Why #IPv6 #security is so hard - structural deficits...
Best IPv6 presentation I have read in quite a while - makes a powerful point about IPv6’s complexity.
Slow IPv6 adoption is a GOOD THING as IETF plans privacy boost
(Careful, there is a wrong reference to RFC 4860 in the Register article - where they probably mean 4862)
What’s more interesting though are the 50+ comments, of which a big chunk revolves around the NAT subject and IPv6 design (failures).
The irony is true however, that "one of the reasons it took such a long time to nail down IPv6 was the amount of effort that went in to the mobility problem - making sure your address (and the traffic routed to it) followed you round as you moved."
Self-Hosting, IPv6 and carrier-grade NAT
Since IPv4 addresses have become sparse, internet access providers tend to keep users inside a carrier-grade NAT prison. Here is some information on how to re-establish connections to your home-server.
How to use IPv6 on an Android phone anywhere
How to contact your home-server in spite of carrier-grade NAT (#auf_deutsch)
How to create a restricted SSH user for port forwarding?
Citrix-Blog about DS-Lite and other technologies
Today, I disabled IPv6 at home. Yes, it’s a shame.
But until Google changes its restrictive policies on IPv6 senders, I have no other choice.
Of course, some people pointed out to me that I might just change to another Internet access provider. But this is bullshit. I’ve got one of the geekiest ISPs in Europe… the only thing they are not doing right in this is not giving me the possibility to set a rDNS on my IPv6 (for now, this is still only possible for my IPv4 address; I understand that this is probably not high priority at the moment…)
What other choices do I have then?
I could try to find an even geekier ISP and switch to franciliens, the Paris-area DIY-ISP. But even if they are geekier, they don’t enable IPv6 at the moment.
The other solution would be to get some special service (...)
“Each #RIPE_Atlas probe has at least one #DNS resolver, indicated by a DHCP reply on the local network of the probe. Irrespective of the IP address of the resolver, this server may have IPv4 and #IPv6 connectivity or only IPv4 connectivity. What is the percentage of IPv6-enabled resolvers among RIPE Atlas probes?”
#Google now seeing 2% #IPv6 traffic – the #Internet is changing!
Note the weekly cycle with week-end peaks: IPv6 adoption is led by home users... Enterprise environments are lagging as usual.
Bad idea: Gmail now discriminates against mail servers without an IPv6 reverse
This new gem is from the SMTP Gmail FAQ at https://support.google.com/mail/answer/81126?hl=en
(Fun note: they call it the “Bulk Senders Guidelines”… hence apparently anyone running their own personal mail server falls in that category…)
“Additional guidelines for IPv6
The sending IP must have a PTR record (i.e., a reverse DNS of the sending IP) and it should match the IP obtained via the forward DNS resolution of the hostname specified in the PTR record. Otherwise, mail will be marked as spam or possibly rejected.
The sending domain should pass either SPF check or DKIM check. Otherwise, mail might be marked as spam.”
Alternative to dumb port scanning, leveraging reverse DNS to discover a subnet’s IPv6 hosts. Supposes that reverse DNS is correctly configured… http://www.reddit.com/r/netsec/comments/1bfu76/how_are_we_going_to_port_scan_for_open_hosts_on/c96p936
Very good analysis of the current situation of the #ITU after the Dubai meeting, and why the “ITU-phobia” is wrong (because the ITU is a weak dying dinosaur and certainly not the big threat so many lobbyists see).
Now watch ITU-phobia turn these drab words into a fearsome threat. A commentator on our blog who was in Dubai as part of the UK delegation writes: “5A needs to be read along with ITU Standard Y.2770 which makes it mandatory to implement deep packet inspection…to all ‘next generation networks’ which could be easily interpreted as the IPv6 network. As a standard it is far from mandatory. But 5A and 5B bring this much closer to make it mandatory – and you’ll notice that the language in Y.2770 is very close to the language of 5A and 5B.”
There are so many irrational leaps of logic in this statement it is hard to know where to begin. The author of that comment is implying that ITR section 5A must be read in conjunction with an ITU-T standard that he has picked arbitrarily out of the air, a standard not mentioned anywhere in the ITRs and not mentioned in any of the discussions of 5A. The section 5A does not mention the Internet, IPv6, NGNs or DPI, yet this person believes that it could be “easily interpreted” to REQUIRE the use of DPI in IPv6 networks. And when one points out this huge gap between what is actually in the ITRs and what they are contending it would do, the response is filled with dark warnings about “the power of general language” and how the evil demons at the ITU will be able to stretch whatever language is in there to suit their purposes.
Ah, the power of grand “general notions”! It reminds me of passages from Tocqueville’s Democracy in America.
60% of .fr domain names are #IPv6 compliant, an increase of 19 points in one year! Discover the November key figure of the new online edition of the Report 2012 of the French #Domain Name Industry!
How to maintain reliable IPv6 in IPv4 tunnel connectivity when your Internet access provider inflicts a dynamic IPv4 address on you: http://serendipity.ruwenzori.net/index.php/2012/06/06/how-to-maintain-reliable-ipv6-in-ipv4-tunnel-connectivity-whe
My Internet access provider has such miserable IPv4 peerings that I get better throughput using IPv6 through HurricaneElectric: http://img2.ipv6-test.com/speedtest/result/2012/05/25/2bc5203dd141ef8e64390aabb5a1cdff.png
Numericable, also known as Misericable.
Launch of the second edition of AFNIC’s "Technology Backdrop" survey #Afnic
Answer our #survey in English on:
Yes, that is one of the main points of this presentation - it also mentions RAguard (L2 Protection on the switch - RFC 6105) and SeND (RFC 3971 - secure ND using cryptography) as remedial methods. The first one is quite easy given a smart switch, but the second one is said to be very hard to deploy.