You are not logged in.

#1 2013-03-05 22:52:27

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217
Website

Do you IPv6?

Just a discussion point out of curiosity more than anything, considering Arch and Arch users (generally) tend to enjoy bleeding edge and the "new toys"... Where do you stand with IPv6?

Are you one of the people who still completely disable IPv6 in the kernel and ignore it?
Have you experimented but given up for one reason or another?
Do you have a complete or partial dual-stack environment (work or home)?
Are you running any IPv6-only hosts due to IPv4 exhaustion in your network?
What is the biggest stumbling block you have faced? Or still face and are waiting for a solution?

For me, I have a complete dual-stack network at home, and a partial dual-stack network at work (most desktops are still WinXP with poor IPv6 support, so pending SoE upgrade to Win7).

Biggest issue I have remaining is ISC DHCP logging of IPv6 leases:

Mar  6 07:52:41 fw1 dhcpd: Solicit message from fe80::397d:d4ff:4a00:a057 port 546, transaction ID 0xC3273B00
Mar  6 07:52:41 fw1 dhcpd: Sending Advertise to fe80::397d:d4ff:4a00:a057 port 546
Mar  6 07:52:42 fw1 dhcpd: Request message from fe80::397d:d4ff:4a00:a057 port 546, transaction ID 0xC3273B00
Mar  6 07:52:42 fw1 dhcpd: Sending Reply to fe80::397d:d4ff:4a00:a057 port 546

Who the hell just obtained that address? WHAT address did you lease them?
Compared to IPv4 where the mac address is (clearly) logged, and the hostname/interface is also logged:

Mar  6 05:04:04 fw1 dhcpd: DHCPDISCOVER from 00:24:21:a0:70:fe via bond0.15
Mar  6 05:04:05 fw1 dhcpd: DHCPOFFER on 172.xx.xx.111 to 00:24:21:a0:70:fe (PC-LabRat) via bond0.15
Mar  6 05:04:05 fw1 dhcpd: DHCPREQUEST for 172.xx.xx.111 (172.xx.xx.51) from 00:24:21:a0:70:fe (PC-LabRat) via bond0.15
Mar  6 05:04:05 fw1 dhcpd: DHCPACK on 172.xx.xx.111 to 00:24:21:a0:70:fe (PC-LabRat) via bond0.15

Offline

#2 2013-03-05 22:56:57

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,422
Website

Re: Do you IPv6?

It sounds like this question is targetted towards a depth I can't swim in, but I only disable IPv6 when I am at work as they're network does not use it, or at least not properly: I get *long* lags unless I disable it on my system.  I just use a sysctl command to disable it when I am on their network.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#3 2013-03-05 23:17:59

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: Do you IPv6?

I kill it as completely and comprehensively as possible. I've yet to come across a network which supports it and at least one refuses to work at all if it is enabled. Arch may be bleeding edge but the networks I use are decidedly not.


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L

Offline

#4 2013-03-05 23:47:16

elkoraco
Member
Registered: 2013-02-18
Posts: 140

Re: Do you IPv6?

I'm stoned and tired, and have a headache, so I'm not sure if I'm understanding you right, but your only issue seems to be logging, not connection problems? If so, is this of any help?

http://www.ietf.org/rfc/rfc3736.txt
http://en.wikipedia.org/wiki/DHCPv6
http://en.wikipedia.org/wiki/IPv6#State … 28SLAAC.29

Last edited by elkoraco (2013-03-05 23:48:00)

Offline

#5 2013-03-06 00:46:44

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: Do you IPv6?

I think this is more of a poll than a help thread elkotaco, so light a J and relax...

I disable ipv4 as I too am one who finds a network that f*cks my sh*t up sometimes. Also like cfr I have yet to come across an ipv6 network in these parts (which is ridiculous since I live in the silicon valley). Also the ISP's of our local duoploly only seem to offer ipv4 throughout the bay area, though it has been over a year since I have checked.

I just got a Nexus 7 and noticed that the dhcpcd.conf has "noipv6rs" in it.

Last edited by WonderWoofy (2013-03-06 00:46:57)

Offline

#6 2013-03-06 12:02:39

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: Do you IPv6?

I would use IPv6 if my ISP offered it. Ya, one can use a IPv4-to-IPv6 proxy for free.

Sure, a quick way to solve your problem is to use IPv6 stateless auto-configuration. Then you will always know what IP your computers have. Personally, I would only use stateless auto-configuration with IPv6 and stateless DHCPv6. Unless there is some reason that you are forced to use stateful DHCPv6.

Last edited by hunterthomson (2013-03-06 12:04:57)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

Offline

#7 2013-03-06 12:08:19

HalosGhost
Forum Moderator
From: Twin Cities, MN
Registered: 2012-06-22
Posts: 2,089
Website

Re: Do you IPv6?

I setup IPv6 once on a Windows machine. I got to see Google's special IPv6 page for about 10 seconds before the entire home network committed suicide. Since switching my life over to Linux a year or so ago (save gaming, though now that is looking up as well), I've never actively used or disabled IPv6 as I've never had the need. Either my networks are not setup for it and rather quickly refuse IPv6 requests, or IPv6 functions properly and I don't really have to do anything about it (this almost never happens—count to date is once, if memory serves).

I imagine it may become more mainstream, but I kind of doubt it. Rather, I expect some other standard (IPv256?) may come about that has enough momentum to get the ISPs to switch (like with Analog to Digital TV broadcasting signal in the ᴜꜱᴀ). Till then though, IPv4 for me smile

All the best,

-HG

Offline

#8 2013-03-06 17:54:18

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: Do you IPv6?

Just IPv4 here. At work the PCs (Win) actually have dual-stack, but the whole network is 10.* and it will be quite a project to switch (it's huge).
At home our ISP actually offers v6 by now, but the dsl-modem/router that came from them a fair while ago does not :-) As they are pretty cumbersome with allowing foreign modems connecting, I made one attempt to get a new one about a year ago but the hurdle was them trying to sell IP-telephony with it. Since that entails getting new phones and stuff as well, I skipped that bleeding edge. So, for now only some (little) IPv6 configuration for the home devices to see what breaks. I have not tried to tunnel it out via IPv4.

Offline

#9 2013-03-06 20:39:07

hawaiicharles
Member
Registered: 2012-12-21
Posts: 71

Re: Do you IPv6?

I have consciously avoided IPv6.  Actually, I avoid DHCP whenever I can as well.  I like knowing what my machines' IP addresses are, and memorizing IPv6 addresses is just not something I'm ready to embrace.

Offline

#10 2013-03-06 21:09:37

Tarqi
Member
From: Ixtlan
Registered: 2012-11-27
Posts: 179
Website

Re: Do you IPv6?

If it would be possible to use native IPv6, without tunneling, full ISP support, support for all services, PXE, dyndns etc., I would use it, currently it is disabled in my whole network. IPv6 is a bit like systemd: A nice concept, but it includes some annoying things. When it is time for it, i will slash myself, however (like i did with systemd).

(Edit: Btw: your log messages are just some Link-Local acknowledges (i believe).)

Last edited by Tarqi (2013-03-06 21:12:53)


Knowing others is wisdom, knowing yourself is enlightenment. ~Lao Tse

Offline

#11 2013-03-06 22:25:19

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217
Website

Re: Do you IPv6?

Somewhat what I expected; most people actively avoiding it which while I expected it, it kind of surprising. I did think the uptake in the Arch community would be higher than "average"... Then again, maybe it is! lol

hawaiicharles wrote:

I like knowing what my machines' IP addresses are, and memorizing IPv6 addresses is just not something I'm ready to embrace.

In a medium-business environment, manually configuring IP Addresses isn't manageable, especially on roaming devices like laptops and phones/tablets. (EDIT: I'm talking about client devices here, servers of course are still statically assigned like in IPv4)
And remembering IPv6 addresses isn't too much more difficult than IPv4; I thought the same thing when I first came across IPv6. Once you remember your prefix, as long as you use a simple system then it's fairly easy. For example:
Our prefix (sanitized) is 2001:DB8:4126:C6::/56
The next 2 nibbles after "C6" match the VLAN tag for the network:
VLAN 15 = 2001:DB8:4126:C615::/64
VLAN 20 = 2001:DB8:4126:C620::/64
Now you have the network (networks are always /64), we condense the zeros and make the last chunk match the last octet of the IPv4 address:
Host 192.0.2.123 in VLAN 2 == 2001:DB8:4126:C602::123

(Yes, this system ignores some of the "security" of having "random" addresses spread throughout your address space, but security through obscurity isn't, so I'm not concerned about that.)

Tarqi wrote:

(Edit: Btw: your log messages are just some Link-Local acknowledges (i believe).)

No, that's actually a lease. A known host in a test network, and the lease is written to the leases file, just not logged in a helpful manner.

Last edited by fukawi2 (2013-03-06 22:27:20)

Offline

#12 2013-03-07 00:13:19

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: Do you IPv6?

fukawi2 wrote:

Somewhat what I expected; most people actively avoiding it which while I expected it, it kind of surprising. I did think the uptake in the Arch community would be higher than "average"... Then again, maybe it is! lol

Well an awful lot of people are saying that they do not have the option of using ipv6. I'm not "actively avoiding it". I've disabled it because not doing so screws up the access I do have with ipv4 and no network I've yet had access to supports ipv6. I hardly consider that "actively avoiding it" - it doesn't exist in my world so there is no question of avoiding or embracing it. Same reason I don't actively avoid sabre tooth tigers except that other people's belief in sabre tooth tigers doesn't interfere with my keeping a cat.

Last edited by cfr (2013-03-07 00:13:46)


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L

Offline

#13 2013-03-07 09:51:17

itman
Member
From: Switzerland
Registered: 2010-05-21
Posts: 124

Re: Do you IPv6?

WonderWoofy wrote:

... snip alot

I disable ipv4 ...

snipp some more

Oh dear - and how do you walk the internet now? Ah - got it, Silicon Valley dwellers are not in the need of any kind of protocol...

Offline

#14 2013-03-07 10:50:33

skanky
Member
From: WAIS
Registered: 2009-10-23
Posts: 1,847

Re: Do you IPv6?

I try to pretend that ipv6 doesn't yet exist, and I'll only have to deal with it once I've caught up on everything else - it'll probably be in my will: "to my xxx I leave the configuration of ipv6 on the home network".


"...one cannot be angry when one looks at a penguin."  - John Ruskin
"Life in general is a bit shit, and so too is the internet. And that's all there is." - scepticisle

Offline

#15 2013-03-07 11:17:32

bergersau
Member
Registered: 2012-01-19
Posts: 52

Re: Do you IPv6?

Australia's Telstra Bigpond ISP doesn't offer IPv6 to home users.

I've played with tunneling IPv6 over IPv4 using miredo but until Bigpond get their act into the 21st century - I'm stuck on IPv4.

Offline

#16 2013-03-07 11:31:28

Awebb
Member
Registered: 2010-05-06
Posts: 6,268

Re: Do you IPv6?

I used to be all hyped towards ipv6, until I started to read worrying messages about security and anonymity in connection with mobile devices. I also read, that every device is reachable from "the outside", say a router does not conceal the devices behind it with a different network, like it was the case with ipv4, so firewall configuration becomes more important again… which is the one that I do not like to do in computing.

Then again, my ISP is not exactly ipv6 ready right now. I don't have a real reason to care at the moment.

Offline

#17 2013-03-07 13:19:42

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: Do you IPv6?

Yes, the first half of the address /64 of 128 bits is always the network address, but ISP's should be giving home users anywhere between a /48 to a /64. That allows the home user to use the remaining network bits as subnet bits. So, if you get a /48 then you have 6 bits for subnets.

Soooo, you do not have to remember any long IPv6 addresses for your LAN. You only need to remember your subnet and host bits, because the network bits are the same on all devices on the network. If you do use stateful DHCPv6 then you can hand out a host IP of just a few bits. If you use stateless DHCPv6 then you only need to remember then MAC address of the devices. Better yet, setup DNS or /etc/hosts so you can remember words instead of numbers.

Yes, you can setup and should setup your firewall/router to NAT/PAT your home network to prevent your home computers from being directly accessible from the public Internet. Just like IPv4. The deal with IPv6 is that you do not have to, because you have more then enough addresses for all your devices.

Basically, it is not up to the consumer to choose to use IPv6. It is up to the ISPs. Businesses may choose to use IPv6 for a number of reasons. Stateless auto-configuration is a good one. Then the easy implementation of anycast addresses to insure seamless fail over.

One thing that sucks if there really is no way around it is that you only have a single LocalHost address ::1. That is a problem. Like I run dnscrypt-proxy on 127.0.0.2:53 and unbound on 127.0.0.1:53 so with IPv6 I'd have to put dnscrypt-proxy on ::1 port-5353 and unbound on ::1 port-53

Last edited by hunterthomson (2013-03-07 13:33:56)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

Offline

#18 2013-03-07 16:16:48

Tarqi
Member
From: Ixtlan
Registered: 2012-11-27
Posts: 179
Website

Re: Do you IPv6?

fukawi2 wrote:
Tarqi wrote:

(Edit: Btw: your log messages are just some Link-Local acknowledges (i believe).)

No, that's actually a lease. A known host in a test network, and the lease is written to the leases file, just not logged in a helpful manner.

That's strange. Isn't the FE80:... the IPv4 APIPA equivalent? (I'm just a noob on IPv6, reasons see my post above.)


Knowing others is wisdom, knowing yourself is enlightenment. ~Lao Tse

Offline

#19 2013-03-07 23:13:04

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217
Website

Re: Do you IPv6?

bergersau wrote:

Australia's Telstra Bigpond ISP doesn't offer IPv6 to home users.

BigFail....? You really should upgrade to Internode wink tongue

hunterthomson wrote:

Yes, the first half of the address /64 of 128 bits is always the network address, but ISP's should be giving home users anywhere between a /48 to a /64. That allows the home user to use the remaining network bits as subnet bits. So, if you get a /48 then you have 6 bits for subnets.

Yes, our ISP allocates a /56 by default to all accounts (business and home), and you can request a /48.

hunterthomson wrote:

Yes, you can setup and should setup your firewall/router to NAT/PAT your home network to prevent your home computers from being directly accessible from the public Internet. Just like IPv4.

No no no no no noooo. The only (possibly) valid use of NAT in IPv6 is interception such as for transparent proxies. NAT always has and always will be a dirty hack that only came about because someone realized the problem of IPv4 exhaustion. End-to-end connectivity far outweighs any perceived security from NAT.

Tarqi wrote:

That's strange. Isn't the FE80:... the IPv4 APIPA equivalent? (I'm just a noob on IPv6, reasons see my post above.)

Yes, FE80::/10 is the link-local address; that's my point about logging being rather "lacking" wink  The global unique address being leased isn't logged (except in the leases file, which isn't really a log file)

Offline

#20 2013-03-07 23:20:19

Awebb
Member
Registered: 2010-05-06
Posts: 6,268

Re: Do you IPv6?

hunterthomson wrote:

Yes, you can setup and should setup your firewall/router to NAT/PAT your home network to prevent your home computers from being directly accessible from the public Internet. Just like IPv4. The deal with IPv6 is that you do not have to, because you have more then enough addresses for all your devices.

This means work. I do not want desktop firewalls and I do not trust the general router creator population to provide me with a bug free solution. It will boil down to IPCop/PFsense/m0n0wall/etc.pp and a lot of work. It means, that we have to think about security the other way round, it's not about allowing single things, it is about not disallowing certain things. I know… I'm just wussing, that's all.

Offline

#21 2013-03-08 05:01:24

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: Do you IPv6?

itman wrote:
WonderWoofy wrote:

... snip alot

I disable ipv4 ...

snipp some more

Oh dear - and how do you walk the internet now? Ah - got it, Silicon Valley dwellers are not in the need of any kind of protocol...

Hell yeah!  We don't need no stinkin' ip!

Offline

#22 2013-03-08 12:09:23

zenlord
Member
From: Belgium
Registered: 2006-05-24
Posts: 1,221
Website

Re: Do you IPv6?

fukawi2 wrote:

No no no no no noooo. The only (possibly) valid use of NAT in IPv6 is interception such as for transparent proxies. NAT always has and always will be a dirty hack that only came about because someone realized the problem of IPv4 exhaustion. End-to-end connectivity far outweighs any perceived security from NAT.

Forgive me my ignorance, but how is one supposed to make a secure local network with IPv6? I hope it's not all about (manually) securing every individual device?

Offline

#23 2013-03-08 13:05:35

Ramses de Norre
Member
From: Leuven - Belgium
Registered: 2007-03-27
Posts: 1,289

Re: Do you IPv6?

My laptop uses a tunnel from SiXXs to get ipv6 connectivity and that works pretty well. I don't use ipv6 on the rest of the home network due to lack of a router that supports it.

Are there any decent home routers with full ipv6 support atm?

Offline

#24 2013-03-09 13:03:07

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: Do you IPv6?

Awebb wrote:
hunterthomson wrote:

Yes, you can setup and should setup your firewall/router to NAT/PAT your home network to prevent your home computers from being directly accessible from the public Internet. Just like IPv4. The deal with IPv6 is that you do not have to, because you have more then enough addresses for all your devices.

This means work. I do not want desktop firewalls and I do not trust the general router creator population to provide me with a bug free solution. It will boil down to IPCop/PFsense/m0n0wall/etc.pp and a lot of work. It means, that we have to think about security the other way round, it's not about allowing single things, it is about not disallowing certain things. I know… I'm just wussing, that's all.

Well ya, Black Lists don't work. You need to White List anyway.

fukawi2 wrote:

No no no no no noooo. The only (possibly) valid use of NAT in IPv6 is interception such as for transparent proxies. NAT always has and always will be a dirty hack that only came about because someone realized the problem of IPv4 exhaustion. End-to-end connectivity far outweighs any perceived security from NAT.

Well, I guess you are right. That job should be done with a firewall.

zenlord wrote:

Forgive me my ignorance, but how is one supposed to make a secure local network with IPv6? I hope it's not all about (manually) securing every individual device?

No, you just need a network firewall.

You have always needed to secure every individual device especially with Arch Linux. With Ubuntu you have AppArmor on by default and with Red Hat you have SElinux. However, with Arch it is up to the user (you) to setup whatever security systems you want to use. Vanilla Linux is vulnerable to attack on all fronts.

I highly suggest grsecurity. It is "Really" Super easy. Don't let the Hardened Gentoo Wiki scare you off, but I would suggest spending a weekend reading it. The config that is shipped with the AUR/linux-grsec package is all good for a Desktop/KVM Host. The only thing you need to change is disabling grsecurity sysctl support. Also, add your Desktop user to the tpe-trusted group.

Last edited by hunterthomson (2013-03-09 13:24:05)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

Offline

#25 2013-03-12 02:14:39

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217
Website

Re: Do you IPv6?

zenlord wrote:

Forgive me my ignorance, but how is one supposed to make a secure local network with IPv6? I hope it's not all about (manually) securing every individual device?

Either with permiter security (eg network firewall) or individually.

Ramses de Norre wrote:

Are there any decent home routers with full ipv6 support atm?

Internode *only* sell hardware that supports IPv6. The list on this page is tested and supported by Internode, so the implementations should be fairly stable: https://secure.internode.on.net/webtools/store

Offline

Board footer

Powered by FluxBB