• Lemminary@lemmy.world · 206 up, 1 down · 4 months ago

    Hah! Joke’s on you. I accidentally restarted my PC and updated it without wanting to.

    • Trainguyrom@reddthat.com · 50 up, 5 down · 4 months ago

      IPv6 genuinely made some really good decisions in its design, but I do question the default “no NAT, no private network prefixes” mentality since that’s not going to work so well for average Janes and Joes

      • pivot_root@lemmy.world · 57 up, 2 down · edited · 4 months ago

        No NAT doesn’t mean no firewall. It just means that you both don’t have to deal with NAT fuckery or the various hacks meant to punch a hole through it.

        Behind NAT, hosting multiple instances of some service that uses fixed port numbers requires a load-balancer or proxy that supports virtual hosts. Behind CGNAT, good luck hosting anything.

        For “just works” peer to peer services like playing an online co-op game with a friend, users can’t be expected to understand what port forwarding is, let alone how it works. So, we have UPnP for that… except, it doesn’t work behind double NAT, and it’s a gaping security hole because you can expose arbitrary ports of other devices if the router isn’t set up to ignore those requests. Or, if that’s not enough of a bad idea, we have clever abuse of IP packets to trick two routers into thinking they each initiated an outbound connection with the other.

        • ᕙ(⇀‸↼‶)ᕗ@lemm.ee · 4 up, 1 down · 4 months ago

          Can you tell me if any device in an IPv6 LAN can just assign itself more IPv6 addresses and thereby bypass any fw rule?

          • pivot_root@lemmy.world · 10 up · edited · 4 months ago

            IPv6 has two main types of non-broadcast addresses to think about: link-local (fe80::) and public.

            A device can self-assign a link-local address, but it only provides direct access to other devices connected to the same physical network. This would be used for peer discovery, such as asking every device if they are capable of acting as a router.

            Once it finds the router, there are two ways it can get an IP address that can reach the wider internet: SLAAC and DHCPv6. SLAAC involves the device picking its own unique address from the block of addresses the router advertises itself as owning, which is likely what you’re concerned about. One option for ensuring a device can’t just pick a different address and pretend to be a new device is by giving it a subset of the router’s full public address space to work with, so no matter what address it picks, it always picks something within a range exclusively assigned to it.

            Edit: I butchered the explanation by trying to simplify it. Rewrote it to try again.

            • r00ty@kbin.life · 6 up · 4 months ago

              In most cases, the router advertises the prefix, and the devices choose their own IPv6. Unless you run DHCPv6 (which really no-one does in reality, I don’t even think android will use it if present).

              It doesn’t allow firewall bypass though, as the other commenter noted.
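The question above (can a host give itself more addresses and slip past the firewall?) and the two answers are easy to check in code. The following is an added example, not something posted in the thread: it derives the classic SLAAC address from a prefix and a MAC (modified EUI-64), lets the host pick an arbitrary extra address inside the same /64, and runs both against a toy stateful firewall that matches on the LAN prefix and on flow state rather than on individual host addresses. The documentation prefix 2001:db8::/32, the MAC 00:0c:29:0c:47:d5, the attacker address and all ports are constructed for illustration; `StatefulFirewall` is a model, not any real router's rule set.

```python
# Added example (not from the thread). A host behind an IPv6 router can pick any
# number of addresses inside the advertised /64, but a stateful firewall that
# matches on the prefix and on flow state does not care which one it picked.
# Prefix, MAC, attacker address and ports are constructed for illustration.
import ipaddress
import secrets


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, App. A):
    split the MAC in two, insert 0xFFFE, flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Classic SLAAC address: advertised /64 prefix + EUI-64 interface identifier."""
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | eui64_interface_id(mac))


def self_chosen_address(prefix: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """Any extra address the host gives itself: a random 64-bit interface
    identifier under the same prefix, the way temporary (privacy) addresses do."""
    return ipaddress.IPv6Address(int(prefix.network_address) | secrets.randbits(64))


class StatefulFirewall:
    """Default-deny inbound for the whole LAN prefix. Inbound is accepted only as
    the reply to a flow a LAN host opened, or to an explicit (addr, port) pinhole."""

    def __init__(self, lan: ipaddress.IPv6Network, pinholes=()):
        self.lan = lan
        self.pinholes = {(ipaddress.IPv6Address(a), p) for a, p in pinholes}
        self.flows = set()  # (lan_addr, lan_port, remote_addr, remote_port)

    def outbound(self, src, sport, dst, dport) -> bool:
        src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
        if src not in self.lan:  # egress filtering: only our own prefix may leave
            return False
        self.flows.add((src, sport, dst, dport))
        return True

    def inbound(self, src, sport, dst, dport) -> bool:
        src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
        if dst not in self.lan:
            return False
        if (dst, dport, src, sport) in self.flows:  # reply to an established flow
            return True
        return (dst, dport) in self.pinholes  # or an explicitly opened port


def demo(prefix="2001:db8:1:2::/64", mac="00:0c:29:0c:47:d5", attacker="2001:db8:ffff::666"):
    """Walk through the scenario from the question; returns the decisions made."""
    lan = ipaddress.IPv6Network(prefix)
    fw = StatefulFirewall(lan)
    primary = slaac_address(lan, mac)
    extra = self_chosen_address(lan)
    results = {
        "primary": str(primary),
        "extra_in_prefix": extra in lan,
        # Unsolicited SYNs to either address are dropped: the new address buys nothing.
        "syn_to_primary": fw.inbound(attacker, 40000, primary, 22),
        "syn_to_extra": fw.inbound(attacker, 40001, extra, 22),
    }
    # The host opens a connection from its extra address; only the matching reply gets in.
    fw.outbound(extra, 51000, attacker, 443)
    results["reply_to_flow"] = fw.inbound(attacker, 443, extra, 51000)
    results["other_port_same_host"] = fw.inbound(attacker, 443, extra, 51001)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes is the one r00ty states: the rule is written against the prefix and against connection state, so a second, third or hundredth self-assigned address is still "inside 2001:db8:1:2::/64, no established flow, no pinhole" and is dropped like the first. What a host can do by picking addresses is evade per-address allow lists (a pinhole for `::10` does not cover `::11`), which is a reason to write IPv6 pinholes as narrowly as possible and to prefer flow-state rules over address lists.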

              • Blaster M@lemmy.world · 3 up · edited · 4 months ago

                DHCPv6 is very much in use with large ISPs. SLAAC only lets you get a single /64 (one network) from the ISP, but if you use DHCPv6, which is also provided ISP side, you can often request a /60 to get you 16 networks to use. Also, DHCPv6 doesn’t base the IPv6 address off the MAC address like SLAAC does, so it is better for device privacy.

                Why Android does not support DHCPv6 is beyond me. It’s honestly quite ridiculous as it makes configuring LAN-side DNS and other things a lot easier.

                • r00ty@kbin.life · 4 up · 4 months ago

                  DHCPv6-PD is used by ISPs for prefix delegation, which most routers support now (not so when my ISP first started with it).

                  But for advertising prefixes on a lan most networks use router adverts.

                  They’re different use cases though.

                • r00ty@kbin.life · 3 up · 4 months ago

                  Best thing to do to test the firewall is run some kind of server and try to connect to your IPv6 on that port.

                  Like I’ve said in other posts, routers really should block incoming connections by default. But it’s not always the case that they do.
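One way to run the test r00ty describes. This is an added example, not code from the thread: `start_listener()` is run on the host behind the router (bound to its global IPv6 address), `probe()` is run from a machine outside the network, and the function names and the CLI shape are mine. The useful part is not whether the connection succeeds but why it fails: a timeout ("filtered") means the SYN was silently dropped, which is the router's default-deny doing its job; a refused connection ("closed") means an RST came back from the host, so the router forwarded unsolicited inbound traffic and is not blocking by default.

```python
# Added example (not from the thread): a small reachability probe for testing an
# IPv6 router's inbound filtering. Run "listen" behind the router, "probe" from outside.
import errno
import socket
import sys


def start_listener(addr: str, port: int = 0):
    """Bind a TCP listener on addr (IPv6 or IPv4 literal); returns (socket, port).
    The kernel completes handshakes on a listening socket before accept() is called,
    so a probe sees "open" as soon as this returns."""
    family = socket.getaddrinfo(addr, port, type=socket.SOCK_STREAM)[0][0]
    srv = socket.socket(family, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((addr, port))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def probe(addr: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP connect and classify what the path did with it."""
    family = socket.getaddrinfo(addr, port, type=socket.SOCK_STREAM)[0][0]
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((addr, port))
            return "open"  # SYN-ACK: the firewall passed it and a service answered
        except socket.timeout:
            return "filtered"  # nothing came back: something dropped the SYN
        except ConnectionRefusedError:
            return "closed"  # RST: the host was reached, nothing listens there
        except OSError as exc:
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable"  # no route, or an ICMPv6 unreachable from the path
            raise


if __name__ == "__main__":
    # usage: python probe.py listen <addr> <port>   or   python probe.py probe <addr> <port>
    mode, addr, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    if mode == "listen":
        srv, bound = start_listener(addr, port)
        print(f"listening on [{addr}]:{bound}; Ctrl-C to stop")
        try:
            while True:
                conn, peer = srv.accept()
                print("connection from", peer[0])
                conn.close()
        except KeyboardInterrupt:
            srv.close()
    else:
        print(probe(addr, port))
```

Probe a port that is listening and a port that is not: the listening one should time out if the router filters inbound by default, and the non-listening one should also time out rather than report "closed". If either comes back "open" or "closed" from outside, unsolicited traffic is reaching the host and the router needs an explicit inbound deny rule.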