this post was submitted on 24 Jun 2024
667 points (98.0% liked)

Programmer Humor

31183 readers
186 users here now

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

founded 4 years ago
MODERATORS
[email protected]
[email protected]
667
Basically the extent of my IPv6 knowledge (lemmy.world)
submitted 4 days ago by renzev to c/[email protected]
95 comments fedilink hide all child comments
 

Template source: https://web.archive.org/web/20210304000634/https://www.government.nl/topics/coronavirus-covid-19/visiting-the-netherlands-from-abroad/checklist

you are viewing a single comment's thread
view the rest of the comments
[–] eclipse 10 points 4 days ago (34 children)

It also means you no longer need the kludge that is NAT. Full E2E connectivity is really nice -- though I've found some network admins dislike this idea because they're so used to thinking about it differently or (mistakenly) think it adds to their security.

[–] ikidd 14 points 4 days ago (14 children)

NAT still has its place in obfuscating the internal network. Also, it's easier to think about firewall/routing when you segregate a network behind a router on its own subnet, IMO.

[–] eclipse 9 points 4 days ago (5 children)

Given how large the address space is, it's super easy to segregate out your networks to the nth degree and apply proper firewall rules.

There's no reason your clients can't have public, world routeable IPs as well as security.

Security via obfuscation isn't security. It's a crutch.

[–] efstajas 8 points 4 days ago* (last edited 4 days ago) (1 children)

There's no reason your clients can't have public, world routeable IPs as well as security.

There are a lot of valid reasons, other than security, for why you wouldn't want that though. You don't necessarily want to allow any client's activity to be traceable on an individual level, nor do you want to allow people to do things like count the number of clients at a particular location. Information like that is just unnecessary to expose, even if hiding it doesn't make anything more secure per se.

[–] [email protected] 12 points 4 days ago

Well good news. Because ipv6 has a thing called privacy extensions which has been switched on by default on every device I've used.

That generates random ipv6 addresses (which are regularly rotated) that are used for outgoing connections. Your router should block incoming connections to those ips but the os will too. The proper permanent ip address isn't used for outgoing connections and the address space allocated to each user makes a brute force scan more prohibitive than scanning the whole Ipv4 Internet.

So I'm going to say that using routable ipv6 addresses with privacy extensions is more secure than a single Ipv4 Nat address with dnat.

load more comments (3 replies)
load more comments (11 replies)
load more comments (30 replies)