Folks
I have been following the IPV6 comments.
What concerns me with the loss of NAT are the following issues:
1) My friend from half-way around the world comes to visit. He turns on his IPV6 enabled device (think Ipad), and wants to use my ISP's connection. What IP address does he get? If it's his home address, that makes routing difficult. If he dynamically gets one of "my" addresses a) Did my ISP give me enough? b) Do I get charged by my ISP on a per-device basis?
2) Today, my ISP doesn't know (or doesn't care) how many devices I have in my home -- my Linux gateway with DHCP and NAT hides all of that. With IPV6, what is to prevent my ISP from charging me a per-device fee?
3) When I connect my IPV6 refrigerator with its automatic inventory system tracking every RFID-enabled carrot I use, won't I be making my shopping habits visible to all those annoying advertisers? Or, in other words, am I compromising my privacy? Actually, although such dissemination of information can be blocked by a correctly designed firewall, I suspect the "Free IPv6 DSL Modem and Router, Sponsored by <your-favorite-commercial-site>" that comes with your ISP contract, would err on the side of promiscuity.
Concerned Linux/Windows/Mac/Wii/Iphone/Ipod/Ipad/Xbox user
David
On Tuesday, December 07, 2010 08:57 AM, David wrote:
Folks
I have been following the IPV6 comments.
What concerns me with the loss of NAT are the following issues:
- My friend from half-way around the world comes to visit. He turns
on his IPV6 enabled device (think Ipad), and wants to use my ISP's connection. What IP address does he get? If it's his home address, that makes routing difficult. If he dynamically gets one of "my" addresses a) Did my ISP give me enough?
Let's see...if you apply for ipv6, you get a /48 network or as David put it, 65k worth of /64 subnets.
b) Do I get charged by my ISP on a per-device basis?
Heh, if they want to micromanage...
- Today, my ISP doesn't know (or doesn't care) how many devices I
have in my home -- my Linux gateway with DHCP and NAT hides all of that. With IPV6, what is to prevent my ISP from charging me a per-device fee?
I don't know...a bridging firewall?
- When I connect my IPV6 refrigerator with its automatic inventory
system tracking every RFID-enabled carrot I use, won't I be making my shopping habits visible to all those annoying advertisers? Or, in other words, am I compromising my privacy? Actually, although such dissemination of information can be blocked by a correctly designed firewall, I suspect the "Free IPv6 DSL Modem and Router, Sponsored by <your-favorite-commercial-site>" that comes with your ISP contract, would err on the side of promiscuity.
Concerned Linux/Windows/Mac/Wii/Iphone/Ipod/Ipad/Xbox user
See above.
On Dec 6, 2010, at 7:51 PM, Christopher Chan wrote:
On Tuesday, December 07, 2010 08:57 AM, David wrote:
Folks
I have been following the IPV6 comments.
What concerns me with the loss of NAT are the following issues:
- My friend from half-way around the world comes to visit. He turns
on his IPV6 enabled device (think Ipad), and wants to use my ISP's connection. What IP address does he get? If it's his home address, that makes routing difficult. If he dynamically gets one of "my" addresses a) Did my ISP give me enough?
Let's see...if you apply for ipv6, you get a /48 network or as David put it, 65k worth of /64 subnets.
b) Do I get charged by my ISP on a per-device basis?
Heh, if they want to micromanage...
I'm still waiting for the day I get a home ISP that doesn't nickel and dime me. I agree that this is a potential concern. What's sad is that if they decide to do this, there's little I can do about it since ipv6 doesn't support NAT.
Don't get me wrong. Now I've reviewed the spec, I agree NAT isn't required, but unless all the end user ISPs turn into benevolent Oligopolies, it is a potential issue.
On Tuesday, December 07, 2010 11:08 AM, Todd Rinaldo wrote:
On Dec 6, 2010, at 7:51 PM, Christopher Chan wrote:
On Tuesday, December 07, 2010 08:57 AM, David wrote:
Folks
I have been following the IPV6 comments.
What concerns me with the loss of NAT are the following issues:
- My friend from half-way around the world comes to visit. He turns
on his IPV6 enabled device (think Ipad), and wants to use my ISP's connection. What IP address does he get? If it's his home address, that makes routing difficult. If he dynamically gets one of "my" addresses a) Did my ISP give me enough?
Let's see...if you apply for ipv6, you get a /48 network or as David put it, 65k worth of /64 subnets.
b) Do I get charged by my ISP on a per-device basis?
Heh, if they want to micromanage...
I'm still waiting for the day I get a home ISP that doesn't nickel and dime me. I agree that this is a potential concern. What's sad is that if they decide to do this, there's little I can do about it since ipv6 doesn't support NAT.
Don't get me wrong. Now I've reviewed the spec, I agree NAT isn't required, but unless all the end user ISPs turn into benevolent Oligopolies, it is a potential issue.
Ah, I must pity you who have to live with what you've got in the United States being under the rule of these tyrants. You guys probably can only dream of getting a 100MB fibre connection for 13USD/mnth or a 1GB fibre connection for 30 or so USD/mnth. I hesitate to keep the chaps in Australia on the list to be pitied now that Telstra is being dismantled.
On 7/12/10 8:33 PM, Christopher Chan wrote:
Ah, I must pity you who have to live with what you've got in the United States being under the rule of these tyrants. You guys probably can only dream of getting a 100MB fibre connection for 13USD/mnth or a 1GB fibre connection for 30 or so USD/mnth. I hesitate to keep the chaps in Australia on the list to be pitied now that Telstra is being dismantled.
It's okay, soon we'll have a new monopoly to whinge about: NBN Co. ;)
The real problem here is the quotas on broadband connections, although that is in part due to the cost of hauling almost all the data half-way around the globe.
The even more horrendous problem, which is so pervasive it affects everyone, is the insistence on asymmetric connections. Even when Australia does get this fabled fibre-to-the-home, it still won't be symmetric. *sigh*
Regards, Ben
On Wednesday, December 08, 2010 03:11 AM, Ben McGinnes wrote:
On 7/12/10 8:33 PM, Christopher Chan wrote:
Ah, I must pity you who have to live with what you've got in the United States being under the rule of these tyrants. You guys probably can only dream of getting a 100MB fibre connection for 13USD/mnth or a 1GB fibre connection for 30 or so USD/mnth. I hesitate to keep the chaps in Australia on the list to be pitied now that Telstra is being dismantled.
It's okay, soon we'll have a new monopoly to whinge about: NBN Co. ;)
The real problem here is the quotas on broadband connections, although that is in part due to the cost of hauling almost all the data half-way around the globe.
Thanks Ben, you just gave me another thing to coo about that I had forgotten. What quotas? :-p
The even more horrendous problem, which is so pervasive it affects everyone, is the insistence on asymmetric connections. Even when Australia does get this fabled fibre-to-the-home, it still won't be symmetric. *sigh*
Fibre connections that are not symmetric...sure going out of the way that.
On 8/12/10 2:37 PM, Christopher Chan wrote:
On Wednesday, December 08, 2010 03:11 AM, Ben McGinnes wrote:
Thanks Ben, you just gave me another thing to coo about that I had forgotten. What quotas? :-p
Damn you, damn you to Heck. :)
The even more horrendous problem, which is so pervasive it affects everyone, is the insistence on asymmetric connections. Even when Australia does get this fabled fibre-to-the-home, it still won't be symmetric. *sigh*
Fibre connections that are not symmetric...sure going out of the way that.
Kind of. The spec they're using (I've forgotten which one it is) supports a 2:1 ratio, I think the current maximum is supposed to be around 2.5Gb/s download and 1.25Gb/s upload. The plans being offered by the wholesaler (NBN Co.) to ISPs for resale are currently 25Mb/2Mb, 50Mb/4Mb and 100Mb/8Mb. I don't know how they expect to encourage local content like that, let alone local innovation, but that's what they're doing.
Anyway, I've been drooling over the sort of connections that are only available in the corporate world here and in more civilised parts of the world for a long time. I don't really expect that to change now.
Regards, Ben
On Wednesday, December 08, 2010 05:10 PM, Ben McGinnes wrote:
The even more horrendous problem, which is so pervasive it affects everyone, is the insistence on asymmetric connections. Even when Australia does get this fabled fibre-to-the-home, it still won't be symmetric. *sigh*
Fibre connections that are not symmetric...sure going out of the way that.
Kind of. The spec they're using (I've forgotten which one it is) supports a 2:1 ratio, I think the current maximum is supposed to be around 2.5Gb/s download and 1.25Gb/s upload. The plans being offered by the wholesaler (NBN Co.) to ISPs for resale are currently 25Mb/2Mb, 50Mb/4Mb and 100Mb/8Mb. I don't know how they expect to encourage local content like that, let alone local innovation, but that's what they're doing.
Local content as in ISP provided content?
Anyway, I've been drooling over the sort of connections that are only available in the corporate world here and in more civilised parts of the world for a long time. I don't really expect that to change now.
/me wonders if he should get started with the charges for corporate connections too...:-p
All HK ISPs are IPv6 connected. I wonder if I should get an IPv6 allocation for the school...nah, probably got other things to cook.
On Tuesday, December 07, 2010 10:37:02 pm Christopher Chan wrote:
On Wednesday, December 08, 2010 03:11 AM, Ben McGinnes wrote:
The even more horrendous problem, which is so pervasive it affects everyone, is the insistence on asymmetric connections. Even when Australia does get this fabled fibre-to-the-home, it still won't be symmetric. *sigh*
Fibre connections that are not symmetric...sure going out of the way that.
Not really, once you realize that more optical power is required for greater bandwidths at the same distance. It is rather safer and less expensive at the CPE to have a broad receiver and a narrow transmitter. Fiber still obeys power density rules. Not to mention that passive splitting of the downstream and driving with high power lasers couple with either Raman or Erbium-doped fiber amplifiers saves money for the carrier.
And there is of course single fiber RX/TX muxing, where the upstream is DWDM on a 1550nm window wave at a low power, and the downstream is a high power 1310nm single wave, or CWDM even. Running a dedicated fiber pair to each customer is expensive; CATV fiber supertrunk digital systems are well-tested at high (>+30dBm optical) powers and are much less expensive for the carrier, meaning they are much less expensive for the subscriber, too. Even if they *are* oversubscribed.
While it is easy to believe in an 'asymmetric/no servers/ I got all the content/ mwahahaha!' conspiracy, simple economics and physics explain most of the reasons that oversubscribed high bandwidth downstream coupled with less oversubscribed low bandwidth upstream is the norm for consumer links. Even fiber.
Or would you prefer paying kilobucks per month for a tariffed OC3/12/48 or Gigabit provisioned Metro E? (that's all I can get, and it does cost kilobucks to get it).
On Wednesday, December 08, 2010 11:11 PM, Lamar Owen wrote:
On Tuesday, December 07, 2010 10:37:02 pm Christopher Chan wrote:
On Wednesday, December 08, 2010 03:11 AM, Ben McGinnes wrote:
The even more horrendous problem, which is so pervasive it affects everyone, is the insistence on asymmetric connections. Even when Australia does get this fabled fibre-to-the-home, it still won't be symmetric. *sigh*
Fibre connections that are not symmetric...sure going out of the way that.
Not really, once you realize that more optical power is required for greater bandwidths at the same distance. It is rather safer and less expensive at the CPE to have a broad receiver and a narrow transmitter. Fiber still obeys power density rules. Not to mention that passive splitting of the downstream and driving with high power lasers couple with either Raman or Erbium-doped fiber amplifiers saves money for the carrier.
And there is of course single fiber RX/TX muxing, where the upstream is DWDM on a 1550nm window wave at a low power, and the downstream is a high power 1310nm single wave, or CWDM even. Running a dedicated fiber pair to each customer is expensive; CATV fiber supertrunk digital systems are well-tested at high (>+30dBm optical) powers and are much less expensive for the carrier, meaning they are much less expensive for the subscriber, too. Even if they *are* oversubscribed.
While it is easy to believe in an 'asymmetric/no servers/ I got all the content/ mwahahaha!' conspiracy, simple economics and physics explain most of the reasons that oversubscribed high bandwidth downstream coupled with less oversubscribed low bandwidth upstream is the norm for consumer links. Even fiber.
Or would you prefer paying kilobucks per month for a tariffed OC3/12/48 or Gigabit provisioned Metro E? (that's all I can get, and it does cost kilobucks to get it).
Is this residential? One can get 1G symmetric fibre from HKBN for less than 30USD/mnth if you live in a block of apartments. See below. (Please note troll hat on my head)
----------------------
FibreHome 1000 Basic Plan - installation fee waiver
- Basic monthly fee $199
- Contract duration 24 months
- Maximum bandwidth (local access) 1000Mbps Upload/Download
- Maximum bandwidth (overseas access) 20Mbps Upload/Download
- Installation fee $0
Basic Gifts
- 4 UA Movie Vouchers (Apply to online registration only)
- NOD32 Anti-virus software (Worth: $238) (Apply to online registration only)
Successfully register to this plan and install FibreHome1000 Broadband Service on or before December 31, you will be entitled to receive the gifts for free.
----------------------
As for my current location, I guess I can get the same if I am willing to pay for the cable laying...
*takes off troll hat* ps: Thanks for the info on long distance fibre tech.
On Thursday, December 09, 2010 06:00:58 am Christopher Chan wrote:
On Wednesday, December 08, 2010 11:11 PM, Lamar Owen wrote:
Or would you prefer paying kilobucks per month for a tariffed OC3/12/48 or Gigabit provisioned Metro E? (that's all I can get, and it does cost kilobucks to get it).
Is this residential?
No. This is committed full rate non-oversubscribed dedicated symmetric bandwidth guaranteed to the provider's upstream handoff at the AS border (and the provider has multiple 10G links). I'm running right now on a 1000Base-LX/LH transport from a Cisco 12008 router to the ISP, where I've purchased X Mb/s of connectivity across their SONET backbone to their core, and through their core to their upstream(s). Up until April I had a T1 over fiber for backup and a protected OC-3; I cut my costs by a factor of ten going Metro-E, thanks to the tariff the OC-3 was under.
Also, I'm about 19 kilofeet by fiber from the remote office/SLIC, and about 20 miles from the CO in the nearest town; while I could have lit a ZX link if I had needed to, it was nice that I was within 10km of the EoSONET bridge at the remote office.
Yeah, the boonies. I'm the only fiber customer this far out on this system; we have six fibers, two of which are currently lit. We have 75 strand-miles of fiber on-campus, some of which I'm lighting with 1550nm waves due to high attenuation (old fiber). And I'm using surplus CATV supertrunk equipment to do it; fun stuff to work with.
On Thursday, December 09, 2010 10:59 PM, Lamar Owen wrote:
On Thursday, December 09, 2010 06:00:58 am Christopher Chan wrote:
On Wednesday, December 08, 2010 11:11 PM, Lamar Owen wrote:
Or would you prefer paying kilobucks per month for a tariffed OC3/12/48 or Gigabit provisioned Metro E? (that's all I can get, and it does cost kilobucks to get it).
Is this residential?
No. This is committed full rate non-oversubscribed dedicated symmetric bandwidth guaranteed to the provider's upstream handoff at the AS border (and the provider has multiple 10G links). I'm running right now on a 1000Base-LX/LH transport from a Cisco 12008 router to the ISP, where I've purchased X Mb/s of connectivity across their SONET backbone to their core, and through their core to their upstream(s). Up until April I had a T1 over fiber for backup and a protected OC-3; I cut my costs by a factor of ten going Metro-E, thanks to the tariff the OC-3 was under.
Also, I'm about 19 kilofeet by fiber from the remote office/SLIC, and about 20 miles from the CO in the nearest town; while I could have lit a ZX link if I had needed to, it was nice that I was within 10km of the EoSONET bridge at the remote office.
Yeah, the boonies. I'm the only fiber customer this far out on this system; we have six fibers, two of which are currently lit. We have 75 strand-miles of fiber on-campus, some of which I'm lighting with 1550nm waves due to high attenuation (old fiber). And I'm using surplus CATV supertrunk equipment to do it; fun stuff to work with.
Fiber over here for the school, 50MB up/down at around 650USD/mnth with a /28 subnet. Probably also the only fiber customer way up this hill the school is situated on but we have nothing laid out in the contract regarding actual bandwidth overseas. Not that a primary/grade school needs anything substantial...
On Thursday 09 December 2010 11:00:58 Christopher Chan wrote:
On Wednesday, December 08, 2010 11:11 PM, Lamar Owen wrote:
Or would you prefer paying kilobucks per month for a tariffed OC3/12/48 or Gigabit provisioned Metro E? (that's all I can get, and it does cost kilobucks to get it).
Is this residential? One can get 1G symmetric fibre from HKBN for less than 30USD/mnth if you live in a block of apartments. See below. (Please note troll hat on my head)
FibreHome 1000 Basic Plan
installation fee waiver
- Basic monthly fee $199
- Contract duration 24 months
- Maximum bandwidth (local access) 1000Mbps Upload/Download
- Maximum bandwidth (overseas access) 20Mbps Upload/Download
- Installation fee $0
[snip]
Sorry, I fail to understand how this is a 1G link. It clearly says that you have only a 20Mbps uplink to the rest of the world (I guess that's what "overseas" means).
Granted, the cabling may be able to withstand a 1000Mbps throughput (for whatever "local" network may be). But it's not the same thing as having a real 1G uplink, which would be much more expensive. Especially if it is symmetric.
Or have I misunderstood something here?
Btw, what part of the world are you in, geographically? That would probably clear up my understanding of "overseas" and "local" accesses... :-)
Best, :-) Marko
On Friday, December 10, 2010 03:12 AM, Marko Vojinovic wrote:
On Thursday 09 December 2010 11:00:58 Christopher Chan wrote:
On Wednesday, December 08, 2010 11:11 PM, Lamar Owen wrote:
Or would you prefer paying kilobucks per month for a tariffed OC3/12/48 or Gigabit provisioned Metro E? (that's all I can get, and it does cost kilobucks to get it).
Is this residential? One can get 1G symmetric fibre from HKBN for less than 30USD/mnth if you live in a block of apartments. See below. (Please note troll hat on my head)
FibreHome 1000 Basic Plan
installation fee waiver
- Basic monthly fee $199
- Contract duration 24 months
- Maximum bandwidth (local access) 1000Mbps Upload/Download
- Maximum bandwidth (overseas access) 20Mbps Upload/Download
- Installation fee $0
[snip]
Sorry, I fail to understand how this is a 1G link. It clearly says that you have only a 20Mbps uplink to the rest of the world (I guess that's what "overseas" means).
Residential link...we don't care that much about overseas bandwidth, not unless we are into the DOSing business :-p
Granted, the cabling may be able to withstand a 1000Mbps throughput (for whatever "local" network may be). But it's not the same thing as having a real 1G uplink, which would be much more expensive. Especially if it is symmetric.
Or have I misunderstood something here?
One gets 1G to hosts local to Hong Kong. Like the local Centos mirrors.
Btw, what part of the world are you in, geographically? That would probably clear up my understanding of "overseas" and "local" accesses... :-)
Hong Kong.
b) Do I get charged by my ISP on a per-device basis?
Heh, if they want to micromanage...
This is no science fiction. Some big providers in some countries limit the number of devices that can connect to the internet. You have to register the MAC address of your single PC (which, by the way, is expected to run Windows or MacOS).
In that case, a NAT router sending the MAC address expected by the provider could have (maybe, possibly...) been very handy. (I won't tell more, even though I have left the country and the provider in question)
On Tuesday, December 07, 2010 07:23 PM, Mathieu Baudier wrote:
b) Do I get charged by my ISP on a per-device basis?
Heh, if they want to micromanage...
This is no science fiction.
Never said it was.
Some big providers in some countries limit the number of devices that can connect to the internet. You have to register the MAC address of your single PC (which, by the way, is expected to run Windows or MacOS).
Not news to me. Netvigator over here had single computer in its terms and conditions and single user/multiple user accounts. And only they had such terms but they never did try to enforce them. Not with all the competition around.
In that case, a NAT router sending the MAC address expected by the provider could have (maybe, possibly...) been very handy. (I won't tell more, even though I have left the country and the provider in question)
/me does not care. Not sure about other folks though...do them a service :-p
/me does not care. Not sure about other folks though...do them a service :-p
In theory, a lot of residential routers (not provided by the ISP) will allow you to set the sent MAC address via their web interface.
And on a full fledged Linux OS: ifconfig ethX hw ether MY:MA:CA:DD:RE:SS (or something like that, see man ifconfig)
I just did not say whether I have ever tried it for real...
On 12/07/2010 12:53 PM, Mathieu Baudier wrote: ...
And on a full fledged Linux OS: ifconfig ethX hw ether MY:MA:CA:DD:RE:SS (or something like that, see man ifconfig)
I just did not say whether I have ever tried it for real...
You just add the following line to /etc/sysconfig/network-scripts/ifcfg-eth0:
MACADDR=MY:MA:CA:DD:RE:SS
It works.
Mogens
Can a machine with only an IPV6 address communicate with a machine that only has an IPV4 or are they separate?
On 07/12/10 13:22, John Thomas wrote:
Can a machine with only an IPV6 address communicate with a machine that only has an IPV4 or are they separate?
They are separate. It's two different protocols, even though they are similar in many aspects.
There are some projects trying to bridge that for single-stack IPv6 networks. But I've concluded running dual-stack with both IPv4 and IPv6 is less error prone, as such proxy solutions will not always work 100% perfectly.
IPv4 addresses need to be translated into IPv6 addresses by a local DNS service, and the proxy needs IPv4 access anyway to reach the IPv4 host.
David S.
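The translation David S. describes is what a DNS64 resolver does in front of a NAT64 gateway: it embeds the IPv4 address of an IPv4-only host into an IPv6 prefix, by default the well-known prefix 64:ff9b::/96 from RFC 6052, so that an IPv6-only client has something to connect to; the NAT64 box then recovers the IPv4 address from the low 32 bits and makes the IPv4 connection on the client's behalf. The shell functions below are an added example, not code from the thread or from any poster; they perform that embedding and the reverse extraction for the /96 layout only, and the function names and the sample address 192.0.2.33 are constructed for illustration.

```shell
#!/bin/sh
# Added example: RFC 6052 address synthesis for the well-known NAT64 prefix
# 64:ff9b::/96, where the IPv4 address occupies the low 32 bits. Only the
# /96 layout is handled (the other RFC 6052 prefix lengths place the IPv4
# bits elsewhere). Function names are constructed for this example.

WKP="64:ff9b::"   # well-known prefix, written so the IPv4 part follows the "::"

# nat64_synth DOTTED_QUAD
#   Prints the IPv6 address a DNS64 resolver would hand to an IPv6-only client
#   for an IPv4-only host, e.g. 192.0.2.33 -> 64:ff9b::c000:221.
#   Returns 1 on malformed input instead of synthesising garbage.
nat64_synth() {
    ipv4=$1
    oldifs=$IFS; IFS=.; set -- $ipv4; IFS=$oldifs
    [ $# -eq 4 ] || { echo "nat64_synth: not a dotted quad: $ipv4" >&2; return 1; }
    for o in "$@"; do
        case $o in ''|*[!0-9]*) echo "nat64_synth: bad octet '$o'" >&2; return 1 ;; esac
        [ "$o" -le 255 ] || { echo "nat64_synth: octet out of range: $o" >&2; return 1; }
    done
    # The two IPv4 halves become the last two 16-bit groups of the address.
    printf '%s%x:%x\n' "$WKP" $(( $1 * 256 + $2 )) $(( $3 * 256 + $4 ))
}

# nat64_extract IPV6_ADDRESS
#   Inverse operation, as the NAT64 gateway does on the destination of every
#   packet it translates: 64:ff9b::c000:221 -> 192.0.2.33.
#   Rejects addresses that are not inside the well-known prefix.
nat64_extract() {
    addr=$1
    tail=${addr#"$WKP"}
    [ "$tail" != "$addr" ] || { echo "nat64_extract: not in ${WKP}/96: $addr" >&2; return 1; }
    case $tail in
        *:*) hi=${tail%:*}; lo=${tail#*:} ;;   # both low groups present
        *)   hi=0; lo=$tail ;;                 # compressed form, high group is zero
    esac
    hi=$(( 0x$hi )); lo=$(( 0x$lo ))
    printf '%d.%d.%d.%d\n' $(( hi >> 8 )) $(( hi & 255 )) $(( lo >> 8 )) $(( lo & 255 ))
}

# Demonstration on a constructed address from the documentation range.
if [ "${1:-}" = demo ]; then
    v6=$(nat64_synth 192.0.2.33) && echo "DNS64 answer:   $v6"
    nat64_extract "$v6" | sed 's/^/NAT64 recovers: /'
fi
```

Run it with `sh nat64.sh demo` to see both directions. The point the example makes is David S.'s: the synthesised address is only a pointer to the IPv4 host, so something on the path still has to own an IPv4 address and a translation state table, which is why he finds dual-stack the less fragile choice.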
Mathieu Baudier said the following on 07/12/10 12:23:
Some big providers in some countries limit the number of devices that can connect to the internet.
FastWeb does this in Italy.
They configure their router (to which you do NOT have access) giving the LAN side a 192.168.x.x/24 but only the first 'n' IPs ('n' depends on how much you pay) of the subnet are NATted.
Ciao, luigi
On 12/07/2010 06:56 AM, Luigi Rosa wrote:
Mathieu Baudier said the following on 07/12/10 12:23:
Some big providers in some countries limit the number of devices that can connect to the internet.
FastWeb does this in Italy.
They configure their router (to which you do NOT have access) giving the LAN side a 192.168.x.x/24 but only the first 'n' IPs ('n' depends on how much you pay) of the subnet are NATted.
That is easily defeated by putting a Linux box behind the provided router to do natting.
Ciao, luigi
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Tue, Dec 07, 2010 at 12:23:08PM +0100, Mathieu Baudier wrote:
b) Do I get charged by my ISP on a per-device basis?
Heh, if they want to micromanage...
This is no science fiction. Some big providers in some countries limit the number of devices that can connect to the internet. You have to register the MAC address of your single PC (which, by the way, is expected to run Windows or MacOS).
In the old days (5-6 years ago?), you were being sneaky if you used a router--this is in the US, with Roadrunner. They acknowledged, eventually, that it was common, and their terms of service specifically allow it. Verizon used to (don't know what they do now), provide a modem-cum-wireless-router when you got their service---this was with DSL, I assume they do the same with FIOS.
On 07/12/10 12:23, Mathieu Baudier wrote:
b) Do I get charged by my ISP on a per-device basis?
Heh, if they want to micromanage...
This is no science fiction. Some big providers in some countries limit the number of devices that can connect to the internet. You have to register the MAC address of your single PC (which, by the way, is expected to run Windows or MacOS).
For a lot of people, it is always possible to vote with your wallet.
If a provider is too restrictive for you, choose another one. I pay my fees to the ISP I feel is worthy to have me as a customer. So if they want my money, they must please me. But I am also willing to pay a bit more to a competitor who can fulfil my demands if my current provider does not deliver according to the agreement and my expectations.
Of course this is not possible in places where there is only one option. But then try to approach, if possible, other ISPs anyway, to see what they can offer you.
kind regards,
David Sommerseth
On Tue, Dec 7, 2010 at 6:23 AM, Mathieu Baudier mbaudier@argeo.org wrote:
b) Do I get charged by my ISP on a per-device basis?
This is no science fiction. Some big providers in some countries limit the number of devices that can connect to the internet. You have to register the MAC address of your single PC (which, by the way, is expected to run Windows or MacOS).
In that case, a NAT router sending the MAC address expected by the provider could have (maybe, possibly...) been very handy. (I won't tell more, even though I have left the country and the provider in question)
I've had such a provider. This is why you can assign a MAC address to a dsl router's WAN interface.
David wrote:
Folks
I have been following the IPV6 comments.
What concerns me with the loss of NAT are the following issues:
- When I connect my IPV6 refrigerator with its automatic inventory
system tracking every RFID-enabled carrot I use, won't I be making my shopping habits visible to all those annoying advertisers? Or, in other words, am I compromising my privacy? Actually, although such dissemination of information can be blocked by a correctly designed firewall, I suspect the "Free IPv6 DSL Modem and Router, Sponsored by <your-favorite-commercial-site>" that comes with your ISP contract, would err on the side of promiscuity.
Why yes, yes you are giving up some of your privacy. And unless you have the time and are willing and able to learn how to configure firewalls for each device and application you use, or have the money to pay someone else you trust to do it for you, there is very little to protect you from the rest of the world.
I just finished reviewing my firewall logs for last week. There are 127MiB with ipmon reports of rejected connection attempts. That's actually on the low side for any seven day period. I have some weeks that are half again that much. Somebody out there is pounding on that firewall pretty hard, trying to break in. I'm certain they don't have my best interests at heart. Most of the ports attacked are linked to well known services and worms on one particular OS, which I don't happen to have running on my network. But this log tells me that it is important to make it as difficult as possible for whoever is knocking on the door. I don't see that IPv6 helps improve that protection. In fact, it appears to eliminate some of the protection I have now.
Somebody mentioned that NAT broke several protocols when it was introduced. That suggests those protocols needed to be fixed or replaced. In particular, FTP should have been trashed decades ago. It was designed when every system administrator could be held responsible for his actions or inaction. That requirement disappeared more than 20 years ago. Protocols that depended on it should have disappeared with it.
Bob McConnell N2SPP
On Mon, Dec 06, 2010 at 08:55:17PM -0500, Bob McConnell wrote:
- When I connect my IPV6 refrigerator with its automatic inventory
system tracking every RFID-enabled carrot I use, won't I be making my shopping habits visible to all those annoying advertisers? Or, in other words, am I compromising my privacy? Actually, although such dissemination of information can be blocked by a correctly designed firewall, I suspect the "Free IPv6 DSL Modem and Router, Sponsored by <your-favorite-commercial-site>" that comes with your ISP contract, would err on the side of promiscuity.
Why yes, yes you are giving up some of your privacy. And unless you have the time and are willing and able to learn how to configure firewalls for each device and application you use, or have the money to pay someone else you trust to do it for you, there is very little to protect you from the rest of the world.
That's at least overstated, and at worst complete FUD. Generic modems and routers will be configured as they are now - with stateful firewalls blocking all incoming traffic, except for streams initiated internally. Outgoing connections that would have worked before via NAT continue to work, but without NAT. Stateful firewalls are still stateful firewalls.
Where are you giving up some of your privacy? The number of hosts on your internal network? So allocate 256 ips (or 65k, if you like) to every host and use a random ip from that set for every distinct service or outgoing connection.
There _is_ more information leakage with ipv6, in the sense that you are using a real ip from an internal machine on the connection. But the point is that the security benefit of that is largely illusory, security by obscurity.
Cheers, Gavin
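What Gavin describes, a stateful firewall that lets LAN-initiated flows out and their replies back in while dropping every unsolicited inbound packet, is the policy a home gateway needs once there is no NAT in the path; NAT only ever gave that behaviour as a side effect of address rewriting. The script below is an added example, not code from the thread or from any poster. It assumes nftables (which postdates this 2010 thread and stands in for the ip6tables rules of the day), an ISP-facing interface named wan0 and a LAN interface named lan0 (names constructed for the example), and a router that gets its prefix over DHCPv6. It also admits the ICMPv6 messages IPv6 cannot function without (neighbour discovery, packet-too-big for path MTU discovery), following the RFC 4890 recommendations, since an ISP-supplied box that simply drops all ICMP breaks IPv6 in ways that look like random connection hangs.

```shell
#!/bin/sh
# Added example: stateful IPv6 firewall for a home gateway that has no NAT.
# Assumptions (constructed for this example): nftables is installed, the
# ISP-facing interface is wan0 and the home LAN is lan0.
WAN=${WAN:-wan0}
LAN=${LAN:-lan0}

# Emit the ruleset. Both hooked chains default to drop, so anything not
# listed here (in particular an unsolicited connection from the Internet to a
# host on the LAN, fridge included) is discarded. The add/flush pair makes a
# reload idempotent instead of appending a second copy of every rule.
ipv6_home_ruleset() {
    cat <<EOF
add table inet home_fw
flush table inet home_fw
table inet home_fw {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "lo" accept
    iifname "$LAN" accept
    # ICMPv6 the router itself depends on: router/neighbour discovery on the
    # link, PMTU signalling and plain ping (RFC 4890 recommends passing these).
    icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
    # DHCPv6 replies from the ISP (prefix delegation) to our client port.
    iifname "$WAN" udp sport 547 udp dport 546 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # LAN-initiated flows may leave; their return packets match "established"
    # above. This is what NAT used to give you implicitly, now stated as policy.
    iifname "$LAN" oifname "$WAN" accept
    # Inbound ICMPv6 errors that end hosts need (without packet-too-big, PMTU
    # discovery fails and large transfers stall).
    iifname "$WAN" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
  }
}
EOF
}

# Sanity check before loading: count the hooked chains whose default is drop.
# A vendor box that "errs on the side of promiscuity" would report 0 here.
count_default_drop_chains() {
    ipv6_home_ruleset | grep -c 'policy drop;'
}

# Load atomically: nft applies the whole file in one transaction, so there is
# no window with half a ruleset. 'nft -c -f -' only parses it (dry run).
apply_ruleset() {
    ipv6_home_ruleset | nft -f -
}

if [ "${1:-}" = apply ]; then
    [ "$(count_default_drop_chains)" -eq 2 ] || { echo "refusing to load: a hooked chain is not default-drop" >&2; exit 1; }
    apply_ruleset
fi
```

`sh ipv6-home-fw.sh apply` loads the ruleset; running it with no argument only defines the functions, which is convenient for reviewing the generated text with `ipv6_home_ruleset | nft -c -f -` first. Gavin's second point, hiding the host count behind many addresses, is a separate mechanism (RFC 4941 temporary addresses on the hosts themselves) and is not something this ruleset provides.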
Gavin Carr wrote:
On Mon, Dec 06, 2010 at 08:55:17PM -0500, Bob McConnell wrote:
- When I connect my IPV6 refrigerator with its automatic inventory
system tracking every RFID-enabled carrot I use, won't I be making my shopping habits visible to all those annoying advertisers? Or, in other words, am I compromising my privacy? Actually, although such dissemination of information can be blocked by a correctly designed firewall, I suspect the "Free IPv6 DSL Modem and Router, Sponsored by <your-favorite-commercial-site>" that comes with your ISP contract, would err on the side of promiscuity.
Why yes, yes you are giving up some of your privacy. And unless you have the time and are willing and able to learn how to configure firewalls for each device and application you use, or have the money to pay someone else you trust to do it for you, there is very little to protect you from the rest of the world.
That's at least overstated, and at worst complete FUD. Generic modems and routers will be configured as they are now - with stateful firewalls blocking all incoming traffic, except for streams initiated internally. Outgoing connections that would have worked before via NAT continue to work, but without NAT. Stateful firewalls are still stateful firewalls.
Where are you giving up some of your privacy? The number of hosts on your internal network? So allocate 256 ips (or 65k, if you like) to every host and use a random ip from that set for every distinct service or outgoing connection.
There _is_ more information leakage with ipv6, in the sense that you are using a real ip from an internal machine on the connection. But the point is that the security benefit of that is largely illusory, security by obscurity.
No, it is not FUD, it is a real concern by people with much to lose. Those of you evangelizing this new, and still unproven technology can't seem to recognize this simple fact.
I consider that information leakage to be very significant. It advertises the presence of another computer with explicit information on where to reach it. Regardless of the firewall, none of which are perfect, this increases the exposure of my systems in an adverse fashion. It increases my risk of being penetrated by someone I probably don't want rummaging around in my files. But I don't see any additional protection being offered to replace what is being taken away.
Bob McConnell N2SPP
On Tue, 2010-12-07 at 10:49 -0500, Bob McConnell wrote:
There _is_ more information leakage with ipv6, in the sense that you are using a real ip from an internal machine on the connection. But the point is that the security benefit of that is largely illusory, security by obscurity.
No, it is not FUD,
It is FUD.
it is a real concern by people with much to lose. Those of you evangelizing this new, and still unproven technology can't seem to recognize this simple fact.
Calling IPv6 "unproved" is absurd. It is widely deployed and used extensively. Security is/was taken very seriously in the design.
I consider that information leakage to be very significant.
You have a huge address pool - periodically change your address if you feel that is significant. That certainly adds more obfuscation than IPv4 NAT ever did.
It advertises the presence of another computer with explicit information on where to reach it.
You already do that with every e-mail message and HTTP request. Do you obscure the User-Agent string in all your traffic? (You're not using Thunderbird 2.0.0.24 in X-Windows?) Because that information is just as [if not more] valuable to a potential attacker than your firewalled address.
It increases my risk of being penetrated by someone I probably don't want rummaging around in my files. But I don't see any additional protection being offered to replace what is being taken away.
You are on a network - you can always disconnect the drive. If you really feel *NAT* is really that critical to hiding your data this seems a very reasonable option. Because NAT is providing only an extremely trivial additive to security you feel you need.
On 07/12/10 16:49, Bob McConnell wrote:
Gavin Carr wrote:
On Mon, Dec 06, 2010 at 08:55:17PM -0500, Bob McConnell wrote:
- When I connect my IPV6 refrigerator with its automatic inventory
system tracking every RFID-enabled carrot I use, won't I be making my shopping habits visible to all those annoying advertisers? Or, in other words, am I compromising my privacy? Actually, although such dissemination of information can be blocked by a correctly designed firewall, I suspect the "Free IPv6 DSL Modem and Router, Sponsored by <your-favorite-commercial-site>" that comes with your ISP contract, would err on the side of promiscuity.
Why yes, yes you are giving up some of your privacy. And unless you have the time and are willing and able to learn how to configure firewalls for each device and application you use, or have the money to pay someone else you trust to do it for you, there is very little to protect you from the rest of the world.
That's at least overstated, and at worst complete FUD. Generic modems and routers will be configured as they are now - with stateful firewalls blocking all incoming traffic, except for streams initiated internally. Outgoing connections that would have worked before via NAT continue to work, but without NAT. Stateful firewalls are still stateful firewalls.
Where are you giving up some of your privacy? The number of hosts on your internal network? So allocate 256 ips (or 65k, if you like) to every host and use a random ip from that set for every distinct service or outgoing connection.
There _is_ more information leakage with ipv6, in the sense that you are using a real ip from an internal machine on the connection. But the point is that the security benefit of that is largely illusory, security by obscurity.
No, it is not FUD, it is a real concern by people with much to lose. Those of you evangelizing this new, and still unproven technology can't seem to recognize this simple fact.
This is FUD. IPv6 has been talked about and worked on for about 15 years; the early talks about IPv6 started in the early 1990's. It's been implemented in most OSes over the last 10 years. It's been available to users for a long time. But a reluctant market that is not willing to change until it's absolutely needed has delayed the implementation. Now we're running out of IPv4 addresses pretty soon, and system admins and network implementers begin to feel the heat.
http://datatracker.ietf.org/wg/ipv6/
Notice that the IETF IPv6 Working Group concluded their work Jun 2007. For more information, also check out:
http://www.ipv6actnow.org/info/statement/
Based on the list of supporters, it also seems to be quite proven. I meet every day more and more Internet services which provide both IPv4 and IPv6 services. IPv6 is in production in many places already. Did you know that these sites already provide IPv6?
http://ipv6.google.com http://www.v6.facebook.com http://www.heise.de
None of them are small. A-Pressen, a Norwegian media group, is looking into rolling out IPv6 to the vast majority of on-line newspapers. That IPv6 is unproven is simply a false statement.
I consider that information leakage to be very significant. It advertises the presence of another computer with explicit information on where to reach it. Regardless of the firewall, none of which are perfect, this increases the exposure of my systems in an adverse fashion. It increases my risk of being penetrated by someone I probably don't want rummaging around in my files. But I don't see any additional protection being offered to replace what is being taken away.
There is no more information leakage in IPv6 compared to IPv4. In IPv4 and IPv6 you still have to use public IP addresses to communicate with the rest of the world. The only difference with IPv4 + NAT is that all computers on the inside use your firewall's public IP address. That's actually an even worse situation in my opinion, as that tells an attacker where your firewall is. With IPv6, you can give your firewall whatever IPv6 address you want, and an attacker doesn't know if he is hitting a firewall or the destination host. Which means the attacker will know *less* about the attack vector than with IPv4.
And due to the enormous address space IPv6 gives each single site, doing a brute-force attack against more IP addresses will be a never-ending story. Try to double 4,294,967,296 32 times, and you'll have the number of addresses available *only to you* in *one* /64 subnet. If you then even introduce IPv6 Privacy Extensions, which will randomise and change the IPv6 address regularly, an attacker will be shooting at a moving target. Then put this "moving target" behind a firewall which doesn't provide access from the outside to the inside (only from inside to outside), and the attacker will not know if he hits or not.
(This is seen from an IPv6 client side perspective, as for the server side perspective, the situation is more or less identical to IPv4)
And if you're afraid that your firewall "drops its pants", then place two or more firewalls in cascade. If one of them fails, the second or the following one(s) will cover it.
If you have a need for a totally "secret network", each network adapter can be assigned as many IPv6 addresses as you would like, so those machines you like to give access to the rest of the world may have that, and those which are purely internal may be that as well, on a separate subnet not being routed outside your network. You can even put them in a separate VLAN which is not routed to the outside at all, thus keeping that network only to yourself.
And if you insist on having all clients using *one* IP address out to the world, you have network proxies, like Squid [1]. This is a more proper way to do what you want, instead of abusing NAT as a security feature. NAT was not created for security. It was created to prolong the lifetime for IPv4.
kind regards,
David Sommerseth
On 8/12/10 4:12 AM, David Sommerseth wrote:
On 07/12/10 16:49, Bob McConnell wrote:
No, it is not FUD, it is a real concern by people with much to lose. Those of you evangelizing this new, and still unproven technology can't seem to recognize this simple fact.
This is FUD.
Agreed, but I'm not adding more to the pro-IPv6 chorus, because it's already being covered very well, both here and on NANOG (and ipv6-ops).
And due to the enormous address space IPv6 gives each single site, doing a brute-force attack against more IP addresses will be a never-ending story. Try to double 4,294,967,296 32 times, and you'll have the number of addresses available *only to you* in *one* /64 subnet.
Anyone wanting a nice clear explanation of the numbers of IPv6 address space:
http://www.ripe.net/info/info-services/addressing.html
If you then even introduce IPv6 Privacy Extensions, which will randomise and change the IPv6 address regularly, an attacker will shoot at a moving target. Then put this "moving target" behind a firewall which doesn't provide access from the outside to the inside (only from inside to outside), and the attacker will not know if he hits or not.
This coupled with stateful firewalling should cover everyone's needs.
No doubt there will still be people like Bob who will remain unconvinced until everyone around them becomes the proof. If they really want to deliberately break things to retain their NAT-like world, they can configure a single box with 6to4 and 4to6, give it a /128 and then run their existing v4 NAT space behind that. They'll get very little sympathy when it breaks other things, though.
Regards, Ben
On Mon, 2010-12-06 at 20:55 -0500, Bob McConnell wrote:
David wrote:
Folks
I have been following the IPV6 comments.
What concerns me with the loss of NAT are the following issues:
3) When I connect my IPV6 refrigerator with its automatic inventory system tracking every RFID-enabled carrot I use, won't I be making my shopping habits visible to all those annoying advertisers? Or, in other words, am I compromising my privacy? Actually, although such dissemination of information can be blocked by a correctly designed firewall, I suspect the "Free IPv6 DSL Modem and Router, Sponsored by <your-favorite-commercial-site>" that comes with your ISP contract, would err on the side of promiscuity.
Why yes, yes you are giving up some of your privacy. And unless you have the time and are willing and able to learn how to configure firewalls for each device and application you use, or have the money to pay someone else you trust to do it for you, there is very little to protect you from the rest of the world. I just finished reviewing my firewall logs for last week. There are 127MiB with ipmon reports of rejected connection attempts. That's actually on the low side for any seven day period. I have some weeks that are half again that much. Somebody out there is pounding on that firewall pretty hard, trying to break in. I'm certain they don't have my best interests at heart. Most of the ports attacked are linked to well known services and worms on one particular OS, which I don't happen to have running on my network. But this log tells me that it is important to make it as difficult as possible for whomever is knocking on the door. I don't see that IPv6 helps improve that protection. In fact, it appears to eliminate some of the protection I have now.
It does *NOT* help with that situation; nobody credible says it does.
It also does *NOT* "eliminate some of the protection I have now".
You apparently *believe* that NAT is about "protection". You are wrong.
NAT [at best, and not really] adds obfuscation to the source / destination. Obfuscation is not security.
On Dec 6, 2010, at 6:57 PM, David wrote:
- When I connect my IPV6 refrigerator with its automatic inventory
system tracking every RFID-enabled carrot I use, won't I be making my shopping habits visible to all those annoying advertisers? Or, in other words, am I compromising my privacy? Actually, although such dissemination of information can be blocked by a correctly designed firewall, I suspect the "Free IPv6 DSL Modem and Router, Sponsored by <your-favorite-commercial-site>" that comes with your ISP contract, would err on the side of promiscuity.
Set your refrigerator to fe80:0001:: and it's now only accessible on the local subnet.
Quoting http://www.litech.org/~jeff/private/ipv6primer/html/
Two prefixes are set aside for link-local and site-local addresses. Link-local addresses, in prefix fe80::/64, are valid and unique only on the local network directly connected to each interface card (usually the local Ethernet segment) and are never routed. They are automatically assigned to every interface and are primarily used to obtain configuration information. Site-local addresses, in prefix fec0::/48, may be used however a site sees fit, and the IP addresses may be assigned to networks just like any global address allocation. Site-local addresses are never routed onto the Internet.
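The address-space arithmetic David Sommerseth gives above (65k /64s in a /48, "double 4,294,967,296 32 times" for one /64) and the link-local / site-local distinction quoted from the primer can both be checked with the standard library. The block below is an added example written for this thread, not code from any of the posters; the prefixes are taken from the 2001:db8::/32 documentation range and the probe rate passed to `years_to_enumerate` is a constructed figure. One caveat it makes visible: `fe80:0001::` sits inside the fe80::/10 link-local block, but RFC 4291 requires the 54 bits after the ten prefix bits to be zero, so a strictly conforming host expects link-local addresses in fe80::/64.

```python
"""IPv6 address-space arithmetic and address-scope checks.
Added example for the thread, not from any poster; uses only the standard
library and the 2001:db8::/32 documentation prefix."""
import ipaddress

IPV4_SPACE = 4_294_967_296  # 2**32, the entire IPv4 address space


def subnets_per_prefix(outer: int, inner: int) -> int:
    """How many /inner networks fit in one /outer (e.g. /64s in a /48)."""
    assert 0 <= outer <= inner <= 128
    return 2 ** (inner - outer)


def doubled(n: int, times: int) -> int:
    """'Double 4,294,967,296 32 times', literally: n * 2**times."""
    for _ in range(times):
        n *= 2
    return n


def addresses_in(prefix: str) -> int:
    """Number of addresses covered by a prefix, as computed by ipaddress."""
    return ipaddress.IPv6Network(prefix).num_addresses


def years_to_enumerate(prefix: str, probes_per_second: float) -> float:
    """Wall-clock years needed to probe every address in `prefix` once at a
    constant rate (constructed figure; ignores the replies a real scan
    would have to wait for)."""
    seconds = addresses_in(prefix) / probes_per_second
    return seconds / (365.25 * 86400)


LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")          # RFC 4291 2.5.6
LINK_LOCAL_STRICT = ipaddress.IPv6Network("fe80::/64")   # the 54 middle bits are zero
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")          # deprecated by RFC 3879
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")         # RFC 4193 ULA, its replacement


def scope(addr: str) -> str:
    """Classify an address by the well-known scope prefixes above."""
    a = ipaddress.IPv6Address(addr)
    if a.is_loopback:
        return "loopback"
    if a in LINK_LOCAL:
        return "link-local"
    if a in SITE_LOCAL:
        return "site-local (deprecated)"
    if a in UNIQUE_LOCAL:
        return "unique-local"
    if a.is_multicast:
        return "multicast"
    return "global"


def is_well_formed_link_local(addr: str) -> bool:
    """fe80:1:: is inside fe80::/10 but not fe80::/64, so hosts may reject it."""
    return ipaddress.IPv6Address(addr) in LINK_LOCAL_STRICT


if __name__ == "__main__":
    print("/64s in a /48:", subnets_per_prefix(48, 64))
    print("addresses in one /64:", doubled(IPV4_SPACE, 32))
    print("years to sweep a /64 at 1e9 probes/s:", round(years_to_enumerate("2001:db8:1::/64", 1e9)))
    for a in ("fe80::1", "fe80:1::", "fec0::1", "fd12:3456::1", "2001:db8::1"):
        print(a, scope(a), "strict link-local" if is_well_formed_link_local(a) else "")
```

For a device you want unreachable from outside, the scope check is a useful sanity test before relying on the address alone: a ULA (fd00::/8) or a strict link-local address is never routed to the Internet, whereas a global address depends entirely on the firewall policy in front of it.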
- When I connect my IPV6 refrigerator with its automatic inventory
system tracking every RFID-enabled carrot I use, won't I be making my shopping habits visible to all those annoying advertisers? Or, in other words, am I compromising my privacy? Actually, although such dissemination of information can be blocked by a correctly designed firewall, I suspect the "Free IPv6 DSL Modem and Router, Sponsored by <your-favorite-commercial-site>" that comes with your ISP contract, would err on the side of promiscuity
Set your refrigerator to fe80:0001:: and it's now only accessible on the local subnet. Quoting http://www.litech.org/~jeff/private/ipv6primer/html/ Two prefixes are set aside for link-local and site-local addresses.
site-local addresses are officially deprecated.
If you want a device to only be available locally - block the traffic to/from that device. Or block it from acquiring a public address and leave it as link-local only [most people will, I think, just choose the first option - like they do now when they want to block a device].
On 12/7/10 9:07 AM, Adam Tauno Williams wrote:
site-local addresses are officially deprecated.
If you want a device to only be available locally - block the traffic to/from that device.
So security will depend on every connection owner having a high level of knowledge about ipv6 internals? Is this being designed by people planning careers as consultants?
On Tue, 2010-12-07 at 10:01 -0600, Les Mikesell wrote:
On 12/7/10 9:07 AM, Adam Tauno Williams wrote:
site-local addresses are officially deprecated. If you want a device to only be available locally - block the traffic to/from that device.
So security will depend on every connection owner having a high level of knowledge about ipv6 internals?
Yes. Exactly like IPv4! (given that network security professionals have existed for a long time)
Install a stateful firewall just like with IPv4! Stateful firewalls being things created by people "having a high level of knowledge about ... internals".
Problem solved [for 99.44% of the population], just like IPv4!
And to add a nice sprinkling of obscurity - every time your computer reboots [or interface resets] it generates a different ["random"] IPv6 address within your *HUGE* subnet.
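What Gavin Carr and Adam Tauno Williams describe above (default-deny inbound with a stateful firewall, replies to inside-initiated streams let back in, and a random address inside the /64 for each connection or reboot) can be modelled in a few dozen lines. The block below is an added example written for this thread, not code from any poster or product; the home /64, the remote server and the probing source are all constructed from the 2001:db8::/32 documentation range, and the random-address helper follows the shape of RFC 4941 temporary addresses (random 64-bit interface id with the u/l bit cleared) rather than any particular OS implementation.

```python
"""Toy connection-tracking firewall for an IPv6 /64, plus per-connection
random source addresses. Added example for the thread, not from any poster;
all prefixes and hosts are constructed (2001:db8::/32 is the documentation range)."""
import ipaddress
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def random_inside_address(prefix: str) -> str:
    """Fresh address in `prefix` with a random 64-bit interface id.
    The u/l bit (0x02 of the first IID octet, bit 57 of the IID) is cleared,
    as RFC 4941 temporary addresses do, so it cannot pass for a MAC-derived id."""
    net = ipaddress.IPv6Network(prefix)
    assert net.prefixlen == 64, "interface ids are 64 bits wide"
    iid = secrets.randbits(64) & ~(1 << 57)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def has_local_iid(addr: str) -> bool:
    """True when the u/l bit of the interface id is zero (locally generated)."""
    return (int(ipaddress.IPv6Address(addr)) >> 57) & 1 == 0


class StatefulFirewall:
    """Default-deny inbound; outbound flows are recorded and only their replies admitted."""

    def __init__(self, inside_prefix: str):
        self.inside = ipaddress.IPv6Network(inside_prefix)
        self.flows = set()  # (inside_addr, inside_port, outside_addr, outside_port, proto)

    def is_inside(self, addr: str) -> bool:
        return ipaddress.IPv6Address(addr) in self.inside

    def filter(self, pkt: Packet) -> str:
        inside_src, inside_dst = self.is_inside(pkt.src), self.is_inside(pkt.dst)
        if inside_src and not inside_dst:
            # Inside -> outside: allowed; remember the 5-tuple so the reply gets back.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "ACCEPT outbound, flow recorded"
        if inside_dst and not inside_src:
            # Outside -> inside: only the exact reverse of a recorded flow passes.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows:
                return "ACCEPT reply to established flow"
            return "DROP unsolicited inbound"
        return "DROP not a forwarding case"


def run_demo() -> list:
    home = "2001:db8:1::/64"              # constructed: the customer's /64
    fw = StatefulFirewall(home)
    laptop = random_inside_address(home)  # globally routable, but never announced
    server = "2001:db8:ffff::443"         # constructed remote web server
    scanner = "2001:db8:2::1"             # constructed unsolicited source
    return [
        fw.filter(Packet(laptop, 51000, server, 443)),   # outbound request
        fw.filter(Packet(server, 443, laptop, 51000)),   # its reply
        fw.filter(Packet(scanner, 40000, laptop, 22)),   # port probe at the laptop
        fw.filter(Packet(server, 443, laptop, 51001)),   # right peer, wrong port: no flow
    ]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The point the model makes concrete is that nothing in the decision depends on rewriting addresses: the laptop keeps a real global address throughout, the reply is admitted because the flow table matches it, and the probe is dropped because nothing inside asked for it. A real firewall adds flow timeouts and protocol-aware tracking, which this toy omits.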
Les Mikesell said the following on 07/12/10 17:01:
So security will depend on every connection owner having a high level of knowledge about ipv6 internals? Is this being designed by people planning careers as consultants?
A network protocol should not be designed to accommodate the flaws of some OSes.
If an OS is full of bugs and if certain OS installations out of the box cannot survive longer than a few hours exposed to a direct Internet connection, it's not a failure of the network protocol, but a failure of the OS.
Let's try not to build an infrastructure in a way that makes it easier to develop and distribute bogus OSes.
Ciao, luigi
-- [Luigi Rosa]
Those who do not understand Unix are condemned to reinvent it, poorly. --Henry Spencer
On Tue, Dec 7, 2010 at 6:01 PM, Les Mikesell lesmikesell@gmail.com wrote:
On 12/7/10 9:07 AM, Adam Tauno Williams wrote:
site-local addresses are officially deprecated.
If you want a device to only be available locally - block the traffic to/from that device.
So security will depend on every connection owner having a high level of knowledge about ipv6 internals? Is this being designed by people planning careers as consultants?
Yes, I can see where you're coming from with this argument. We supply ADSL to our clients and could offer them security on a network level. I know some mobile operators already do this on their networks on IPV4. Basically, if I want remote access to a machine connected to the internet via their network I have to apply for permission to have the security removed. The contract states that I know what I'm doing and will take full responsibility for anything that goes wrong on my side. They're basically covered legally (if one could call it that) if something goes wrong with my connection.
We have some measures in place where we block, at a client's request, all ports except 23, 25, 80, 110 and 443. So, I'm sure many other ISPs could do the same thing?