Re: [External] Re: IPv6 uptake
On Mon, Feb 19, 2024 at 9:17 AM William Herrin <bill@herrin.us> wrote:
> There's also the double-ISP loss scenario that causes Joe to lose all
> global-scope IP addresses. He can overcome that by deploying ULA
> addresses (a third set of IPv6 addresses) on the internal hosts, but
> convincing the internal network protocols to stay on the ULA addresses
> is wonky too.

In the real world today, most applications seem to use mDNS and
link-local addresses to keep this connectivity working. (I am guessing
Joe's Taco Shop uses something like Square, and just needs his
register to talk to his printer. This already works with mDNS and
link-locals today.)

--
Hunter Fuller (they)
Router Jockey
VBH M-1C
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering
Re: [External] Re: IPv6 uptake
On Mon, Feb 19, 2024 at 9:29 AM Mike Hammett <nanog@ics-il.net> wrote:
> "In IPv6's default operation, if Joe has two connections then each of
> his computers has two IPv6 addresses and two default routes. If one
> connection goes down, one of the routes and sets of IP addresses goes
> away."
>
> This sounds like a disaster.

You know, I thought so too, until I deployed it and it worked fine.

I have done it twice now, once on MikroTik RouterOS and once on
Ubiquiti EdgeOS. You just have to make sure the timers are pretty
short, and that the router will stop sending RAs for the route if it's
not working. This is definitely something that a COTS SOHO dual WAN
router, that Joe would buy, could and should do by default (hopefully
they do; I just haven't checked).

--
Hunter Fuller (they)
Router Jockey
VBH M-1C
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Network Engineering
Re: [External] Re: IPv6 uptake
mdns can still be "fun" in a wide variety of situations.

https://www.reddit.com/r/k12sysadmin/comments/9yghdx/chromebooks_and_peer_to_peer_updates_can_be/

I do not know to what extent the upgrade to unicast feature long
gestating in the IETF has been adopted.

On Mon, Feb 19, 2024 at 11:10 AM Hunter Fuller via NANOG
<nanog@nanog.org> wrote:
>
> On Mon, Feb 19, 2024 at 9:17 AM William Herrin <bill@herrin.us> wrote:
> > There's also the double-ISP loss scenario that causes Joe to lose all
> > global-scope IP addresses. He can overcome that by deploying ULA
> > addresses (a third set of IPv6 addresses) on the internal hosts, but
> > convincing the internal network protocols to stay on the ULA addresses
> > is wonky too.
>
> In the real world today, most applications seem to use mDNS and
> link-local addresses to keep this connectivity working. (I am guessing
> Joe's Taco Shop uses something like Square, and just needs his
> register to talk to his printer. This already works with mDNS and
> link-locals today.)
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH M-1C
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering



--
40 years of net history, a couple songs:
https://www.youtube.com/watch?v=D9RGX6QFm5E
Dave Täht CSO, LibreQos
Re: [External] Re: IPv6 uptake
On Mon, Feb 19, 2024 at 11:13 AM Hunter Fuller via NANOG
<nanog@nanog.org> wrote:
>
> On Mon, Feb 19, 2024 at 9:29 AM Mike Hammett <nanog@ics-il.net> wrote:
> > "In IPv6's default operation, if Joe has two connections then each of
> > his computers has two IPv6 addresses and two default routes. If one
> > connection goes down, one of the routes and sets of IP addresses goes
> > away."
> >
> > This sounds like a disaster.
>
> You know, I thought so too, until I deployed it and it worked fine.

Years ago we made "source specific routing" the default in openwrt.
This means all hosts get both sets of prefixes, and naturally retry
other src addresses.

To what extent anyone else has adopted this is unknown. The popular
mwan3 code is kind of hairy vis-a-vis ipv6 here.



> I have done it twice now, once on MikroTik RouterOS and once on
> Ubiquiti EdgeOS. You just have to make sure the timers are pretty
> short, and that the router will stop sending RAs for the route if it's
> not working. This is definitely something that a COTS SOHO dual WAN
> router, that Joe would buy, could and should do by default (hopefully
> they do; I just haven't checked).
>
> --
> Hunter Fuller (they)
> Router Jockey
> VBH M-1C
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Network Engineering



--
40 years of net history, a couple songs:
https://www.youtube.com/watch?v=D9RGX6QFm5E
Dave Täht CSO, LibreQos
Re: [External] Re: IPv6 uptake
On Mon, Feb 19, 2024 at 8:08 AM Hunter Fuller <hf0002+nanog@uah.edu> wrote:
> On Mon, Feb 19, 2024 at 9:17 AM William Herrin <bill@herrin.us> wrote:
> > There's also the double-ISP loss scenario that causes Joe to lose all
> > global-scope IP addresses. He can overcome that by deploying ULA
> > addresses (a third set of IPv6 addresses) on the internal hosts, but
> > convincing the internal network protocols to stay on the ULA addresses
> > is wonky too.
>
> In the real world today, most applications seem to use mDNS and
> link-local addresses to keep this connectivity working. (I am guessing
> Joe's Taco Shop uses something like Square, and just needs his
> register to talk to his printer. This already works with mDNS and
> link-locals today.)

Hi Hunter,

Yes and no. The client application has to be programmed to understand
link-local addresses or it can't use them at all. You can't just say
"connect to fe80::1." Even if there's an fe80::1 on your network, it
doesn't work. The client app has to also carry the interface identity
into the stack (e.g. fe80::1%eth0) in order to use it.

IPv6 link local addresses can't be expressed as a regular DNS target
the way ULA and RFC1918 addresses can. No way to add that "%eth0" to
the AAAA record. They only work with multicast DNS because the
matching interface is known based on which interface was used to send
the multicast query.

And of course link local is -strictly- link local. If you want one
subnet to communicate with another, you have to do it with global
scope or ULA addresses.

Regards,
Bill Herrin


--
William Herrin
bill@herrin.us
https://bill.herrin.us/
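The zone-id requirement Bill describes above (a bare `fe80::1` is ambiguous, `fe80::1%eth0` is usable, and neither can be published in an AAAA record), as an added example that is not part of the thread. The function names are mine and the interface names are constructed samples; it uses only the Python standard library.

```python
"""Added example, not from the thread: what an application must carry to
use a link-local IPv6 target, and why a plain AAAA record cannot do it.
Function names are mine; the zone names used are constructed samples."""
import ipaddress
import socket

ULA = ipaddress.IPv6Network("fc00::/7")


def classify_target(target: str) -> dict:
    """Split an IPv6 literal such as 'fe80::1%eth0' into address and zone
    and report what that means for connecting to it or publishing it."""
    literal, _, zone = target.partition("%")      # zone is '' when absent
    addr = ipaddress.IPv6Address(literal)
    if addr.is_loopback:
        scope = "loopback"
    elif addr.is_link_local:                      # fe80::/10
        scope = "link-local"
    elif addr in ULA:
        scope = "unique-local"
    else:
        scope = "global"                          # good enough for this demo
    link_local = scope == "link-local"
    return {
        "address": str(addr),
        "zone": zone or None,
        "scope": scope,
        # fe80::1 alone names a host on *some* link; the stack needs the link.
        "needs_zone": link_local and not zone,
        # An AAAA record holds 128 bits and nothing else, so even
        # 'fe80::1%eth0' cannot be published; ULA and global addresses can.
        "dns_publishable": not link_local,
    }


def sockaddr_for(target: str, port: int):
    """Build the AF_INET6 sockaddr (host, port, flowinfo, scope_id) that
    socket.connect() expects. Returns (sockaddr, None) or (None, reason)."""
    info = classify_target(target)
    if info["needs_zone"]:
        return None, "link-local literal without %zone: which link?"
    zone = info["zone"]
    if zone is None:
        scope_id = 0                              # not needed for ULA/global
    elif zone.isdigit():
        scope_id = int(zone)                      # numeric interface index
    else:
        try:
            scope_id = socket.if_nametoindex(zone)  # e.g. 'eth0' -> index
        except OSError:
            return None, f"no interface named {zone!r} on this host"
    return (info["address"], port, 0, scope_id), None


if __name__ == "__main__":
    for t in ("fe80::1", "fe80::1%eth0", "fe80::1%1", "fd12:3456::7"):
        print(t, classify_target(t)["scope"], sockaddr_for(t, 631))
```

The same split is what a resolver-free mDNS client does implicitly: the interface the multicast query went out on supplies the zone that a DNS answer never could.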
Re: [External] Re: IPv6 uptake
On Mon, Feb 19, 2024 at 10:22 AM William Herrin <bill@herrin.us> wrote:
> Yes and no. The client application has to be programmed to understand
> link-local addresses or it can't use them at all. You can't just say
> "connect to fe80::1." Even if there's an fe80::1 on your network, it
> doesn't work. The client app has to also carry the interface identity
> into the stack (e.g. fe80::1%eth0) in order to use it.

Sure, you and I know this, as a network engineering fact. But, all
over the US, thousands of taco trucks (Joe's or otherwise) are using
Square and similar solutions, and I happen to know from pcaps that
they are (at least some of the time) using the method I described. So
everything else we discuss is kind of academic; Joe will continue
printing receipts for taco orders over link local addresses just fine,
since it works in production today.

We can talk all day about how it's not optimal, has limitations if you
have 4000 Chromebooks, etc., but Joe won't care, because he is selling
tacos. Businesses (not enterprises) that need dual WAN will fall into
this category 99.9% of the time.

I guess the point I'm making is, the methods we are using today for v6
dual WAN, work fine for most people. There isn't really an advantage
to using v4 NAT. That was the original topic I was responding to... as
it is visible fuzzily in the rearview mirror currently.
Re: [External] Re: IPv6 uptake
On Mon, Feb 19, 2024 at 9:00 AM Hunter Fuller <hf0002+nanog@uah.edu> wrote:
> I guess the point I'm making is, the methods we are using today for v6
> dual WAN, work fine for most people.

Hi Hunter,

I accept that point. It's wobbly on some of the details, but you're
talking "most" people, not everyone.


> There isn't really an advantage to using v4 NAT.

I disagree with that one. Limiting discussion to the original security
context (rather than the wider world of how useful IPv6 is without
IPv4), IPv6 is typically delivered to "most people" without border
security, while IPv4 is delivered with a stateful NAT firewall. If
ISPs got diligent about providing an IPv6 firewall to customers even
though they don't need to do so for the customer to use more than one
computer, there'd still be a security difference between internal
hosts that are externally addressable (a stateful firewall without
NAT) and internal hosts which are not. Security doesn't deal with
"most people," it deals with people savvy enough to find and exploit
the openings and errors in the software most people use.

Regards,
Bill Herrin


--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Re: [External] Re: IPv6 uptake
On Mon, Feb 19, 2024 at 11:16 AM William Herrin <bill@herrin.us> wrote:
> > There isn't really an advantage to using v4 NAT.
> I disagree with that one. Limiting discussion to the original security
> context (rather than the wider world of how useful IPv6 is without
> IPv4), IPv6 is typically delivered to "most people" without border
> security, while IPv4 is delivered with a stateful NAT firewall.

Maybe this is the disconnect. Who delivers v6 without a firewall?

I've done a lot of T-Mobile and Comcast business connections lately,
and those certainly both provide a firewall on v4 and v6. I'll admit
I'm not currently well-versed in other providers (except ones that
don't provide v6 at all...).

It is possible to order Comcast without a firewall for v6, in which
case you receive a public v4 address without protection too.

What common scenario leads to your average person being unprotected on
the v6 Internet?
Re: [External] Re: IPv6 uptake
On Mon, Feb 19, 2024 at 9:23 AM Hunter Fuller <hf0002+nanog@uah.edu> wrote:
> On Mon, Feb 19, 2024 at 11:16 AM William Herrin <bill@herrin.us> wrote:
> > > There isn't really an advantage to using v4 NAT.
> > I disagree with that one. Limiting discussion to the original security
> > context (rather than the wider world of how useful IPv6 is without
> > IPv4), IPv6 is typically delivered to "most people" without border
> > security, while IPv4 is delivered with a stateful NAT firewall.
>
> Maybe this is the disconnect. Who delivers v6 without a firewall?
>
> I've done a lot of T-Mobile and Comcast business connections lately,
> and those certainly both provide a firewall on v4 and v6. I'll admit
> I'm not currently well-versed in other providers (except ones that
> don't provide v6 at all...).

Hi Hunter,

You may be right. I haven't ordered SOHO service in a long time and in
fairness you were talking about Joe's Taco Shop not Joe's home
network.

I -suspect- that the wifi router provided for Joe's home network
doesn't do much more than plain routing on the IPv6 side but I do not
know that for a truth. I ordered my wave and comcast services without
a router and I didn't keep the centurylink router long enough to test
whether it did any filtering on IPv6. I noticed no knobs for IPv6
filtering or port forwarding, so I suspect it did not.

Regards,
Bill Herrin


--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Re: [External] Re: IPv6 uptake
On Mon, 19 Feb 2024 09:16:00 -0800
William Herrin <bill@herrin.us> wrote:

> I disagree with that one. Limiting discussion to the original security
> context (rather than the wider world of how useful IPv6 is without
> IPv4), IPv6 is typically delivered to "most people" without border
> security, while IPv4 is delivered with a stateful NAT firewall.

How is v6 being delivered without a stateful firewall while v4
is secured with one?

FWIW, in the decade we have been providing dual-stack by default, I
have made a bit of a hobby out of testing every CPE and SOHO router
that I get my hands on in my PON lab. I've never once seen a device
that has v6 support and didn't have a stateful v6 firewall on by
default (if v6 was "on").

By whom and how is this being delivered?

--TimH
Re: [External] Re: IPv6 uptake
OpenWrt, from which much is derived, is default deny on ipv4 and ipv6.

The ipv6 firewall on most cable devices prior to the XB6 is very, very limited.

On Mon, Feb 19, 2024 at 12:44 PM William Herrin <bill@herrin.us> wrote:
>
> On Mon, Feb 19, 2024 at 9:23 AM Hunter Fuller <hf0002+nanog@uah.edu> wrote:
> > On Mon, Feb 19, 2024 at 11:16 AM William Herrin <bill@herrin.us> wrote:
> > > > There isn't really an advantage to using v4 NAT.
> > > I disagree with that one. Limiting discussion to the original security
> > > context (rather than the wider world of how useful IPv6 is without
> > > IPv4), IPv6 is typically delivered to "most people" without border
> > > security, while IPv4 is delivered with a stateful NAT firewall.
> >
> > Maybe this is the disconnect. Who delivers v6 without a firewall?
> >
> > I've done a lot of T-Mobile and Comcast business connections lately,
> > and those certainly both provide a firewall on v4 and v6. I'll admit
> > I'm not currently well-versed in other providers (except ones that
> > don't provide v6 at all...).
>
> Hi Hunter,
>
> You may be right. I haven't ordered SOHO service in a long time and in
> fairness you were talking about Joe's Taco Shop not Joe's home
> network.
>
> I -suspect- that the wifi router provided for Joe's home network
> doesn't do much more than plain routing on the IPv6 side but I do not
> know that for a truth. I ordered my wave and comcast services without
> a router and I didn't keep the centurylink router long enough to test
> whether it did any filtering on IPv6. I noticed no knobs for IPv6
> filtering or port forwarding, so I suspect it did not.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> bill@herrin.us
> https://bill.herrin.us/



--
40 years of net history, a couple songs:
https://www.youtube.com/watch?v=D9RGX6QFm5E
Dave Täht CSO, LibreQos
Re: [External] Re: IPv6 uptake
On Mon, Feb 19, 2024 at 9:44 AM Tim Howe <tim.h@bendtel.com> wrote:
> FWIW, in the decade we have been providing dual-stack by default, I
> have made a bit of a hobby out of testing every CPE and SOHO router
> that I get may hands on in my PON lab.

Hi Tim,

I have not, so I'll defer to your experience.

> I've never once seen a device
> that has v6 support and didn't have a stateful v6 firewall on by
> default (if v6 was "on").

Acknowledged.

So when the user wants to run a home server, their IPv4 options are to
create a TCP or UDP port forward for a single service port or perhaps
create a generic port forward for every port to a single internal
machine. Protocols other than TCP and UDP not supported. They might
also have the option of a "bridge" mode in which only one internal
host is usable and the IPv4 functions of the device are disabled. The
bridge mode is the only "off" setting for the IPv4 firewall.

Correct?

Their IPv6 options *might* include these but also include the option
to turn the IPv6 firewall off. At which point IPv4 is still firewalled
but IPv6 is not and allows all L4 protocols, not just TCP and UDP.

Also correct?

Regards,
Bill Herrin



--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Re: [External] Re: IPv6 uptake
Some responses below.

On Mon, 19 Feb 2024 10:01:06 -0800
William Herrin <bill@herrin.us> wrote:

> > I've never once seen a device
> > that has v6 support and didn't have a stateful v6 firewall on by
> > default (if v6 was "on").
>
> Acknowledged.
>
> So when the user wants to run a home server, their IPv4 options are to
> create a TCP or UDP port forward for a single service port or perhaps
> create a generic port forward for every port to a single internal
> machine. Protocols other than TCP and UDP not supported.

OK, but I'm not sure what you are getting at by saying this is
TCP and UDP exclusive... I don't know why it would be; what's the
example you think is typically being denied?

> They might
> also have the option of a "bridge" mode in which only one internal
> host is usable and the IPv4 functions of the device are disabled. The
> bridge mode is the only "off" setting for the IPv4 firewall.
>
> Correct?
>
> Their IPv6 options *might* include these but also include the option
> to turn the IPv6 firewall off. At which point IPv4 is still firewalled
> but IPv6 is not and allows all L4 protocols, not just TCP and UDP.
>
> Also correct?

This isn't how I would characterize any of this, to be honest.
I think what you are trying to say is that a v6 firewall can be "off"
while IPv6 connectivity remains unhindered, but turning "off" an IPv4
firewall means no hosts behind NAT will continue to have connectivity.
The assumption being that a guardrail for someone being really
self-destructive is removed.

OK. So someone really wanted connectivity and really wanted to
disable security. Maybe.
I still believe that the statement "IPv6 is typically delivered
to "most people" without border security" to be demonstrably false.

--
TimH
Re: [External] Re: IPv6 uptake
On Mon, Feb 19, 2024 at 10:31 AM Tim Howe <tim.h@bendtel.com> wrote:
> On Mon, 19 Feb 2024 10:01:06 -0800
> William Herrin <bill@herrin.us> wrote:
> > So when the user wants to run a home server, their IPv4 options are to
> > create a TCP or UDP port forward for a single service port or perhaps
> > create a generic port forward for every port to a single internal
> > machine. Protocols other than TCP and UDP not supported.
>
> OK, but I'm not sure what you are getting at by saying this is
> TCP and UDP exclusive... I don't know why it would be; what's the
> example you think is typically being denied?

Hi Tim,

NATs don't generally process protocols like GRE, ESP (IPSEC), SCTP and
most of the hundred fifty or so other protocols that sit atop IPv4.
They don't have code that would make it possible to process those
packets. They're generally TCP, UDP, and ICMP. Anything else is
necessarily dropped.


> The assumption being that a guardrail for someone being really
> self-destructive is removed.

In more sophisticated scenarios where subtler errors are possible, I
described it as a "security layer" rather than a "guardrail." But yes:
we're talking about the same thing.


> I still believe that the statement "IPv6 is typically delivered
> to "most people" without border security" to be demonstrably false.

I concede the claim. I am satisfied with your evidence that I was in error.

Regards,
Bill Herrin


--
William Herrin
bill@herrin.us
https://bill.herrin.us/