IPv6

Stop using IPv6 immediately if you value your privacy. Disable it at the router-level ideally.

>Reasons:
Half of the address is a unique identifier derived from your MAC address, making your device identifiable.
>but what about privacy extensions
They aren't enabled by default on most systems, and even then don't work correctly. Ubuntu 18.04 doesn't enable them by default, for example. In Windows 10, they were ignored for over 1.5 years if set and global address was used instead [1]:
>"Temporary IPv6 address is present but not used"
>"Still a problem in 2018, a year and a half later"
FreeBSD doesn't enable them by default [2]:
>"Please do not enable classical RFC 4941 temporary addresses by default!"
Etc, etc - you simply can't rely on software to do it right.

Among others, one reason for disabling privacy extensions by default is because they make networks susceptible to cache overflows as devices will accumulate many addresses in a short period. Administrators don't like this, they prefer stability over privacy. As such, even the RFC itself recommends disabling privacy extensions by default [3]:
>"[T]he use of temporary addresses SHOULD be disabled by default in order to minimize potential disruptions"
This is what FreeBSD argues for their reasoning to disable privacy addresses.

As such, there's a revision to the privacy addresses, Stable Privacy addresses, that allows stable addresses. It's like the global address but the MAC is mangled. But this only hides your MAC between networks, it still makes your device uniquely identifiable on a given connection. Unlike traditional privacy addresses, these are non-random and persistent - zero privacy.

1. social.technet.microsoft.com/Forums/windows/en-US/57925467-2b8d-4c2d-b1f2-b0402581a30e/how-does-one-get-the-system-to-actually-use-the-ipv6-temporary-addresses?forum=win10itpronetworking
2. lists.freebsd.org/pipermail/freebsd-net/2017-June/048176.html
3. tools.ietf.org/html/rfc4941

(Cont)

Attached: Anatomy-of-an-IPv6-Address-1.jpg (562x408, 113K)
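Added example, not part of the original post or its sources: how SLAAC turns a MAC address into the EUI-64 interface identifier the post is talking about, how the MAC can be read straight back out of such an address by anyone who sees it, and a check that tells an EUI-64 address apart from one with an opaque (temporary or stable-privacy) identifier. The MAC, prefix and addresses used are constructed.

```python
"""
Added example, not part of the original post: EUI-64 derivation, reversal and
classification. The MAC, prefix and addresses used below are constructed.
"""
import ipaddress
from typing import Optional


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC (RFC 4291 appendix A).

    Split the MAC in half, insert 0xFFFE between the halves, and flip the
    universal/local bit (0x02 of the first octet).
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address SLAAC without privacy extensions forms from a /64 prefix and the MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_iid(mac))


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 address, or None if the IID is not EUI-64 shaped.

    Anyone who sees the address can do this; that is the identification problem.
    """
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


def classify_iid(addr: str) -> str:
    """'eui64' if the address embeds a MAC, otherwise 'opaque'.

    An opaque IID is either an RFC 4941 temporary address (random and rotated)
    or an RFC 7217 stable-privacy address (random-looking but fixed per
    network); the bits alone cannot tell those two apart, only watching
    whether the address changes over time can.
    """
    return "eui64" if mac_from_eui64(addr) is not None else "opaque"


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"  # constructed
    addr = slaac_address("2001:db8:1234:5678::/64", mac)
    print(addr, "->", mac_from_eui64(str(addr)), classify_iid(str(addr)))
```

Run it against the addresses `ip -6 addr` shows on a host; any global address that classifies as `eui64` hands out the MAC, and the stable-privacy case is only distinguishable from a temporary address by whether it ever rotates.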


>No NAT
No NAT means your ISP can count every connected device on your LAN behind your router. With IPv4 NAT, all the ISP sees is the gateway making connections. With IPv6, the ISP sees each individual IPv6 device. While you can use NAT with IPv6, it's never used in practice as IPv6 is supposed to deprecate the need for NAT. And if you do set up NAT, you might as well just use IPv4.

This also applies to connected domains since the IPv6 prefix identifies your ISP+region, so, for example, Google can count how many devices you have which use their services. This makes tracking much easier, IPv6 is like a global cookie in IP form.

And of course even for stable privacy extensions (which are usually the default now to prevent flooding) this all applies. Doesn't matter if MAC is hidden, each device on your LAN is visible.

No NAT also means proper firewalling is absolutely essential. While NAT isn't supposed to be used for security, it does offer some. With IPv6, you better ensure your WAN is set up correctly otherwise anyone can make direct connections.

This is all to say IPv6 just over-complicates things while offering zero benefit to the average network. IPv6 is decades in the making but is still crashing entire networks [4]:
>"The principal change that I have made in this regard is to disable IPv6 on most CSAIL networks. I have come to the conclusion that so much in IPv6 design and implementation has been botched by protocol designers and vendors (both ours and others) that it is simply unsafe to run IPv6 on a production network"
And now random addresses are being deprecated for stable, identifiable ones, and thus IPv6 offers no privacy compared to IPv4 + NAT. The protocol is broken botnet.

4. blog.bimajority.org/2014/09/05/the-network-nightmare-that-ate-my-week/

Attached: ipv6_no.jpg (500x292, 89K)

>Half of the address is a unique identifier derived from your MAC address, making your device identifiable.
that just makes it easier to evade bans and harder to be identified, since MACs can be easily changed.

Attached: 823846.png (342x395, 183K)

Jow Forums doesn't allow IPv6 for this reason, this botnet needs to identify you at any time.

>No NAT means your ISP can count every connected device on your LAN behind your router. With IPv4 NAT, all the ISP sees is the gateway making connections. With IPv6, the ISP sees each individual IPv6 device. While you can use NAT with IPv6, it's never used in practice as IPv6 is supposed to deprecate the need for NAT. And if you do set up NAT, you might as well just use IPv4.
>No NAT also means proper firewalling is absolutely essential. While NAT isn't supposed to be used for security, it does offer some. With IPv6, you better ensure your WAN is set up correctly otherwise anyone can make direct connections.
Dude are you retarded? Your ISP has full access to your router. They can connect to your network shares if they want to. You have always needed a proper firewall.

Only the half most significant bits (64) are used for routing. You just block the leading prefix to block an entire network, same as IPv4. This prefix is what your ISP assigns you.

>using the ISP-provided router
who the flying fuck does this

>Your ISP has full access to your router.
Only if you're using your ISPs router, which I seriously hope no one on Jow Forums does. The firewall is less relevant now, but a couple years ago OpenWRT was recommended over DD-WRT simply because the latter didn't come preconfigured with a IPv6 firewall.

Attached: 1476096948264.jpg (250x250, 10K)

People without a proper firewall, cause if you have a good router you can easily set up a firewall no matter the addressing protocol. You don't need a fucking Checkpoint/F5, and I bet those are backdoored anyway.

Another thing: even if your device isn't using IPv6, e.g. it ignores the protocol, you still have a visible IPv6 address if your router has IPv6 enabled.

Am I safe?

Attached: pfsense.png (2590x1693, 352K)

>Half of the address is a unique identifier derived from your MAC address, making your device identifiable.
No shit, this was always known. MAC addresses can be faked so easily it's a joke.

>No NAT
That's fucking great. It's one of the biggest reasons IPv6 is good.
>means your ISP can count every connected device on your LAN behind your router
90% of NPCs use the ISP router anyways.
>No NAT also means proper firewalling is absolutely essential
Not really. Home routers will simply switch from "NAT on by default" to "Deny inbound by default"
In enterprise, if you can't configure your firewall you shouldn't have a job anyways
>This is all to say IPv6 just over-complicates things while offering zero benefit to the average network
That's true. Except purging the awful NAT. But we are used to its shit by now, so who cares.

And to address everything else in your shitty posts:
You can have IPv6 for WAN and still have only IPv4 internally you mongol. You also get to keep your godawful NAT too.

Sage goes in all fields.

>Only if you're using your ISPs router
Got any good info on how to set this up properly?

If you bothered setting pfsense up already, then why do you want advice about firewalls from random anons on Jow Forums?

Go fuck yourself op.
You retarded and braindead people are what is keeping networking back.
IPv4 is fucking retarded shit and it should die along with those who thought of it and made it an rfc.
If you want privacy, use a fucking vpn. that's what they are for.
Let networking be free from IPv4 evil. please.

welcome to 10 years ago, OP

This is the dumbest post I have read this year

I never assume I'm smarter than someone I haven't met and welcome any knowledge I can gain.
But seriously, I was being facetious.

you buy a new router or use an old computer
that's it
>the current state of Jow Forums

Why is everything ipv6 suddenly?

somehow get the settings from your ISP modem, apply them to your own modem, spoof your modem's MAC address to match theirs.

>No shit, this was always known
So why were privacy extensions tacked on AFTER the fact? You can spoof MAC addresses, yes, but nobody is doing that because they're not supposed to and it disrupts a home network each time, requiring new leases, etc, as you appear as a new device. What kind of a shitty protocol allows global identifiers based on the MAC?
>90% of NPCs use the ISP router anyways.
So you have no argument.
>You can have IPv6 for WAN
Yeah, and this is most likely using a global address, your router is identifiable. And makes IPv6 completely pointless because you might as well be using IPv4.

You haven't addressed the issue of no-NAT being IPv6 de facto allowing per-device identification. I don't want my ISP and Google counting each device on my LAN and yet that's what IPv6 mandates as de facto. Your post is shitty, not mine.
Read some of the sources I linked. IPv6 is a botched and hacked protocol that is breaking modern production networks.
>vpn
Not an excuse for the protocol being broken and insecure and on top of that its own privacy amendments being deemed unusable and requiring an even less secure revision.
All of the sources I linked are recent. Windows 10 didn't use privacy addresses up to 2018, users were browsing IPv6 with all their devices identifiable globally. FreeBSD in 2017 rejects a proposal to enable them by default. In 2014 random privacy addresses, part of the IPv6 protocol and thus supposedly usable in any situation, take down a production network. Many Linux distros don't enable them by default, which is technically correct as per the RFC. This is an issue right now as we speak, people are browsing the web on IPv6 and their devices are visible and traceable, and yet the push for IPv6 adoption continues to grow with no privacy measures in place.

>spoof your modem's MAC address to match theirs.
does the isp care if you do this?
>>the current state of Jow Forums
>everyone on Jow Forums has to know everything
cmon now, people can ask questions

>Read some of the sources I linked. IPv6 is a botched and hacked protocol that is breaking modern production networks.
I've read the post in your second post. from all I can see, it's just another braindead sysadmin who, like you, doesn't understand IPv6 and jumps to the conclusion that IPv6 is bad because they don't know how to use it.
Every argument you listed in your posts is simply wrong or not an issue, and were refuted by other anons so I won't bother

>Not an excuse for the protocol being broken and insecure and on top of that its own privacy amendments being deemed unusable and requiring an even less secure revision.
Expecting privacy from an ip address is like expecting privacy from a phone number. If you want privacy, use a vpn (burner phone).
Your argument that we should use a shitty designed internet protocol because you are delusional with your "security" claims.
If you don't like stateless config, then use DHCPv6 or static addresses. It's no worse than what you already have with IPv4

The easiest way is to buy a cheap OpenWRT-supported router. Then you probably have to bridge your ISPs router as a modem, and simply plug in the new router and use that for your network.
You just use DHCP, don't do anything manually. Why would you spoof the MAC, does your ISP whitelist gateways?

>So why were privacy extensions tacked on AFTER the fact?
Retards complained
>but nobody is doing that
Everyone and their cat was doing that at one point to get a new ID from Teamviewer. I even saw absolute idiots do it because they were reaching Teamviewer's free session limits. So you'd be wrong. Everyone with a positive IQ can do it.
>and it disrupts a home network each time
No home network uses leases user. Not even I do in mine. I just set a static on my PC and other devices can go fuck themselves.
>your router is identifiable
Your router is identifiable anyways what the fuck are you on about? Your ISP already knows who you are.
Half the world is using static WAN IPs too, so even google knows who you are too.
Unrelated: Dynamic IP country master race.
>You haven't addressed the issue of no-NAT being IPv6 de facto
NAT was a workaround for IPv4 exhaustion. Why would someone design a new protocol with a workaround in it? Workarounds are always shit. And I did address it. You can have IPv4 internally if you like it. It is easier to type after all, if you are a pleb with no internal DNS.

There is nothing wrong with IPv6. IPv4 and NAT were not designed to keep the amount of devices you have, private. It just ended up happening. If you care, you know what to do.

>expecting global addresses to not be derived from unique identifiers is unreasonable
What are you even arguing against, moron? Why shouldn't, in 2019, IPv6 support random temporary addresses out of the box by default on all applicable systems over global MAC-identifiable addresses or stable privacy addresses? This provides privacy, so it's absolutely a valid expectation. IPv6 is bad compared to the perfectly fine out of the box IPv4, because it exposes your LAN by design.
>braindead sysadmin
They were using the protocol as designed, how can you say they don't know how to use it?

I'll let you guess how i know you don't know shit about security/privacy

>Retards complained
I'm going to disregard your entire worthless post, because insinuating that MAC-based global identifiers is "retarded" and invalid to remedy makes you the retard, not anyone else.

Attached: 1424909133107.png (626x683, 265K)

I disabled IPv6 a long time ago.
I don't know a lot about computers and to me it sounded like any connected device would be able to be accessed by anyone around the world since the router wouldn't be the middle man anymore.
I never liked the idea of devices being able to be accessed from the outside world by default.
I also didn't like the idea of my server bypassing the router by default. I'm not experienced enough to secure that so I just have it behind the router with only 2 ports open.

>does your ISP whitelist gateways
many ISPs do.
en.wikipedia.org/wiki/MAC_spoofing#New_hardware_for_existing_Internet_Service_Providers_(ISP)

and some also require specific VLAN tags, MTU sizes, etc. that need to be set manually

>I'm going to disregard your entire worthless post
Of course you will. Probably because you realised that neither IPv4 nor the internet in general were designed with privacy in mind. In IPv4, every IP was supposed to be reachable just like IPv6 is now. I bet you want to remove IP addresses from TCP headers too, faggot.

>What are you even arguing against, moron? Why shouldn't, in 2019, IPv6 support random temporary addresses out of the box by default on all applicable systems over global MAC-identifiable addresses or stable privacy addresses?
IPv6 supports every possible address allocation method you want retard. It literally gives you a block of 18446744073709551616 addresses that you can assign to your clients HOWEVER THE FUCK you want.
You want dhcp? use dhcp. you want to use static addresses? fine. Don't want to bother with any config and want it to just fucking work? slap your mac address and go. Want privacy? change your suffix every single time you visit any website.
Why the fuck do you care about what the default is? If you are the network admin, then just disable stateless router advertisement and clients will request an address from dhcp. If you are a client, then disable slaac, use dhcp or set your own static address.
Are you seriously arguing that IPv4 is somehow better?
>IPv6 is bad compared to the perfectly fine out of the box IPv4, because it exposes your LAN by-design.
No, IPv6 doesn't expose your internal network and you are stupid for even thinking this. your isp has no way of knowing if you actually have 100 distinct devices on your network or if it's just a single device using 100 different addresses.
If you really want to, set up NAT66 so everything passes through just one address. It will be exactly like IPv4. Then shove it up your ass while the rest of us can put NAT to its death and embrace the future of NAT-less networking like it was always meant to be.

Your whole argument that IPv4 is better because IPv6 does 'things' is invalid because you can have every possible IPv4 configuration within IPv6, even the bad parts if you want to, since you seem retarded

Having every IP addressable is a good thing
if you're worried just get an actually decent firewall like sane people

I've been saying for years IoT can go on IPv6 and the WWW and internal legacy LANs should keep IPv4

Get a proper router and it's going to generate random identifiers. Also NAT is present to some extent. Probably even consumer grade shit routers do this by now. And stop posting uneducated shit.

This is some of the most retarded FUD I've seen in a while

eventually it will be even easier to track you specifically, since you'll be the only retard still using IPv4

I think this only applies to the modem, as the router itself has to support transparent DHCP so clients can connect, in which case you can simply plug in your own router and do double NAT and the ISP is none the wiser.

>router itself has to support transparent DHCP
In what ass-backwards ISP do they do that? First time I've ever heard of this

I have a similar issue, if I plug any device (router, laptop, desktop) directly into my ISP's ONT it'll work fine, but if I spoof the MAC address on a device and connect it to the ONT then it won't get connectivity until I revert to the original MAC address. Why does this happen?

How would the average normalfag connect their wireless device if the ISP router didn't do DHCP and if the router whitelisted MACs? It's only the modem, be it cable or DSL, that matters, which is coincidentally why there's no (few?) open-source firmware support for modems.

but IPv6 is inevitable so what do we do?

Transparent DHCP means that DHCP requests and leases pass through the router to the ISP like it would from a relay. So the ISP assigns an address for each of your internal devices.
I've never heard of an ISP that does that. Now I'm not so sure that user knew what that meant though...

That's a whole lot of words just to say "turn on randomized addresses if you use IPv6"

This is how I do it.

Attached: own-router.png (1029x752, 21K)

Is the OpenBSD device doing layer 3 routing, or only filtering at layer 2? If it's pf it must be layer 3, right? I don't think pf does layer 2 you need something like ebtables for that.

I have mine set up like so

Attached: 44534.png (1017x501, 15K)

Need to learn IPv6, what are some good guides that are actually written well and not just copy paste of RFCs or pajeet plagiarism?

anybody knows
pls respond

how do i disable in debian for lesbians?

It only uses your MAC address if you configure it with SLAAC, you can use DHCP instead.

I use OpenWRT. Do I need to change any settings or are the default settings secure enough?

That's called EUI64. You can disable that if you want with privacy extensions.

The ipv6 firewall in openwrt is default deny. you can set up a rule to forward by interface ID.

In IPv6, DHCP is not typically used to get an address from the router like it is in IPv4. DHCPv6 is a much different protocol that's mostly used for your router to request a large block of IPs from your ISP.

Instead, what you want is RFC 4941 SLAAC privacy extensions. You probably don't have to configure it, it is usually the default.

On Linux, IPv6 privacy extensions are supported by NetworkManager, but are not the default. To enable it, add "ip6-privacy=2" to the config file.

Attached: sysadmin of gensokyo.jpg (1333x1000, 529K)
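Added example, not part of the original post: an offline audit of what a Linux host actually does with RFC 4941 temporary addresses, which is the check behind the "usually the default" and "not the default" claims in the exchange above. It parses the output of `ip -6 addr show` (the kernel marks addresses `temporary` and `mngtmpaddr`) together with the per-interface `use_tempaddr` sysctl and flags interfaces whose outbound traffic would still carry an EUI-64 address. The `ip` output and sysctl values below are constructed; on a real host take them from `subprocess.run(["ip", "-6", "addr", "show"])` and from `/proc/sys/net/ipv6/conf/<iface>/use_tempaddr`.

```python
"""
Added example, not part of the original post: audit of IPv6 privacy
extension state on a Linux host, run over constructed `ip -6 addr` output.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed sample in the format `ip -6 addr show` prints: an EUI-64 global
# address, a temporary address generated beside it, and the link-local address.
SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1234:5678:21a:2bff:fe3c:4d5e/64 scope global dynamic mngtmpaddr
       valid_lft 86312sec preferred_lft 14312sec
    inet6 2001:db8:1234:5678:a1b2:c3d4:e5f6:789/64 scope global temporary dynamic
       valid_lft 86312sec preferred_lft 14312sec
    inet6 fe80::21a:2bff:fe3c:4d5e/64 scope link
       valid_lft forever preferred_lft forever
"""

# net.ipv6.conf.<iface>.use_tempaddr: 0 = off, 1 = generate temporary addresses
# but still prefer the public (EUI-64 or stable) address as source,
# 2 = generate and prefer the temporary address for outbound connections.
SAMPLE_USE_TEMPADDR = {"eth0": 1}  # constructed

IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+)")
ADDR_RE = re.compile(r"^\s+inet6\s+([0-9a-f:]+)/\d+\s+scope\s+(\w+)(.*)$", re.I)


@dataclass(frozen=True)
class Ip6Addr:
    iface: str
    addr: str
    scope: str
    flags: FrozenSet[str]


def is_eui64(addr: str) -> bool:
    """True if the interface identifier carries the 0xFFFE marker SLAAC puts into a MAC."""
    return ipaddress.IPv6Address(addr).packed[11:13] == b"\xff\xfe"


def parse_ip6_addr(text: str) -> List[Ip6Addr]:
    """Pull (interface, address, scope, flags) out of `ip -6 addr show` output."""
    entries: List[Ip6Addr] = []
    iface = None
    for line in text.splitlines():
        head = IFACE_RE.match(line)
        if head:
            iface = head.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and iface:
            addr, scope, rest = m.groups()
            entries.append(Ip6Addr(iface, addr, scope, frozenset(rest.split())))
    return entries


def audit(text: str, use_tempaddr: Dict[str, int]) -> Dict[str, List[str]]:
    """Findings per interface; an empty list means nothing to flag on that interface."""
    findings: Dict[str, List[str]] = {}
    for e in parse_ip6_addr(text):
        findings.setdefault(e.iface, [])
        # A link-local EUI-64 address only exposes the MAC on the local segment,
        # where the MAC is visible in every frame anyway.
        if e.scope != "global" or "temporary" in e.flags:
            continue
        if is_eui64(e.addr):
            findings[e.iface].append(f"{e.addr} is EUI-64 and embeds the MAC")
            mode = use_tempaddr.get(e.iface, 0)
            if mode < 2:
                findings[e.iface].append(
                    f"use_tempaddr={mode}: the EUI-64 address is preferred as source, "
                    "so outbound connections expose it")
    return findings


if __name__ == "__main__":
    for iface, items in audit(SAMPLE_IP_ADDR, SAMPLE_USE_TEMPADDR).items():
        print(iface, items or ["ok"])
```

With `use_tempaddr=1` the temporary address exists but the kernel still picks the EUI-64 address as source, which is the situation the Windows thread in the OP describes; only `2` makes the temporary address the preferred one, and even then the EUI-64 address stays bound to the interface and reachable.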

I have also just set up default OpenWRT 18.02. I have disabled IPv6 on my machine, so no IPv6 connections outbound from client. However, what's disturbing is, if I go to google.com/search?q=what is my ip , it shows my public router IPv6 address even though my computer isn't using IPv6. So OpenWRT is routing IPv4 outbound to IPv6, and this IPv6 address is the global one tied to the router MAC. So it's probably best to just disable IPv6 in OpenWRT if you have no need for it - at least that's what I'm doing.

>if you value your privacy
I really don't, the truth will set you free. If you want to spy on me, then so be it. You will learn what you want to learn about me.

>Half of the address is a unique identifier derived from your MAC address, making your device identifiable.

Yes, but if not, websites such as Google will be able to view your MAC address and low-level specs such as CPU make and motherboard make. And of course these websites will use this to serve ads. Also it's dangerous for normies who don't know how to properly set up a firewall.

ok normiefag. Do you use Windows 10 anon?
Do you use Instagram anon?

>normiefag
No.
>Do you use Windows 10 anon
Yes.
>Do you use Instagram anon?
No.

enjoy your botnet operating system

Attached: 1438066399925.jpg (2880x1800, 1.85M)

Attached: qgoK5Km.jpg (3664x2626, 906K)

In the rare event any of this GNU/FUD is true, I couldn't care less. Nothing to hide, nothing to fear.
Oh no someone might read the post I make public on the internet, or spy on me while I make commits to open source software, or read my private conversations about what American silverware is like to Chinese students. If only I had some privacy.

yes to both nigga, what's up

>nothing to say, nothing to fear
>I don't care, therefore I will drag down everyone who does with me

It's nice to actually talk to people without being intercepted by a third party.
But I mean, Microsoft doesn't need to see who you follow on normiebook and doesn't need to bug your microphone to serve you ads, or even view all the programs you are running on your system. I mean the line has to be drawn somewhere.

>not changing your IP address every 30 seconds since you have a /64
sad

I don't care about you as well.

When did I say you had to use what I use?

None of it affects me which is why I really don't care. I have no problem with marketplaces knowing what I like since it only makes things more convenient for me.
>but doesn't it upset you that they make money off of that data
Not in the slightest. If people like Amazon want to buy my data to find out what kind of food I like and put it in my recommended section at no cost to me, I want that.
If Google wants to buy my data to know what kind of people I like so they can do the same with video on youtube, that's more than fine by me.
>looks like user likes cute asian women, we'll push them to the front page
What a nightmare!

So naive.
You think that's all that data is good for?

got no privacy right now anyways, I'm not a Jow Forumsentooman, so I don't know how a lot of this shit works and I don't want to just start doing shit I don't know, but i've been reading a book on networking so I learn how things work.
so for now I've accepted the botnet knows too much, nothing I can do. I don't wanna half-ass trying to escape the botnet by doing what people tell me to do without knowing how it all works

Feel free to enlighten me, I'm not as interesting as you seem to think I am. What are you so afraid of that you must give up your personal freedom and comfort to hide.

>Go fuck yourself op.You retarded and braindead people are what keeping networking back.IPv4 is fucking retarded shit and it should die along with those who thought of it and made it an rfc.If you want privacy, use a fucking vpn. that's what they are for.Let networking be free from IPv4 evil. please.

>Go fuck yourself
>You retarded and braindead people
lol
>IPv4 is fucking retarded shit
orange protocol bad
>it should die along with those who thought of it and made it an rfc
death is the punishment for wrong think

>IF YOU WANT PRIVACY
ipv6 is anti-privacy
> IPv4 evil.
orange rfc bad

*crack* *sip*
ipv4, now that was a real protocol

Attached: cirno_boomer.jpg (1200x900, 126K)

>google can enumerate your devices
literally don't give a fuck
>your interface is identifiable
only if you use slaac
>your network is identifiable
only if your isp assigns you a fixed prefix (I wish)

internetsociety.org/resources/deploy360/ipv6/security/ipv4-engineers

sites.google.com/site/yartikhiy/home/ipv6book

ipv6.he.net/certification/

Let me guess: you are like the people about "muh do not use vaccines", right?

Why don't you also disable IPv4? Fucking retard!

Run these two to disable Ipv6
sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1

>afraid of ipv6
i bet you still use windows 7

Hello?

If there's so many issues with ipv6 why don't we just upgrade to ipv5?

This disables in-kernel, including for LAN (plus it's not persistent, you have to edit some conf). But disabling WAN6 in luci web interface appears to allow LAN IPv6 while disabling harmful WAN IPv6.

>Half of the address is a unique identifier derived from your MAC address, making your device identifiable.
Isn't making your device identifiable the whole purpose of IP?

>Hey, look at me, I'm retarded!

Only retards oppose IPv6.
Also, not having NAT actually makes it harder to censor content and allows true decentralized communication.
IPv6 is in no way worse for privacy than IPv4: as long as you use your real ip, you're trivial to track regardless.

Problems with NAT:
Let's say you want to encrypt an IP packet with IPSec and then send it over a NAT:ed connection.
IPSec has two modes. AH and ESP.
AH = The entire packet is verifiable that it was sent and not modified along the way.
ESP = Only the payload is verifiable.

When you send a packet in AH mode, the IP headers are included in the HMAC function. If a single bit in the packet is changed, the end device can detect it.

In ESP mode, only the payload is verifiable. This allows routers and other devices to do things such as swap out the IP header for another one (NAT:ing them) without the HMAC breaking. The drawback of this is that there are portions of the packet which can be freely modified with no way for the IPSec devices to detect it.

Another problem happens when packets are fragmented.
Let's say you have a packet that is too big and needs to be split into two in order to get sent over a link.
The source and destination number are only in the first fragment, not the second one. What happens if fragment 2 arrives at a NAT:ing device before fragment 1?
Since NAT functions by changing the port numbers, the router/firewall will not be able to do NAT:ing until the first fragment arrives, which causes delays and the need for larger buffers.
Without NAT, the router/firewall can just ignore the ports and send fragment 2 as soon as it arrives.

What if an application uses IP addresses for something? Let's say a program includes the host's IP address in the data field for some reason. If such a packet is sent over NAT, the header info and payload will not match, since the header was modified. Something in the payload might also reference the IP header, and if that changes the data inside the data field might not function as it should.

NAT also breaks routing protocols because there are quite a few of them, and they all use their own packet formats which NAT devices don't always have special formatting implemented for (and even if they did, changing the packet might break integrity checks).

NAT can also be a headache when doing firewall rules, when the firewall itself is the NAT device. Does the NAT:ing happen before or after the firewall rules get processed? So if a device gets translated from 10.10.10.10 to 192.168.10.10, do I write the firewall rules as "allow 10.10.10.10" or do I write it as "allow 192.168.10.10"? Minor issue, but it has caused problems for me before.

NAT also requires more configuration in the network (at least static NAT), which adds to the burden of documentation and maintenance. Moved one server? Suddenly you may need to update the NAT rules in 2-3 places.
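Added example, not part of the original post: a toy model of the AH versus ESP point made above. AH's integrity check covers the IP header (with the fields that legitimately change in transit zeroed), so a NAT that rewrites the source address breaks it; ESP's check covers only the ESP header and payload, so the rewrite goes unnoticed, which is exactly the gap the post mentions. (In practice ESP still needs NAT-T, RFC 3948 UDP encapsulation, because a port-rewriting NAT cannot see the transport ports inside ESP.) Packets are dicts, the ICV is HMAC-SHA256 and the key is a constructed constant instead of one negotiated by IKE.

```python
"""
Added example, not part of the original post: why a source NAT breaks AH
but not ESP. Packets are dicts; the key below is a constructed constant.
"""
import hashlib
import hmac
from typing import Dict, Tuple

KEY = b"constructed-demo-key"  # a real SA key comes out of IKE

Packet = Dict[str, object]


def ah_icv(pkt: Packet) -> bytes:
    """AH (RFC 4302): the ICV covers the immutable IP header fields and the payload.

    Hop limit, DSCP and the header checksum are mutable and are zeroed before
    hashing; the addresses are not, so a NAT rewrite changes the result.
    """
    data = b"|".join([str(pkt["src"]).encode(), str(pkt["dst"]).encode(),
                      str(pkt["proto"]).encode(), bytes(pkt["payload"])])
    return hmac.new(KEY, data, hashlib.sha256).digest()


def esp_icv(pkt: Packet) -> bytes:
    """ESP (RFC 4303): the ICV covers only the ESP header (SPI, sequence) and payload."""
    data = b"|".join([str(pkt["spi"]).encode(), str(pkt["seq"]).encode(),
                      bytes(pkt["payload"])])
    return hmac.new(KEY, data, hashlib.sha256).digest()


def make_packet(src: str, dst: str, payload: bytes,
                spi: int = 0x1001, seq: int = 1) -> Packet:
    """Build a packet carrying both ICVs so the two modes can be compared side by side.

    A real packet carries either AH (protocol 51) or ESP (protocol 50), not both.
    """
    pkt: Packet = {"src": src, "dst": dst, "proto": 50, "spi": spi, "seq": seq,
                   "payload": payload}
    pkt["ah_icv"] = ah_icv(pkt)
    pkt["esp_icv"] = esp_icv(pkt)
    return pkt


def source_nat(pkt: Packet, public_ip: str) -> Packet:
    """What a source NAT does on the way out: rewrite the source address, nothing else."""
    out = dict(pkt)
    out["src"] = public_ip
    return out


def verify(pkt: Packet) -> Tuple[bool, bool]:
    """(ah_ok, esp_ok) as the receiving IPsec peer would compute them."""
    ah_ok = hmac.compare_digest(bytes(pkt["ah_icv"]), ah_icv(pkt))
    esp_ok = hmac.compare_digest(bytes(pkt["esp_icv"]), esp_icv(pkt))
    return ah_ok, esp_ok


if __name__ == "__main__":
    pkt = make_packet("10.0.0.5", "203.0.113.9", b"hello")   # constructed
    print("before NAT:", verify(pkt))
    print("after NAT: ", verify(source_nat(pkt, "198.51.100.1")))
```

The second line of output is the whole argument: AH fails closed on the rewritten header while ESP still reports the packet intact, so ESP crosses the NAT but the peer has no way to notice that the outer addresses were changed on the way.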

>Problems with NAT
I'll help you user
STUN

There are more issues too, like the specifications for NAT being kind of fussy, and behavior varying between different devices, NAT causing issues when the initiator of the traffic is on the outside of the NAT (why we need port forwarding), and so on.

IPv6 does not use ARP anymore.

The reason why we had ARP was to figure out the MAC address associated with a specific IP.
In IPv6, ARP has been replaced with "Neighbor Discovery" (ND). ND is like ARP but with more functions. For example it is used in the duplicate address detection (DAD) which allows for automatic assignment of IP addresses without the need for a centralized DHCP server. ND can also be used for mapping and discovering MAC addresses associated with a specific IP address.

The major benefit of using ND instead of ARP is that ND supports security extensions.
Devices can actually verify that yes, this device with this IP actually owns this MAC address like it says, using certificates.
cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/15-mt/sec-data-acl-15-mt-book/ip6-send.pdf
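Added example, not part of the original post: the cryptographically generated address (CGA, RFC 3972) that SEND uses to bind an IPv6 address to a public key, which is what lets a neighbour check that the sender of an ND message really owns the address it claims. RFC 3972 feeds a DER-encoded SubjectPublicKeyInfo into the hash; here the key is an opaque constructed byte string, and the RSA signature SEND puts over the ND message itself is not shown.

```python
"""
Added example, not part of the original post: RFC 3972 CGA generation and
verification. The public key below is a constructed placeholder.
"""
import hashlib
import ipaddress
import os
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class CgaParams:
    """The CGA Parameters a SEND node sends alongside its address (RFC 3972 section 3)."""
    modifier: bytes          # 16 octets
    prefix: bytes            # 8 octets: the /64 subnet prefix
    collision_count: int     # 0, 1 or 2, bumped on DAD collisions
    pubkey: bytes            # DER SubjectPublicKeyInfo in the RFC; opaque bytes here


def _hash1(p: CgaParams) -> bytes:
    return hashlib.sha1(p.modifier + p.prefix + bytes([p.collision_count]) + p.pubkey).digest()


def _hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    """Hash2's leftmost 16*sec bits must be zero; sec is the hash-extension work factor."""
    if sec == 0:
        return True
    h = hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()
    return int.from_bytes(h, "big") >> (160 - 16 * sec) == 0


def _iid(p: CgaParams, sec: int) -> bytes:
    iid = bytearray(_hash1(p)[:8])
    iid[0] = (iid[0] & 0x1F) | (sec << 5)  # bits 0-2 carry sec
    iid[0] &= 0xFC                          # bits 6-7 (u/g) are cleared
    return bytes(iid)


def cga_generate(prefix: str, pubkey: bytes, sec: int = 0,
                 modifier: Optional[bytes] = None) -> Tuple[ipaddress.IPv6Address, CgaParams]:
    """Generate a CGA for the given /64 and key; returns the address and its parameters."""
    if not 0 <= sec <= 7:
        raise ValueError("sec is a 3-bit value")
    prefix_bytes = ipaddress.IPv6Network(prefix, strict=False).network_address.packed[:8]
    mod = modifier if modifier is not None else os.urandom(16)
    # Hash extension: search for a modifier whose Hash2 has 16*sec leading zero bits.
    while not _hash2_ok(mod, pubkey, sec):
        mod = ((int.from_bytes(mod, "big") + 1) & ((1 << 128) - 1)).to_bytes(16, "big")
    params = CgaParams(mod, prefix_bytes, 0, pubkey)
    return ipaddress.IPv6Address(prefix_bytes + _iid(params, sec)), params


def cga_verify(addr: str, params: CgaParams) -> bool:
    """Check that addr was derived from params (RFC 3972 section 5)."""
    ip = ipaddress.IPv6Address(addr)
    if params.collision_count > 2 or ip.packed[:8] != params.prefix:
        return False
    iid = ip.packed[8:]
    sec = iid[0] >> 5
    expected = _hash1(params)[:8]
    # Compare ignoring the sec bits (0-2) and u/g bits (6-7) of the first octet.
    if (iid[0] & 0x1C) != (expected[0] & 0x1C) or iid[1:] != expected[1:]:
        return False
    return _hash2_ok(params.modifier, params.pubkey, sec)


if __name__ == "__main__":
    key = b"constructed-public-key-bytes"  # stand-in for a DER SubjectPublicKeyInfo
    addr, params = cga_generate("2001:db8::/64", key, sec=1)
    print(addr, cga_verify(str(addr), params))
```

A verifier that gets the CGA Parameters with an ND message can recompute the address from the key, so an attacker who wants to answer for someone else's address has to find a key whose hash collides with it; `sec` raises the cost of that search by 2^(16*sec). Note what CGA does not give you: the address is bound to a key, not to a host identity, and generating a CGA on a random modifier is itself a form of opaque, non-EUI-64 identifier.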

>symmetric NAT
*blocks your path*

I'll be honest, I've never used that for more than a simple test. Sounds like it won't work on mid-large networks though.

OP is a fag. Lack of NAT is a feature, not a bug. Learn what socket pressure is and why torrenting chokes up your router. Also learn what IPv6 privacy extensions are you triple fucking nigger.

If IPv6 is "anti-privacy", so is IPv4, except IPv6 doesn't suffer from as many potential MITM attacks due to NAT not being pretty much mandatory.
Also, you sound gay.

NAT wouldn't be a big deal if every implementation used a simple full cone mode. but cheap fucks had to come up with symmetric shit because there are only 65535 ports per ip and is easily exhausted by as few as 500 clients. But instead of adding IP addresses to support more clients, they opened the gates of hell and summoned symmetric nat, which is practically impossible to defeat without fully relaying data between parties.

Almost every NATed network, except for home networks (assuming ISP doesn't utilize cgnat) is guaranteed to be symmetric.
It's shit and breaks every form of p2p applications.
We need to move away from IPv4, IPv6 is fucking awesome. There is literally nothing wrong with IPv6 that cannot be solved by changing the default configs. OP's whole argument is that the defaults don't work for him so his solution is staying on god awful shit IPv4

>It literally gives you a block of 18446744073709551616 addresses that you can assign to your clients HOWEVER THE FUCK you want.

But is that enough?

>tfw my ISP still doesn't offer IPv6 despite bragging about it since 2011