IPv6 means I can use Let's Encrypt certs in my home LAN with their standard validation method without resorting to port forwarding bullshit.
End-to-end connectivity is so nice. It is how the internet was meant to be before our collective lack of foresight gave us NAT.
@staticsafe TBF, Let's Encrypt on the LAN is pretty straightforward with DNS authorization too (at least if you run your own authoritative NS, never had to do this with 3rd-party DNS). :3
But yes, IPv6 connectivity is gooooood :3
@kellerfuchs yeah, I know about DNS validation; I use it with acme.sh + DNSMadeEasy in other places, but it's nice not to worry about setting that up and just use the letsencrypt package from the Ubuntu repositories
@clacke I'm using a BGP tunnel from Hurricane Electric, no native connectivity from my ISP yet unfortunately
@staticsafe My ISP does support v6 (https://aa.net.uk/) but the ADSL modem/router they sold me for it is a puzzle to configure (ZyXEL) and didn't work with my Ubuntu or Raspbian systems (they don't get routable addresses). I realise you don't need one yourself, but do you happen to know of any decent consumer ADSL/VDSL modems/routers for v6?
@edavies I don't know of any but I'll boost your questions because others may
There is also the aa.net.uk IRC if you want to ask there:
@staticsafe Ta. Did see somebody else asking before about this (forget where) and just getting a shrug from A&A but worth another go when I've time to dive into it a bit.
@staticsafe it all fell apart with the consumerization of IT around 2008... standards were tossed aside for iPhones and iPads. Fragmentation became king...
It is shit now.
@thegibson @staticsafe oh, I hear what you're saying. Ultimately in that space we're not solving the same problems any more, and we need new tools for the new problems. I think Google is doing better at this than others, but ultimately we're working with much more heterogeneous environments than we used to, which creates difficulty. There's a business opportunity there somewhere.
Also, as an aside... managing Macs in an enterprise environment is like herding cats.
A hodge podge of management tools that do what they should 80% of the time.
Apple does it to themselves though. They need a Group Policy equivalent, and none of the 3rd party tools quite get there.
@staticsafe IPv6 was drafted so long ago and has been so intensely tested for so long that little room remains for a lack of foresight explanation.
It's been really a political decision to slow down and impair IPv6 wherever IPv6 could deliver more freedom and decentralisation.
@staticsafe TBH, I feel like the lack of IPv6 rollout support is, like, 85% about making it harder for people to self host stuff.
The failure to roll out IPv6 was more due to ISPs simply not wanting to sink investment in upgrading their infrastructure until the very last minute, and not so much due to malice. Malice came later once opportunists saw how they could exploit their new-found scarcity.
The ability of the Internet to "route around failures" is fundamentally predicated on the end-to-end argument being valid. You cannot have true E2E as long as you must depend on NAT.
I clarified a point that you had muddied, yeah.
That's how discussions work, unless something has changed in the last 24 hours of which I was unaware.
@ajroach42 Just wanted to make sure we were on the same page. :)
@staticsafe From a technical standpoint I very much agree, but I can't help but think that block-everything NAT firewalls being the default for every consumer network is the only thing truly saving us from the IoT nightmare
@elomatreb eh NAT didn't stop things like the Mirai botnet from happening
@staticsafe Didn't stop it from happening entirely, but I shudder to think how much worse (and more common) it would be.
Admittedly scanning the entire internet/address ranges is harder with v6 simply due to the larger amount, but still
@elomatreb searching the entirety of IPv6 address space is basically impossible currently due to the numbers involved
granted there are some methods that can reduce the search radius but that is not guaranteed to work with things like IPv6 Temporary Addresses and randomizing identifiers. It's like searching for needles that are moving in a very large haystack.
@staticsafe Problem is, that won't do any good unless we ever get to a point where v6-only connectivity is feasible. My ISP currently doesn't even give me v6 at all (and does weird stuff that breaks tunnels), and yet I can still use everything
@staticsafe I've got a lot of stuff running internally which I simply haven't bothered to secure against internet access, though. To be on the safe side, I've basically just firewalled all incoming IPv6 at my router, aside from a few whitelisted services on particular machines.
With a setup like this, stuff like ICE is still needed to get a 2-way path through the stateful firewall, even if I'm not using NAT.
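The "firewall all incoming IPv6, whitelist a few services" setup described in the post above, as an added example that is not part of any post in this thread: a POSIX shell script that generates an nftables ruleset for a Linux home router. Interface names and the 2001:db8: addresses are constructed placeholders; the script only prints the ruleset unless run with `--apply`, and the literal host addresses must be regenerated whenever the delegated prefix changes.

```shell
#!/bin/sh
# Added example (not from the thread): stateful default-deny inbound IPv6
# on a Linux router using nftables, with a short whitelist of services.
WAN_IF="${WAN_IF:-eth0}"   # assumed upstream interface name
LAN_IF="${LAN_IF:-br0}"    # assumed LAN bridge name
# Whitelist as "host_address port" lines; 2001:db8::/32 is documentation space.
ALLOWED="2001:db8:1234:1::80 443
2001:db8:1234:1::22 22"

# Print the ruleset: inbound from the WAN is dropped unless it is a reply to
# our own traffic, essential ICMPv6, or destined for a whitelisted service.
gen_ruleset() {
  cat <<EOF
table ip6 homefw {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    # Never block these: NDP, router advertisements and PMTUD depend on them.
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
    iifname "$LAN_IF" accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
    iifname "$LAN_IF" oifname "$WAN_IF" accept
EOF
  # One accept rule per whitelisted host/port; these are prefix-specific.
  echo "$ALLOWED" | while read -r host port; do
    [ -n "$host" ] || continue
    printf '    iifname "%s" ip6 daddr %s tcp dport %s accept\n' "$WAN_IF" "$host" "$port"
  done
  cat <<EOF
  }
}
EOF
}

# Count the whitelist rules that would be opened, for review before applying.
count_whitelist() { gen_ruleset | grep -c 'tcp dport'; }

main() {
  if [ "$1" = "--apply" ]; then gen_ruleset | nft -f -; else gen_ruleset; fi
}
main "$@"
```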
@staticsafe but some ISPs' IPv6 implementations still aren't ideal. Telus: blocked ports and a dynamic prefix, and most firewalls still don't gracefully handle prefix changes.
@jtl blocked ports? you mean the CPE they provide has some sort of default-deny ruleset?
@staticsafe No, this is upstream :/
I only use their CPE for IPTV boxes. It's FTTH with a WAN ethernet handoff to my switch. No NAT or anything else.
All important servers are hosted in a DMZ network which is IPSec tunneled to a box 5ms away with no such restrictions, other than MTU 1434, it works.
@staticsafe They unblocked port 80 for IPv6, and 443 for both v4 and v6
@jtl oh jeez that's annoying
@jtl I have Bell FTTH; I took the SFP out of their provided CPE and I'm using it with my Mikrotik CRS. Bell still uses PPPoE for auth and IP assignment; thankfully I don't take an MTU hit because they do support 1500 MTU on their PPPoE
@staticsafe This is Telus in BC
@jtl aye, AFAIK Telus provides residential service in BC only
Toronto is basically divided up between Bell and Rogers and the various TPIAs like TekSavvy
Alberta too! And very isolated pockets of Quebec.
So I've heard