stop using ipv6, because assigning addresses is a nightmare!
mk (mk@mastodon.satoshishop.de)'s status on Tuesday, 19-Nov-2024 23:21:47 JST
mk (mk@mastodon.satoshishop.de)'s status on Wednesday, 20-Nov-2024 00:31:13 JST
mk: you like SLAAC, huh?
go ahead, let your devices create their own addresses (SLAAC with scope:global addresses).
using IPv6 without a packet filter/firewall, in a world full of internet-of-shit devices and "it doesn't need to be secure, because it's just the local network" services, is a very bad idea.
DDoS is already a big problem in the current internet.
gl hf with your IPv6 bot army.
Super-Mega-MAGA RonV42 ✝️ (ronv42@noauthority.social)'s status on Wednesday, 20-Nov-2024 00:31:14 JST
Super-Mega-MAGA RonV42 ✝️: @mk Oh, never ever will I stop using IPv6. The issue is ISPs have screwed up home implementations: give people a /56 or /60 to allow for SLAAC on local segments. DHCPv6 is easy to understand. The IP address is assigned mostly through advertisements of what the router configuration is for subnetting, and other data like DNS. If you go fully managed and you are a consumer, you are at the mercy of how device makers implement IPv6 (I am calling out you, Google/Android).
Super-Mega-MAGA RonV42 ✝️ (ronv42@noauthority.social)'s status on Wednesday, 20-Nov-2024 00:36:16 JST
Super-Mega-MAGA RonV42 ✝️: @mk Well, you still need firewalls to prevent access. But if you want, you can turn off SLAAC and go with managed DHCP. I have set up rules where "managed" IPv6 addresses can have access through the firewall if I configure it. SLAAC addresses are blocked. Does cause some other issues, such as devices that have three IPv6 addresses and don't bind to the static address.
mk (mk@mastodon.satoshishop.de)'s status on Wednesday, 20-Nov-2024 00:36:16 JST
mk: "firewalls to prevent access."
how do you identify single devices if they SLAAC themselves their own addresses?
spoiler: you can't
how do you stop your internet-of-shit devices from sending home your user data?
mk (mk@mastodon.satoshishop.de)'s status on Wednesday, 20-Nov-2024 00:40:36 JST
mk: "how do you identify single devices if they SLAAC themselves their own addresses?"
here's how you do it in an IPv4 world.
1. find the network-interface MAC address of your IoT device
2. create a static mapping in your DHCP server that always assigns a specific IPv4 address to the device
3. create a firewall rule that prevents access to the internet for this specific device. straightforward and easy...
now do this with IPv6 and SLAAC'ed devices ...
mk (mk@mastodon.satoshishop.de)'s status on Wednesday, 20-Nov-2024 00:53:44 JST
mk: so your answer is:
don't use SLAAC, use static IP addresses..
probably works great for static devices like cameras, printers, etc..
how about mobile devices like smartphones and laptops?
are you gonna manually change their addresses every time you move between your workplace and home?
Super-Mega-MAGA RonV42 ✝️ (ronv42@noauthority.social)'s status on Wednesday, 20-Nov-2024 00:53:45 JST
Super-Mega-MAGA RonV42 ✝️: @mk multiple ways, depending on whose software you are running for a firewall. Static addresses can all be ::0000:0000:0000:xxxx and then just write a rule based on the last 4 being the host, use MAC addresses, etc.
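The MAC-to-address mapping from the IPv4 recipe earlier in the thread and the "last 64 bits are the host" rule from this post, worked through in Python. This is an added example, not code posted by anyone in the thread: the MACs, the prefixes (2001:db8::/32 is the RFC 3849 documentation range) and the packet sample are constructed, and the "firewall" is a plain function returning verdicts rather than a real nftables/pf rule set.

```python
"""Matching a SLAAC host by interface identifier (IID) or by MAC.

Added example, not from the thread. With EUI-64 SLAAC the low 64 bits of the
address are derived from the MAC and do not change when the ISP hands out a
new /56 or /60, so a rule can match on those bits alone (the "last 64 bits
are the host" rule). Privacy extensions (RFC 4941) randomise the IID, which
is the case such a rule misses; matching on the link-layer address still
works on the local segment. MACs, prefixes (2001:db8::/32 is the RFC 3849
documentation range) and packets below are constructed for this example.
"""
import ipaddress

IID_MASK = (1 << 64) - 1   # low 64 bits of an IPv6 address = interface identifier


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291, Appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    iid = octets[:3] + b"\xff\xfe" + octets[3:]   # insert FFFE between OUI and NIC part
    iid = bytes([iid[0] ^ 0x02]) + iid[1:]        # flip the universal/local bit
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host with MAC `mac` autoconfigures under the /64 `prefix`
    (EUI-64 IID, no privacy extensions)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC works on a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac))


def iid_of(addr: str) -> int:
    """Interface identifier (low 64 bits) of any IPv6 address."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def filter_packets(packets, blocked_macs):
    """Apply two rule styles to LAN-side packets and return one verdict per packet.

    packets:      list of (src_mac, src_ipv6) tuples as a router sees them on the LAN.
    blocked_macs: MACs of the devices that must not reach the internet.

    iid_rule: block when the low 64 bits of the source equal the device's EUI-64
              IID, the equivalent of  ip6 saddr & ::ffff:ffff:ffff:ffff == ::<iid>
              (prefix-independent, so it survives ISP renumbering).
    mac_rule: block on the link-layer source address (catches any IID the device
              picks, but only on the segment where the router sees that MAC).
    """
    blocked_iids = {eui64_iid(m) for m in blocked_macs}
    blocked = {m.lower() for m in blocked_macs}
    verdicts = []
    for mac, src in packets:
        verdicts.append({
            "src": src,
            "iid_rule_blocks": iid_of(src) in blocked_iids,
            "mac_rule_blocks": mac.lower() in blocked,
        })
    return verdicts


CAM_MAC = "00:11:22:33:44:55"       # constructed: the IoT camera to be cut off
LAPTOP_MAC = "aa:bb:cc:dd:ee:ff"    # constructed: an unrelated host

# Constructed traffic sample: camera under the current prefix, the same camera
# after an ISP renumbering, the camera on an RFC 4941 temporary address, and a laptop.
SAMPLE_PACKETS = [
    (CAM_MAC, str(slaac_address("2001:db8:1:2::/64", CAM_MAC))),
    (CAM_MAC, str(slaac_address("2001:db8:1:abcd::/64", CAM_MAC))),
    (CAM_MAC, "2001:db8:1:2:8a3f:1c27:55e0:9b41"),   # random IID, not derived from the MAC
    (LAPTOP_MAC, str(slaac_address("2001:db8:1:2::/64", LAPTOP_MAC))),
]

if __name__ == "__main__":
    print("camera EUI-64 address:", slaac_address("2001:db8:1:2::/64", CAM_MAC))
    for v in filter_packets(SAMPLE_PACKETS, [CAM_MAC]):
        print(f"{v['src']:<40} iid_rule={str(v['iid_rule_blocks']):<5} "
              f"mac_rule={v['mac_rule_blocks']}")
```

The third packet is the caveat for the IID approach: a device using temporary addresses does not derive its IID from the MAC, so the prefix-independent rule never sees it, while a rule keyed on the link-layer address still does. The MAC rule in turn only works on the segment where the router itself sees that MAC, which is why both are worth having for a device that must not leave the LAN.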
mk (mk@mastodon.satoshishop.de)'s status on Wednesday, 20-Nov-2024 01:15:16 JST
mk: SLAAC'ed IPv6 addresses are pretty hard to scan, because scanning a /64 host space takes forever
"IPv4[..]8 bits reserved for host addressing[..]5 minutes[..]IPv6[..]64 bits reserved for host addressing[..]5 billion years to complete"
https://arxiv.org/pdf/2105.02710
but if you manually give your IoT devices static (scope:global) addresses, scanning gets pretty easy..
you better make sure your internet-of-shit devices aren't accessible with default logins from the internet..