(The Register) Internet engineers have spotted what may be the first case of an IPv6-based DDOS attack (which means that someone actually bothered to set up IPv6) (theregister.co.uk)
More: Interesting, IPv6 addresses, IPv4, IPv6 protocols, IPv6 attacks, mitigation tools, IPv4 address space, new attack vectors, Internet

Posted to Geek on 05 Mar 2018 at 7:35 PM



65 Comments

 
2018-03-05 06:39:39 PM  
You do realize that a lot of mobile carriers now use IPv6 by default, right? Hell, T-Mobile doesn't even give individual phones an IPv4 address anymore, which breaks a fair number of apps on the iPhone that depend on one.

/ask me how I know
 
2018-03-05 07:38:49 PM  
I was about to say... if you're reading Fark on a LTE phone, you're almost certainly using IPv6 for it.
 
2018-03-05 07:39:12 PM  
I had IPv6 set up on my home network, but the way SLAAC + RA was implemented meant that if I wanted my PiHole to work, I had to send all my outbound traffic through it.

Needs better DHCPv6 options.
 
2018-03-05 07:53:54 PM  
[image]
 
2018-03-05 07:55:33 PM  
ACLs.  Learn them, use them, love them.
 
2018-03-05 07:55:35 PM  

themindiswatching: You do realize that a lot of mobile carriers now use IPv6 by default, right? Hell, T-Mobile doesn't even give individual phones an IPv4 address anymore, which breaks a fair number of apps on the iPhone that depend on one.

/ask me how I know


How do you know?

\ no, really, it sounds interesting
 
2018-03-05 07:58:33 PM  
FTFA: network engineers are getting their IPv6 networks up first and then worrying about locking down security later.

So network engineers are being network engineers.  The more things change the more they stay the same.
 
2018-03-05 08:17:48 PM  
sturnus vulgaris:How do you know?

\ no, really, it sounds interesting


Method 1
Google "what is my IP address".

IPV6 address will look like:
2001:0db8:85a3:0000:0000:8a2e:0370:7334

IPV4 address will be a 4-part number like:
19.117.63.126

Method 2
At the bottom of the Gmail page is a button labeled Details.
Click it and you can see the IP addresses of your recent connections to Gmail.

[image]
 
2018-03-05 08:20:41 PM  

agent00pi: I had IPv6 set up on my home network, but the way SLAAC + RA was implemented meant that if I wanted my PiHole to work, I had to send all my outbound traffic through it.

Needs better DHCPv6 options.


Yeah, pihole is funny that way. I ended up setting up stateless DHCPv6 on my server to get it to block IPv6 ads (see: YouTube) and it works, but I set up a second pihole instance as a failover because every now and then dnsmasq on pihole decides to turn itself off depending on the update.
 
2018-03-05 08:21:40 PM  
Boy, IPv4 could sure use a fifth octet.  They could call it IPv4.5

Aww, that's too easy.  Let's just create a whole new protocol that assumes that every device on the planet has to have a unique address and won't be using NAT.  Then let's turn it on by default.
 
2018-03-05 08:26:25 PM  
40-bit numbers aren't particularly efficient on either 32 or 64 bit CPUs.  And it's not like we want to go through this all again in a few decades.  That's why 128-bit.
 
2018-03-05 08:28:17 PM  
I'm secretly on IPv10.
 
2018-03-05 08:34:55 PM  

MightyPez: agent00pi: I had IPv6 set up on my home network, but the way SLAAC + RA was implemented meant that if I wanted my PiHole to work, I had to send all my outbound traffic through it.

Needs better DHCPv6 options.

Yeah, pihole is funny that way. I ended up setting up stateless DHCPv6 on my server to get it to block IPv6 ads (see: YouTube) and it works, but I set up a second pihole instance as a failover because every now and then dnsmasq on pihole decides to turn itself off depending on the update.


Ads on YouTube aren't a concern for me, because I have a Play Music subscription. As far as I could tell, clients on my network were preferring my router for DNS (v6, and therefore my ISP) as that had the RA flag.

From a skim of literature, even the pro-grade (Cisco) stuff doesn't necessarily have options to configure DNS the way you want, though I'm really at the edge of my understanding with how a lot of this stuff is implemented.
 
2018-03-05 08:38:27 PM  

TheManofPA: I'm secretly on IPv10.


These are the IPv setting knobs on my network card.
 
2018-03-05 08:38:57 PM  
Let's try this again.

TheManofPA: I'm secretly on IPv10.


These are the IPv setting knobs on my network card. 
[image]
 
2018-03-05 08:39:09 PM  

agent00pi: MightyPez: agent00pi: I had IPv6 set up on my home network, but the way SLAAC + RA was implemented meant that if I wanted my PiHole to work, I had to send all my outbound traffic through it.

Needs better DHCPv6 options.

Yeah, pihole is funny that way. I ended up setting up stateless DHCPv6 on my server to get it to block IPv6 ads (see: YouTube) and it works, but I set up a second pihole instance as a failover because every now and then dnsmasq on pihole decides to turn itself off depending on the update.

Ads on YouTube aren't a concern for me, because I have a Play Music subscription. As far as I could tell, clients on my network were preferring my router for DNS (v6, and therefore my ISP) as that had the RA flag.

From a skim of literature, even the pro-grade (Cisco) stuff doesn't necessarily have options to configure DNS the way you want, though I'm really at the edge of my understanding with how a lot of this stuff is implemented.


That's why I had to change my primary DHCP server to my Windows server instead of my router. The router would advertise itself as the DNS for IPv6 when it was the DHCP server, whereas the Windows DHCP service would advertise what you specified.

So far pfSense is the only gateway software I've found to do stateless IPv6 well.
 
2018-03-05 08:41:32 PM  

derpes_simplex: Aww, that's too easy.


It's actually not.

The point about not needing NAT any more is a good one though.  Local nets and the need for NAT always annoyed me but I always figured it was more of a feature than a bug for most people.
 
2018-03-05 08:46:29 PM  

MightyPez: agent00pi: MightyPez: agent00pi: I had IPv6 set up on my home network, but the way SLAAC + RA was implemented meant that if I wanted my PiHole to work, I had to send all my outbound traffic through it.

Needs better DHCPv6 options.

Yeah, pihole is funny that way. I ended up setting up stateless DHCPv6 on my server to get it to block IPv6 ads (see: YouTube) and it works, but I set up a second pihole instance as a failover because every now and then dnsmasq on pihole decides to turn itself off depending on the update.

Ads on YouTube aren't a concern for me, because I have a Play Music subscription. As far as I could tell, clients on my network were preferring my router for DNS (v6, and therefore my ISP) as that had the RA flag.

From a skim of literature, even the pro-grade (Cisco) stuff doesn't necessarily have options to configure DNS the way you want, though I'm really at the edge of my understanding with how a lot of this stuff is implemented.

That's why I had to change my primary DHCP server to my Windows server instead of my router. The router would advertise itself as the DNS for IPv6 when it was the DHCP server, whereas the Windows DHCP service would advertise what you specified.

So far pfSense is the only gateway software I've found to do stateless IPv6 well.


Yeah, okay - I had the PiHole running as the DHCPv6 server, but with that, the clients seemed to prefer the ISP.

Maybe the PiHole DHCPv6 implementation is kinda flaky. I just rolled back to IPv4 internally, and my ISP does the dual stack thing.
 
2018-03-05 08:49:30 PM  

derpes_simplex: Boy, IPv4 could sure use a fifth octet.  They could call it IPv4.5

Aww, that's too easy.  Let's just create a whole new protocol that assumes that every device on the planet has to have a unique address and won't be using NAT.  Then let's turn it on by default.


They invented IPv6 before private addressing became a thing and we were getting seriously close to running out of IP addresses.

Also they gave out Class As like candy in the beginning.
 
2018-03-05 08:53:58 PM  

agent00pi: MightyPez: agent00pi: MightyPez: agent00pi: I had IPv6 set up on my home network, but the way SLAAC + RA was implemented meant that if I wanted my PiHole to work, I had to send all my outbound traffic through it.

Needs better DHCPv6 options.

Yeah, pihole is funny that way. I ended up setting up stateless DHCPv6 on my server to get it to block IPv6 ads (see: YouTube) and it works, but I set up a second pihole instance as a failover because every now and then dnsmasq on pihole decides to turn itself off depending on the update.

Ads on YouTube aren't a concern for me, because I have a Play Music subscription. As far as I could tell, clients on my network were preferring my router for DNS (v6, and therefore my ISP) as that had the RA flag.

From a skim of literature, even the pro-grade (Cisco) stuff doesn't necessarily have options to configure DNS the way you want, though I'm really at the edge of my understanding with how a lot of this stuff is implemented.

That's why I had to change my primary DHCP server to my Windows server instead of my router. The router would advertise itself as the DNS for IPv6 when it was the DHCP server, whereas the Windows DHCP service would advertise what you specified.

So far pfSense is the only gateway software I've found to do stateless IPv6 well.

Yeah, okay - I had the PiHole running as the DHCPv6 server, but with that, the clients seemed to prefer the ISP.

Maybe the PiHole DHCPv6 implementation is kinda flaky. I just rolled back to IPv4 internally, and my ISP does the dual stack thing.


Yeah, I didn't care for their DHCP implementation. Though playing around with different pieces of software nobody has a very good implementation.
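The sub-thread above turns on one question: what does the router's Router Advertisement actually tell clients about DNS? An RA can carry DNS servers directly (the RDNSS and DNSSL options of RFC 8106), and its M/O flags say whether to also ask DHCPv6. When the router sends RDNSS pointing at itself and a separate DHCPv6 server offers the Pi-hole, clients that honour RDNSS will do exactly what the posters saw. The decoder below is an added example for this thread, not code from Pi-hole, pfSense or any router vendor; the sample RA it parses is constructed inline (2001:db8:1::/64, router link-local fe80::1, search domain home.lan are made up), not a capture.

```python
"""Decode an ICMPv6 Router Advertisement (RFC 4861) and report where it
points clients for DNS: RDNSS/DNSSL options (RFC 8106) and/or DHCPv6."""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3
OPT_RDNSS = 25          # Recursive DNS Server option, RFC 8106
OPT_DNSSL = 31          # DNS Search List option, RFC 8106
RA_FLAG_MANAGED = 0x80  # M: get addresses from DHCPv6 (stateful)
RA_FLAG_OTHER = 0x40    # O: get other config such as DNS from DHCPv6 (stateless)


def parse_ra(payload: bytes) -> dict:
    """Parse an RA starting at the ICMPv6 Type byte. The checksum is not
    verified (it needs the IPv6 pseudo-header). Raises ValueError on
    malformed input; RFC 4861 says an RA with a bad option is discarded."""
    if len(payload) < 16:
        raise ValueError("RA too short")
    icmp_type, code, _csum, hop_limit, flags, rt_lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", payload[:16])
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop_limit, "router_lifetime": rt_lifetime,
          "managed": bool(flags & RA_FLAG_MANAGED),
          "other_config": bool(flags & RA_FLAG_OTHER),
          "prefixes": [], "rdnss": [], "dnssl": []}
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1]  # length in 8-octet units
        if opt_len == 0:
            raise ValueError("zero-length option")
        end = off + opt_len * 8
        if end > len(payload):
            raise ValueError("truncated option body")
        body = payload[off + 2:end]            # option contents after type/len
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            prefix = ipaddress.IPv6Address(body[14:30])   # body[10:14] is reserved
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}",
                                   "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),  # A: SLAAC allowed
                                   "valid": valid, "preferred": preferred})
        elif opt_type == OPT_RDNSS and opt_len >= 3 and opt_len % 2 == 1:
            lifetime = struct.unpack("!I", body[2:6])[0]    # body[0:2] is reserved
            for i in range(6, len(body), 16):
                ra["rdnss"].append({"server": str(ipaddress.IPv6Address(body[i:i + 16])),
                                    "lifetime": lifetime})
        elif opt_type == OPT_DNSSL and opt_len >= 2:
            lifetime = struct.unpack("!I", body[2:6])[0]
            i, labels = 6, []
            while i < len(body):                # DNS wire-format names, zero padded
                n = body[i]
                i += 1
                if n == 0:                      # end of a name, or trailing padding
                    if labels:
                        ra["dnssl"].append({"domain": ".".join(labels), "lifetime": lifetime})
                        labels = []
                    continue
                if i + n > len(body):
                    raise ValueError("label overruns DNSSL option")
                labels.append(body[i:i + n].decode("ascii"))
                i += n
        off = end    # unknown option types are skipped, as RFC 4861 requires
    return ra


def dns_sources(ra: dict) -> list:
    """Which DNS configuration sources this RA points a client at."""
    sources = []
    if ra["rdnss"]:
        sources.append("RA RDNSS: " + ", ".join(r["server"] for r in ra["rdnss"]))
    if ra["managed"]:
        sources.append("DHCPv6 stateful (M=1): addresses and DNS from a DHCPv6 server")
    elif ra["other_config"]:
        sources.append("DHCPv6 stateless (O=1): DNS from a DHCPv6 server")
    return sources or ["none: this RA carries no DNS information"]


def build_sample_ra() -> bytes:
    """Constructed sample (not a capture): a home router advertising
    2001:db8:1::/64 for SLAAC, with O=1 (stateless DHCPv6) AND an RDNSS
    option naming its own link-local fe80::1, plus search list home.lan.
    Clients honouring RDNSS use the router for DNS even if DHCPv6 says otherwise."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64,
                      RA_FLAG_OTHER, 1800, 0, 0)
    pio = (struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, 64, 0xC0, 86400, 14400, 0)
           + ipaddress.IPv6Address("2001:db8:1::").packed)          # L=1, A=1
    rdnss = (struct.pack("!BBHI", OPT_RDNSS, 3, 0, 1800)
             + ipaddress.IPv6Address("fe80::1").packed)
    name = b"\x04home\x03lan\x00"                     # "home.lan" in wire format
    dnssl = struct.pack("!BBHI", OPT_DNSSL, 0, 0, 1800) + name
    dnssl += b"\x00" * (-len(dnssl) % 8)              # pad to a multiple of 8 octets
    dnssl = bytes([OPT_DNSSL, len(dnssl) // 8]) + dnssl[2:]
    return hdr + pio + rdnss + dnssl


if __name__ == "__main__":
    for line in dns_sources(parse_ra(build_sample_ra())):
        print(line)
```

To check a real network, feed `parse_ra` the ICMPv6 payload of an RA taken from a capture (`tcpdump -i eth0 icmp6 and 'ip6[40] == 134'` shows them); if the output lists both an RDNSS server and a DHCPv6 source, the router is the one overriding your DHCPv6 DNS setting, and the fix is on the router's RA configuration, not on the DHCPv6 server.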
 
2018-03-05 08:58:50 PM  

sturnus vulgaris: themindiswatching: You do realize that a lot of mobile carriers now use IPv6 by default, right? Hell, T-Mobile doesn't even give individual phones an IPv4 address anymore, which breaks a fair number of apps on the iPhone that depend on one.

/ask me how I know

How do you know?

\ no, really, it sounds interesting


From what I remember, I was getting "no IP address on interface" errors from the Cisco VPN client when I wasn't on Wi-Fi. I believe there were other apps that had issues too.

/work is IPv4 only and the app either had no idea about the IPv6->IPv4 tunneling T-Mobile does or can't handle it.
 
2018-03-05 09:03:51 PM  
I have an IPv6 tunnel from he.net at home. It mostly works, but Netflix gets pissy because it thinks I'm trying to use a VPN to access foreign content.
 
2018-03-05 09:12:54 PM  
As a nerd, I keep wanting to enable IPv6 on my home network. But every time I look into it, implementations are flaky and a pain in the ass. Plus, there seems to be absolutely no benefit whatsoever to doing so.

I can also easily memorize the IP addresses to all my local machines... IPv6, not so much.
 
2018-03-05 09:23:00 PM  

trialpha: I can also easily memorize the IP addresses to all my local machines... IPv6, not so much.


Multicast DNS solves that problem. You can use names like "raspberrypi.local" without needing to memorize any addresses.
 
2018-03-05 10:09:25 PM  
The benefit is "not needing NAT".

OS implementations are pretty well debugged at this point, it's the routers that are sometimes dodgy.
 
2018-03-05 10:12:56 PM  

Mike: The benefit is "not needing NAT".


Given that everything I have works perfectly with NAT, what does not having it get me, anyway?
 
2018-03-05 10:20:22 PM  

trialpha: Mike: The benefit is "not needing NAT".

Given that everything I have works perfectly with NAT, what does not having it get me, anyway?


Unique public IP addresses for your fridge and coffeepot?
 
2018-03-05 10:22:35 PM  

trialpha: Mike: The benefit is "not needing NAT".

Given that everything I have works perfectly with NAT, what does not having it get me, anyway?


It lets hackers directly access all your Internet-enabled devices directly from the Internet.

For people who have the know-how to maintain a firewall even when they don't need NAT, it lets them directly access all their Internet-enabled devices directly from the Internet, which is nice because then they don't have all kinds of arcane port-forwarding rules to their router.
 
2018-03-05 10:28:39 PM  

trialpha: Mike: The benefit is "not needing NAT".

Given that everything I have works perfectly with NAT, what does not having it get me, anyway?


Don't use SIP?

I'm excited for IPv6 just for that.
 
2018-03-05 10:32:12 PM  

aerojockey: For people who have the know-how to maintain a firewall even when they don't need NAT, it lets them directly access all their Internet-enabled devices directly from the Internet, which is nice because then they don't have all kinds of arcane port-forwarding rules to their router.


There are people who want to access local machines directly from the internet, without openvpn or similar? I assume they've either a) properly hardened these machines and placed them in a DMZ, or are b) mad
 
2018-03-05 10:33:47 PM  

trialpha: Mike: The benefit is "not needing NAT".

Given that everything I have works perfectly with NAT, what does not having it get me, anyway?


bwahahahah lolno.  You've never tried to use SIP through NAT, obviously...  or the trainwreck that's IPSec with NAT traversal...
 
2018-03-05 10:41:27 PM  

aerojockey: It lets hackers directly access all your Internet-enabled devices directly from the Internet.


I can't see how that will not be a disaster.
 
2018-03-05 10:42:18 PM  

TheManofPA: I'm secretly on IPv10.


Haha! I'm on IPX!
 
2018-03-05 10:42:59 PM  

gingerjet: FTFA: network engineers are getting their IPv6 networks up first and then worrying about locking down security later.

So network engineers are being network engineers.  The more things change the more they stay the same.


More like lazy engineers are being lazy.  At work, our IPv6 flows and services go through the same security review as our IPv4 ones.  Even here at home, my router/firewall device has the same "deny by default" policy set for both IPv4 and IPv6.  It was stupidly simple to lock things down.
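What "deny by default for IPv6" looks like in practice, as an added example for this thread rather than anyone's posted configuration: an nftables ruleset for a home gateway with one WAN and one LAN interface (the names wan0 and lan0, the 2001:db8:1::10 host in the commented-out exception, and the gateway running DNS and DHCPv6 itself are all assumptions). The part people get wrong when they copy an IPv4 policy across is ICMPv6: Neighbour Discovery, Router Advertisements from the ISP and Packet Too Big must be allowed (RFC 4890) or v6 silently breaks, and DHCPv6 replies arrive from the upstream router's link-local address rather than a global one.

```nft
#!/usr/sbin/nft -f
# Added example: deny-by-default IPv6 policy for a home gateway.
# Interface names and the example LAN host are assumptions.
table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 a v6 node cannot live without (RFC 4890): errors, PMTUD, ND
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request,
                      nd-neighbor-solicit, nd-neighbor-advert } accept
        # RAs only from the ISP side and only with hop limit 255 (link-local origin)
        iif wan0 icmpv6 type nd-router-advert ip6 hoplimit 255 accept
        # Solicitations and MLD only from our own LAN
        iif lan0 icmpv6 type { nd-router-solicit, mld-listener-query,
                               mld-listener-report, mld-listener-done } accept

        # DHCPv6 client: server replies come from the upstream link-local address
        iif wan0 ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept

        # LAN may use the gateway's own DNS and DHCPv6 services
        iif lan0 udp dport { 53, 547 } accept
        iif lan0 tcp dport 53 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif lan0 oif wan0 accept            # LAN to Internet, any protocol

        # Inbound to LAN hosts: only the ICMPv6 the hosts need for PMTUD and errors
        iif wan0 icmpv6 type { destination-unreachable, packet-too-big,
                               time-exceeded, parameter-problem } accept

        # Opt-in exposure is explicit and per host, the v6 equivalent of a port forward:
        # iif wan0 ip6 daddr 2001:db8:1::10 tcp dport 22 accept
    }
}
```

Load it with `nft -f` and check from the LAN that SLAAC still completes and that `ping -M do -s 1400` to an external host gets a Packet Too Big rather than a black hole; the commented-out forward rule is the only way a LAN host becomes reachable from outside, which is the same opt-in posture a NAT box gives you, without NAT.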
 
2018-03-05 10:44:01 PM  

trialpha: aerojockey: For people who have the know-how to maintain a firewall even when they don't need NAT, it lets them directly access all their Internet-enabled devices directly from the Internet, which is nice because then they don't have all kinds of arcane port-forwarding rules to their router.

There are people who want to access local machines directly from the internet, without openvpn or similar? I assume they've either a) properly hardened these machines and placed them in a DMZ, or are b) mad


How cute, you think everything is remote desktop and/or copying files around.
 
2018-03-05 10:45:49 PM  

jaytkay: aerojockey: It lets hackers directly access all your Internet-enabled devices directly from the Internet.

I can't see how that will not be a disaster.


It probably will be.  It may be the real reason ISPs have been slow to deploy IPv6 for home use.
 
2018-03-05 10:48:03 PM  

Mike: bwahahahah lolno. You've never tried to use SIP through NAT, obviously... or the trainwreck that's IPSec with NAT traversal...


My SPA112 ATA and Android VOIP app(s) don't seem to have any issues. Nor have I experienced any problems with any VPN clients. Sure, the implementations behind those are probably all horrible, but it's not like IPv6 itself is all that pretty.

That's the thing - IPv6 took so damn long to get rolled out that people pretty much solved all the issues with NAT. Horribly, but solved.
 
2018-03-05 10:51:00 PM  

BMFPitt: derpes_simplex: Boy, IPv4 could sure use a fifth octet.  They could call it IPv4.5

Aww, that's too easy.  Let's just create a whole new protocol that assumes that every device on the planet has to have a unique address and won't be using NAT.  Then let's turn it on by default.

They invented IPv6 before private addressing became a thing and we were getting seriously close to running out of IP addresses.

Also they gave out Class As like candy in the beginning.


Yeah no kidding on that last bit.  I worked for a company of less than 30 employees and a few measly million in revenue, and we were sitting on over 90 Class As.  We didn't sell most of them off until 2014 or so.  They were pretty valuable in the end.  Kept the company afloat a few more months.  Old school bitcoin.
 
2018-03-05 10:51:49 PM  

aerojockey: How cute, you think everything is remote desktop and/or copying files around.


For a home user? Pretty much. I'm honestly curious as to what the hell somebody could be doing on their home connection that requires public IPs for each device.
 
2018-03-05 11:04:04 PM  

trialpha: Mike: bwahahahah lolno. You've never tried to use SIP through NAT, obviously... or the trainwreck that's IPSec with NAT traversal...

My SPA112 ATA and Android VOIP app(s) don't seem to have any issues. Nor have I experienced any problems with any VPN clients. Sure, the implementations behind those are probably all horrible, but it's not like IPv6 itself is all that pretty.

That's the thing - IPv6 took so damn long to get rolled out that people pretty much solved all the issues with NAT. Horribly, but solved.


The basic problem with rolling such a big network is that to "fix" the address space and migrate you had to "fix" most of the NAT problems.  Which meant that the need to migrate suddenly got significantly further away in time.  And we all know how eager network programmers are to redo something that's working...

I do have to say that the nay-sayers at the adoption of IPv6 were wrong.  It wasn't a decade before it was adopted... it was much longer.

What doesn't get addressed (yes, pun intended) with a NAT solution is polling large numbers of IOT sensors.  Generic any to any solutions in fact are borked with NAT, but since you can fake most of that with centralized servers doing application level gateways... well the general public doesn't notice how screwed up your application actually is.

One of these days we'll get back to actual peer to peer deployments, instead of some half bastardized client-server application claiming it's peer to peer.  But given the slowness of some broadband carriers in rolling out v6, and the general lack of quality v6 tooling on consumer grade gear... I'm not yet getting excited.

/Moving from one broadband carrier in NJ to another - neither do IPv6.  Fortunately I'm not doing anything at home that makes me care... and when I care there is Hurricane Electric.
 
2018-03-05 11:06:26 PM  

aerojockey: jaytkay: aerojockey: It lets hackers directly access all your Internet-enabled devices directly from the Internet.

I can't see how that will not be a disaster.

It probably will be.  It may be the real reason ISPs have been slow to deploy IPv6 for home use.


I've never seen a consumer IPv6-enabled router that didn't deny by default.
 
2018-03-05 11:12:57 PM  

trialpha: aerojockey: How cute, you think everything is remote desktop and/or copying files around.

For a home user? Pretty much. I'm honestly curious as to what the hell somebody could be doing on their home connection that requires public IPs for each device.


v6 + IPSEC + LDAP was supposed to make deploying a VPN a snap.  We'd have gotten to zero trust networks (and with some tweaks be able to do hop by hop flow validation - Multipoint SA for your AH header, End to End SA for the ESP header) that could discard known bad packets before even trying to forward them.  Setting up trust relationships would have been trivial, discovery of devices would have been trivial, and everyone would participate in a global namespace.  No clients to get back to your DVR, no need to register your cameras with some cloud platform to gain access to them, and the costs of running game servers, VoIP, etc... would be a fraction of what it is today.  But we got to defer a few hundred million in capital for a bunch of broadband providers, so all good.
 
2018-03-05 11:41:50 PM  

derpes_simplex: BMFPitt: derpes_simplex: Boy, IPv4 could sure use a fifth octet.  They could call it IPv4.5

Aww, that's too easy.  Let's just create a whole new protocol that assumes that every device on the planet has to have a unique address and won't be using NAT.  Then let's turn it on by default.

They invented IPv6 before private addressing became a thing and we were getting seriously close to running out of IP addresses.

Also they gave out Class As like candy in the beginning.

Yeah no kidding on that last bit.  I worked for a company of less than 30 employees and a few measly million in revenue, and we were sitting on over 90 Class As.  We didn't sell most of them off until 2014 or so.  They were pretty valuable in the end.  Kept the company afloat a few more months.  Old school bitcoin.


*90* Class As? There were only 126 Class A blocks in the entire IPv4 numbering plan (back when we cared about classes, that is...we've been simply calling them "/8"s since the early 2000s). MIT selling off *half* of their /8 was a big deal.

I think you're actually thinking of /16 (formerly "Class B") or /24 ("Class C").
 
2018-03-05 11:48:05 PM  

rekoil: derpes_simplex: BMFPitt: derpes_simplex: Boy, IPv4 could sure use a fifth octet.  They could call it IPv4.5

Aww, that's too easy.  Let's just create a whole new protocol that assumes that every device on the planet has to have a unique address and won't be using NAT.  Then let's turn it on by default.

They invented IPv6 before private addressing became a thing and we were getting seriously close to running out of IP addresses.

Also they gave out Class As like candy in the beginning.

Yeah no kidding on that last bit.  I worked for a company of less than 30 employees and a few measly million in revenue, and we were sitting on over 90 Class As.  We didn't sell most of them off until 2014 or so.  They were pretty valuable in the end.  Kept the company afloat a few more months.  Old school bitcoin.

*90* Class As? There were only 126 Class A blocks in the entire IPv4 numbering plan (back when we cared about classes, that is...we've been simply calling them "/8"s since the early 2000s). MIT selling off *half* of their /8 was a big deal.

I think you're actually thinking of /16 (formerly "Class B") or /24 ("Class C").


Sorry, yes they were /16s cut out for a former hosting operation.  Memory is a funny thing.
 
2018-03-06 12:01:10 AM  
What did they do, try to exhaust the IPv6 address pool?
 
2018-03-06 12:53:54 AM  
Sorting my IP spreadsheet databases is gonna be a nightmare.
 
2018-03-06 12:56:47 AM  

Dinjiin: aerojockey: jaytkay: aerojockey: It lets hackers directly access all your Internet-enabled devices directly from the Internet.

I can't see how that will not be a disaster.

It probably will be.  It may be the real reason ISPs have been slow to deploy IPv6 for home use.

I've never seen a consumer IPv6-enabled router that didn't deny by default.


So what's your point?  You think the ISPs were like, "Nah we're fine, all the routers are deny by default so we don't have to worry about hackers using our network to take over IPv6 devices?"  Well they might have been, because they're stupid.

If you think the NAT isn't a layer of protection above the firewall I think you are very, very mistaken.  It's pretty much an opt-in/opt-out difference and it matters.  Some slacking teenager who wants to host a game server would probably go into the router and just disable the firewall.  Can't turn off the firewall if you need it for NAT, though; the slacker doesn't have that easy out.  You can actively thwart it but the damage is far less.  I still say NAT is a feature, not a bug, for most home users.

Also, I'm pretty sure this consumer IPv6 enabled router does not deny by default:
[image]
 
2018-03-06 01:15:03 AM  

aerojockey: derpes_simplex: Aww, that's too easy.

It's actually not.

The point about not needing NAT any more is a good one though.  Local nets and the need for NAT always annoyed me but I always figured it was more of a feature than a bug for most people.


+1 - it was better than a bare PC, but double NAT killed inexperienced users often.
 
2018-03-06 01:17:29 AM  

BMFPitt: derpes_simplex: Boy, IPv4 could sure use a fifth octet.  They could call it IPv4.5

Aww, that's too easy.  Let's just create a whole new protocol that assumes that every device on the planet has to have a unique address and won't be using NAT.  Then let's turn it on by default.

They invented IPv6 before private addressing became a thing and we were getting seriously close to running out of IP addresses.

Also they gave out Class As like candy in the beginning.


Should be interesting to see peak IPv4 in terms of pricing. The idea is that when people get to the crunch due to lacking addresses it will, then as almost everyone is on v6 it will get worthless IIRC.
 
2018-03-06 01:22:08 AM  

Dr. Bogenbroom: TheManofPA: I'm secretly on IPv10.

Haha! I'm on IPX!


I'm on SPX!
 
Displayed 50 of 65 comments