
IPv6 means I can use Let's Encrypt certs in my home LAN with their standard validation method without resorting to port forwarding bullshit.

End-to-end connectivity is so nice. It is how the internet was meant to be before our collective lack of foresight gave us NAT.

@staticsafe TBF, Let's Encrypt on the LAN is pretty straightforward with DNS authorization too (at least if you run your own authoritative NS, never had to do this with 3rd-party DNS). :3

But yes, IPv6 connectivity is gooooood :3

@kellerfuchs yeah I know about DNS validation, I use it with acme.sh + DNSMadeEasy in other places but it's nice not to worry about setting that up and just use the letsencrypt package from the Ubuntu repositories

@staticsafe Do you have native v6, or are you using some transition mechanism?

@clacke I'm using a BGP tunnel from Hurricane Electric, no native connectivity from my ISP yet unfortunately

@staticsafe My ISP does support v6 (aa.net.uk/) but the ADSL modem/router they sold me for it is a puzzle to configure (ZyXEL) and didn't work with my Ubuntu or Raspbian systems (they don't get routable addresses). I realise you don't need one yourself but do you happen to know of any decent consumer ADSL/VDSL modems/routers for v6?

@edavies I don't know of any but I'll boost your questions because others may

@staticsafe Ta. Did see somebody else asking before about this (forget where) and just getting a shrug from A&A but worth another go when I've time to dive into it a bit.

@staticsafe it all fell apart with the consumerization of IT around 2008... standards were tossed aside for iPhones and iPad. Fragmentation became king...

It is shit now.

@thegibson @staticsafe Lol...it was all jammed together with Elmer's glue and duct tape long before that.

@Miller_Geek @staticsafe

Nowhere near as bad.

Things got needlessly complex at that point.

@thegibson @staticsafe from where I'm sitting, things are getting simpler, but maybe that's just my expertise growing.

@Miller_Geek @staticsafe tools are getting simpler to use... especially in informed. THAT sector has improved significantly.

The user experience and enterprise management tools have gone straight to shit in many cases.

@thegibson @staticsafe oh, I hear what you're saying. Ultimately in that space we're not solving the same problems any more, and we need new tools for the new problems. I think Google is doing better at this than others, but ultimately we're working with much more heterogeneous environments than we used to, which creates difficulty. There's a business opportunity there somewhere.

@Miller_Geek @staticsafe totally agreed. I have a client that is a gsuite shop. And it usually is pretty easy to work with. I wish their event auditing was a little better, but it is certainly usable.

@Miller_Geek @staticsafe

Also, as an aside... managing Macs in an enterprise environment is like herding cats.

A hodge podge of management tools that do what they should 80% of the time.

Apple does it to themselves though. They need a Group Policy equivalent, and none of the 3rd party tools quite get there.

@Miller_Geek @staticsafe don't get me wrong, some areas have improved, but a lot has not.

@staticsafe IPv6 was drafted so long ago and has been so intensely tested for so long that little room remains for a lack of foresight explanation.

It's been really a political decision to slow down and impair IPv6 wherever IPv6 could deliver more freedom and decentralisation.

@staticsafe TBH, I feel like the lack of IPv6 rollout support is, like, 85% about making it harder for people to self host stuff.

@ajroach42 @staticsafe You're *so* close.

The failure to roll out IPv6 was more due to ISPs simply not wanting to sink investment in upgrading their infrastructure until the very last minute, and not so much due to malice. Malice came later once opportunists saw how they could exploit their new-found scarcity.

The ability of the Internet to "route around failures" is fundamentally predicated on the end-to-end argument being valid. You cannot have true E2E as long as you must depend on NAT.

@vertigo @staticsafe At first, sure, it was cost.

Today, though, it's about taking away the ability to do things.

@ajroach42 @staticsafe You just reiterated my bit about the opportunists capitalizing on the false scarcity.

@vertigo
I clarified a point that you had muddied, yeah.

That's how discussions work, unless something has changed in the last 24 hours of which I was unaware.

@ajroach42 Just wanted to make sure we were on the same page. :)

@ajroach42 @staticsafe Or the way it is rolled out. My ISP here offers IPv6 with changing prefixes by default, v4 behind CG-NAT...

@staticsafe From a technical standpoint I very much agree, but I can't help but think that block-everything NAT firewalls being the default for every consumer network is the only thing truly saving us from the IoT nightmare

@elomatreb eh NAT didn't stop things like the Mirai botnet from happening

@staticsafe Didn't stop it from happening entirely, but I shudder to think how much worse (and more common) it would be.

Admittedly scanning the entire internet/address ranges is harder with v6 simply due to the larger amount, but still

@elomatreb searching the entirety of IPv6 address space is basically impossible currently due to the numbers involved

granted there are some methods that can reduce the search radius but that is not guaranteed to work with things like IPv6 Temporary Addresses and randomizing identifiers. It's like searching for needles that are moving in a very large haystack.

@staticsafe Problem is, that won't do any good unless we ever get to a point where v6-only connectivity is feasible. My ISP currently doesn't even give me v6 at all (and does weird stuff that breaks tunnels), and yet I can still use everything

@staticsafe I've got a lot of stuff running internally which I simply haven't bothered to secure against internet access, though. To be on the safe side, I've basically just firewalled all incoming IPv6 at my router, aside from a few whitelisted services on particular machines.

With a setup like this, stuff like ICE is still needed to get a 2-way path through the stateful firewall, even if I'm not using NAT.

@staticsafe but some ISPs' IPv6 implementations still aren't ideal. Telus, blocked ports and a dynamic prefix, and most firewalls still don't gracefully handle prefix changes.
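
Added example (not code from anyone in this thread): an nftables ruleset for the router setup described a few posts up, dropping unsolicited inbound IPv6 while whitelisting one service on one LAN host, and matching that host by its interface identifier rather than its full address so the rule survives the prefix changes mentioned here. Interface names "wan0"/"lan0" and the host's interface identifier are assumed, constructed values.

```nft
# Constructed example: stateful inbound IPv6 filtering at the home router.
# Assumptions: WAN interface "wan0", LAN interface "lan0", and a LAN host whose
# interface identifier (low 64 bits of its address) is ::1a2b:3c4d:5e6f:7a8b.
table ip6 filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful part: replies to LAN-initiated connections are let back in.
        # This is also why something like ICE is still needed for peer-to-peer
        # even without NAT: an unsolicited inbound packet never matches here.
        ct state established,related accept
        ct state invalid drop

        # Traffic originating on the LAN leaves freely.
        iifname "lan0" accept

        # Do not blanket-drop ICMPv6: Path MTU discovery and error reporting
        # depend on it, and breaking it causes hard-to-diagnose stalls.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # Whitelisted service. Masking the destination with ::ffff:ffff:ffff:ffff
        # compares only the interface identifier, so the rule keeps matching the
        # same host after the ISP hands out a new delegated prefix.
        iifname "wan0" ip6 daddr & ::ffff:ffff:ffff:ffff == ::1a2b:3c4d:5e6f:7a8b tcp dport { 80, 443 } accept
    }
}
```

This only holds if the host keeps a stable interface identifier (for example a static or EUI-64 suffix); a host using temporary/privacy addresses for inbound service would not be matched.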

@jtl blocked ports? you mean the CPE they provide has some sort of default-deny ruleset?

@staticsafe No, this is upstream :/

I only use their CPE for IPTV boxes. It's FTTH with a WAN ethernet handoff to my switch. No NAT or anything else.

All important servers are hosted in a DMZ network which is IPSec tunneled to a box 5ms away with no such restrictions, other than MTU 1434, it works.

gist.github.com/jtl999/28f3e07

mastodon.social/media/xsx5yYSD

@staticsafe They unblocked port 80 for IPv6, and 443 for both v4 and v6

lool

@jtl I have Bell FTTH, took the SFP out of their provided CPE and using it with my Mikrotik CRS, Bell still uses PPPoE for auth and IP assignment, thankfully I don't take a MTU hit because they do support 1500MTU on their PPPoE

@jtl aye, AFAIK Telus provides residential service in BC only

Toronto is basically divided up between Bell and Rogers and the various TPIAs like TekSavvy

@staticsafe
Alberta too! And very isolated pockets of Quebec.

So I've heard

Zombocom

staticsafe's personal Mastodon instance.