this post was submitted on 16 Aug 2024
691 points (98.9% liked)
Technology
59605 readers
3434 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
can you tell me if any device in an IPv6 LAN can just assign itself more IP v6 adresses and thereby bypass any fw rule?
IPv6 has two main types of non-broadcast addresses to think about: link-local (fe80::) and public.
A device can self-assign a link-local address, but it only provides direct access to other devices connected to the same physical network. This would be used for peer discovery, such as asking every device if they are capable of acting as a router.
Once it finds the router, there are two ways it can get an IP address that can reach the wider internet: SLAAC and DHCPv6. SLAAC involves the device picking its own unique address from the block of addresses the router advertises itself as owning, which is likely what you're concerned about. One option for ensuring a device can't just pick a different address and pretend to be a new device is by giving it a subset of the router's full public address space to work with, so no matter what address it picks, it always picks something within a range exclusively assigned to it.
Edit: I butchered the explanation by tying to simplify it. Rewrote it to try again.
In most cases, the router advertises the prefix, and the devices choose their own IPv6. Unless you run DHCPv6 (which really no-one does in reality, I don't even think android will use it if present).
It doesn't allow firewall bypass though, as the other commenter noted.
Question for you since I have very little real world IPv6 experience: generally you can provide a lot of useful network information to clients via DHCP, such as the DNS server, autoconfig info for IP phones, etc. how does a network operator ensure that clients get this information if it's not using DHCPv6?
You can include some information in router advertisements, likely there will be rfcs for more. Not sure of the full list of stuff you can advertise.
For sure I'm quite sure I had dns servers configured this way. I'll check when not on a phone to see what options there are.
If I recall correctly, you can do stateless DHCPv6 to just hand down a DNS server without also managing the devices' IP addresses.
You can, and there's a specific flag to set on nd/ra to tell the client to get other information from djcpv6. But so far I've not made it work and also, it likely won't work on android.
Really the way forward is for routers and devices to implement the same options as exist on dhcp. But, time will tell how that gets on.
This is a weakness of ipv6 but it's really the lack of widespread implementation that's behind this. If we were all using it, there would be more onus to get this stuff working.
What exactly does Google do for Android, then? Hardcode the IPv6 address of their own DNS service, or fall back to pulling AAAA records over IPv4?
Say that you can use prefix delegation. No, really, you can look at the bug report: https://issuetracker.google.com/issues/36949085?pli=1 . It’s absolutely infuriating. Especially when iOS does support it
DHCPv6 is very definitely used with ipv6 and isps, as DHCPv6-PD is needed anyway to send prefix allocations to the router
DHCPv6 does the same thing DHCP does, just for v6 addresses. This includes pushing domain suffix and dns servers.
There is also Router Advertisement, which tells the discovering client that it is a router, what the prefix is, if there is a DHCPv6 server, and what the DNS is. As an alternative to DHCPv6, the client can set their own address based on the combination of the prefix and their MAC address, the SLAAC address. The way IPv6 routing tables are built, the router can always find a route by asking upstream on the address, and upstream only has to forward downstream on an address.