this post was submitted on 08 Jun 2024
479 points (97.4% liked)
Memes
45719 readers
1057 users here now
Rules:
- Be civil and nice.
- Try not to excessively repost, as a rule of thumb, wait at least 2 months to do it if you have to.
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I also like the privacy extensions, but how often does your prefix even change? Most places I've seen you get a /64 announced and it basically never changes -- so somewhat elementary to "break through" that regardless.
I have a /48 that I can basically roll through.
A /64 is more than enough though to prevent most casual attempts at entry; and does force more work / enumeration to be done to break into a network and do damage with. I'm not saying the privacy extensions are the greatest; but they do work to slightly increase the difficulty of tracking and exploitation.
With a /48 or even a /56; I can subdivide things and hand out several /64s to each device too; which would shake up things if tracking expects a /64 explicitly.
I actually use /55s to cordon off blocks inside the /48 that aren't used too. So dialing a random prefix won't help. You'd be surprised how often I get intrusive portsweeps trying to enumerate my /64s this way...and it doesn't work because I'm not subnetting on any standard behavior.