i still remember the PGP source code and 3DES being classed as munitions. there were t-shirts w pgp code as one workaround.
a company i was working for (UUNET) was doing a 3DES encrypted tunnel box at the time. we had to get registered as arms dealers with the state dept. two cool results:
1) we got the auction catalog with used tanks, etc. seemed like the perfect DC commuting vehicle
2) i got to call my parents and tell them that they didn't have to worry about me working on that weird/shifty thing, the internet. i was now an arms dealer.
@encthenet@tasket@brouhaha@paul_ipv6 The computing and internet environments have a much different scale than they did in the early 90s, and encrypted protocols were still a big fight with the NSA/FBI to get implemented. Even DNS with RSA signatures on it got blocked by anti-Communism export control laws, and getting IPSEC implemented required Gilmore hiring a bunch of non-US people to develop it outside the US. Phone networks weren't allowed to use decent encryption. NAT was also controversial because it broke the end-to-end principle that had made it easy to develop applications across the net.
@paul_ipv6 The only reason I would want NAT66 is address privacy. If I didn't need each host to have a fixed IPv6 address for use inside the network, then RFC4941 would be sufficient. NAT66 looks like it would be an easier solution to get both external address privacy and internal fixed addresses, compared to having the hosts have to do both SLAAC and DHCPv6. If I get anything working I'll post about it. It's not a high priority at the moment.
This is what I thought when someone recently berated me for wanting NAT beyond IPv4: "OK, here are all my IPv6 devices and they are not doing privacy extensions... its up to me to make that happen??"
I even thought it might be just a Network Manager thing, but then I looked at non-Linux devices and they were single-address IPv6 as well.
The IPv6 privacy extensions were an afterthought that came over a decade later. Here is what The Internet Society says:
"When IPv6 was conceived in the mid-90s the Internet wasn't composed of so many mobile devices like it is today. Also, the combination of the words 'privacy' and 'computer' weren't as salient nor contentious as they are today."
Yeesh. The Internet was conceived as being resilient to hostile attacks. But they seem to be saying here that the effusive 90s mindset made them naive. We could re-name IPv6 "Internet Vista" and tell everyone we're waiting for the upgrade to "Internet 7".
The "experts" all say to never use NAT66 because it's EEEEEVIL, but it would solve my use case in a much simpler manner than having to do both SLAAC and DHCPv6 on all my subnets and both protocols on each client node. I'm pretty sure I could more easily get NAT66 working on my gateway router, but I'll try doing this the hard way, just to learn how to do it.
for the same reason that having 1918 space & NAT as one layer of your security is frequently useful (though not enough in and of itself), NAT66 does solve some problems and make things harder for attackers.
it does up the complexity of debugging on your part, which is one reason i'm not a huge NAT fan in general. but security is all about risk/benefit/complexity tradeoffs.
be interested to see what you wind up with, assuming you can share.
I want to use DHCPv6 to assign static IPv6 addresses for many of my machines, and put their addresses in my private DNS, but also have the machines use SLAAC/RFC4941 privacy addresses for communication with the outside world. Along with SLAAC, the router advertisements will be for ::/0, while DHCPv6 will provide a default route for my local networks. From a command line, I think I can configure a client machine to do both, but I haven't figured out how to do it with NetworkManager.
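A way to audit the concern raised above (hosts exposing a single, MAC-derived address instead of RFC 4941 temporary ones): this is an added example, not code from anyone in the thread. It classifies IPv6 addresses by whether their interface identifier follows the modified EUI-64 layout, recovers the embedded MAC when it does, and generates an RFC 4941-style temporary identifier; all addresses and prefixes are constructed sample values.

```python
import ipaddress
import secrets

IID_MASK = (1 << 64) - 1


def interface_id(addr: str) -> int:
    """Low 64 bits (the interface identifier) of an IPv6 address."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def eui64_mac(addr: str):
    """Return the MAC embedded in a modified EUI-64 identifier, or None.

    RFC 4291 builds the identifier from the MAC by inserting 0xFFFE in the
    middle and flipping the universal/local bit (0x02 of the first octet).
    """
    b = interface_id(addr).to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{x:02x}" for x in mac)


def classify(addr: str) -> str:
    """'eui64' when the address leaks a hardware MAC, else 'other'
    (DHCPv6/static or RFC 4941 temporary identifiers both land here)."""
    return "eui64" if eui64_mac(addr) else "other"


def temporary_iid() -> int:
    """RFC 4941 temporary identifier: 64 random bits with the u/l bit
    cleared so it can never be mistaken for a globally unique EUI-64."""
    b = bytearray(secrets.token_bytes(8))
    b[0] &= 0xFD
    return int.from_bytes(b, "big")


def temporary_address(prefix: str) -> str:
    """Combine a /64 prefix (as learned from an RA) with a fresh temporary
    identifier, the way a privacy-extensions host would."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC prefixes are /64")
    return str(ipaddress.IPv6Address(int(net.network_address) | temporary_iid()))


if __name__ == "__main__":
    # Constructed sample: one EUI-64 host, one DHCPv6 static, one temporary.
    for a in ("2001:db8::211:22ff:fe33:4455", "2001:db8::10",
              "2001:db8::1c3a:9b77:5e2d:a41"):
        print(a, classify(a), eui64_mac(a))
    print(temporary_address("2001:db8:1::/64"))
```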
@paul_ipv6@encthenet@tasket@brouhaha Matt Blaze once took an AT&T encrypted phone on a plane to somewhere outside the US, doing all the ITAR paperwork required to do so, which was entertaining for all concerned.
@AceArsenault@tasket@paul_ipv6 My machines do have unique globally routable IP addresses, and I do use a firewall, but security isn't a single issue. A firewall isn't sufficient to handle the security concern of tracking based on IP addresses. While NAT isn't the only way to deal with that, it is a simple and effective way. While it's true that NAT has some undesirable properties, they may not be a significant concern in all cases.
NAT was a stop gap measure for the limits of IPv4.
In the perfect utopian world every device would have its own IP address and the security happens on the gateway router before reaching that device.
In the real world, 95% of business networks I see are running IPv4 internally behind a NAT with a single IPv4 external address and using the NAT as a type of port->device firewall. *lol*