IPv6: To disable or not to disable it?

Should I use IPv6 or make sure it is disabled, Jow Forums?

What reason would you have to disable it?

cause hes retarded

Up to you, but there is no reason not to use it unless you believe the retarded brainlets that think it's akin to running without a firewall.

Because I don't have any clue how to filter it ;_;

>gives no reason I should keep IPv6

What are you attempting to do?

YOU CAN BE DIRECTLY TRACED AS A HOST IN IPV6 SINCE THERE IS NO PRIVATE AND PUBLIC IP ADDRESSES LIKE ON IPV4 SO YOU CAN'T SAY ANYMORE THAT YOUR NEIGHBOR USED YOUR WI-FI ROUTER TO WATCH LOLI PORN !

You're a retard and don't understand how IPv6 works.

You fall into this category.
>unless you believe the retarded brainlets that think it's akin to running without a firewall.

Got any proofs?

If you’re using automatic link local I think it uses your MAC + some predefined bits to address to make up the last 32 bits of your IP. Essentially allowing other people to track your computer across local networks.

No, this hasn't been true since 2007 when they revised the standard for security concerns.


It CAN be set up to do that, but that isn't the default.

>Essentially allowing other people to track your computer across local networks
Even if this were true, and as the other user said, I'm pretty sure they fixed this concern. It shouldn't really matter much.

Local network is all owned by me, no one else is using it. So meh. Who cares if my other local networked devices can see traffic to my main PC? I control all the devices in question, and they all go through my PFsense router before hitting the internet.

the problem with IPv6 is that I don't have any reason to spend any time setting it up. It doesn't get me anything. Sure, sure, it's good for the internet in some vague way by reducing the dependence on limited v4 addresses and NAT. But as someone with a publicly-routable v4 address and working, already-set-up NAT, what exactly does IPv6 get me that IPv4 alone does not? Other than access to a handful of "test your IPv6" websites?

literally nothing

but he is right tho, goy. With ipv6 there is no NAT required, so if his ip is used for shady shit, there is no "deniability"

I don't know how to do anything with it, is the problem. That makes it far easier to simply disable it, since it doesn't break anything to do so.

they now use random number generator for the host portion.

Citation needed

But what are you TRYING to do with it?

Windows cucks are stopping this from becoming a reality. I didn't know this until last night, but did you know that a Windows application can't log an IPv6 address to event viewer? Windows actually won't allow it! WTF

Presumably one would use it in a similar fashion to ipv4. I would be using it to communicate with the outside world, allow most traffic from inside out, but very little from outside in.

then it already does that by default.

Are you actually retarded or do you know ANYTHING about networking?

It just knows what services/daemons/etc are running where and who I want accessing them?

An IPv6 address can be treated the same way you'd treat an IPv4 address when it comes to your routing.

nat is not utilized in ipv6
it COULD be utilized, but its not

Do you think NAT is what keeps your loli habits hidden currently?

NAT is security through obscurity, and therefore, isn't secure.

did you even read what i was replying to?
it was in response to this: and hes right.
i didnt say anything about security and you butt burglars started sperging out about it.
learn to read the thread next time

I'm not sure why I'd opt for the obnoxiously long hex address over simple octets.
I have no idea of the address space I'd be wanting to filter.
Yes, I could probably look it up. It works as it is. Why should I bother? Why do everything twice?

neither one protects lolis either.
i was only referencing nat and direct network connections.
nothing more or less

Because if you ever want to access an IPv6 only domain, you wont be able to unless you have IPv6 enabled.

It isn't an issue for 99.9999999% of people currently, but it certainly isn't going away, since IPv4 address depletion happened a few years ago, they aren't going to magically get more of them.

being superior to ipv4 in every way is not a reason?

NAT
IS
NOT
A
SECURITY
FEATURE

i-still-bit/10

>if
Stop giving third worlders food and cellular phones and the problem of address exhaustion magically goes away.

That's not happening, many of those countries are going through major growth. Cell phones, computers, tablets, etc are a natural extension of that growth.

>I'm not sure why I'd opt for the obnoxiously long hex address over simple octets.
this is the most retarded argument.
1. IPv6 addresses are not hard to remember. You are just not used to it
2. v6 supports local host lookup by default

its not a security feature but it is not security through obscurity either there is a very real layer of security that nat gives you and i think you know what it is, you just dont want to acknowledge it so ill give you an example
a web server is behind nat
it gets hacked
hacker opens a nc on port 60000 piped to a bash shell
although the listening port is open it can not be exploited because there is no way to connect to it from the public side (without configuring port forwarding in the nat device of course)
this is not security through obscurity because nothing has been obscured. the listening port is there, but you can not connect to it from the unprotected (public nat) side

do not mix up NAT and firewalls. Kys now.
NAT is not secure. period. You can't say it is, because it's not. It's just a stupid hack that he adopted.

So it adds security as a by-product of what it is.

It in and of itself however is not a security feature, it is not designed as such, nor is it implemented to act as such.

>So it adds security as a by-product of what it is.
yes
>It in and of itself however is not a security feature, it is not designed as such, nor is it implemented to act as such.
agreed
>do not mix up NAT and firewalls. Kys now.
nobody has except you , you literal retard. port forwarding is a nat feature not a firewall feature.
shut up and let the adults talk

Brexit.
The UK have claimed sovereignty over all traditional ipv4 addresses and banished the globalist ipv6 usurpers to their self-created quagmire

>NAT and firewalling are completely orthogonal concepts that have nothing to do with each other. Because some NAT implementations accidentally provide some firewalling, there is a persistent myth that NAT provides security. It provides no security whatsoever. None. Zero.

>For example, a perfectly reasonable NAT implementation might, if it only had one client, forward all inbound TCP and UDP packets to that one client. The net effect would be precisely the same as if the client had the outside address of the NAT device.

>Don't think that because most NAT devices have some firewalling built in by design or do some by accident that this means NAT itself provides any security. It is the firewalling that provides the security, not the NAT. The purpose of NAT is to make things work.

>You must not assume a machine is not outside accessible just because it's behind a NAT device. It's not outside accessible if some device is specifically configured not to permit it to be accessed from the outside, whether that device does NAT or not.

>Every machine having an outside address but with a stateful firewall that's properly configured, managed, and monitored is vastly superior to a cheap SoHo NAT box.

>Many actual SoHo NAT boxes forward traffic to inside hosts despite no inside host having ever sent traffic to the source of the forwarded traffic. Permissive NAT does really exist.

You can have NAT with IPv6 just fine.
If you want just selective ingress, you can also set it up the same way you'd do NAT but without address masquerading.

>For example, a perfectly reasonable NAT implementation might, if it only had one client, forward all inbound TCP and UDP packets to that one client
then there is no need for nat! this is retarded, its describing a firewall.
there is not a single NAT device out there that does this without configuring every port to be forwarded to the interior host and i would like you to prove me wrong just so i can see such a device
>Every machine having an outside address but with a stateful firewall that's properly configured, managed, and monitored is vastly superior to a cheap SoHo NAT box.
yup
>Many actual SoHo NAT boxes forward traffic to inside hosts despite no inside host having ever sent traffic to the source of the forwarded traffic. Permissive NAT does really exist.
yes its called port forwarding its very common

>yes
>agreed

I guess my argument would then be, it's closer to security through obscurity than it is to actual security.

>For example, a perfectly reasonable NAT implementation might, if it only had one client, forward all inbound TCP and UDP packets to that one client.
this is the dumbest thing ive ever heard and never seen in real life
there is no reason to have a device that does this

f5.com/services/resources/white-papers/the-myth-of-network-address-translation-as-security

>there is not a single NAT device out there that does this
Most standard consumer routers call it "DMZ".

he's just quoting some random mouth breather from stack exchange.

>it's closer to security through obscurity than it is to actual security.
it is not. there is no way on the public side to unobscure that listening port in the example i gave you here it would require defeating the nat's security controls in its admin's panel and configuring port forwarding
so its not obscurity, because it can not be unobscured without administrative network configuration.

IPv6 causes cancer

sorry i meant to say it was close to it yes, but it is not security through obfuscation because nothing has been obfuscated

Imagine this
a webserver is behind nat
it gets hacked
hacker opens nc and connects to a server listening on port 60000 and pipes it to a shell
although the server is behind nat, it doesn't matter because the connection request was originated from inside the nat. your """security""" is now out the window

>f5
Into the trash it goes

>although the server is behind nat, it doesn't matter because the connection request was originated from inside the nat.
lol you have no idea what you're talking about. if i get basic RCE on a nat'ed web server and try to get a shell by using nc to listen on a port, piping it to a shell, i have no way to access it. every request i make to access this service will be from outside the nat.
i cant operate a nc shell from a form box on a web page that doesnt validate input properly

YOU IMBECILE, YOUR MAC ADDRESS IS VISIBLE ALL OVER THE FUCKING INTERNET BECAUSE YOUR IPV6 ADDRESS IS HALF COMPOSED FROM YOUR ISP'S PREFIX AND THE OTHER HALF FROM YOUR MAC ADDRESS USING EUI 64, I AM LEARNING CCNA AND I KNOW WHAT I AM TALKIN' ABOUT, YOU FAGGET !

>it doesn't matter because the connection request was originated from inside the nat
how would this imaginary attacker suddenly appear behind the nat to connect to this service?

>what is RFC 4941

>YOU IMBECILE, YOUR MAC ADDRESS IS VISIBLE ALL OVER THE FUCKING INTERNET BECAUSE YOUR IPV6 ADDRESS IS HALF COMPOSED FROM YOUR ISP'S PREFIX AND THE OTHER HALF FROM YOUR MAC ADDRESS USING EUI 64, I AM LEARNING CCNA AND I KNOW WHAT I AM TALKIN' ABOUT, YOU FAGGET !
well, half of the mac at least.
besides, now you can change your mac and have your ipv6 address end in hex encoded ascii such as 4a4557
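
Added example, not written by any poster in the thread: the Modified EUI-64 derivation argued over above (RFC 4291, Appendix A), together with a check for whether an address's interface identifier exposes a MAC. The prefix, MAC and sample addresses are constructed values from documentation ranges.

```python
import ipaddress

def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier built from a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit (0x02) and insert ff:fe in the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")

def slaac_address(prefix, mac):
    """Address a host would form from a /64 prefix when it uses EUI-64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC expects a /64 prefix")
    return net[eui64_interface_id(mac)]

def embedded_mac(addr):
    """Return the MAC recoverable from addr, or None if the IID is not EUI-64 shaped.

    Heuristic: a random (RFC 4941 style) IID matches ff:fe by chance about 1 in 65536.
    """
    low64 = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    iid = low64.to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """Map each address whose IID looks MAC-derived to the recovered MAC."""
    return {a: m for a in addresses if (m := embedded_mac(a))}

# Constructed sample: one EUI-64 global, one EUI-64 link-local, one randomized IID.
SAMPLE = [
    "2001:db8:1:2:211:22ff:fe33:4455",
    "fe80::211:22ff:fe33:4455",
    "2001:db8:1:2:a1b2:c3d4:e5f6:1234",
]

if __name__ == "__main__":
    print(slaac_address("2001:db8:1:2::/64", "00:11:22:33:44:55"))
    for addr, mac in audit(SAMPLE).items():
        print(f"{addr} exposes MAC {mac}")
```

Run `audit` over the addresses your own interfaces report; any hit means that interface is not using temporary or otherwise randomized identifiers.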

Actually, you are the one who has no idea what you are talking about. you can use nc to connect to other listening servers outside the nat, there is no reason to use nc to wait for outside connections, a hacker can setup a listening server on his end and then connect to it from inside the nat

It was assumed there is a web server with forwarded port that had a remote code execution vulnerability

...ok and that's bad how?
You privacy nuts are retarded I swear to God.

>you can use nc to connect to other listening servers outside the nat, there is no reason to use nc to wait for outside connections, a hacker can setup a listening server on his end and then connect to it from inside the nat
so you admit that if the service is set up as listening it cant be connected to from the outside
that wasnt so hard, was it?

i have it disabled, no idea whats the point of having it enabled

I'm telling you it doesn't matter if it can't be connected from outside. the system is just as vulnerable as if it was connectable from the inside
You should refrain from voicing your opinion on nat in the future given that you clearly have no idea what you are talking about.
Maybe one day you'll understand

Shell shoveling dipshit. nat defeating isn't hard. STUN, TURN and most of the neo tls standards make using unencrypted information or mitm bullshit unworkable. NATs are basically cucking people into stupid archaic and cloud oriented web services and technologies.

>4a4557

rubbity rub :DDD

>from the inside
outside*

wtf I love windows now

lol

lowering attack surface

heh

If your ISP does not route IPv6 traffic you can disable it, as they will do any conversions for you, so you wont miss out on any ipv6-only websites etc.

If you dont have an IPv6 router you can disable it as you will have no need of it

In fact the only scenario where you want IPv6 enabled is if your ISP uses IPv6 and you have an IPv6 enabled router, theres no other reason to enable it at all

Since there are very few ISP's who actually have IPv6 traffic on their networks you can probably disable it

>Since there are very few ISP's who actually have IPv6 traffic on their networks you can probably disable it
wut?

Most ISPs have IPv6 at this point.

like who?

>Most
hahahahahahahahahahahahahahaha


sadly not

Every mobile ISP in the US.

Comcast, Cox, Spectrum, AT&T, Google fiber, etc.

Verizon has been beta testing IPv6 deployment as well pic related

yes, beta testing it with only invited testers, who have been selected based on their suitability to understand what they are doing with IPv6. So around 0.00001% of their users, if that

Not true at all, it's 100% random.
dslreports.com/forum/r32136440-Networking-IPv6-working

here's some statistics that actually matter
google.com/intl/en/ipv6/statistics.html

22% is a massive amount.

IPv6 is juz raisus n sheit to keep the crackas in charge of dems compootahs

the only sane one in this thread

My ISP hasn't even rolled out IPV6 yet and no idea when they will.

There's no reason to use both at the same time, give me one good fucking reason.
You either switch to IPv6 only (yeah good fucking luck have fun with that), or disable it until IPv4 is gone for good and you have no other choice, and let's be real here, that's not gonna happen any time soon.
I'm not saying it's a bad idea or bad tech, but if you have it enabled you're a fucking bloated guinea pig so there's that. It's pick one or the other, there is no good reason to have both enabled at the same time.

IPv6 tends to leak on Debian/Ubuntu and other related Linux distros when using a VPN. Disabling it can be a good idea when using some VPNs.

for some lulz read the posts by "OugCPC"

forum.openwrt.org/t/default-network-address/27429

Only if your vpn doesn't support ipv6
Get a better vpn

NAT != reverse proxies

There are resources on the internet that only use IPv4
There are resources on the internet that only use IPv6
That's why you should have a dual stack and have no reason to limit yourself to one or the other at least for the foreseeable future.

It is 2019 and we are still having "people don't understand that NATs aren't firewalls" threads. Great.

Because nothing any of us use takes advantage of IPv6

>If I write all in caps I might not seem as stupid as I am!

>NAT is security
>reverse shells can't be popped through reverse proxies
>EUI64 is the only way IPv6 addresses are generated
>what do you mean I should have a firewall? I'm behind NAT!

I think we have NAT to thank for the freedom we now enjoy on the internet. That sharing of ip addresses made people have to tolerate things they'd rather crack down on or ban.

big fuckin doy theyre not firewalls m8
point is k
youve got layers ya dingus
layers m8 thats tWO layers
ok
thats beter than 1
youve got the firewall
n youve got nat right
if ya goddamn firewalls not encrypted,
i mean that's it isnt it
totally fukt m8 call it in
but with nat see
ya get past the firewall n its all like
uh oh
where do i go now????
you gotta pivot!
where do i go? where do i send my
my fuckin uh
where do i send my nigerian malwarebytes?
ya know
extral ayers m8 you see what im sayin

I am not saying tracking is impossible or even impractical nowadays but I think NAT was instrumental in shaping internet culture over the years.

brainlet here, i get that a "NAT isnt a firewall" but what the fuck is the difference between, say, blocking port 22 from outside traffic in pf or just not forwarding port 22 with the NAT? How is blocking a port with a firewall more secure than not forwarding a port? or are you autists just arguing over terminology?

which ISP?

Most likely on your home network you have a router that gets the one ip your network has to the outside world.

If you have your router set up to accept any incoming connections, then they are forwarded to one of the machines on your network via NAT.

Suppose you have 3 machines

Machines you set up in your router to have static ips ( you need a static mac and you tell your router to always assign that mac the same ip )

webserver (192.168.1.10 )
laptop1 ( 192.168.1.42 )

laptop2 ( assigned a random IP 192.168.0.x )

Perhaps you run a small website using webserver. (like you and family can upload/view family photos). You own everything-is-a-bot.net and everything-is-a-bot.net/ goes to where webserver/ ends up on your local network. Maybe server does a bunch of local things too, such as running pihole and other things.

Even though you don't have a static IP from your isp you use DynDNS so it works anyway.

How does the https request get from that external ip to the webserver machine? Why doesn't it go to laptop1?

It's because your router uses NAT to send incoming https to that machine.

Maybe you want to get into your home network via port 22. But you leave laptop1 on all the time ( it's used more like a desktop ) and when you do:

ssh [email protected]

You want to end up logged into laptop1 instead of webserver.

You can have your router forward port 22 to laptop1. If you want to get to webserver you have to ssh to webserver from laptop1 ( another hop)

You should block everything you aren't using. You have to nat the stuff you are to the right host.

Your router NATS 192.168.1.X addresses to the external ip when you make an outgoing connection regardless.
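
Added example, not written by any poster in the thread: a toy gateway model that treats address translation and inbound filtering as separate switches. It shows which of the setups argued over above deliver an unsolicited inbound packet, and what happens to a flow opened from the inside. The model assumes a port-preserving NAT and tracks flows by remote host only; the class, function names and the 2001:db8::/203.0.113. addresses are constructed for illustration.

```python
PUBLIC = "PUBLIC"  # stands for the gateway's single outside IPv4 address

class Gateway:
    """Toy model: translation (nat) and filtering are independent settings."""

    def __init__(self, nat, filter_inbound=False, forwards=None,
                 dmz_host=None, allow=None, egress_ports=None):
        self.nat = nat
        self.filter_inbound = filter_inbound
        self.forwards = forwards or {}    # NAT: outside port -> (host, port)
        self.dmz_host = dmz_host          # NAT: catch-all inside host ("DMZ")
        self.allow = allow or set()       # filter: permitted (host, port) pairs
        self.egress_ports = egress_ports  # None means any outbound port is allowed
        self.flows = {}                   # (remote, outside host, port) -> inside

    def outbound(self, host, sport, remote, dport):
        """Inside host opens a connection; False if egress policy drops it."""
        if self.egress_ports is not None and dport not in self.egress_ports:
            return False
        outside_host = PUBLIC if self.nat else host
        self.flows[(remote, outside_host, sport)] = (host, sport)
        return True

    def inbound(self, remote, dst_host, dst_port):
        """Return the inside (host, port) the packet is delivered to, or None."""
        tracked = self.flows.get((remote, dst_host, dst_port))
        if tracked:
            return tracked                # reply traffic for an existing flow
        if self.nat:
            if dst_port in self.forwards:
                return self.forwards[dst_port]
            if self.dmz_host:
                return (self.dmz_host, dst_port)
            return None                   # no mapping exists for this port
        if self.filter_inbound and (dst_host, dst_port) not in self.allow:
            return None                   # dropped by a firewall rule
        return (dst_host, dst_port)

def compare(port=60000):
    """Unsolicited inbound packet to `port` under four gateway configurations."""
    web4, web6, remote = "192.168.1.10", "2001:db8::10", "203.0.113.7"
    cases = {
        "nat_forward_443_only": (Gateway(nat=True, forwards={443: (web4, 443)}), PUBLIC),
        "nat_with_dmz_host": (Gateway(nat=True, dmz_host=web4), PUBLIC),
        "routed_v6_stateful_fw": (Gateway(nat=False, filter_inbound=True,
                                          allow={(web6, 443)}), web6),
        "routed_v6_no_filter": (Gateway(nat=False), web6),
    }
    return {name: gw.inbound(remote, dst, port) for name, (gw, dst) in cases.items()}

def outbound_then_reply(egress_ports=None):
    """Flow opened from inside a NAT: is the remote's reply delivered?"""
    gw = Gateway(nat=True, egress_ports=egress_ports)
    if not gw.outbound("192.168.1.10", 51000, "203.0.113.7", 4444):
        return None
    return gw.inbound("203.0.113.7", PUBLIC, 51000)
```

In this model the unforwarded NAT and the routed stateful firewall drop the same inbound packet, the "DMZ" NAT delivers it, and only an egress rule changes the outcome for a flow opened from inside.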