
>IPv6 addresses Who the fuck thought this would be a good


Thread replies: 184
Thread images: 5

File: img6.png (44KB, 800x600px)
>IPv6 addresses

Who the fuck thought this would be a good idea?

>let's replace some easy to remember numbers with a retarded long hex string
>>
At least it will keep newfags like you out when people can't memorize the IPv6-address for 4chan
>>
>>58354409
better than IPv4
>>
>>58354435
You're dumb as fuck. That's literally what DNS is for.
>>
It's almost like you don't even like an unfathomable amount of addresses, weird
>>58354409
>>
>>58354447
Nah man, nobody got the time for IPv6 reverse DNS lookup zones.
>>
>>58354409
Because we ran out of easily remembered numbers. Why? Because (((certain groups))) want every device in your home to be internet connected and have a microphone.

Enjoy the telescreens, citizen
>>
>tfw when to intelligent to use DNS for ipv6
>>
>>58354501
Nothing to hide, nothing to fear. :^)
>>
>>58354501
>want every device in your home to be internet connected
my toaster doesn't have an IPv6 address. even my iPhone connected to my ((home network)) has an IPv4 address.
>>
>>58354409
The addresses are still just numbers. You can display an ip4 address as a hex string, and you can use dotted-decimal notation for ip6 if you really want to. Makes no difference, a number is a number.

The notation does make sense to me but if you don't like it, don't use it. Start a notation convention revolution :)
>>
>>58354501
This is definitely NOT why we ran out of ip4 addresses. Your home has 1 IP address, the devices in your home don't consume additional addresses.
>>
>>58354501
The weird thing is that I know literally (in the sense of the word) not a single person who thinks that IoT is a good idea that we desperately need.
Given, I live in a bubble of IT people, most of which are sporting a huge beard, but to me it feels like this wouldn't be even a thing if it wasn't for *the industry* aggressively pushing this shit because they ran out of ideas what to sell.
>>
>>58354531
now_we_have_three_standards.png
>>
>>58354501
Spotted the person that knows fuck all about networking
>>
>>58354447
>he doesn't type in the IP
Hah, I bet you use a package manager as well
>>
>>58354409
ipv6 is a nightmare

i always disable ipv6 on my server boxes because having ipv4 and ipv6 causes me a lot of problems
>>
>>58354590
Well, tell me the true reason then.
>>
>>58354618
I compile everything from source, which I type in by hand!
>>
>>58354409
>easy to remember numbers
>easy to remember
Sure, I bet you also know the IP of 4chan.org by heart
>>
>>58354546
Yes, but it's why we need more
>>
>>58354656
IPv6 is only a nightmare because people don't understand it

it's too different from just “IPv4 with more numbers”, so all the networking admins have to re-evaluate their knowledge about networking. Of course, sturgeon's law applies to network operators.
>>
>>58354409
i have 0 problems memorizing it. you're just dumb, OP
>>
>>58354660
See >>58354546
>>
>>58354697
Whatever, I just want NAT gone.
>>
>>58354711
I have the IPv6 prefix of my old server memorized by heart, but not of my new server. Fuck me :(
>>
>>58354409
so you can build grey goo robots and not run out of addresses
>>
>>58354546
There are ISPs forced to do CGN because of muh ipv4.
Every ISP should have already ipv6 implemented but due to incompetent ISPs and muh money they are holding it back.
Of course I understand the money problem but it's retarded because we're mostly talking about ISPs that have millions of money.
>>
>>58354719
Personally, I don't really care about NAT removal all that much; for me the biggest draw to IPv6 are the architectural improvements like SLAAC, link-local addresses and most importantly privacy extensions

Because the 128-bit space is so gigantic, it's no longer possible to enumerate devices on the internet by brute force scanning. Stuff like XSS attacks on "192.168.1.1" are no longer possible because the link-local router address will be 128 bits wide. (Although routers with built-in DNS that resolve special addresses to their own IPs will still be an issue)

Enumerating IoT devices that are connected purely over IPv6 is nontrivial, so it makes botnets much harder to form unless you have a reliable source of devices connected to a given network. And thanks to privacy extensions and temporary addresses, stuff like IP logs will not be usable for this purpose because most of the IPs will be invalid by that point.
>>
>>58354715
The very long term plan is getting rid of NAT though. Which is entirely possible with enough space.
>>
>>58354501
>>58354546
To be more precise, we ran out of IPv4 addresses *long* before IoT became a thing.

If you want to know when we ran out of IPv4 addresses in practice, just look at the timeframe of when NAT became common in households.
>>
>>58354449
>>58354501
this

we were running out, something had to be done

and yes, unfortunately everything is steadily going to shit. I know this is old news but have you guys already stopped to realize that certain smart tv models have cam/mic in them now? the telescreen is an actual thing now

i honestly would not be surprised if during our lifetime we witness the end of the age
>>
>>58354710
You are right I don't know shit about ipv6

But it is certainly not my fault that someone who designed ipv4 was not more far-sighted

I will keep using strictly ipv4 only for as long as possible
>>
>>58354869
>someone who designed ipv4 was not more far-sighted

4.3 billion addresses sounded like enough back in the 80s when you had tens of thousands of machines linked up.
>>
>>58354806
>Because the 128-bit space is so gigantic, it's no longer possible to enumerate devices on the internet by brute force scanning.

but AS are propagating their active IP ranges
anyone can get this info and scan them
>>
why are you not using ipv6 yet, anon?
>>
>>58354869
>he doesn't use both
God you're retarded.
>>
>>58354941
Is there any kind of advantage to IPv4 in a home network? Honest question, but I don't think so.
>>
>>58354941
But I am, even my Gopherhole is dual-stack
>>
>>58354526
is your home network jewish?
>>
>>58354955
I just don't like new non-proven technology

I only jump in when shit is extensively tested by millions
>>
>>58354941
why haven't you bought an ipv6 block yet? even the lowest /64 with one subnet will give you 2^64 addresses for a relatively low price
>>
>>58354409
IPv4 addressing will end soon, there are not enough IP combinations for the amount of connections around the world. So IPv6 was created to address that, we probably will have enough combinations for the whole fucking Solar System.
>>
>>58354938
And? 128 bits are 128 bits
>>
>>58354546
They will with IPv6.
>>
>>58355671
Then future-/g/ can complain about how complicated IPv8 addresses are when quantum-ping'ing from Alpha Centauri.
>>
>>58355671
>let's move to an incomprehensible, designed by committee security nightmare so that everyone can use their shitty insecure IOT devices with a public address
>>
>>58354677
With this keyboard.
>>
I don't mind my devices being visible to the outside world. My firewall blocks everything anyway.
Besides, I fucking hated port forwarding in the ol' IPv4 days.
>>
>>58354941
Because my ISP are dickheads and don't support it.
>>
>>58354834
Why would you want that?
>>
>>58356068
Because NAT introduces complexities and issues that shouldn't need to exist.
>>
>>58354409
what's your problem exactly?
I don't see anything wrong with IPv6
>>
>>58354409
>IPv6 addresses
>Who the fuck thought this would be a good idea?
People much smarter than you.
>>
>>58354409
> Who the fuck thought this would be a good idea?

And how exactly would you represent a 128-bit address space in a way that is easy to remember?
>>
>>58354409
if only we had the technology to map some easy to remember names to these numbers
>>
>>58355029
>muh icuck
>>
>>58356838
Of course! We'll call it the Difficult Number Simplifier!
>>
>>58356068
useless overhead
>>
>>58354941
My ISP doesn't offer it
>>
>>58356807
>easy to remember

How is this a concern with DNS?
>>
>>58354409
Can't you just do something like
http://sophiedogg.com/funny-ipv6-words/
>>
>>58354583
>>>58354531 (You)
>now_we_have_three_standards.png

We always had them:
Binary
Octal
Decimal
Hex
Cut marks on an animal bone
Etc...
>>
>>58354960
1. It's compatible with IPv4-only devices

2. Since you still need IPv4 support, adding IPv6 support is generally just extra overhead. (Although for most cases, IPv6 uses SLAAC, so you don't have to manually configure it except for special requirements)
>>
>>58354941
How would I benefit from having IPV6?
>>
>>58354501
Thank you, Friend Computer.
What is an internet?

Regards, Anon-R-AID-5
>>
>>58354409
>Who the fuck thought this would be a good idea?

MUH IoT @!@@!@@!!!!!!
>>
>>58356891
Well played, anon.
>>
>>58355029
And IPv6 has been

You realize IPv6 is 20 years old and is used by about 20% of the internet already (according to google's public IPv6 stats), including about half of the top domains?
>>
>>58354501
>>58356973
PS: Death to the commie mutant traitors.
>>
>>58355785
>reading comprehension
>>
>>58355791
>security nightmare
please tell me more about how IPv6 is a security nightmare in your expert opinion
>>
>>58354409
The people who designed IPv6 actually thought about the future though so while the addresses are not as friendly as IPv4 it should be pretty much the last address system any living person will have to work with. The address space is so huge you can give every person on earth millions of addresses and still have more available than you have assigned.
>>
>>58356091
I like the idea of a LAN though. And the overhead is negligible >>58356907
>>
>>58354531
>>58356961
The most annoying thing about the notation is that you often need to escape it in [] to distinguish it from the port number, for stuff like HTTP URLs involving a raw IP
>>
>>58357030
That is literally what they thought about hard drives in the Megabyte range one day...
>>
>>58356972
1. Connectivity with IPv6-only services
2. No more NAT -> no more port forwarding
3. Future readiness, so you don't get left stuck in the water when services start dropping off the IPv4 radar
4. Significantly improved privacy and security (your device won't constantly be hammered by chinese botnets trying to ssh in, your IP will automatically rotate on a regular basis to obfuscate the relationship between devices and IP)
5. Greatly simplified configuration thanks to completely automatic configuring of link-local addresses (aka private networks), router advertisements and so on
6. Preferential treatment by many services, as IPv6 is usually preferred over IPv4 to encourage and reward migration
>>
>people blame IoT
It expedited it, but < 4 billion IPv4 addresses wasn't going to last in a world of > 7 billion people anyway.
>>
>>58357032
>I like the idea of a LAN though.
What makes you think you won't have a LAN with IPv6?
>>
>>58354941
Don't mobile phones often use ipv6 addresses? We should have plenty of them thanks to phoneposters.
>>
>>58357074
Yes, but this is quite a different situation, we are talking about physical things that may have a single address. Unless we begin to make molecules connect to the Internet we won't be needing another address system in at least 300 years.
>>
>>58357098
IoT didn't expedite jackshit, we ran out of IPv4 addresses a good 10+ years ago
>>
>>58357113
Most smaller carriers and ISPs pretty much use IPv6 exclusively since they simply can't purchase the IPv4 addresses required these days
>>
>>58357087
Okay so I gain nothing. Gotcha
I haven't had to fiddle with port forwarding since 2004 with Xbox Live.
>>
>>58357074
>someone fucked up futureproofing once therefore no one can ever get it right
There are roughly 340,282,366,920,938,000,000,000,000,000,000,000,000 potential ipv6 addresses. That's enough for every single person on this planet to have roughly 48,611,766,702,991,200,000,000,000,000 addresses to themselves. If the human population increased by 1,000,000,000x each person would still have 48,611,766,702,991,200,000 addresses to themselves.

It's enough.
>>
>>58357074
not the same thing at all.
>>
>>58357126
Buying glasses is useless if you keep your eyes shut, yes
>>
>>58357074
2^128 = roughly 10^38. For comparison, the number of atoms in Earth is roughly in the order of 10^49.
>>
Can someone explain to me why we can't just recycle old addresses?
>>
>>58356972
>>58357126
As expected, the luddite who doesn't understand the hacker culture is a closet >>>/v/ fag

I bet you also ask yourself what you gain from switching to HTTPS. True geeks don't need to ask, they do it for the fun, the nerd cred and the spirit of advancing technology.

Now get off my lawn
>>
>>58357176
They are all used
>>
>>58357176
That's already being done at the ISP level. And sure, big companies have tons of IP addresses sitting unused, but those really wouldn't make a very big difference.
>>
>>58357176
I think there are already more internet connected devices than there are ipv4 addresses. The only thing that's kept it alive for this long is copious amounts of NAT.
>>
>>58357115
Wait until smaller and smaller more or less intelligent machines become the norm. To save on cost you'll only give them the required computing power to communicate with distributed computers. Think terminals + timesharing system. Each needs an address.

>>58357139
> a book consists of x amount of characters, so we could store 10000 copies of every book in existence on this one hard drive; it's enough
>>
>>58357103
Because of how LAN is currently set up, NAT is needed to have LAN and a connection to the outside world. But now that I think of it that could be fixed by having a LAN and an IP per device.
>>
>>58357199
>nerd cred
Cringe
>>
>>58357176
1. Most addresses are physically in use. The only large address blocks you could reclaim are stuff like university or military blocks which were assigned broadly during the early days, and good luck convincing those places to let you pull their addresses out from under their feet.

2. That would be delaying the inevitable. Why put effort into forcibly reclaiming a measly few address blocks when you're going to have the same issue in half a year again? The internet usage is exploding, and that explosion is still ongoing. The mobile phone market is nowhere near saturation, and most of the world is still just gaining an internet connection. We ran out 10 years ago and now we're way over the top and hungrily fighting over scraps and leftovers. “Recycling” will get you like what, 5%-10% of the address space at best? Why do that when you could just switch to IPv6 and get 7922816251426433759354395033600% of the address space instead?
>>
>>58357224
There are enough IPv6 addresses for every single bacterium on earth.
>>
>>58354795
Business ISP guy here. We offer IPv6 for free, as many subjects as you'd like (within reason ofc), but nobody wants IPv6.

All the servers that need to be reachable by everyone are the problem. We have exactly twenty customers who accepted IPv6.

RIPE has one /8 left (185.0.0.0), from which about 70% have already been allocated. America's equivalent is already out of IPv4, there's a waiting list for surprise finds (some who got /8s back in the early days are selling their range back because they don't need as much)

It's not about cost for ISPs, IPv6 is cheap af. Buying an IPv4 subnet is horribly expensive these days, and you've got to justify it to RIPE before you're allowed to (this takes a lot of bureaucracy). Also, the subnet might be tainted (-> the IPs are on every spamblock list available), in which case you can forget running mail from servers with those IPs.


>>58356183
There are actually some design errors in IPv6. For example, if you want to surf to a webpage by its IP on a special port, it looks like https://[co:ff:ee::12:34:56]:8080. This sucks, they shouldn't have used colons
>>
>>58357224
>comparing ten thousand to 48 nonillion
please reference >>58357170
>>
>>58357224
there isn't enough material on earth to actually make enough devices to exhaust the IPv6 address space.

as to your hdd comparison you can store 10,000 copies of every book that has ever existed on a hdd today. pretty easily in fact. the issue with data storage is totally different to address space. so unless we start to give every cell in our bodies nano wifi devices we don't need to worry about address space.
>>
>>58357275
This is reason enough to stick to ipv4, it's bad enough I have to worry about getting sick from someone coughing, now they'll just be able to transmit disease via SIK packets.
>>
I still don't understand people arguing against ipv6.

There are zero draw backs..... DNS is there so you don't have to remember v6 addresses ( though you just need to memorize part of it since you will own the subnet, and just need to remember the last few numbers for your devices)

Everything will be easier. VoIP, video calls, gaming, filesharing, home nas servers/your own cloud ( only reason this hasn't taken off is because of NAT)

Stuff like phone numbers won't even be needed when your cellphone has a unique internet reachable address. Cellphone.someanon.com is how we reach you now.

People against ipv6 are either old fags (waaaa I took my Cisco course and now I gotta lrn sumthin new!? Dis hard!!) or dumb.

Get with the program guys, ipv6 isn't even fucking new it's old at this point ISPs are just lazy and cheap - I would say they are against it because the possibility of empowering their users and mass connectivity killing many of their services but they aren't that wise.
>>
>>58357087
>your IP will automatically rotate on a regular basis to obfuscate the relationship between devices and IP

sounds like great free solution for data scrapers and service abusers. You simply will not be able to block anyone
>>
>>58357241
1. You are very confused. The LAN is a manifestation of your physical connection. The devices that are connected to your local network (i.e. your switch) constitute your LAN. That is true even if you publicly map every single machine. At my university, for example, every machine has a public IPv4. But that doesn't change the fact that we talk about our LAN as being a distinct thing, because it is. It's simply the local area network. For example, one switch might have its own /24, and we'd treat our X.Y.Z.0/24 just as you would treat your 192.168.0/24 when it comes to stuff like firewall rules.

2. NAT is not a security feature. Repeat this until you get it. UPnP, STUN hole punching, internal XSS attacks etc. have proven time and time and time again that NAT does not even provide you with any form of protection, either against external or internal threats. Your LAN shouldn't be trusted more than any other internet-connected host, because devices on your LAN *will* be used to attack your network. NAT is not a security feature, unless you combine it with a strict firewall - and there's no part of IPv6 that says you're not allowed to use a firewall.

3. If what you want is private addresses for your home network, IPv6 gives you these - and in fact, it gives it to you automatically. In fact, you're part of one right now, assuming your PC is older than 15 years. Go check your ifconfig (or $OS equivalent) and look for this line:

inet6 fe80::4429:e1ff:fe7f:d20b  prefixlen 64  scopeid 0x20<link>


This address (fe80::4429:e1ff:fe7f:d20b) is my device's LAN address, and I didn't even configure it or turn it on. This is because IPv6 is primarily driven by device autoconfiguration without assistance from the user. You have an IPv6 link-local address as well, and you can use it to talk to any other host that supports IPv6 on your LAN (aka all of them). Go try a ‘ping6’ to another PC of yours, for example. (Or a `ip -6 neighbour show`)
>>
>>58357170
>>58357139
if we populated every spot from the sun to Jupiter's orbit with ipv6 addresses, we'd have 17 addresses for every cubic meter
if that isn't enough, we can always use subnets (for every nanobot in your body or something)
>>
>>58357374
>You simply will not be able to block anyone
Yes you will. Just block the subnet. An IPv6 /64 is essentially the equivalent of an IPv4 /32.

All it does is make it so that you can't really tell which device *in* that house did the request, so it's sort of similar to NAT in that respect.
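
An added example (not from any post in the thread) of the approach this reply describes: with privacy-extension addresses rotating inside a household's prefix, abuse counting and block rules key on the /64 instead of the full address. The sample sources, the threshold and the function names are constructed for illustration; addresses come from the documentation ranges 2001:db8::/32 and 198.51.100.0/24.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of request sources as they might appear in an access log.
SAMPLE_SOURCES = [
    "2001:db8:aa:1:5c3f:22ff:fe10:9a01",
    "2001:0DB8:00AA:0001:5C3F:22FF:FE10:9A01",  # same host, different spelling
    "2001:db8:aa:1:91d2:7be4:103:44f0",         # new temporary address, same /64
    "[2001:db8:aa:1:e4b1:6c:d02a:7781]",        # bracketed, as in a URL
    "2001:db8:aa:1::beef",
    "2001:db8:bb:2:1111:2222:3333:4444",        # unrelated household
    "198.51.100.7",
    "198.51.100.7",
    "198.51.100.7",
    "::ffff:198.51.100.7",                      # IPv4-mapped: really an IPv4 client
]


def parse_source(text):
    """Parse a logged source into an address object, unwrapping IPv4-mapped IPv6."""
    addr = ipaddress.ip_address(text.strip("[]"))
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def block_key(text, v6_prefix=64):
    """Network a block rule should key on: the /32 for IPv4, the /64 for IPv6."""
    addr = parse_source(text)
    prefix = 32 if addr.version == 4 else v6_prefix
    # strict=False masks off the host bits instead of rejecting them.
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def over_threshold(sources, threshold=3):
    """Compare per-address counting with per-network counting."""
    per_addr = Counter(parse_source(s) for s in sources)
    per_net = Counter(block_key(s) for s in sources)
    hosts_seen = defaultdict(set)
    for s in sources:
        hosts_seen[block_key(s)].add(parse_source(s))
    return {
        "by_address": sorted(str(a) for a, n in per_addr.items() if n >= threshold),
        "by_network": sorted(str(n) for n, c in per_net.items() if c >= threshold),
        "distinct_hosts": {str(n): len(h) for n, h in hosts_seen.items()},
    }


if __name__ == "__main__":
    result = over_threshold(SAMPLE_SOURCES)
    print("flagged when counting per address:", result["by_address"])
    print("flagged when counting per network:", result["by_network"])
    print("distinct addresses seen per network:", result["distinct_hosts"])
```

Counting per full address never flags the rotating IPv6 client, because no single address repeats often enough; counting per /64 does.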
>>
>>58357381
Thanks for the explanation. I knew about 2.

#1 explained to me how my university network works.
>>
>>58357432
>All it does is make it so that you can't really tell which device *in* that house did the request, so it's sort of similar to NAT in that respect.
More importantly, it makes it so you can't build a map of legal IPv6 addresses. In essence, the addresses constantly shifting makes it completely and utterly impossible to “scan the internet” like you could in the past.

It will simply no longer be feasible within the lifetime of the universe to ping or port scan every single host.
>>
>>58357381
>PC is older than 15 years
newer*
>>
>>58356946
It's not, which also makes OP's argument a non-argument by itself.
>>
>>58357391
>subnets
i meant the internal addresses
>>
So how long until Mozilla takes out IPv4 support to reduce vectors for attack?
>>
>>58357074
Someone buy this guy a book.
>>
File: 1417374733198-4.gif (1MB, 255x195px)
>>58357391
>>58357475
>ipv6 with a massive amount of IPs
>let's also add private network to it
This adds a shitload of magnitudes to the already big ipv6.
>>
>>58357545
Humans are pretty bad at comprehending scale, so they don't realize exactly how much bigger 2^128 is compared to 2^32

It's exactly 2^96 times as big as the address range of the IPv4 address range.
Or, 79,228,162,514,264,337,593,543,950,336 times as big
>>
>>58357074
The upgrade from IPv4 to IPv6 is like the upgrade from a 1 MB hard drive to a 19,342,813,113,834,066,795,298,816 EB hard drive.
>>
>>58357623
The IPv4 address range has 4,294,967,296 possible addresses

The IPv6 address range has 79,228,162,514,264,337,593,543,950,336 TIMES 4,294,967,296 addresses

Think about that.
>>
>>58357476
I giggled
>>
>>58354409
it was made by "scientists" and it doesn't answer to industry needs
like, no, fuck you and your simple way to convert addresses and fuck you and your UDP overhead.

it's CS professor saying that O(10^40*n^2) is better than O(n^3) because the exponent is smaller, completely disregarding the size of constant

>>58357432
128-bit space let's give everyone /64 or /56 subnet.
great address saving m8 so why ipv6 wasn't 64 bit in the first place?
>>
>>58357678
not sure if convincing troll or genuinely clueless
>>
>>58357678
>>58357707
Actually, I think it's a cleverly disguised troll. The O(10^40*n^2) bit gives it away.

Well played
>>
>>58357087
>2. No more NAT -> no more port forwarding
Cool, skiddie port scanning will be effective against normalfags again.

>4. Significantly improved privacy and security (your device won't constantly be hammered by chinese botnets trying to ssh in, your IP will automatically rotate on a regular basis to obfuscate the relationship between devices and IP)
I've seen some argue that IPv6 will harm your privacy because dynamic IP addresses came about from ISPs needing to deal with the low number of IP addresses they could assign. With IPv6's huge address space, they would be less enticed to do this.

My ISP doesn't offer IPv6 yet so I don't know. Do you have any further information on it? I'd appreciate it.
>>
>>58357678
There are 2^64 possible /64 subnets though, which is equivalent to the entire ipv4 address space squared.
>>
>>58357721
You think port scanning is going to be effective when the amount of addresses you have to brute force explodes through the roof?
>>
>>58354409
> same address
> same address
> same address
> same address
> different address
WHY
>>
>>58354941

Because it's full of vulnerabilities. Maybe in 10 or 15 years when it's mature.
>>
>>58357721
>Cool, skiddie port scanning will be effective against normalfags again.
If it becomes an issue for normies (it won't, normies will just hook up their shitty IoT devices and not give a fuck about hackers constantly taking their lighting and central heating offline), it would be trivial to add default-on firewalls to routers forcing you to add port exceptions.

>I've seen some argue that IPv6 will harm your privacy because dynamic IP addresses came about from ISPs needing to deal with the low number of IP addresses they could assign. With IPv6's huge address space, they would be less enticed to do this.
IPv4-style dynamic addressing is possible with IPv6, where IPs would be obfuscated between households in addition to between devices. As for whether or not ISPs will care about it, I suppose it depends on whether or not customers will care to pay for it.

I guess at worst, privacy will become a thing you pay some extra for, like you already do with VPNs, or for static IPv4 addresses.
>>
>>58357759
He's talking about shit like normies posting their IP online and epik hackers known as 4chan nmapping their boxen to check for lulzy ports
>>
>>58357354
Funny, I'm taking my cisco course right now and we're learning about IPv6 extensively. Older network admins who won't adapt will be completely outclassed in a few years once the new crop of admins arrive on the job market.
>>
>>58357790

>hehe I was just pretending to be retarded

Either 0/10 or get your eyes checked.
>>
>>58357721
>>58357759
Also, what do you think precludes people from blocking traffic by default with their routers, like they currently do anyway?

ip6tables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i eth0 -j DROP
>>
>>58357678
>>58357707
>>58357720

>it's like CS professor saying that one algorithm that is O(n^2.3) for n=10^40, is better than O(n^3) because the exponent is smaller
>>
the easiest way to compare ipv4 and ipv6 is like this:
let's convert both addresses to binary. for example this address:
255.255.255.255 becomes
11111111.11111111.11111111.11111111 - 32 1's
now this one:
0000:0000:0000:0000:0000:0000:FFFF:FFFF
0000000000000000.0000000000000000.0000000000000000.0000000000000000.0000000000000000.0000000000000000.1111111111111111.1111111111111111
notice the same amount of 1's in both. the entire v4 address fits in these last two groups of v6
>>
>>58357721
I always thought of NAT as an extra layer in security because it basically erects a fuckhuge wall except for services that have already been initiated/requested from behind the wall or explicitly allowed by admin. Kind of like the guest list at a club.

Will every single device then have to have software firewalls with IPV6 and no subnetting?
>>
>>58357831
Not him but he's right

2001:DB8:0:0:8:8000::417A is the same thing as 2001:db8::8:8000:0:417a

2001:db8::8:8000:0:417a
and
2001:db8::8:8000:417A (the last example) are very different

they probably just forgot an extra :0
>>
>>58357883
NAT is not a layer of security, it's a layer of obfuscation.
>>
>>58357837
this so much. All firewalls use connection tracking, so it's trivial to just allow outgoing connection attempts and drop non-established incoming packets (all the “security benefits” of NAT with none of the downsides)
>>
>>58357831
They are different addresses.

The second is the same as the first, just with leading 0's left out

The third is the same as the first, with the two blocks of 0000 denoted with ::

The fourth is different and invalid, :: implies there is more than one block of 0000, which would mean it has at least 9 blocks

The fifth is different but valid, there's no 0000 block between 8000 and 417A.
>>
>>58357883
1. See >>58357837. This is a trivial iptables rule, no NAT required
2. NAT is easily bypassed. UPnP, STUN, XSS etc. will all laugh at your “fuckhuge wall”. It's really not any amount of security in practice

Hell, even an <iframe src="http://192.168.1.1"/> with default credentials and some fishy POST is enough to pwn most routers. Or replace any other internal address. So much for that NAT

3. Especially with the rise of IoT, most attacks will come from inside the network
>>
>>58357831
The last one has three implied 0000 groups in the double colon, so the 0008:8000 is farther right than in the rest.

In all the others there's a 0000 between the 0008 and the 417A, but in the last address they're next to each other.
>>
>>58357883
Most consumer routers literally just use embedded linux with a couple of iptables rules that do this:
>>58357837

What it says is:
Check if the incoming packet belongs to an existing session (that was initiated LAN side). If it does, accept it.
Otherwise, drop the packet.

The rules are literally the same for iptables and ip6tables.
>>
>>58357917
>The fourth is different and invalid
Are you sure? ping6 takes it just fine. I thought :: just signified any number of 0.
>>
you can drop zeroes freely in ipv6 as long as they're the leading zeroes
>>
>>58357960
It does, but they're not in the same position in the last address. The string of 0 is moved from near the end of the address to the :: block.
>>
>>58357837
>>58357958
In fact, these exact rules are generally already in place. This is what my router's iptables rules look like: (essentially)

ACCEPT     all  --  anywhere             anywhere             ctstate ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED helper match "ftp"
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED helper match "irc"
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED helper match "sip"
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED helper match "pptp"
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED helper match "proto_gre"
ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65535 dpt:12345 ctstate NEW,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             ctstate RELATED
NFLOG      all  --  anywhere             anywhere             limit: avg 1/sec burst 5 nflog-prefix "IN-world:"
DROP       all  --  anywhere             anywhere
>>
>>58357983
Yes, but I was commenting on >>58357917's claim of the fourth being invalid.
>>
>>58357883
NAT is a pain in the ass for development in my experience, you have to go out of your way to make sure you can break NAT programmatically or centralize the service in a way so end users don't have to forward anything. It'd be much simpler to just have people paste IPs to each other and have them connect directly in a lot of my cases, instead of dealing with all this relaying and other shit.
>>
>>58357283
Informative post, thanks!
>>
>>58357960
You're right, it's valid but a "non-canonical" way of representing them according to https://tools.ietf.org/html/rfc5952#section-4.2
>>
>>58357979
You can drop any concurrent set of zeroes in an IPv6 address, no matter where they appear, but you can only do it one time.
Otherwise there will be no way to tell how many zeroes you need to add back to each shortened section to get the full address.
>>
>>58358019
ping6 actually does the conversion to the canonical representation for you:

% ping6 2001:DB8:0:0:8:8000::417A
PING 2001:DB8:0:0:8:8000::417A(2001:db8::8:8000:0:417a) 56 data bytes
^C
--- 2001:DB8:0:0:8:8000::417A ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms


See the bit in ()
>>
>>58357797
>If it becomes an issue for normies (it won't, normies will just hook up their shitty IoT devices and not give a fuck about hackers constantly talking their lighting and central heating offline)
That's why it will be effective
>it would be trivial to add default-on firewalls to routers forcing you to add port exceptions.
I agree, but given that "No port forwarding" is a selling point for IPv6, I doubt as to whether or not IPv6 routers will typically implement such a feature, at least before the issue is exploited a few times.

>As for whether or not ISPs will care about it, I suppose it depends on whether or not customers will care to pay for it.
Do you know whether or not your ISP allows you to cycle through IPv6 addresses?

I suppose if the ISP is handing out an IP address for each device, you could always trick your ISP into thinking your computer is a new device fairly trivially

>>58357759
I'm not talking about port scanning random addresses. I'm referring to port scanning an address you already know is valid and finding out a specific person's IP address will still be just as easy with IPv6 and IPv4.

>>58357837
Not people, normalfags. Do you think your mother is going to bother configuring a firewall? No, they aren't.
>>
>>58358007
Oh shit, yeah you're right. 4th one is valid, what I said only applied to the 5th. My bad.
>>
File: 1381353060269.jpg (8KB, 249x200px)
>>58354409
get fucked, idiot
>>
>>58358034
You can also drop all leading zeros from each section, for example:
fe80:0001:0001:0001:0001:0001:0001:0001

can be shortened to
fe80:1:1:1:1:1:1:1
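
The shortening rules from the replies above (leading zeros dropped, "::" used only once, the RFC 5952 canonical form that ping6 printed), as an added Python example that is not part of any post in the thread. The function names are made up for this example, and zone ids and embedded IPv4 notation are left out.

```python
import string

def expand(addr: str) -> list:
    """Parse a textual IPv6 address (no zone id, no embedded IPv4) into 8 ints."""
    if addr.count("::") > 1:
        # Two '::' would make the number of zeros behind each one ambiguous.
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        if len(left) + len(right) > 7:
            raise ValueError("'::' must stand for at least one group")
        fields = left + ["0"] * (8 - len(left) - len(right)) + right
    else:
        fields = addr.split(":")
    if len(fields) != 8:
        raise ValueError("an IPv6 address has exactly 8 groups")
    for f in fields:
        if not 1 <= len(f) <= 4 or any(c not in string.hexdigits for c in f):
            raise ValueError("bad group: %r" % f)
    return [int(f, 16) for f in fields]

def canonical(addr: str) -> str:
    """Return the RFC 5952 section 4 text form of addr."""
    groups = expand(addr)
    best_start, best_len = -1, 1          # a run must beat length 1 to be shortened
    i = 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:              # strict '>' keeps the first run on a tie
            best_start, best_len = i, j - i
        i = max(j, i + 1)
    hexed = [format(g, "x") for g in groups]   # lowercase, no leading zeros
    if best_start < 0:
        return ":".join(hexed)
    return ":".join(hexed[:best_start]) + "::" + ":".join(hexed[best_start + best_len:])

def same_address(a: str, b: str) -> bool:
    """Compare two spellings by value, which is what ACLs and log searches need."""
    return expand(a) == expand(b)
```

Comparing the parsed groups rather than the strings is what keeps a firewall rule or a log search from missing an address that was merely written differently.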
>>
>>58354941
my ISP does not support it

I use it on my VPS though
>>
>>58358069
> Not people, normalfags. Do you think your mother is going to bother configuring a firewall? No, they aren't.
99.9% of consumer routers will already be configured with those exact rules out of the box.
>>
>>58358069
>Do you know whether or not your ISP allows you to cycle through IPv6 addresses?
My ISP doesn't support IPv6 for business connections yet, so I can't tell you. (They use IPv6 for “regular” customers, but I'm on a business line for obvious reasons)
>>
>>58358069
>I suppose if the ISP is handing out IP address for each device, you could always trick your ISP into thinking your computer is a new device fairly trivially
That's not really how it works. At most, the ISP is going to be in control of your router. What your router does and what your devices do is going to be completely different, just like in the past.

The ISP has fuck all power over what IP you choose inside your /64. The only thing it can do is choose what bits to set in the RA (router advertisement), e.g. by specifically turning SLAAC or privacy extensions off by default. But there's precisely nothing stopping your PC from ignoring the RA bits and just doing whatever the hell it wants, or you just statically picking any address inside that /64 of your choosing.

The worst thing they could do is blacklist every address except a carefully tuned list of whitelisted addresses that have to be given to your devices via DHCPv6 running on the router, but I can't think of any reason for why an ISP would ever _want_ to do this, as well as it being a potential issue for them (whitelist tables can be exhausted, potentially DoSing their core routers)
>>
>>58358069
>Do you think your mother is going to bother configuring a firewall? No, they aren't.
My mother uses Ubuntu
>>
>>58358112
That's good to know. I suppose then it isn't really fair to say IPv6 (practically) circumvents the need for port forwarding since the firewalls will still usually be in place.

>>58358145
Thanks for the information, anyway.

>>58358178
Ah, thanks for clearing that up. I'm admittedly fairly ignorant as to the workings of IPv6 other than "more addresses"

So, would the privacy aspect of being able to use any address in your /64 be moot as long as someone could figure out which block you were assigned by your ISP? What schemes do ISPs typically take to prevent this, if any?

>>58358187
8 years ago I set up my family's computer to dual boot with Ubuntu and my mother deleted everything and re-installed Windows XP on the grounds that "Ubuntu is obviously a virus."
>>
File: motherknowsbest_web.jpg (10KB, 405x228px)
>>58358365
forgot image
>>
>>58358365
Port *forwarding* only applies to NAT, but port whitelisting is still something that you might need to do. But you can do it on a per-IP basis.
>>
>>58358365
>That's good to know. I suppose then it isn't really fair to say IPv6 (practically) circumvents the need for port forwarding since the firewalls will still usually be in place.
I think a gradual transition to firewalls being controlled by the endpoint would be something to strive for; because people are comfortable with stuff like firewall prompts in windows, but they aren't comfortable with having to open up a router control panel and log in.

Maybe in the future, the equivalent of UPnP will be used to instead signal to the router that you're capable of managing your own firewall instead of having to rely on the built-in one? Who knows. I'd love to know what current-generation ISP routers do, for ISPs that use IPv6 natively. Mine doesn't, so I can't tell.
>>
>>58358365
>Ah, thanks for clearing that up. I'm admittedly fairly ignorant as to the workings of IPv6 other than "more addresses"
Most people are, unfortunately. “IPv6 is just IPv4 with a bigger address space” is a pretty widespread myth. It's basically more like a complete overhaul of the IP protocol.
>>
>>58358542
>IP protocol
>Internet protocol protocol
>>
>>58358534
Whoever is able to PROPERLY manage their own firewall will also be able to log into their router and turn the builtin firewall off.
People are comfortable with Windows firewall prompts because they can just click "Let it through" and be done with it; however this is not desirable, and either way as an ISP I wouldn't trust my customers with this.
>>
>>58358365
>So, would the privacy aspect of being able to use any address in your /64 be moot as long as someone could figure out which block you were assigned by your ISP?
Yes and no. I mean, the basic principle behind obfuscation inside the /64 is to eliminate the external visibility of networks (just like NAT did). This makes IPv6 no less bad than IPv4 in this regard.

But having a static /64 routed to your house is essentially going to be the same thing as having a static IPv4 address assigned to your house. No more evading bans, unless you can convince your ISP to adopt privacy extensions and give you a different /64 every time you connect and/or based on a time.

One of the important things you have to realize about IPv6 is that in IPv6, it's normal for a device to have many addresses. For example, you might have one public static address configured by the administrator (e.g. :1), a public static address autoconfigured by the device (SLAAC), a handful of public temporary addresses for outgoing connections (you generate new ones automatically, and the old ones stick around for however long they need to in order to not interrupt your active connections), and of course also a link-local address for every device.

So you can have something like a public static well-known incoming IPv6 address on which you host a server, while simultaneously having a randomly generated short-lived dynamic address from which you connect to outbound services like facebook. This is a concept that's completely alien to IPv4 network administrators. (Even though it's technically possible with IPv4 as well, as I love to abuse)

In principle, I imagine it would be possible to even shift the /64 that gets assigned to your house router on an interval basis, while keeping the old ones around for a week or whatever.

>>58358587
well shit
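
The mix of addresses described above (static :1, SLAAC, temporary, link-local) and why the /64 stays the stable identifier, as an added Python example that is not part of the original post. The prefix 2001:db8:1234:5678::/64 and the MAC address are constructed sample values, the function names are made up here, and the temporary addresses use a plain random 64-bit interface identifier as a simplification of the privacy-extension algorithm.

```python
import ipaddress
import secrets

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, appendix A)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    # Flip the universal/local bit and splice ff:fe into the middle.
    return int.from_bytes(bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:], "big")

def address_in(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or not 0 <= iid < 2**64:
        raise ValueError("need a /64 prefix and a 64-bit interface identifier")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def device_addresses(prefix: str, mac: str, temporaries: int = 3) -> dict:
    """Addresses one interface can hold at the same time."""
    iid = eui64_iid(mac)
    return {
        "link_local": address_in("fe80::/64", iid),   # never leaves the link
        "static": address_in(prefix, 1),              # admin-assigned, e.g. a server
        "slaac": address_in(prefix, iid),             # stable, derived from the MAC
        "temporary": [address_in(prefix, secrets.randbits(64))
                      for _ in range(temporaries)],   # short-lived, outbound use
    }

def routed_prefix(addr) -> ipaddress.IPv6Network:
    """The /64 an address belongs to, i.e. what the ISP routes to the house."""
    return ipaddress.ip_network("%s/64" % addr, strict=False)

def distinct_prefixes(addrs: dict) -> set:
    """Prefixes a remote service sees across the device's global addresses."""
    return {routed_prefix(a) for a in
            [addrs["static"], addrs["slaac"], *addrs["temporary"]]}

if __name__ == "__main__":
    sample = device_addresses("2001:db8:1234:5678::/64", "00:11:22:33:44:55")  # constructed
    for kind, value in sample.items():
        print(kind, value)
    print(distinct_prefixes(sample))
```

However many temporary addresses are generated, the set of prefixes has one element, which is why rotating the interface identifier hides the device but not the household.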
>>
>>58354501
>(((certain groups))) want every device in your home to be internet connected and have a microphone.
this
>>
>>58358615
>People are comfortable with Windows firewall prompts because they can just click "Let it through" and be done with it; however this is not desirable, and either way as an ISP I wouldn't trust my customers with this.
Yes, but that's the point, isn't it? People see a prompt “game XYZ wants to access the internet” and they click accept because they're currently running that game and trying to play with their friends.

Having firewall prompts in the OS makes connection attempts visible. Heck, normies constantly think ordinary software bugs or flashing prompt windows during installations are “viruses”, don't you think they would begin to freak the fuck out if some random .exe started asking for connection attempts?

Anyway, I guess it doesn't really matter, since at the end of the day, the main problem are the completely unsecured IoT devices, not the windows PCs.
>>
>>58358638
>Even though it's technically possible with IPv4 as well, as I love to abuse
How did you implement this?
>>
>>58358688
>How did you implement this?
There are three main mechanisms:

1. You can add an alias device (e.g. eth0:1) with its own IP but operating on the same link

2. You can use TUN/TAP overlay devices to simulate having multiple NICs. I do this to have multiple LANs on the same switch so I can save costs. In particular, my router only has a single NIC. I just have the ISP network and the LAN operating on the same switch, with the router using TUN overlay devices to be in both simultaneously (the reason I don't use aliases etc. for this is because I need separate iptables and tc rules for each interface, which requires a TUN)

3. You can just go the direct approach and literally
ip addr add X.Y.Z.W dev eth0
The interface will simply have multiple addresses now. No further questions asked.

It all just wurkz, because TCP/IP implementations are fucking magic. They support all of this stuff one way or the other because of shit like VMs/containers, software bridges, userspace networking, VPNs and the need to support multiple IPv6 addresses as well.

I do it for stuff like aliasing my control interface into multiple private subnets at the same time (one for AMT, one for BMCs, one for SSH etc.)
>>
>>58355098
Tell me more.. How do I Jew?
>>
>>58354710
Even if you understand IPv6 there's a zillion gotchas to watch out for which is why almost everybody disables it (see all those VPNs that were insecure due to IPv6).

BTW IPv6 is purposely complex and impossible to work with, look who sat on the standards body when they came up with it (hint: 3 letter agency).

There were all kinds of sensible alternatives proposed by experts such as DJ Bernstein but nope, we got that pile of shit. We also got HTTPS/2 (a pile of shit) and DNSSEC (another pile of insecure shit) all over strong objections of every preeminent computer scientist and shoved through by intel agency shills.
>>
>>58354510
Post history and desktop now.

EXTREME MODE ENABLED: No clearing allowed. All devices.
>>
>>58357381
>2. NAT is not a security feature. Repeat this until you get it. UPnP, STUN hole punching, internal XSS attacks etc. have proven time and time and time again that NAT does not even provide you with any form of protection

Just gonna quickly disagree here. NAT makes many attacks either more difficult or not possible. In practice a network behind NAT is much much more secure than one without, by virtue of the one-way nature that connections must initiate.

Yes there are ways around it, and the question of whether it is a "security feature" is semantically debatable. But there is no question in practice: a network behind NAT is far more protected than an equivalent network that is exposed.
>>
>>58357940
>2. NAT is easily bypassed. UPnP, STUN, XSS etc. will all laugh at your “fuckhuge wall”. It's really not any amount of security in practice

LOL, if you are located outside of the wall you can't actually use any of those things to get in. Those things only work if they're somehow initiated from the inside (by mistake, or by tricking someone).
>>
>>58360122
http://www.internetsociety.org/deploy360/resources/how-to-get-ipv6-addresses/
>>
>>58361336
hit enter too early
...write to them, depending on where you live, and ask about details
>>
>>58354447
>Implying DNS will always be there
>>
>>58355811
The keyboard drivers are proprietary and were made by fascists
>>
>I'm too retarded to understand basic hex
Thanks, maybe I'll finally get a job doing netcode and networking since you're too much of a fat headed idiot to learn something so basic
>>
What kind of fucking retard needs to remember an IP address in the first place.