• M0oP0o@mander.xyz · 3 months ago

    “Compromises all devices running … an IPv6 address.”

    Oh so no one is affected. (other than network nerds, and they are not real)

  • MehBlah@lemmy.world · 3 months ago

    I tried to roll out IPv6 when I was sysadmin for a small ISP. ARIN gave me a /32 block with no fuss. I started handing them out only to discover most routers at the time couldn’t use them. Not much has changed. No one offers them and I just turned it off at my present job. None of my Windows machines have the IPv6 stack enabled.

      • SRo@lemmy.dbzer0.com · 3 months ago

        IP4 is running out, that’s the problem. Or better, IP4 is hoarded by companies and they don’t give them up. The insane amount of network devices every human being uses on a daily basis doesn’t make the situation better. It exploded the last 10 years and only gets worse. The fuckery ISPs are doing to solve it without IP6 is insane, fuck cgnats and co. The whole networking world would be so much better to get it over with and adopt IP6 everywhere and let the hoarders drown in their mountain of IP4.

        • lightnsfw@reddthat.com · 3 months ago

          My ISP gave me an IPv6 router. I have it bridged (or whatever the right term is) to another router that serves IPv4 addresses to all my devices. Worked well so far with the added bonus that the ISP can’t see what’s going on within my network.

    • Trainguyrom@reddthat.com · 3 months ago

      IPv6 genuinely made some really good decisions in its design, but I do question the default “no NAT, no private network prefixes” mentality since that’s not going to work so well for average Janes and Joes

      • pivot_root@lemmy.world · 3 months ago (edited)

        No NAT doesn’t mean no firewall. It just means that you both don’t have to deal with NAT fuckery or the various hacks meant to punch a hole through it.

        Behind NAT, hosting multiple instances of some service that uses fixed port numbers requires a load-balancer or proxy that supports virtual hosts. Behind CGNAT, good luck hosting anything.

        For “just works” peer to peer services like playing an online co-op game with a friend, users can’t be expected to understand what port forwarding is, let alone how it works. So, we have UPnP for that… except, it doesn’t work behind double NAT, and it’s a gaping security hole because you can expose arbitrary ports of other devices if the router isn’t set up to ignore those requests. Or, if that’s not enough of a bad idea, we have clever abuse of IP packets to trick two routers into thinking they each initiated an outbound connection with the other.

        • ᕙ(⇀‸↼‶)ᕗ@lemm.ee · 3 months ago

          can you tell me if any device in an IPv6 LAN can just assign itself more IPv6 addresses and thereby bypass any fw rule?

            • ᕙ(⇀‸↼‶)ᕗ@lemm.ee · 3 months ago

              so back to the beginning of this thread: ipv6 in home lans is likely to be unsafe due to the defaults in some/many/most routers? and those ipv6 devices can in these scenarios escalate their permissions by spawning new ip addresses that would overcome lazy output fw rules?

              thanks for all the explaining here so far!

              or if i upload a malicious apk to some smartTV and have it spawn a DHCPv6 server and then spawn a new virtual device that would be given an IP by my fake DHCPv6 to bypass. and we all can use macaddresschanger.

              so you say with macfiltering the router would still prevent unwanted direct connections between my c&c server and some malicious virtual device? that’d be cool, but i don’t understand how.

              • 2xsaiko@discuss.tchncs.de · 3 months ago

                ipv6 in home lans is likely to be unsafe due to the defaults in some/many/most routers?

                no

                and those ipv6 devices can in these scenarios escalate their permissions by spawning new ip addresses

                yes and this is not “escalating their permissions”, it is in fact the expected behavior with Privacy Extensions (RFC 4941) where devices will probably have multiple addresses at the same time that are used for outgoing connections

                that would overcome lazy output fw rules?

                any router that doesn’t have deny as the default rule for WAN->LAN traffic (probably not many) is trash, and if you’re filtering LAN->WAN traffic (not really usual for a home network) then you want default deny there too, but at that point that is not an ipv6 problem

                or if i upload a malicious apk to some smartTV and have it spawn a DHCPv6 server and then spawn a new virtual device that would be given an IP by my fake DHCPv6 to bypass. and we all can use macaddresschanger.

                rogue dhcp is not an ipv6 exclusive problem

                so you say with macfiltering the router would still prevent unwanted direct connections between my c&c server and some malicious virtual device? that’d be cool, but i don’t understand how.

                yes, firewall rules can work based on mac addresses, not sure exactly what you mean

          • pivot_root@lemmy.world · 3 months ago (edited)

            IPv6 has two main types of non-broadcast addresses to think about: link-local (fe80::) and public.

            A device can self-assign a link-local address, but it only provides direct access to other devices connected to the same physical network. This would be used for peer discovery, such as asking every device if they are capable of acting as a router.

            Once it finds the router, there are two ways it can get an IP address that can reach the wider internet: SLAAC and DHCPv6. SLAAC involves the device picking its own unique address from the block of addresses the router advertises itself as owning, which is likely what you’re concerned about. One option for ensuring a device can’t just pick a different address and pretend to be a new device is by giving it a subset of the router’s full public address space to work with, so no matter what address it picks, it always picks something within a range exclusively assigned to it.

            Edit: I butchered the explanation by trying to simplify it. Rewrote it to try again.
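An added illustration of the points made by 2xsaiko and pivot_root above (editor's example, not any commenter's code): a router-side check that sorts the addresses one LAN host uses into link-local, MAC-derived SLAAC, RFC 4941 temporary, and outside-the-advertised-prefix. The /64, the MAC and the neighbor entries are constructed sample values.

```python
import ipaddress

# Constructed sample values: the /64 the router advertises to the LAN (RFC 3849
# documentation prefix) and the link-local range every IPv6 host self-assigns from.
ADVERTISED_PREFIX = ipaddress.IPv6Network("2001:db8:abcd:1::/64")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def eui64_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Derive the classic SLAAC address (RFC 4291 modified EUI-64) from a MAC:
    flip the universal/local bit of the first octet and insert ff:fe in the middle."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(prefix.network_address.packed[:8] + iid)


def classify(addr_str: str, mac: str, prefix: ipaddress.IPv6Network = ADVERTISED_PREFIX) -> str:
    """Label one source address seen from a host with the given MAC."""
    addr = ipaddress.IPv6Address(addr_str)
    if addr in LINK_LOCAL:
        return "link-local"        # on-link only; never forwarded past the router
    if addr not in prefix:
        return "outside-prefix"    # not from the advertised block: misconfigured or forged
    if addr == eui64_address(prefix, mac):
        return "slaac-eui64"       # stable address derived from the MAC
    return "slaac-temporary"       # random IID, e.g. RFC 4941 privacy address: expected


def audit(neighbors, prefix: ipaddress.IPv6Network = ADVERTISED_PREFIX) -> dict:
    """neighbors: (ipv6, mac) pairs, as a router's neighbor cache would list them."""
    return {ip: classify(ip, mac, prefix) for ip, mac in neighbors}


# Constructed neighbor cache for a single host; several addresses per MAC is normal.
SAMPLE_NEIGHBORS = [
    ("fe80::5054:ff:fe12:3456", "52:54:00:12:34:56"),
    ("2001:db8:abcd:1:5054:ff:fe12:3456", "52:54:00:12:34:56"),
    ("2001:db8:abcd:1:8c2e:1f4a:9b3d:7e21", "52:54:00:12:34:56"),
    ("2001:db8:abcd:2::10", "52:54:00:12:34:56"),
]

if __name__ == "__main__":
    for ip, label in audit(SAMPLE_NEIGHBORS).items():
        print(f"{ip:40} {label}")
```

Only the last entry is a problem worth a firewall's attention; the extra in-prefix address is exactly the privacy-extension behaviour 2xsaiko describes.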

            • r00ty@kbin.life · 3 months ago

              In most cases, the router advertises the prefix, and the devices choose their own IPv6. Unless you run DHCPv6 (which really no-one does in reality, I don’t even think android will use it if present).

              It doesn’t allow firewall bypass though, as the other commenter noted.

              • Trainguyrom@reddthat.com · 3 months ago

                Unless you run DHCPv6 (which really no-one does in reality)

                Question for you since I have very little real world IPv6 experience: generally you can provide a lot of useful network information to clients via DHCP, such as the DNS server, autoconfig info for IP phones, etc. How does a network operator ensure that clients get this information if it’s not using DHCPv6?

                • r00ty@kbin.life · 3 months ago

                  You can include some information in router advertisements, likely there will be rfcs for more. Not sure of the full list of stuff you can advertise.

                  For sure I’m quite sure I had dns servers configured this way. I’ll check when not on a phone to see what options there are.

    • Joelk111@lemmy.world · 3 months ago (edited)

      As a tech nerd who self hosts stuff, I’m more like “what is IPv6 and why is it causing me issues, I can’t figure this out, I guess I’ll disable it, wow my problems are fixed now.”

      I guess I can see why people don’t like it, as it’s caused me issues, but just because I don’t understand it doesn’t mean it’s dumb. I’d need to understand how it works before I could say anything about it, positive or negative. I guess all I could say is that it’s been way less intuitive to me, I can’t memorize the numbers, and the reason it exists makes sense. Beyond that, I unno.

      I should probably spend the time to learn about it, but I already have a full time job where I work on computers all day, I’d rather focus on my other hobbies while I’m at home.

      • pivot_root@lemmy.world · 3 months ago

        It’s not terribly difficult to learn when you avoid trying to relate it to IPv4 concepts. Particularly: forget about LAN addresses and NAT, and instead think about a large block of public addresses being subdivided between local devices.

        • lightnsfw@reddthat.com · 3 months ago

          instead think about a large block of public addresses being subdivided between local devices.

          Thinking about all my devices being exposed like that gives me the heebie jeebies. One public facing address hiding everything else on a private network is much less frightening to my monkey brain.

          • Blaster M@lemmy.world · 3 months ago

            This is what a firewall is for. Blocks inbound to the whole subnet space. Better than a NAT, which can open a port through STUN or simply a malformed packet.

  • Blaster M@lemmy.world · 3 months ago (edited)

    To note: It shows even Windows Server 2008 as affected. Since MS is only testing against OSes they support, it is possible this has existed as a problem all the way back since IPv6 was first introduced to Windows XP.

    Also, for all of you “disable IPv6 because I don’t understand it” people… unless you are running Windows 8 or older, just update Windows. IPv4 has been out of addresses for so long that CGNAT is a thing, which means connectivity problems when you’re hosting stuff, and more latency and packet drops from ISP routers getting saturated with NAT tasks. IPv6 has been live on the internet since 2011 and is very much used on the internet, does not tie up routers by requiring NAT translation, and therefore just performs better. Plus, if you use your network printer’s or network device’s link-local IPv6 to connect locally, you will never have to deal with static IP address or changing IPv4 LAN address pain, as link-local (non-routable on the internet) addresses don’t change unless you force it.

    Also don’t use $35 routers for your internet. If your router does not support ipv6 firewalling, it is long since time to fix that with one that does.

  • Phoenixz@lemmy.ca · 3 months ago

    Switch to Linux, be done with all of this Microsoft software nonsense

      • Zetta@mander.xyz · 3 months ago (edited)

        Actually it is 100% that simple, proton has fixed gaming on Linux.

        It doesn’t work for a few rare games that install a rootkit on your Windows PC, but that’s already silly and irresponsible of you to allow a game to do anyway, in my opinion.

        • Random123@fedia.io · 3 months ago

          Nearly all the games I play run worse on Linux than Windows. Counter-Strike, The Finals, V Rising. I’m sure at least one of them doesn’t have a rootkit installed. Even got Glorious Eggroll Proton profiles and still no luck.

          • Zetta@mander.xyz · 3 months ago

            Counter-Strike 2 is native to Linux, doesn’t use Proton so should have 0 performance impact

      • Derin@lemmy.beru.co · 3 months ago

        I used to agree with this statement, but I’m no longer that sure.

        I built a new PC a week ago, installed Windows first, then Linux. The idea was that I needed Windows for gaming.

        Thought I’d try proton + Steam, regardless, just to see how it stacks up.

        No performance difference. HDR works through gamescope. The window manager of the DE isn’t insane and I can alt tab around my OS without problem.

        Pretty good stuff. Still have Windows for work and Valorant, but otherwise I play all my games on Linux these days. The only part that’s lacking, in my opinion, is hot plugging controllers. Annoying that that doesn’t work.