• Melody Fwygon
    link
    fedilink
    English
    arrow-up
    7
    ·
    edit-2
    7 months ago

    This is why I use PFSense and Hurricane Electric as a v6 tunnelbroker. I have working functional IPv6 with SLAAC and DHCPv6 and full Routing Advertisements on my LAN running side-by-side so that no matter which the device implements how poorly; it gets an IPv6 address and it works and is protected by the firewall.

    • henfredemars@infosec.pub
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      7 months ago

      That sounds awesome.

      I really like stateless, but it bugs me that the router has to snoop on traffic if you want a list of devices. The good ones will actually do this, but most are blind to how your network is being used with IPv6.

      And it really bothers me that Android just refuses to support DHCPv6 in any capacity. Seems like a weird hill to die on. There are too many legitimate use cases.

      • Melody Fwygon
        link
        fedilink
        English
        arrow-up
        4
        ·
        7 months ago

        I run both because of this; and because SLAAC enables features in Desktop OSes that offer some level of additional privacy.

        For example; Windows can do “Temporary IPv6 Addressing” that it will hand out to various applications and browsers. That IPv6 address rotates on a periodic basis; once every 24 hours by default; and can be configured to behave differently depending on your needs via registry keys.

        This could for example, allow you to quickly spin up a small application server for something; like a gaming session; and let you use/bind that IPv6 address for it. Once the application stops using it and the time period has elapsed; Windows drops the IP address and statelessly configures itself a new one.

        • kungen@feddit.nu
          link
          fedilink
          arrow-up
          1
          ·
          7 months ago

          I also like the privacy extensions, but how often does your prefix even change? Most places I’ve seen you get a /64 announced and it basically never changes – so somewhat elementary to “break through” that regardless.

          • Melody Fwygon
            link
            fedilink
            English
            arrow-up
            2
            ·
            6 months ago

            I have a /48 that I can basically roll through.

            A /64 is more than enough though to prevent most casual attempts at entry; and does force more work / enumeration to be done to break into a network and do damage with. I’m not saying the privacy extensions are the greatest; but they do work to slightly increase the difficulty of tracking and exploitation.

            With a /48 or even a /56; I can subdivide things and hand out several /64s to each device too; which would shake up things if tracking expects a /64 explicitly.

            I actually use /55s to cordon off blocks inside the /48 that aren’t used too. So dialing a random prefix won’t help. You’d be surprised how often I get intrusive portsweeps trying to enumerate my /64s this way…and it doesn’t work because I’m not subnetting on any standard behavior.