It recently took me 3 days to find out why Google knows my exact location despite the VPN. I deactivated all geo settings in Firefox, deactivated WebRTC etc. In the end, it turned out that IPv6 was giving away my location. The WireGuard VPN runs over IPv4. After deactivating IPv6 in the network settings, Google greeted me with Japanese characters :-)
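A check for the leak described in the post above, as an added example that is not part of the thread: it reads a wg-quick style config and `ip -6 route show` output and reports interfaces where IPv6 leaves the host outside an IPv4-only tunnel. Both inputs are constructed samples, the names `wg0` and `eth0` are assumptions, and a tunnel whose AllowedIPs add up to `::/0` is assumed to have its routes installed by wg-quick.

```python
import ipaddress

# Constructed sample: wg-quick style config for an IPv4-only tunnel.
SAMPLE_WG_CONF = """\
[Interface]
Address = 10.8.0.2/32
PrivateKey = REDACTED

[Peer]
PublicKey = REDACTED
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
"""

# Constructed sample: `ip -6 route show` output from the same host.
SAMPLE_ROUTES6 = """\
2001:db8:1234::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 100 pref medium
"""

def tunnel_covers_all_ipv6(wg_conf):
    """True if the peers' IPv6 AllowedIPs together add up to ::/0."""
    nets = []
    for line in wg_conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "allowedips":
            nets += [ipaddress.ip_network(v.strip(), strict=False)
                     for v in value.split(",") if v.strip()]
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return any(n.prefixlen == 0 for n in v6)

def ipv6_leak_devices(wg_conf, routes6, wg_dev="wg0"):
    """Devices that carry an IPv6 default route outside the tunnel.

    An empty list means no bypass was found: either the tunnel claims all
    IPv6 traffic, or the host has no IPv6 default route at all.
    """
    if tunnel_covers_all_ipv6(wg_conf):
        return []
    devs = []
    for line in routes6.splitlines():
        f = line.split()
        if f and f[0] in ("default", "::/0") and "dev" in f:
            dev = f[f.index("dev") + 1]
            if dev != wg_dev and dev not in devs:
                devs.append(dev)
    return devs

if __name__ == "__main__":
    print("IPv6 leaves outside the tunnel via:",
          ipv6_leak_devices(SAMPLE_WG_CONF, SAMPLE_ROUTES6))
```

On a real host, feed it the contents of the tunnel's config file and the live output of `ip -6 route show`.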
@threat @Data I think after the ISPs start caring about IPv6, we'll end up with a bunch of stupid "I gotta block IPv6 packets at the router level, all these stupid devices keep generating IPv6 addresses and side-channeling shit out through them." problemisconnecting.gif
@Data @p ran into this problem myself in earlier days of weird networking adventures. i was only able to get things to work without a leak by setting two wg interfaces (v4+v6) then dealing with the respective route tables and nftables rules. disabling ipv6 is about the only thing that makes sense since imho i doubt we will ever see adoption greater than 30% of the internet (i pulled that figure out of my cornhole)
Second-system syndrome. You look at the shit in the RFCs in the 1990s and it's overly ambitious, full of shit that no one's gonna implement correctly, but they keep plodding along and yelling that their utopia is the inevitable future and that everyone else had better get with the program, and I will give you all of my money if anyone has ever spent 30 years yelling "My utopia is the inevitable future, you cannot resist progress, we have to jump now and worry about the world not being ready after we've converted!" and their utopia actually happened and it even vaguely resembled the brochure. I think it'll end up spreading through the space where it currently lives, it'll be the freight elevator of the internet. We'll move to Tor or something before that ever happens.
> my guess is isps will continue to nat+cgnat tf out of customers. this is fine by me.
I hate NAT but I think I hate IPv6 more. But I go look at the Go mailing list and here's a CVE for that stupid "IPv4 address represented in IPv6" and I have been saying for years that no one was going to parse it correctly. Look at RFC5964: if they can't even get the BNF right on the first try, what's supposed to happen?
:chuckmoore: Chuck Moore pointed out, completely accurately, that people are shitty at writing parsers and that this is one of the biggest sources of bugs. (I can't say I agree with his conclusion that we should abandon parsers altogether.)
> in retrospect, i should have bought many /24's back in the 00's. i could be a rich man with multiple datacenters sitting back playing with servers and counting cash :franciscointensifies:
@p @Data maybe so. i liked the idea of ipv6 in the beginning when rfc was drafted. but it's been nothing but a pain. the only use-case i can make for it is an overlay network/p2p setup like yggdrasil or any other variant.
my guess is isps will continue to nat+cgnat tf out of customers. this is fine by me.
in retrospect, i should have bought many /24's back in the 00's. i could be a rich man with multiple datacenters sitting back playing with servers and counting cash :franciscointensifies:
@p
> I wonder why DHCPv6 exists.
Since people can't help but implement broken degeneracy for IPv6.
I always disable DHCPv6.
> Does SLAAC tell the PXE where to tftp a kernel from?
No, as that insecure method of loading up proprietary software is a bad idea.
> If IPv4 doesn't work, your network is broken.
IPv6 just works nearly immediately, while IPv4 takes a while to maybe work, as SLAAC is much faster than DHCP and sometimes IPv4 breaks, but things work fine for a while as IPv6 continues to work.
You can disable the entire IPv6! Nothing bad happens.
> No, as that insecure method of loading up proprietary software is a bad idea.
"Proprietary"? I've never used PXE for anything besides Linux and Plan 9 (and it is way easier to get it to work in Plan 9).
It is also moderately absurd to call it insecure. "Oh, no, it booted the wrong thing because I allowed a man with a black hat and a handlebar moustache to plug strange machines into my network! This diskless machine is now compromised! I'll have to...I guess you just reboot it and it's fine."
> IPv6 just works nearly immediately,
In the sense that you can say you have an address, maybe. I wouldn't say that a networking protocol "works" until it can get the packets to the internet.
> sometimes IPv4 breaks,
This is making me question what you mean by "broken" or "working".
@p
> "Proprietary"? I've never used PXE for anything besides Linux
That is a proprietary kernel, full of proprietary software, so loading it consists of loading proprietary software.
The only free versions of Linux I've heard of are GNU Linux-libre and what Debian ships (although I'm not sure that's the case anymore).
> This diskless machine is now compromised! I'll have to...I guess you just reboot it and it's fine."
Some attackers love to write rootkits into whatever storage that's available, whether that's the SPI flash chip for the BIOS or UEFI, the GPU VBIOS, or another undocumented storage medium.
> In the sense that you can say you have an address, maybe. I wouldn't say that a networking protocol "works" until it can get the packets to the internet.
I can send IPv6 packets to the internet before DHCP allocates the IPv4 address.
> This is making me question what you mean by "broken" or "working".
I mean IPv4 packets are no longer being routed to the internet, while IPv6 packets are.
It's GPL. I haven't even tried to get the proprietary firmware blobs across the network.
> and what Debian ships (although I'm not sure that's the case anymore).
:rms: endorsed Gentoo. CRUX is source-based, you have to go way out of your way to get a proprietary thing to happen on it.
> Some attackers love to write rootkits into whatever storage that's available, whether that's the SPI flash chip for the BIOS or UEFI, the GPU VBIOS, or another undocumented storage medium.
If you can successfully carry out this attack on my network, I will not even try to get rid of you.
> I mean IPv4 packets are no longer being routed to the internet, while IPv6 packets are.
If IPv4 packets are not being routed to the internet, your network is broken.
Although it has "// SPDX-License-Identifier: GPL-2.0" on the top, that is not the license as reviewing the git log, that was added via a script.
> I haven't even tried to get the proprietary firmware blobs across the network.
I wasn't referring to the proprietary peripheral software derivative works updated in lockstep in the oh so "separate" "linux-firmware".
> If IPv4 packets are not being routed to the internet, your network is broken.
That's a big claim.
Some networks are IPv6-only and pretty much every endpoint on the internet can be reached from there except for broken endpoints that don't support IPv6.
Your network is broken if it doesn't implement IPv6 and if it implements legacy IP, that's using it via a broken method unless you're using IPv4 without NAT as it was designed to work (I've noticed that IPv4 actually works semi-decently without NAT, although not as well as IPv6).
It's GPL 2.0 per the documentation and the SPDX identifiers in the files.
> One example is this proprietary software, consisting of microprocessor instructions with no source code;
That code, such as it is, is GPL'd. I don't own any PowerPC hardware (besides a PS3) so I don't run that code anyway.
> Although it has "// SPDX-License-Identifier: GPL-2.0" on the top, that is not the license as reviewing the git log, that was added via a script.
"If you run an editor to add an SPDX line, that is real. If you run a different program, that is not real."
> Some networks are IPv6-only
:shrug_akko: They're broken.
> and pretty much every endpoint on the internet can be reached from there except for broken endpoints that don't support IPv6.
I could say this about IPX/SPX networking.
> unless you're using IPv4 without NAT as it was designed to work
When people actually started attempting to use it, we ended up with RFCs 1338, 1518, 1519, 1541, 1597, 1631, 1917. It was "designed" to work with a massive hosts file, not with DNS. It was "designed" to accommodate 253 distinct networks, and then we decided to call those "Class A", and now they're "/8". The "original design" stopped being relevant before IPv6 was codified. RFC 824, written in the summer of 1982, describes bridging another network into the actual Internet (commonly called "IPv4"); "port numbers" were not part of the original design, just protocol identifiers, and hosts were expected to all speak telnet, finger, and FTP. White papers were not even solicited for IPng until December 1993.
The utopian vision, "There must only be one protocol, it must be IPng, and this design has been perfect from the beginning, and it solves all of the problems", is a complete failure based on the lies that this is the internet we're supposed to have, that eliminating "legacy" protocols is achievable or even desirable, that IPv6 has no real drawbacks, that IPv6 has no drawbacks compared to the Internet Protocol, that every improvement made to the Internet Protocol is actually a "hack", that "We want the computers to talk to each other" necessarily means that anything with a chip in it should be globally routeable, that no better protocol can exist, and so on.
Ye gods, I can suffer through someone saying they like IPv6, extolling IPv6's virtues, but failing to recognize IPv6's infelicities, pretending that it is the only way forward, pretending that every device must be globally addressable, and enough of that happens that I CANNOT BEAR YOUR WORDS, THEY ARE TOO TINY lesson009.jpg