Author Topic: Why we need a DHCPv6?  (Read 7270 times)


Offline mansaxel

  • Super Contributor
  • ***
  • Posts: 3558
  • Country: se
  • SA0XLR
    • My very static home page
Re: Why we need a DHCPv6?
« Reply #25 on: January 31, 2022, 06:30:18 am »
Interesting, so basically I have to give you my /56 IPv6 block and you could tell your firewall:

If "origin=Zucca IPv6" AND "Destination = mansa IPv6 Printer" THEN "let it pass to port printer"

Exactly. This is how IP is supposed to work. We have, by thinking "NAT is good enough", conditioned at least 25 years of networking users and administrators into not expecting and requiring the end-to-end model that is arguably the most fundamental component in IP networking.

Whenever I think of this broken illusion I get really upset.  You, OTOH, are recovering into actually appreciating the original qualities of IP networking and that makes for a little better world.

Regarding the VPN discussion, I agree they do not give more security, but what about privacy from evil ISP sniffing data?

This mostly moves the trustpoint. So now you must trust the VPN provider.  (If it's you, that's probably easy.)  Further, you must do a threat analysis model; who are you trying to protect against, and what capabilities do they possess?

If you buy a VPN-as-a-service, then, as noted, you also have another part to trust.

If you buy a VPS in co-lo and set up VPN to it, then that part is solved (if you can trust the virtualisation separation layer to protect your data).

In both cases you still have the question of what happens to the data at the exit point; who is looking at it there, and, since it is not impossible to correlate the VPN stream with the decrypted traffic, and you've shown some kind of intent in encrypting the traffic, who now wants to look at it?

Online ejeffrey

  • Super Contributor
  • ***
  • Posts: 3922
  • Country: us
Re: Why we need a DHCPv6?
« Reply #26 on: January 31, 2022, 07:50:59 pm »
Firewall rules alone are not a great choice for protecting unsecured internal devices like printers.  While they will drastically reduce the scope of people that can access them, firewall rules are not authenticated or private.  A VPN is much better.

I beg to differ. Firewall rules are excellent. Lack of routing (which VPN basically amounts to) is useful too, but not as convenient. Also, with universally routable addresses like v6 ones (yeah, I know about local scope) one needs firewall rules TOO.

No, a VPN is not about "lack of routing".  While VPNs work at the network layer and therefore involve routing, they are about authentication, data integrity, and privacy, not "lack of routing".

IP addresses are not secure.  If you allow access from a remote site by IP block, you are open to anyone who can spoof that address, which is a lot of people.  With a VPN connecting the remote networks you can actually authenticate the connection, protect the integrity of the data in transit, and prevent snooping.

Yes, a firewall rule will drastically reduce the number of people who can easily gain unauthorized access to your network, but far less than a VPN would, as that would require them to take direct control of the endpoint.

Firewalls are necessary of course, but mostly only in that they let you treat data on physically different networks differently: "inside" vs. "outside" vs. "DMZ".  Filtering traffic based on which physical network connection it originates on is secure and can't be spoofed without physical access or compromising a device on the private network, and the firewall helps to prevent that.  A VPN gives you a "virtual private network" -- that is, a connection that physically comes in on your connection to the public internet but which you can treat as an internal device.  A firewall granting access to private resources for connections coming from the public internet based on insecure data like the IP address is not a good use of firewalls.

Quote
VPN's like the ones advertised by youtubers are basically useless except for watching Netflix from another country. Secure or safe they are not.

Sure, I never suggested using one. Those systems are not VPNs in any real sense of the word.  They are encrypted proxies.  While they use VPN technology internally, a VPN is a network connection between two trusted devices/networks that takes place over an untrusted intermediate network.  Unless your desire is to communicate in a trusted fashion with NordVPN it doesn't really qualify as a VPN.

What I am saying you should do is run WireGuard or OpenVPN or other similar technology between your home network and your colo hosts if you want to use unsecured services like printing.  Relying on firewalls for that is better than nothing but is not real security.  It's not actually much better than simply using IPv6 and an open network, since IPv6 is almost impossible to brute-force scan due to the address space.  If you don't publish your printer's IPv6 address, only people who have the capability to sniff your network traffic will be able to find it, and those are mostly the people who could also mount a spoofing attack.  Of course in this model once your printer's IP address becomes public all bets are off and anyone in the world can print random stuff, so I'm not seriously recommending it.

Quote
Exactly. This is how IP is supposed to work. We have, by thinking "NAT is good enough" conditioned at least 25 years of networking users and administrators into not expecting and requiring the end-to-end model that is arguably the most fundamental component in IP networking.

I think you misunderstand.  End-to-end connectivity is great, but the goal is to treat the connectivity layer as a neutral infrastructure.  Assigning identity to certain IP addresses/ranges is a fundamentally bad idea.  Part of the goal of IPv6 that goes beyond even the pre-NAT intent of IPv4 is to make addresses less meaningful -- they are tools for routing, and they are supposed to support renumbering easily when needed.  If you want identity, use a service built on top of IP, not the low level identifiers.
 
The following users thanked this post: Zucca

Offline mansaxel

  • Super Contributor
  • ***
  • Posts: 3558
  • Country: se
  • SA0XLR
    • My very static home page
Re: Why we need a DHCPv6?
« Reply #27 on: January 31, 2022, 08:40:18 pm »

No, a VPN is not about "lack of routing".
In this context it is -- it's also used to go around the problem that everyone (except me and a few others; I've got an IPv4 /24 I'm routing home) has to use useless addresses at home.

IP addresses are not secure.  If you allow access from a remote site by IP block you are open to anyone who can spoof that address which is a lot of people. 
TCP is quite hard to spoof, because you need to control routing to do it. IPP is TCP. I'd be much more wary of deploying a UDP-based insecure protocol, like SNMPv2.
A firewall granting access to private resources for connections coming from the public internet based on insecure data like the IP address is not a good use of firewalls.
My reachable services are mostly (the printer is an exception) secure as-is. Firewalls to me are a way to keep the log noise down.

There are networks at home that contain Internet-of-shit devices. Those do not even get access to the HTTP-ternet via NAT. Likewise, some infrastructure devices that are hard to secure and important to keep private are on another network segment, also without HTTP access to the Internet. Of course neither class of device is on the same segment as the ChromeCast. Hell no if I trust that one...

Quote
Exactly. This is how IP is supposed to work. We have, by thinking "NAT is good enough" conditioned at least 25 years of networking users and administrators into not expecting and requiring the end-to-end model that is arguably the most fundamental component in IP networking.

I think you misunderstand.  End-to-end connectivity is great, but the goal is to treat the connectivity layer as a neutral infrastructure.  Assigning identity to certain IP addresses/ranges is a fundamentally bad idea.  Part of the goal of IPv6 that goes beyond even the pre-NAT intent of IPv4 is to make addresses less meaningful -- they are tools for routing, and they are supposed to support renumbering easily when needed.  If you want identity, use a service built on top of IP, not the low level identifiers.

I think I was unclear. I don't think we should let users ever bother with learning IP addresses -- I've spent most of my professional network career advocating the use of DNS.

What I'm advocating is that we should never have to accept duplicate IP addresses, because that flies in the face of the essence of the IP address, that it is unique.

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4603
  • Country: it
  • EE meid in Itali
Re: Why we need a DHCPv6?
« Reply #28 on: February 01, 2022, 02:49:13 am »
Drinking my hot tea and enjoying every single word of you two. Thanks.

IMHO you both are right. It depends on what you are opening up; some devices are secure, some others are calling home and throwing ropes on the other side of your firewall so somebody could enter.
Regarding a printer port open... what could they do? Worst case, trash my paper...

At home in my little little island I have one WiFi called "Untrusted WIFI" because for me, the general Joe's WiFi where all the devices connect is by definition insecure.

There all my nasty Androids and Alexa (my wife, go tell her..) are living. I then have another LAN just for my Lab and there I run my "secure" stuff.

That said, some questions:

I don't think we should let users ever bother with learning IP addresses -- I've spent most of my professional network career advocating the use of DNS.

I do not think my ISP is giving me a static /56, so I guess I need to do some DDNS IPv6. What I do not know is if I can tell my pfSense box "if IP origin is this DDNS" THEN....
I have to do my homework.

with universally routable addresses like v6 ones (yeah, I know about local scope) one needs firewall rules TOO. 

For local scope here, are you referring to fe80:: addresses? I did not set up any firewall rules for those...
Again I need to do my homework.
« Last Edit: February 01, 2022, 03:42:43 am by Zucca »
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

Offline mansaxel

  • Super Contributor
  • ***
  • Posts: 3558
  • Country: se
  • SA0XLR
    • My very static home page
Re: Why we need a DHCPv6?
« Reply #29 on: February 01, 2022, 09:36:45 am »

That said, some questions:

I don't think we should let users ever bother with learning IP addresses -- I've spent most of my professional network career advocating the use of DNS.

I do not think my ISP is giving me a static /56, so I guess I need to do some DDNS IPv6. What I do not know is if I can tell my pfSense box "if IP origin is this DDNS" THEN....
I have to do my homework.
Yes; since you're doing DHCP-PD assignment, you can (should!) expect the network part to change. For licensing and sanity reasons, I'm running another FreeBSD firewall, but I assume there's some support for -PD dependent rulemaking in other firewall solutions, and in end nodes.

with universally routable addresses like v6 ones (yeah, I know about local scope) one needs firewall rules TOO. 

For local scope here, are you referring to fe80:: addresses? I did not set up any firewall rules for those...
Again I need to do my homework.

No, not quite the same! In IPv6, we talk about scoped addresses, and there have been 4 scopes:

  • Global scope, routable over the Internet.
  • Local scope, routable inside a site; not expected to be eBGP announced. Now deprecated.
  • Link-local scope; on one link only. This is FE80::/10.
  • Node-local scope; basically loopback. ::1, equivalent to 127.0.0.1/8

I was actually unaware that site-local had been deprecated; which is good. I was against standardising it as it was proposed, and never bothered once I'd lost that fight.

Look at RFC 4291 for a more complete discussion of the concepts.

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1195
  • Country: ca
    • VE7XEN Blog
Re: Why we need a DHCPv6?
« Reply #30 on: February 01, 2022, 10:27:46 am »
"Site local" addresses were deprecated way back in 2004. Since 2005 the IPv6 analogue of IPv4 'private addresses' is Unique Local Addresses as defined in RFC 4193 (fc00::/7).

If you want to use them, you will typically give hosts both a ULA and a GUA (globally unique address) by advertising multiple SLAAC prefixes (or DHCPv6). Hosts will choose the correct source address to use based on the destination they are trying to connect to (this source address selection behaviour is codified in RFC 6724).

And the use case here, where your PD block isn't static, is exactly what ULA is for. The main intent is not to 'be private' but to avoid renumbering your internal resources when your GUA prefix changes for some reason. Though it can offer some element of that as well, if you only give devices like printers or whatnot a ULA address, they won't be able to reach the Internet or vice versa.

More from APNIC: https://blog.apnic.net/2020/05/20/getting-ipv6-private-addressing-right/
« Last Edit: February 01, 2022, 10:31:22 am by ve7xen »
73 de VE7XEN
He/Him
 
The following users thanked this post: Zucca, mansaxel
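The source-address choice ve7xen describes, shown as an added Python illustration (not code from the thread, nor an implementation taken from any RFC): a simplified RFC 6724 selection using the default policy table with rules 2, 5 and 8 only, applied to a constructed host that holds a link-local, a ULA and a GUA address at the same time.

```python
import ipaddress

# Default policy table from RFC 6724 section 2.1: (prefix, precedence, label).
POLICY_TABLE = [
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
    ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12),
]

def policy_label(addr):
    """Label of the longest-matching policy-table prefix (input to rule 5)."""
    best_len, best_label = -1, 1
    for prefix, _precedence, label in POLICY_TABLE:
        net = ipaddress.IPv6Network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_label = net.prefixlen, label
    return best_label

def scope(addr):
    """Scope per RFC 4291: link-local (and loopback) 2, deprecated site-local 5,
    everything else, ULA included, is global scope 14."""
    if addr.is_loopback or addr.is_link_local:
        return 2
    if addr.is_site_local:
        return 5
    return 14

def common_prefix_len(a, b):
    return 128 - (int(a) ^ int(b)).bit_length()

def select_source(dest, candidates):
    """Simplified RFC 6724: rule 2 (prefer appropriate scope), rule 5 (prefer
    matching label) and rule 8 (longest matching prefix); the rules about
    deprecated, home, temporary and outgoing-interface addresses are omitted."""
    d = ipaddress.IPv6Address(dest)

    def rank(src):
        s = ipaddress.IPv6Address(src)
        # Sources whose scope covers the destination beat those that do not;
        # among adequate ones the smallest scope wins, among inadequate the largest.
        scope_key = (0, scope(s)) if scope(s) < scope(d) else (1, -scope(s))
        label_key = 1 if policy_label(s) == policy_label(d) else 0
        return (scope_key, label_key, common_prefix_len(s, d))

    return max(candidates, key=rank)

# Constructed sample host holding a link-local, a ULA (RFC 4193) and a GUA address.
HOST_ADDRS = ["fe80::1", "fd12:3456:789a:1::1", "2001:db8:1:0:1:2:3:4"]
```

A ULA destination gets the ULA source, a global destination the GUA, and a link-local destination the link-local address, which is why a printer given only a ULA cannot be reached from, or reach, the Internet.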

Offline madires

  • Super Contributor
  • ***
  • Posts: 8175
  • Country: de
  • A qualified hobbyist ;)
Re: Why we need a DHCPv6?
« Reply #31 on: February 01, 2022, 03:50:06 pm »
When dealing with changing IPv6 prefixes (e.g. DHCPv6 PD) and Linux there are some nice features. You can add a fixed interface address without the network part (called token): 'ip token set "::1:2:3:4/64" dev eth0'. For each current prefix the interface address is expanded to <prefix>:1:2:3:4/64. And for the firewall (ip6tables, not sure if nftables supports this also) you can add a matching rule using '::1:2:3:4/::ffff:ffff:ffff:ffff' as address filter.
 
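The token scheme madires describes, as an added Python illustration (not code from the post, nor from iproute2 or ip6tables): it builds the address a host would derive from a token under a given delegated prefix, then evaluates a rule written with the right-aligned mask ::ffff:ffff:ffff:ffff against it before and after a prefix change, next to a conventional full-address rule. The two prefixes are constructed documentation-range values standing in for successive PD leases; the ip6tables syntax itself is not exercised.

```python
import ipaddress

def expand_token(prefix, token):
    """Address Linux derives from 'ip token set': upper 64 bits from the
    currently delegated prefix, lower 64 bits from the token."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("token addressing expects a /64 prefix")
    tok = int(ipaddress.IPv6Address(token))
    if tok >> 64:
        raise ValueError("token may only set the lower 64 bits")
    return str(ipaddress.IPv6Address(int(net.network_address) | tok))

def masked_match(addr, rule_addr, rule_mask):
    """Compare under an arbitrary mask, the semantics of an ip6tables
    '-s addr/mask' spec; with ::ffff:ffff:ffff:ffff only the interface
    identifier (lower 64 bits) is compared, whatever the prefix."""
    a = int(ipaddress.IPv6Address(addr))
    r = int(ipaddress.IPv6Address(rule_addr))
    m = int(ipaddress.IPv6Address(rule_mask))
    return (a & m) == (r & m)

TOKEN = "::1:2:3:4"
# Prefix-independent rule as in the post; a full /128 rule is built below for contrast.
IID_RULE = ("::1:2:3:4", "::ffff:ffff:ffff:ffff")
FULL_MASK = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"

def rule_survives_renumbering(old_prefix, new_prefix, token, rule):
    """(matches before, matches after) for a host using `token` when the
    delegated prefix changes from old_prefix to new_prefix."""
    addr, mask = rule
    before = expand_token(old_prefix, token)
    after = expand_token(new_prefix, token)
    return masked_match(before, addr, mask), masked_match(after, addr, mask)

if __name__ == "__main__":
    # Constructed documentation-range prefixes standing in for two successive PD leases.
    old, new = "2001:db8:aaaa:1::/64", "2001:db8:bbbb:1::/64"
    full_rule = (expand_token(old, TOKEN), FULL_MASK)
    print("full-address rule:", rule_survives_renumbering(old, new, TOKEN, full_rule))
    print("token rule:       ", rule_survives_renumbering(old, new, TOKEN, IID_RULE))
```

The same masked comparison also holds when the host additionally carries a ULA /64 built from the token, so one rule covers both the internal and the delegated address.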

Offline ZuccaTopic starter

  • Supporter
  • ****
  • Posts: 4603
  • Country: it
  • EE meid in Itali
Re: Why we need a DHCPv6?
« Reply #32 on: February 02, 2022, 03:27:32 am »
My homework:

https://datatracker.ietf.org/doc/html/rfc4193
https://datatracker.ietf.org/doc/html/rfc6724
https://www.rfc-editor.org/rfc/rfc4291

The more complicated it gets, the more I am enjoying it. I wish I had all the time I wanted to learn all that stuff....

Thanks everybody!
Can't know what you don't love. St. Augustine
Can't love what you don't know. Zucca
 

