I object to this statement. You can buy name brand routers today that don’t implement it properly. Sure, they route packets, but they have broken stateless auto configuration or don’t respect DHCPv6 options correctly, and the situation is made worse because you don’t know how your ISP implements IPv6 until you try it.

God help you if you need a firewall where you can open ports on v6. Three years ago I bought one that doesn’t even properly firewall IPv6.

I tested a top-of-the-line Netgear router to find that it doesn’t support opening ports and once again doesn’t correctly support forwarded IP DHCPv6, which even if that works correctly, your Android clients can’t use it 🫠 Decades later there’s no consensus on how it should function on every device. This is a severe problem when you are a standard.

The state of IPv6 on consumer hardware is absolute garbage. You have to guess how your ISP implements it if at all, and even then you’re at the mercy of your limited implementation. If you’re lucky it just works with your ISP router. If you’re not, it’s a PITA.

EDITs: spell corrections and clarification.

[–] Melody@lemmy.one 7 points 5 months ago* (last edited 5 months ago) (5 children)

This is why I use PFSense and Hurricane Electric as a v6 tunnelbroker. I have working functional IPv6 with SLAAC and DHCPv6 and full Routing Advertisements on my LAN running side-by-side so that no matter which the device implements how poorly; it gets an IPv6 address and it works and is protected by the firewall.

[–] henfredemars@infosec.pub 2 points 5 months ago* (last edited 5 months ago) (4 children)

That sounds awesome.

I really like stateless, but it bugs me that the router has to snoop on traffic if you want a list of devices. The good ones will actually do this, but most are blind to how your network is being used with IPv6.

And it really bothers me that Android just refuses to support DHCPv6 in any capacity. Seems like a weird hill to die on. There are too many legitimate use cases.

[–] Melody@lemmy.one 4 points 5 months ago (1 children)

I run both because of this; and because SLAAC enables features in Desktop OSes that offer some level of additional privacy.

For example; Windows can do "Temporary IPv6 Addressing" that it will hand out to various applications and browsers. That IPv6 address rotates on a periodic basis; once every 24 hours by default; and can be configured to behave differently depending on your needs via registry keys.

This could for example, allow you to quickly spin up a small application server for something; like a gaming session; and let you use/bind that IPv6 address for it. Once the application stops using it and the time period has elapsed; Windows drops the IP address and statelessly configures itself a new one.

[–] kungen@feddit.nu 1 points 5 months ago (1 children)

I also like the privacy extensions, but how often does your prefix even change? Most places I've seen you get a /64 announced and it basically never changes -- so somewhat elementary to "break through" that regardless.

[–] Melody@lemmy.one 2 points 5 months ago

I have a /48 that I can basically roll through.

A /64 is more than enough though to prevent most casual attempts at entry; and does force more work / enumeration to be done to break into a network and do damage with. I'm not saying the privacy extensions are the greatest; but they do work to slightly increase the difficulty of tracking and exploitation.

With a /48 or even a /56; I can subdivide things and hand out several /64s to each device too; which would shake up things if tracking expects a /64 explicitly.

I actually use /55s to cordon off blocks inside the /48 that aren't used too. So dialing a random prefix won't help. You'd be surprised how often I get intrusive portsweeps trying to enumerate my /64s this way...and it doesn't work because I'm not subnetting on any standard behavior.

load more comments (2 replies)

load more comments (16 replies)