 10:37, Curt wrote:
> Getting Your IPv6 Addresses

with 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses you'd think everything could have its own permanently but it would likely be too slow to find it without being able to narrow it down a bit and it would be a nightmare allocating numbers of scrapped devices?

mick
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On 2022-08-13, David Wright wrote:
> On Wed 10 Aug 2022 at 08:12:11 (-), Curt wrote:
>> I never realized that local addresses were fundamentally identical in all
>> local networks because there weren't enough addresses in the first place,
>
> Don't you need them to be identical because otherwise everybody
> would have to configure their border equipment (like routers)
> to recognise /their/ choice as local.

I guess they've got it all figured out.

> It's not clear, either, how you would select your own local
> range without accidentally choosing addresses that are in use
> somewhere on the globe, unless the choice was a fixed, well-
> known set of possible values (as it is: 10, 172.16–31, 192.168).

The IETF RFC 7084 (formerly RFC 6204), Basic Requirements for IPv6 Customer Edge Routers, provides a list of features that are desirable in a residential CPE device. The University of New Hampshire InterOperability Laboratory (UNH-IOL) provides IPv6 Customer Edge (CE) interoperability testing. The products that they test and certify are good examples of products that would be ideal for building a dual-protocol home lab. The Consumer Electronics Association (CEA) IPv6 Transition Working Group (formed in 2011) has also concentrated their efforts on ensuring that consumer-electronics manufacturers are creating dual-protocol devices for home use. Their CEA-2048, Host and Router Profiles for IPv6, effort provides guidance for home router vendors.

...

Getting Your IPv6 Addresses

Now that you have your network equipment upgraded and you are assured that your upstream connectivity supports IPv6, you can connect it all together, power it on, and discover if you have obtained a global IPv6 address. Your home router will receive an ICMPv6 Router Advertisement (RA) message from the upstream ISP network indicating that your CPE should proceed to use DHCPv6 to obtain its single external IPv6 address. The ISP likely operates a high-availability DHCPv6 service that receives the DHCPv6 Solicit messages from subscribers' CPE and then determines the IPv6 addresses to allocate. After that step is complete, your CPE will also send a subsequent DHCPv6 Prefix Delegation (PD) (RFC 3633) request to obtain an IPv6 prefix (typically a /64) to be used for the internal home LAN.

It is important to remember that this IPv6 address block is Provider Assigned (PA) and not Provider Independent (PI) and thus, non-portable between ISPs. If you switch ISPs, then you will need to renumber any statically-assigned systems. However, the new ISP will provide you a new IPv6 prefix from their block and the dynamically-assigned systems in your house should transition smoothly to the new address space.

https://blogs.infoblox.com/ipv6-coe/home-networking-with-ipv6/

> Cheers,
> David.
>
> --
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On Wed 10 Aug 2022 at 08:12:11 (-), Curt wrote: > I never realized that local addresses were fundamentally identical in all > local networks because there weren't enough addresses in the first place, Don't you need them to be identical because otherwise everybody would have to configure their border equipment (like routers) to recognise /their/ choice as local. It's not clear, either, how you would select your own local range without accidentally choosing addresses that are in use somewhere on the globe, unless the choice was a fixed, well- known set of possible values (as it is: 10, 172.16–31, 192.168). Cheers, David.
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On Aug 10, 2022, rhkra...@gmail.com wrote:
> On Wednesday, August 10, 2022 04:12:11 AM Curt wrote:
> > I never realized that local addresses were fundamentally identical in all
> > local networks because there weren't enough addresses in the first
> > place, and that NAT was essentially designed to palliate this shortage.
>
> Yes, aiui, NAT was designed because of the address shortage, but ...
>
> > I thought the latter was some sort of security measure.
>
> at least in early versions of NAT (more below) it also provided some level of
> security as it was designed to only forward incoming connections (to computers
> in a LAN) from "known" external computers.
>
> I.e., if a computer on the LAN contacted a computer outside the LAN, NAT would
> allow incoming data from that external computer, but not allow incoming data
> from other external computers.

That isn't (nor ever was) a "feature" of NAT, rather the firewall.

If there's a matching DNAT rule, the packet is destined for a PC using an RFC1918 address; update the IP Address and check the resulting packet against the FORWARD chain.

If there's not a matching DNAT rule, the packet is destined for the machine acting as gateway; check the packet against the INPUT chain.

--
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
Hmm, big (to me) oops -- pre-2020 should have been pre-2000 On Wednesday, August 10, 2022 08:23:13 AM rhkra...@gmail.com wrote: > Background: My first encounters with NAT were back in the days (pre-2020) > when my LAN consisted only of DOS (or Windows) computers. One (DOS) -- rhk If you reply: snip, snip, and snip again; leave attributions; avoid HTML; avoid top posting; and keep it "on list". (Oxford comma included at no charge.) If you change topics, change the Subject: line. Writing is often meant for others to read (legal agreements excepted?) -- make it easier for your reader by various means, including liberal use of whitespace. If someone else has already responded to a question, decide whether any response you add will be helpful or not ... A picture is worth a thousand words -- divide by 10 for each minute of video (or audio) or create a transcript and edit it to 10% of the original.
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
rhkra...@gmail.com wrote:
> On Wednesday, August 10, 2022 04:12:11 AM Curt wrote:
> > I never realized that local addresses were fundamentally identical in all
> > local networks because there weren't enough addresses in the first
> > place, and that NAT was essentially designed to palliate this shortage.
>
> Yes, aiui, NAT was designed because of the address shortage, but ...
>
> > I thought the latter was some sort of security measure.
>
> at least in early versions of NAT (more below) it also provided some level of
> security as it was designed to only forward incoming connections (to computers
> in a LAN) from "known" external computers.
>
> I.e., if a computer on the LAN contacted a computer outside the LAN, NAT would
> allow incoming data from that external computer, but not allow incoming data
> from other external computers.

That's a slight confusion of NAT and packet filtering. NAT by itself doesn't do that.

The varieties of NAT include:

1:1 - an outside address is mapped to an inside address. This allows you to renumber the outside address at the NAT device rather than changing every internal address. Sometimes called "static" NAT.

1:N - an outside address is mapped to many inside addresses. This is what bandaged the IPv4 address shortage. The mapping is typically dynamic but does not have to be. The NAT device needs to keep track of ports in use, because the multiplexing is done by reassigning ports as well as IP addresses. It's very common to include a packet filter here to allow TCP sessions to only be initiated from the inside -- but it is not mandatory.

N:1 - rarely used, but legitimate: multiple outside IP addresses are mapped to a single internal address. It's almost always a better idea to use CNAMEs or multiple 1:1 mappings.

N:M - usually this is an expansion of 1:N when you just have too many internal addresses active at the same time, so you expand the mapping from 1 outside address to several. Pretty common at medium-to-large organizations for end-user devices.

CGNAT - "carrier grade NAT" is a chained N:M scenario with an extra layer in the 100.64/10 subnet, specifically so that it doesn't collide with RFC1918 addresses. Used mostly by mobile phone networks.

> I'm not sure that current implementations of NAT provide that same
> functionality, (but it is sort of a natural thing -- if something comes in
> from an unrecognized external computer, it would not know which computer (on
> the LAN) to forward it to, so it would presumably just be dropped.

The problem is that if the packet filtering is not present, indiscriminate attacks occur. To many attackers, it does not matter what internal machine is being targeted -- any of them will do. "Any Windows machine" is a good target class, but so is "home wifi routers with known vulnerabilities".

> my LAN consisted only of DOS (or Windows) computers. One (DOS) computer on
> the LAN ran one or more software packages that (1) interfaced to the dial-up
> (!!) modem and (2) provided the NAT functionality.
>
> I don't recall if that was one package or two, and in any case, I don't recall
> the package name(s).

ipchains, replaced by iptables, which is now built on nftables (but nftables can be used alone). The general concept was called "masquerade" but is, as you have noted, 1:N NAT. The dialup software was often pppd (or before that, slipd).

-dsr-
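The distinction drawn in the replies above, between address translation and packet filtering, can be shown with a small model. This is an added example, not code from any poster: the class names are hypothetical, the addresses are documentation ranges, and the translator is assumed to key its mapping on the outside port alone, which is not how Linux netfilter's connection tracking behaves.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Masquerade:
    """1:N NAT only: rewrites addresses and ports, tracks ports in use."""

    def __init__(self, outside_ip, first_port=40000):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.by_inside = {}   # (inside ip, inside port) -> outside port
        self.by_outside = {}  # outside port -> (inside ip, inside port)

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport)
        if key not in self.by_inside:
            self.by_inside[key] = self.next_port
            self.by_outside[self.next_port] = key
            self.next_port += 1
        return replace(pkt, src=self.outside_ip, sport=self.by_inside[key])

    def inbound(self, pkt):
        # The only question NAT asks: is there a mapping for this port?
        # It does not look at who sent the packet.
        target = self.by_outside.get(pkt.dport)
        if pkt.dst != self.outside_ip or target is None:
            return None
        return replace(pkt, dst=target[0], dport=target[1])


class StatefulFilter:
    """Packet filter: admits inbound packets only for flows begun inside."""

    def __init__(self):
        self.flows = set()  # (remote ip, remote port, outside port)

    def saw_outbound(self, translated):
        self.flows.add((translated.dst, translated.dport, translated.sport))

    def permits(self, pkt):
        return (pkt.src, pkt.sport, pkt.dport) in self.flows


class Gateway:
    """Applies the optional filter first, then the translation."""

    def __init__(self, nat, packet_filter=None):
        self.nat = nat
        self.packet_filter = packet_filter

    def send(self, pkt):
        out = self.nat.outbound(pkt)
        if self.packet_filter is not None:
            self.packet_filter.saw_outbound(out)
        return out

    def receive(self, pkt):
        if self.packet_filter is not None and not self.packet_filter.permits(pkt):
            return None  # dropped by the filter, never reaches NAT
        return self.nat.inbound(pkt)


def demo():
    """Run the same constructed traffic through both gateway setups."""
    results = {}
    for label, flt in (("nat-only", None), ("nat+filter", StatefulFilter())):
        gw = Gateway(Masquerade("203.0.113.1"), flt)
        out = gw.send(Packet("192.168.1.10", 5000, "198.51.100.7", 443))
        reply = Packet("198.51.100.7", 443, out.src, out.sport)
        unrelated = Packet("192.0.2.66", 50000, out.src, out.sport)
        results[label] = (gw.receive(reply), gw.receive(unrelated))
    return results


if __name__ == "__main__":
    for label, (reply, unrelated) in demo().items():
        print(f"{label:11} reply -> {reply}")
        print(f"{label:11} unrelated host -> {unrelated}")
```

In the `nat-only` run the packet from the unrelated host is translated and delivered to the inside machine, because a port mapping exists; only the run with the filter drops it.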
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On Wednesday, August 10, 2022 04:12:11 AM Curt wrote: > I never realized that local addresses were fundamentally identical in all > local networks because there weren't enough addresses in the first > place, and that NAT was essentially designed to palliate this shortage. Yes, aiui, NAT was designed because of the address shortage, but ... > I thought the latter was some sort of security measure. at least in early versions of NAT (more below) it also provided some level of security as it was designed to only forward incoming connections (to computers in a LAN) from "known" external computers. I.e., if a computer on the LAN contacted a computer outside the LAN, NAT would allow incoming data from that external computer, but not allow incoming data from other external computers. I'm not sure that current implementations of NAT provide that same functionality, (but it is sort of a natural thing -- if something comes in from an unrecognized external computer, it would not know which computer (on the LAN) to forward it to, so it would presumably just be dropped. Background: My first encounters with NAT were back in the days (pre-2020) when my LAN consisted only of DOS (or Windows) computers. One (DOS) computer on the LAN ran one or more software packages that (1) interfaced to the dial-up (!!) modem and (2) provided the NAT functionality. I don't recall if that was one package or two, and in any case, I don't recall the package name(s). -- rhk If you reply: snip, snip, and snip again; leave attributions; avoid HTML; avoid top posting; and keep it "on list". (Oxford comma included at no charge.) If you change topics, change the Subject: line. Writing is often meant for others to read (legal agreements excepted?) -- make it easier for your reader by various means, including liberal use of whitespace. If someone else has already responded to a question, decide whether any response you add will be helpful or not ... 
A picture is worth a thousand words -- divide by 10 for each minute of video (or audio) or create a transcript and edit it to 10% of the original.
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On 2022-08-09, Andy Smith wrote: > Hello, > > On Tue, Aug 09, 2022 at 05:15:15PM -0400, Celejar wrote: >> On Tue, 2 Aug 2022 15:04:13 + >> Andy Smith wrote: >> > On Tue, Aug 02, 2022 at 10:44:54AM -0400, rhkra...@gmail.com wrote: >> > > I guess if I read that right, Verizon still supports IPv4 and has not >> > > announced any plans to discontinue it? >> > >> > That would be commercial suicide. At present you have to go out of >> > your way to buy IPv6-only services. >> >> I may be misunderstanding what you're saying here, but T-Mobile >> wireless is IPv6 only (and uses its own (now standardized as RFC 6877) >> 464XLAT protocol to talk to IPv4 only networks: > > The context of the question was about a provider with existing end to end IPv4 > support hypothetically "discontinuing" IPv4 in favour of IPv6, instead of just > introducing v6 along side. I did mention in a later email in this thread that > some end user networks, especially mobile ones, are v6-only and use 464XLAT or > similar to talk to the IPv4 Internet. But I was simplifying this for the > poster > who feared that they might no longer be able to use IPv4 at all. That's what I > meant would be commercial suicide. > I never realized that local addresses were fundamentally identical in all local networks because there weren't enough addresses in the first place, and that NAT was essentially designed to palliate this shortage. I thought the latter was some sort of security measure. If that's true, that is, and I've finally got it right now that it's all being phased out. :-)
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
Hello, On Tue, Aug 09, 2022 at 05:15:15PM -0400, Celejar wrote: > On Tue, 2 Aug 2022 15:04:13 + > Andy Smith wrote: > > On Tue, Aug 02, 2022 at 10:44:54AM -0400, rhkra...@gmail.com wrote: > > > I guess if I read that right, Verizon still supports IPv4 and has not > > > announced any plans to discontinue it? > > > > That would be commercial suicide. At present you have to go out of > > your way to buy IPv6-only services. > > I may be misunderstanding what you're saying here, but T-Mobile > wireless is IPv6 only (and uses its own (now standardized as RFC 6877) > 464XLAT protocol to talk to IPv4 only networks: The context of the question was about a provider with existing end to end IPv4 support hypothetically "discontinuing" IPv4 in favour of IPv6, instead of just introducing v6 along side. I did mention in a later email in this thread that some end user networks, especially mobile ones, are v6-only and use 464XLAT or similar to talk to the IPv4 Internet. But I was simplifying this for the poster who feared that they might no longer be able to use IPv4 at all. That's what I meant would be commercial suicide. At some point it will be more costly for the provider to do IPv4+CGNAT than v6-only + 464XLAT, due to the larger amount of traffic being able to go end to end IPv6. It seems likely that deployments that are already v4-only or dual stack might stay that way, while new deployments choose between CGNAT or things like 464XLAT for their IPv4 support. More and more hosting providers are adding IPv4 connectivity as a billable line item, and often on these services you can avoid paying for that and end up with a service that is v6-only. They sometimes do have something like 464XLAT, or sometimes are truly IPv6-only (unless you do your own 464XLAT). That's what I meant by going out of your way to get such a service. On the eyeball network side it's much harder to get by without access to the v4 Internet. 
Cheers, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting Please consider the environment before reading this e-mail. — John Levine
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On Tue, 2 Aug 2022 15:04:13 + Andy Smith wrote: > Hello, > > On Tue, Aug 02, 2022 at 10:44:54AM -0400, rhkra...@gmail.com wrote: > > On Monday, August 01, 2022 12:08:47 PM Lee wrote: > > > Verizon FIOS finally rolled out IPv6 in my area. yay! > > > > I guess if I read that right, Verizon still supports IPv4 and has not > > announced any plans to discontinue it? > > That would be commercial suicide. At present you have to go out of > your way to buy IPv6-only services. I may be misunderstanding what you're saying here, but T-Mobile wireless is IPv6 only (and uses its own (now standardized as RFC 6877) 464XLAT protocol to talk to IPv4 only networks: https://www.rfc-editor.org/rfc/rfc6877 https://lists.debian.org/debian-user/2019/12/msg00564.html -- Celejar
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On Wed, 3 Aug 2022 15:50:46 +, Andy Smith wrote:
> In this second reply, because you had said that no ISP will do
> "this" (without saying what "this" is), I thought you were arguing
> that there will be no IPv6 firewall. So my question was "why do you
> think having an IPv6 firewall is more costly than having an IPv4
> one?".

Ok, I misunderstood this, we meant the same.

> At no point did I suggest that IPv6 NAT would be set up by the ISP.
> In fact I was saying the opposite, like you. And then showed that I
> was on a connection that had NAT for IPv4 but just a packet filter
> for IPv6.

NAT for IPv4 is quite common because of the small amount of addresses. Most residual providers do not have an SPI firewall for the customer. The SPI firewall is inside the router at home. Customers can use another router or configure the router from the ISP.

I know that some cellular providers (LTE, UMTS) do SPI firewalling - the customer can't switch it off.
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
Hello, On Wed, Aug 03, 2022 at 10:35:44AM +, Marco wrote: > Am Tue, 2 Aug 2022 23:02:12 + > schrieb Andy Smith : > > > Why do you believe that having their customer premises equipment do > > this for v6 is any different from having it do default NAT for v4? > > It is additional work and it breaks certain protocols. IPv6 doesn't > need NAT, so why should an ISP do it? I think you have misread my email and we are in agreement. If you go back and look at what you first replied to, you will see that it basically says "while IPv6 NAT is POSSIBLE, I think they will just add a default packet filter for IPv6, and indeed the router at the place I am at right now is doing this". In this second reply, because you had said that no ISP will do "this" (without saying what "this" is), I thought you were arguing that there will be no IPv6 firewall. So my question was "why do you think having an IPv6 firewall is more costly than having an IPv4 one?". At no point did I suggest that IPv6 NAT would be set up by the ISP. In fact I was saying the opposite, like you. And then showed that I was on a connection that had NAT for IPv4 but just a packet filter for IPv6. Cheers, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On Wed, Aug 3, 2022 at 6:36 AM Marco wrote: > Am Tue, 2 Aug 2022 23:02:12 + > schrieb Andy Smith : > > > Why do you believe that having their customer premises equipment do > > this for v6 is any different from having it do default NAT for v4? > > It is additional work and it breaks certain protocols. IPv6 doesn't > need NAT, so why should an ISP do it? > IPv6 is not backward compatible with IPv4. IPv6 and IPv4 are usually implemented in a dual stack implementation where you have addresses from both protocols. IPv4 is used to transfer data with IPv4 servers and IPv6 is used to transfer data with IPv6 servers. > I understand SPI firewalls to protect the customer and don't allow > servers inside, but NAT isn't something that is needed to reach that. > > Additionally, I have NEVER seen a provider that does NAT or IPv6 yet. > > -- ⢀⣴⠾⠻⢶⣦⠀ ⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system ⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/ ⠈⠳⣄⠀⠀
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On Tue, 2 Aug 2022 23:02:12 +, Andy Smith wrote:
> Why do you believe that having their customer premises equipment do
> this for v6 is any different from having it do default NAT for v4?

It is additional work and it breaks certain protocols. IPv6 doesn't need NAT, so why should an ISP do it?

I understand SPI firewalls to protect the customer and don't allow servers inside, but NAT isn't something that is needed to reach that.

Additionally, I have NEVER seen a provider that does NAT or IPv6 yet.
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
Hello, On Tue, Aug 02, 2022 at 06:23:26PM +, Marco wrote: > Am Tue, 2 Aug 2022 16:40:42 + > schrieb Andy Smith : > > > It's possible that some providers might do IPv6 NAT as well, but I > > think the majority would just apply some default and quite > > restrictive packet filter rules. > > I have never seen that and it makes no sense to do that for a provider > because it costs resources. In the email you are replying to I showed that one of the largest broadband providers in the UK appears to have a default packet filter for IPv6 that lets in ICMPv6 and related flows and not much else. Why do you believe that having their customer premises equipment do this for v6 is any different from having it do default NAT for v4? And if it's not doing this, what do you believe *is* doing it? Given that there is no additional equipment here beyond the ISP-provided router, and the owner of the property has not changed any of the settings themselves. Cheers, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On Tue, 2 Aug 2022, Andy Smith wrote: Similarly, it is already possible to have your local network be IPv6-only and have the router convert anything that is v4-only back to IPv4. Some mobile networks work like this, and more and more networks might go this way as v6 eclipses v4, but that is very far in the future. I'm most of the way to this setup now. But I use a squid proxy for the 6 to 4 conversion for most things. I do recall a weird chrome (or possibly firefox) bug where it wouldn't accept an ipv6 proxy address without a default route (although the default route didn't actually have to point at anything) Quirks like that can sometimes make ipv6 frustrating, but it's more that we accept and know the ipv4 quirks.
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On Tue, 2 Aug 2022 16:38:31 - (UTC), Curt wrote:

> I'm uncertain what happens with local addresses, if anything.

Your RFC1918 IPv4 addresses will stay the same and your computer will get additional addresses from a /64 subnet of 2000::/3. These are public addresses - no nasty and slow NAT anymore.
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On Tue, 2 Aug 2022 16:40:42 +, Andy Smith wrote:

> It's possible that some providers might do IPv6 NAT as well, but I
> think the majority would just apply some default and quite
> restrictive packet filter rules.

I have never seen that and it makes no sense to do that for a provider because it costs resources.
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On Tue, 2 Aug 2022 12:01:44 -0400, rhkra...@gmail.com wrote:

> I know that IPv6 is a much larger address space so, iiuc, it would be
> harder for a "cracker" to find IPv6, but I'd probably want to
> continue to run behind NAT, so the idea that I wouldn't even know if
> my ISP switched to IPv6 does not make me comfortable.

Then you should install an SPI firewall. Normal home user routers include one.
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On Tue, 2 Aug 2022 10:44:54 -0400, rhkra...@gmail.com wrote:

> I guess if I read that right, Verizon still supports IPv4 and has not
> announced any plans to discontinue it?
>
> I feel like I'm getting too old to learn (too many) new things, so if
> my ISP made a similar announcement, I'd want to stick with IPv4.
>
> Or, I'd be looking for a very simple explanation of how to switch to
> and use Ipv6 -- not looking for that now, but I might have to at some
> point. :-(

You can operate them both at the same time. IPv6 is the successor and I want to get rid of IPv4 ASAP.
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
Hello,

On Tue, Aug 02, 2022 at 04:38:31PM -, Curt wrote:
> I'm uncertain what happens with local addresses [in IPv6], if
> anything.

At the moment if you are using RFC1918 IPv4 addresses on your network, it's either an isolated network, or else it has a router that does NAT to convert those to other IPv4 addresses, usually globally routable ones. So that stays working like that for a very long time.

It is already possible to instead have the router convert v4 to v6 and have the Internet traffic all be IPv6 but this would be a quite strange and specialised configuration as not everything on the Internet HAS a v6 address. For example, if you browse to https://github.com/, it doesn't have a v6 address, so what would the router translate to in this case?

Similarly, it is already possible to have your local network be IPv6-only and have the router convert anything that is v4-only back to IPv4. Some mobile networks work like this, and more and more networks might go this way as v6 eclipses v4, but that is very far in the future.

Right now it's a lot simpler to just continue dual stack leaving v4-only things to use the local v4 address, because if it becomes an issue it's one that can be fixed by both ends enabling IPv6 and users not having to take an action.

As others have mentioned, if you particularly wanted a local v6 network that wasn't reachable from outside then there are blocks set aside for that. Unlike in IPv4 where the RFC1918 addresses are not routable by a matter of convention, the equivalent in IPv6 are just not routable by the protocol. You have to go out of your way to NAT them to/from routable addresses to have IPv6 packets traverse.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
Hello,

On Tue, Aug 02, 2022 at 12:01:44PM -0400, rhkra...@gmail.com wrote:
> I know that IPv6 is a much larger address space so, iiuc, it would be harder
> for a "cracker" to find IPv6, but I'd probably want to continue to run behind
> NAT, so the idea that I wouldn't even know if my ISP switched to IPv6 does not
> make me comfortable.

Okay, well, just so you know what to expect:

It's possible that some providers might do IPv6 NAT as well, but I think the majority would just apply some default and quite restrictive packet filter rules.

The place where I'm at just now (which I don't control, so have no access to the router configuration to confirm) seems to allow in IPv6 ping, but isn't passing packets to (TCP) ports 22, 80 or 443. I expect it's denying everything except established/related flows. These would be the default settings as the people here are non-technical and haven't changed anything.

If you don't trust the ISP to pick some sensible packet filter rules and you don't want to learn about v6 packet filtering in your router (and/or on each node), then yeah I can see why you might want to disable IPv6. The only real downside to that at the moment is that some content MIGHT be less performant over v4 compared to v6, due to the extra layers of NAT that will increasingly be inflicted upon users of IPv4. It will be many years before there's any intentionally v6-only content that's not a research project or toy or something.

I can see why someone who is concerned about their IPv4 packet filter might also be worried about how their ISP may provide IPv6 when the time comes. Though I would still point out that most of the users of the Internet do so in a zero-config fashion so the ISP's choices with regard to IPv4 packet filtering already are trusted by most.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On 2022-08-02, Andy Smith wrote:
>
>> Or, I'd be looking for a very simple explanation of how to switch to and use
>> Ipv6 -- not looking for that now, but I might have to at some point. :-(
>
> Just do nothing.
>

That's exactly what I've done about it, nothing. All I've understood concerning the change is that they were running out of IPV4 addresses and that the IPV6 system has more to choose from.

I'm uncertain what happens with local addresses, if anything.
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On Tue, Aug 02, 2022 at 12:01:44PM -0400, rhkra...@gmail.com wrote:

> Well, I know this is probably a silly worry, but I run behind an IPv4 NAT,
> which makes me feel fairly safe.

This is a common, but wrong, idea; NAT doesn't keep you safe, a packet filter keeps you safe. You can have either one without the other. It's essentially the same configuration to filter IPv6 as IPv4.
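The distinction drawn in this reply, and the default behaviour Andy Smith describes seeing on an ISP router (ping gets in, TCP 22/80/443 do not, established flows pass), can be modelled in a few lines. This is an added Python example, not code from any poster and not a real router configuration; the addresses are constructed from the 2001:db8::/32 documentation prefix, and "related" tracking beyond simple replies is not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0    # only meaningful when proto == "icmpv6"


# ICMPv6 error messages (types 1-4) plus echo request/reply (128/129).
ALLOWED_ICMPV6_IN = {1, 2, 3, 4, 128, 129}


class StatefulFilter:
    """Forwarding filter between LAN and WAN that never rewrites addresses."""

    def __init__(self):
        self.flows = set()  # flows that were opened from the inside

    def outbound(self, p: Packet) -> str:
        # LAN -> Internet: allowed, and remembered so replies can return.
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return "accept"

    def inbound(self, p: Packet) -> str:
        # Internet -> LAN: default deny.
        if p.proto == "icmpv6":
            return "accept" if p.icmp_type in ALLOWED_ICMPV6_IN else "drop"
        # A reply has source and destination swapped relative to the
        # outbound packet that created the flow.
        reply_of = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "accept" if reply_of in self.flows else "drop"


# Constructed sample addresses.
HOST = "2001:db8:aa00:1:123:4567:a9ab:cdef"   # global address on the LAN
REMOTE = "2001:db8:ffff::10"                  # a server the host talks to
OTHER = "2001:db8:ffff::66"                   # an unrelated outside host


def run_sample():
    """Return (description, verdict) pairs for a constructed packet trace."""
    fw = StatefulFilter()
    trace = [
        ("inbound ping", fw.inbound(Packet(OTHER, HOST, "icmpv6", icmp_type=128))),
        ("inbound ssh", fw.inbound(Packet(OTHER, HOST, "tcp", 40000, 22))),
        ("inbound http", fw.inbound(Packet(OTHER, HOST, "tcp", 40001, 80))),
        ("inbound https", fw.inbound(Packet(OTHER, HOST, "tcp", 40002, 443))),
        ("outbound https", fw.outbound(Packet(HOST, REMOTE, "tcp", 50000, 443))),
        ("reply to it", fw.inbound(Packet(REMOTE, HOST, "tcp", 443, 50000))),
        ("same ports, other host",
         fw.inbound(Packet(OTHER, HOST, "tcp", 443, 50000))),
    ]
    return trace


if __name__ == "__main__":
    for what, verdict in run_sample():
        print(f"{what:24} {verdict}")
```

The host keeps its globally routable address throughout; the unsolicited connections are dropped by the flow table and the default-deny policy, not by any address translation.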
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On Tuesday, August 02, 2022 11:04:13 AM Andy Smith wrote:
> But in reality you probably aren't ever going to have to take
> any action with regard to IPv6.

...

> Most of Sky's
> customers will not know or care that at some point IPv6 got switched
> on for them.

Well, I know this is probably a silly worry, but I run behind an IPv4 NAT, which makes me feel fairly safe.

I know that IPv6 is a much larger address space so, iiuc, it would be harder for a "cracker" to find IPv6, but I'd probably want to continue to run behind NAT, so the idea that I wouldn't even know if my ISP switched to IPv6 does not make me comfortable.

But, no need for any replies -- I'll try to stay with IPv4 as long as I can.

-- 
rhk

If you reply: snip, snip, and snip again; leave attributions; avoid HTML; avoid top posting; and keep it "on list". (Oxford comma included at no charge.) If you change topics, change the Subject: line.

Writing is often meant for others to read (legal agreements excepted?) -- make it easier for your reader by various means, including liberal use of whitespace. If someone else has already responded to a question, decide whether any response you add will be helpful or not ...

A picture is worth a thousand words -- divide by 10 for each minute of video (or audio) or create a transcript and edit it to 10% of the original.
Re: ipv6: static ipv6 address with dynamic network address possible?
On Tue, 2 Aug 2022, Lee wrote:

> On 8/2/22, Tim Woodall wrote:
>> On Tue, 2 Aug 2022, Lee wrote:
>>> On 8/2/22, Tim Woodall wrote:
>>>> On Mon, 1 Aug 2022, Lee wrote:
>>>>> Verizon FIOS finally rolled out IPv6 in my area. yay! I'd like for
>>>>> my Debian server to have a static IPv6 address.. same as I have for
>>>>> IPv4. But how to do that?
>>>>>
>>>>> I have a Netgate firewall that does a dhcp6 request for a /56 from
>>>>> Verizon, then the firewall delegates a /64 to each internal subnet.
>>>>>
>>>>> I haven't been able to figure out how to assign a static address when
>>>>> the network part might [will] change.. so I've got everything using
>>>>> managed addresses (ie. dhcp6). So effectively the server has a static
>>>>> address, but still.. I'd rather not depend on DHCPv6
>>>>>
>>>>> Thoughts on how2?
>>>>
>>>> Not sure I exactly understand what you want but you can specify the
>>>> local part of an SLAAC ipv6 address thus:
>>>>
>>>> iface eth0 inet6 auto
>>>>     pre-up echo 64 >/proc/sys/net/ipv6/conf/eth0/accept_ra_rt_info_max_plen
>>>>     pre-up ip token set ::0123:4567:a9ab:cdef/64 dev eth0
>>>
>>> Yes!! That looks like what I want.
>>> Where does it go if I want to always done at boot time?
>>
>> I've got it in /etc/network/interfaces.d/eth0
>>
>> but wherever you've put the network configuration
>> /etc/network/interfaces perhaps?
>
> *sigh* Back when I first set up this machine I couldn't figure out
> how to get the /etc/network/xxx config to work. I ended up using the
> Advanced Network Configuration GUI that set up /etc/NetworkManager
> files.

Running ip token set almost any time during the boot process should work. Ideally you'd want to run it before network manager. Perhaps that has a way to run pre-up scripts but otherwise almost any other way to run a script early during boot would work.

If you run it after the interface is up then I think it will still work but might require you to wait for the next unsolicited RA which may or may not occur quickly.

One thing to think of is whether you'll have a networking headache after a power outage or internet outage. Presumably your firewall won't start serving RAs until after the internet is connected and it can get the /56 from your ISP. Not sure what a good solution is to that.

One option, as someone else suggested, is to use a locally routable /56 and then NAT at the firewall to the assigned globally routable /56. That way local connectivity will be independent of getting a /56 from upstream. If you nat an entire local /56 then it will be one rule each way IIRC.

Your local machines might also take a while to stop using old addresses that you no longer "own". Again NAT will move all of the complicated logic to handle a changing /56 to the firewall.

Best of all though would be to convince your ISP to give out static /56s...

Tim.
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
Hello,

On Tue, Aug 02, 2022 at 10:44:54AM -0400, rhkra...@gmail.com wrote:
> On Monday, August 01, 2022 12:08:47 PM Lee wrote:
> > Verizon FIOS finally rolled out IPv6 in my area. yay!
>
> I guess if I read that right, Verizon still supports IPv4 and has not
> announced any plans to discontinue it?

That would be commercial suicide. At present you have to go out of your way to buy IPv6-only services.

> I feel like I'm getting too old to learn (too many) new things, so if my ISP
> made a similar announcement, I'd want to stick with IPv4.

The level of panic over IPv6 is really getting silly. Smarter people than you or I have spent decades designing this. It's not perfect but the goal of it is that things continue working without the user noticing anything. Normal people don't know what an IPv4 is (though they may recognise the term "IP address").

I think the phrase, "a little knowledge is a dangerous thing" applies here: you know enough about IPv4 and networking in general to know that IPv6 is different, which worries you. But in reality you probably aren't ever going to have to take any action with regard to IPv6.

> Or, I'd be looking for a very simple explanation of how to switch to and use
> Ipv6 -- not looking for that now, but I might have to at some point. :-(

Just do nothing.

I'm currently at a client site where I've been for 3 days and I just checked and I'm using IPv6. The connectivity is provided by Sky broadband, a popular consumer and business ISP in UK. Most of Sky's customers will not know or care that at some point IPv6 got switched on for them.

If you host content/services then you might want to increase the priority of learning IPv6 basics so that you can make sure that your content is available by IPv6 as well as legacy v4.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
Re: Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On 8/2/22, rhkra...@gmail.com wrote:
> On Monday, August 01, 2022 12:08:47 PM Lee wrote:
>> Verizon FIOS finally rolled out IPv6 in my area. yay!
>
> I guess if I read that right, Verizon still supports IPv4 and has not
> announced any plans to discontinue it?

correct
it's quite likely that I'll be dead before IPv4 goes away.

> I feel like I'm getting too old to learn (too many) new things, so if my ISP
> made a similar announcement, I'd want to stick with IPv4.

If it helps, IPv6 seems faster. It _is_ a huge learning curve.. but dumping all the kludges that were required to get a world-wide network to fit into a 32 bit address space seems worthwhile even if not absolutely required now.

> Or, I'd be looking for a very simple explanation of how to switch to and use
> Ipv6 -- not looking for that now, but I might have to at some point. :-(

yeah.. nothing simple that I've seen :(

Regards,
Lee
Re: ipv6: static ipv6 address with dynamic network address possible?
On 8/2/22, Tim Woodall wrote:
> On Tue, 2 Aug 2022, Lee wrote:
>
>> On 8/2/22, Tim Woodall wrote:
>>> On Mon, 1 Aug 2022, Lee wrote:
>>>
>>>> Verizon FIOS finally rolled out IPv6 in my area. yay! I'd like for
>>>> my Debian server to have a static IPv6 address.. same as I have for
>>>> IPv4. But how to do that?
>>>>
>>>> I have a Netgate firewall that does a dhcp6 request for a /56 from
>>>> Verizon, then the firewall delegates a /64 to each internal subnet.
>>>>
>>>> I haven't been able to figure out how to assign a static address when
>>>> the network part might [will] change.. so I've got everything using
>>>> managed addresses (ie. dhcp6). So effectively the server has a static
>>>> address, but still.. I'd rather not depend on DHCPv6
>>>>
>>>> Thoughts on how2?
>>>
>>> Not sure I exactly understand what you want but you can specify the
>>> local part of an SLAAC ipv6 address thus:
>>>
>>> iface eth0 inet6 auto
>>>     pre-up echo 64 >/proc/sys/net/ipv6/conf/eth0/accept_ra_rt_info_max_plen
>>>     pre-up ip token set ::0123:4567:a9ab:cdef/64 dev eth0
>>
>> Yes!! That looks like what I want.
>> Where does it go if I want to always done at boot time?
>>
>
> I've got it in /etc/network/interfaces.d/eth0
>
> but wherever you've put the network configuration
> /etc/network/interfaces perhaps?

*sigh* Back when I first set up this machine I couldn't figure out how to get the /etc/network/xxx config to work. I ended up using the Advanced Network Configuration GUI that set up /etc/NetworkManager files.

Hopefully you've given me enough of a hint that I can figure out the rest for myself

Thanks
Lee
Verison IPv6 -- I want to stick with IPv4 (was Re: ipv6: static ipv6 address with dynamic network address possible?)
On Monday, August 01, 2022 12:08:47 PM Lee wrote:
> Verizon FIOS finally rolled out IPv6 in my area. yay!

I guess if I read that right, Verizon still supports IPv4 and has not announced any plans to discontinue it?

I feel like I'm getting too old to learn (too many) new things, so if my ISP made a similar announcement, I'd want to stick with IPv4.

Or, I'd be looking for a very simple explanation of how to switch to and use Ipv6 -- not looking for that now, but I might have to at some point. :-(

-- 
rhk

If you reply: snip, snip, and snip again; leave attributions; avoid HTML; avoid top posting; and keep it "on list". (Oxford comma included at no charge.) If you change topics, change the Subject: line.

Writing is often meant for others to read (legal agreements excepted?) -- make it easier for your reader by various means, including liberal use of whitespace. If someone else has already responded to a question, decide whether any response you add will be helpful or not ...

A picture is worth a thousand words -- divide by 10 for each minute of video (or audio) or create a transcript and edit it to 10% of the original.
Re: ipv6: static ipv6 address with dynamic network address possible?
On 8/2/22, Jeremy Ardley wrote:
>
> On 2/8/22 9:50 pm, Tim Woodall wrote:
>>
>>> This is a DNS & NTP server, so it needs a static address. I'd also
>>> like different firewall rules for different machines.. which also
>>> requires static addresses for at least some machines.
>>>
>>
>> Yes there is - see my earlier reply.
>>
>> ip token set ::/64 dev eth0
>>
>> (I think you might be able to do this after the interface has an IP and
>> it will then acquire an additional IP but I might be misremembering. I
>> use a pre-up command in e/n/i)
>>
>> But SLAAC should normally give you a static address anyway, just tied to
>> your mac address (which maybe you don't want)
>>
>
> You can just run your network using auto-generated link-local addresses
> fe80::/64 and use IPv6 NAT on the firewall/router for external access.

Thanks, but unless absolutely necessary I'd rather not do NAT

Lee
Re: ipv6: static ipv6 address with dynamic network address possible?
On Tue, 2 Aug 2022, Lee wrote:

> On 8/2/22, Tim Woodall wrote:
>> On Mon, 1 Aug 2022, Lee wrote:
>>> Verizon FIOS finally rolled out IPv6 in my area. yay! I'd like for
>>> my Debian server to have a static IPv6 address.. same as I have for
>>> IPv4. But how to do that?
>>>
>>> I have a Netgate firewall that does a dhcp6 request for a /56 from
>>> Verizon, then the firewall delegates a /64 to each internal subnet.
>>>
>>> I haven't been able to figure out how to assign a static address when
>>> the network part might [will] change.. so I've got everything using
>>> managed addresses (ie. dhcp6). So effectively the server has a static
>>> address, but still.. I'd rather not depend on DHCPv6
>>>
>>> Thoughts on how2?
>>
>> Not sure I exactly understand what you want but you can specify the
>> local part of an SLAAC ipv6 address thus:
>>
>> iface eth0 inet6 auto
>>     pre-up echo 64 >/proc/sys/net/ipv6/conf/eth0/accept_ra_rt_info_max_plen
>>     pre-up ip token set ::0123:4567:a9ab:cdef/64 dev eth0
>
> Yes!! That looks like what I want.
> Where does it go if I want to always done at boot time?

I've got it in /etc/network/interfaces.d/eth0

but wherever you've put the network configuration
/etc/network/interfaces perhaps?

(Your interface may well not be called eth0. I grabbed that from a virtual machine)

Tim.
Re: ipv6: static ipv6 address with dynamic network address possible?
On 2/8/22 9:50 pm, Tim Woodall wrote:

>> This is a DNS & NTP server, so it needs a static address. I'd also
>> like different firewall rules for different machines.. which also
>> requires static addresses for at least some machines.
>
> Yes there is - see my earlier reply.
>
> ip token set ::/64 dev eth0
>
> (I think you might be able to do this after the interface has an IP and
> it will then acquire an additional IP but I might be misremembering. I
> use a pre-up command in e/n/i)
>
> But SLAAC should normally give you a static address anyway, just tied to
> your mac address (which maybe you don't want)

You can just run your network using auto-generated link-local addresses fe80::/64 and use IPv6 NAT on the firewall/router for external access.

You can also allocate individual machines (multiple) non-routed addresses from ranges such as

64:ff9b:1::/48
fc00::/7

These can be used for IPv6 NAT or IPv6 to IPv4

-- 
Jeremy
Re: ipv6: static ipv6 address with dynamic network address possible?
On 8/2/22, Tim Woodall wrote:
> On Mon, 1 Aug 2022, Lee wrote:
>
>> Verizon FIOS finally rolled out IPv6 in my area. yay! I'd like for
>> my Debian server to have a static IPv6 address.. same as I have for
>> IPv4. But how to do that?
>>
>> I have a Netgate firewall that does a dhcp6 request for a /56 from
>> Verizon, then the firewall delegates a /64 to each internal subnet.
>>
>> I haven't been able to figure out how to assign a static address when
>> the network part might [will] change.. so I've got everything using
>> managed addresses (ie. dhcp6). So effectively the server has a static
>> address, but still.. I'd rather not depend on DHCPv6
>>
>> Thoughts on how2?
>>
> Not sure I exactly understand what you want but you can specify the
> local part of an SLAAC ipv6 address thus:
>
> iface eth0 inet6 auto
>     pre-up echo 64 >/proc/sys/net/ipv6/conf/eth0/accept_ra_rt_info_max_plen
>     pre-up ip token set ::0123:4567:a9ab:cdef/64 dev eth0

Yes!! That looks like what I want.
Where does it go if I want to always done at boot time?

Thanks
Lee
Re: ipv6: static ipv6 address with dynamic network address possible?
On Tue, 2 Aug 2022, Lee wrote:

> On 8/1/22, Andy Smith wrote:
>> Hello,
>>
>> On Mon, Aug 01, 2022 at 01:57:42PM -0400, Lee wrote:
>>> The dhcpv6 server on the netgate allows for static mappings like
>>> ::1:10
>>> where it fills in the network/64 portion from the delegation and uses
>>> the ::a:b:c:d for the host address. I was hoping for something like
>>> that w/ Debian
>>
>> Oh, I thought you wanted to stop using DHCPv6 (protocol) entirely.
>
> I do want to stop using DHCPv6. I was hoping there was a way to tell
> a Debian machine to use as the (64 bit) host address and
> learn the network address from the router advertisement prefix info.
>
> This is a DNS & NTP server, so it needs a static address. I'd also
> like different firewall rules for different machines.. which also
> requires static addresses for at least some machines.

Yes there is - see my earlier reply.

ip token set ::/64 dev eth0

(I think you might be able to do this after the interface has an IP and it will then acquire an additional IP but I might be misremembering. I use a pre-up command in e/n/i)

But SLAAC should normally give you a static address anyway, just tied to your mac address (which maybe you don't want)
Re: ipv6: static ipv6 address with dynamic network address possible?
On 8/1/22, Andy Smith wrote:
> Hello,
>
> On Mon, Aug 01, 2022 at 01:57:42PM -0400, Lee wrote:
>> The dhcpv6 server on the netgate allows for static mappings like
>> ::1:10
>> where it fills in the network/64 portion from the delegation and uses
>> the ::a:b:c:d for the host address. I was hoping for something like
>> that w/ Debian
>
> Oh, I thought you wanted to stop using DHCPv6 (protocol) entirely.

I do want to stop using DHCPv6. I was hoping there was a way to tell a Debian machine to use as the (64 bit) host address and learn the network address from the router advertisement prefix info.

This is a DNS & NTP server, so it needs a static address. I'd also like different firewall rules for different machines.. which also requires static addresses for at least some machines.

Thanks
Lee
Re: ipv6: static ipv6 address with dynamic network address possible?
On Mon, 1 Aug 2022, Lee wrote:

> Verizon FIOS finally rolled out IPv6 in my area. yay! I'd like for
> my Debian server to have a static IPv6 address.. same as I have for
> IPv4. But how to do that?
>
> I have a Netgate firewall that does a dhcp6 request for a /56 from
> Verizon, then the firewall delegates a /64 to each internal subnet.
>
> I haven't been able to figure out how to assign a static address when
> the network part might [will] change.. so I've got everything using
> managed addresses (ie. dhcp6). So effectively the server has a static
> address, but still.. I'd rather not depend on DHCPv6
>
> Thoughts on how2?

Not sure I exactly understand what you want but you can specify the local part of an SLAAC ipv6 address thus:

iface eth0 inet6 auto
    pre-up echo 64 >/proc/sys/net/ipv6/conf/eth0/accept_ra_rt_info_max_plen
    pre-up ip token set ::0123:4567:a9ab:cdef/64 dev eth0

The accept_ra_rt_info_max_plen only matters if you want to receive routes other than a default route.

Tim.
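What the token from the "ip token set" posts buys when the delegated prefix changes, worked through as an added Python example that is not part of any post in the thread. The /56 delegations and the MAC address are constructed samples (2001:db8::/32 is the documentation prefix); the token is the one from the post, and the suffix match mirrors how a per-host firewall rule can stay valid across renumbering by comparing only the low 64 bits.

```python
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits of an address: the interface identifier


def subnet_from_delegation(delegated: str, subnet_id: int) -> ipaddress.IPv6Network:
    """The /64 a router would carve out of a delegated prefix such as a /56."""
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError("delegation is longer than /64")
    if not 0 <= subnet_id < (1 << (64 - net.prefixlen)):
        raise ValueError("subnet id does not fit in the delegation")
    return ipaddress.IPv6Network((int(net.network_address) | (subnet_id << 64), 64))


def tokenized_address(prefix: str, token: str) -> ipaddress.IPv6Address:
    """Advertised /64 plus a fixed token: the address SLAAC forms with a token set."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC expects a /64, got /%d" % net.prefixlen)
    tok = int(ipaddress.IPv6Address(token))
    if tok >> 64:
        raise ValueError("token may only set the low 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | tok)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The MAC-derived alternative: modified EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 6 bytes")
    # Flip the universal/local bit and insert ff:fe in the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def matches_host(addr: str, token: str) -> bool:
    """Prefix-independent host match: compare only the interface identifier."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK == int(ipaddress.IPv6Address(token))


TOKEN = "::0123:4567:a9ab:cdef"                            # from the post
DELEGATIONS = ["2001:db8:aa00::/56", "2001:db8:bb00::/56"]  # constructed
MAC = "52:54:00:12:34:56"                                  # constructed


def renumbering_demo():
    """Addresses of the same host on subnet 1, before and after a new /56."""
    rows = []
    for delegated in DELEGATIONS:
        lan = str(subnet_from_delegation(delegated, 1))
        addr = tokenized_address(lan, TOKEN)
        rows.append((lan, str(addr), str(eui64_address(lan, MAC)),
                     matches_host(str(addr), TOKEN)))
    return rows


if __name__ == "__main__":
    for lan, tokenized, eui64, same_host in renumbering_demo():
        print(lan, tokenized, eui64, same_host)
```

The tokenized address keeps the same low 64 bits under both delegations and does not expose the interface's MAC address, while the EUI-64 form embeds it.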
Re: ipv6: static ipv6 address with dynamic network address possible?
Hello,

On Mon, Aug 01, 2022 at 01:57:42PM -0400, Lee wrote:
> The dhcpv6 server on the netgate allows for static mappings like
> ::1:10
> where it fills in the network/64 portion from the delegation and uses
> the ::a:b:c:d for the host address. I was hoping for something like
> that w/ Debian

Oh, I thought you wanted to stop using DHCPv6 (protocol) entirely.

I've never tried any of this, I've only used static v6 setups everywhere, so I'm not much use. But can you not have dhclient6 send a DUID like this?

https://superuser.com/a/954133/100242

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
Re: ipv6: static ipv6 address with dynamic network address possible?
On 8/1/22, Andy Smith wrote:
> Hello,
>
> On Mon, Aug 01, 2022 at 12:08:47PM -0400, Lee wrote:
>> I'd like for my Debian server to have a static IPv6 address.. same
>> as I have for IPv4. But how to do that?
>>
>> I have a Netgate firewall that does a dhcp6 request for a /56 from
>> Verizon, then the firewall delegates a /64 to each internal subnet.
>
> If you know that the /64 that's going to be delegated is always the
> same then you can just statically choose an address within it in
> /etc/network/interfaces as normal.

I wouldn't bet on it staying the same. The external IPv4 address will stay the same for months at a time; I don't expect any different for the IPv6 network

> If you can potentially get a different /56 or different /64
> delegated then you have no real choice but to use DHCPv6.

*sigh*
The dhcpv6 server on the netgate allows for static mappings like ::1:10 where it fills in the network/64 portion from the delegation and uses the ::a:b:c:d for the host address. I was hoping for something like that w/ Debian

> I don't know if static /56 is an option on fios. Although there is
> no technical reason to not allocate you a static /56,

Probably because it makes renumbering much harder.

> it is often
> used as a differentiator for a more costly service "because they
> can".

probably that

Thanks
Lee
Re: ipv6: static ipv6 address with dynamic network address possible?
Hello,

On Mon, Aug 01, 2022 at 12:08:47PM -0400, Lee wrote:
> I'd like for my Debian server to have a static IPv6 address.. same
> as I have for IPv4. But how to do that?
>
> I have a Netgate firewall that does a dhcp6 request for a /56 from
> Verizon, then the firewall delegates a /64 to each internal subnet.

If you know that the /64 that's going to be delegated is always the same then you can just statically choose an address within it in /etc/network/interfaces as normal.

If you can potentially get a different /56 or different /64 delegated then you have no real choice but to use DHCPv6.

I don't know if static /56 is an option on fios. Although there is no technical reason to not allocate you a static /56, it is often used as a differentiator for a more costly service "because they can".

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting