Re: Homenet



On Mon, 21 Mar 2016, Xen wrote:

>> "Addressable" is NOT the same thing as "exposed".  Any sane IPv6

> There is a fundamental issue with this and that is that this is a rather
> arbitrary "sanest method of configuration" rather than a topology feature.

So is NAT.

> There is no longer a "port to different port" mapping, now it is simply
> "open or closed".

You can still use NAT.  IP6 NAT works just fine and dandy - it's just no
longer *needed*.

> When you cross boundaries, meanings can change. For example, I have a device
> internally running on port 22, but externally port 80. This is because I was
> located on a premises that blocked outgoing port 22 connections. And
> basically all other connections except 80 and 443. There are also other
> ports open on that router but they are all accessible through the same IP
> and domain.

IP6 NAT still works for that.  But I just use IP6 darknet.

> Now tell me, what is the advantage of IPv6? I don't see any.

I can directly address all the hundreds of boxes I have to monitor.
Configuration is so much simpler.  Protocols like SIP that are broken
behind NAT Just Work with IP6, and without an external 3rd party.  I can
have a separate IP for each logical web page.  (Yes, https is finally
being upgraded so name virtual host works - but IP6 is still better
deployed, and that's not saying much.)  I can actually talk to people
behind the same firewall via SIP.

In short, all the hundreds of daily irritations and things that just
don't work "behind NAT" go away.  NAT is great for working around
ISP braindamage via port mapping - and works OK as a default incoming
only security policy - but is a huge pain in the rear the rest of the
time.  Anytime you are using NAT to work around lack of additional
public IP4s (because you aren't made of money), you really want IP6.

> I'm sure the mapping is a feature that is on IPv6 routers as well. But are
> you telling me that I am going to need a different domain to access every
> local device (because they use each a different public IP address)?

No, a different host name.

> What advantage do I have if I have addressable (but per the configuration of
> the firewall) inexposed IP addresses for each internal device, including
> possibly the router?
>
> Can you tell me that?

Things work the same internally as externally.  One fixed IP per device
that is the same internally and externally.  Situations (like mobile
devices) where you have 7 billion devices but only 4 billion IP4
addresses.

> The question is: WHY DO YOU WANT or feel the need or desire for (RANDOM)
> 64-bit addresses on an internal network?

You don't want or need them on an internal network.  It is an optional
IP6 privacy feature, in case you don't want outside parties tracking
your device by its MAC - which is used in the original SLAAC.  When the
internal network has a server or DHCP6 capable router, then DHCP6 is
better and simpler IMO, and works with subnets smaller than /64.

> First of all, a random non-reusable address is clearly a bag of nonsense, as
> you indicate. That's no sane method of doing anything. Think of a
> programming stack, queue or list. You want the queue, stack or list to
> remain in an elegant state, for instance that indices keep starting at 0 and
> that the first element is at index 0. You don't want a runaway system where
> the indices become higher and higher constantly but you expect not to run
> into trouble because you have reserved 64-bit for them.
>
> Maybe I'm assuming, perhaps. Then enlighten me.

The privacy feature is optional.  When used, it is used only for
outgoing connections from the device.  There is still a fixed IP6 that
can be given out to things that need to connect to it.  It is generally
a good idea not to use SLAAC if privacy is a concern, as that exposes
your MAC and can be tracked across multiple locations (e.g. if coffee
shops all had IP6 but no DHCP6, then your device would be recognized
at each coffee shop).

> But of course you recognise this, but as you say, or as I feel, this system
> you've just shown me is just the output of a ludicrous mind. Instead of a
> small set of understandable addresses with a fixed scope of a certain

"small set".  Yes, that is the *critical* problem with IP4.  You do
realize that we ran out of IP4 addresses years ago everywhere except
Africa, and the bandaids (like NAT) to keep things sort of running
are getting cumbersome?

> My apologies if I'm not well enough versed in this to really discuss this.
> But what you've just shown me is just more stupid than what I already
> thought...........

Let me blow your mind with my favorite application of IP6: CGA -
CryptoGraphic Addressing.  One huge problem with both IP4 and
conventional IP6 is that your IP (/64 subnet in the case of IP6) is
essentially assigned by the government (through IANA) and can be taken
away at any time.  And can be spoofed.  In the CJDNS protocol, the
128-bit IP6 address of a device is the truncated hash of the public key
of the device.  No central address assignment.  No spoofing.

https://github.com/cjdelisle/cjdns/

> A random 64-bit address is 8 bytes. A byte is 2 hexadecimal digits. That
> means if these addresses are really random in the entire range, you need 16
> digits to write them down. Currently, I can remember every device with one
> decimal number between 1 and 254. So where is the advantage here? People in
> the past used to directly access public IPs by IP. By heart. I never did
> much of that, but it happened. I do use a domain service for my IP and don't
> remember it.

Now you have a different private IP4 for every location.  That is even more
confusing.  Even worse, you get private IP4s that conflict, because there is
no central allocation of your private IPs, and the address space is too
small for CGA.  It's a real bummer when you add a client whose already
existing internal IPs conflict with another client's, and you need to
directly address both.  At least, it used to be a bummer until I
switched to IP6.

However, when you aren't using privacy extensions (which aren't
*supposed* to be remembered) or CGA, then IP6 addresses are also easy to
remember.  E.g. my personal mail server is 2001:470:5:c85::10.  The CJDNS
(CGA) IP of my mail server is fcd9:7f8a:e050:4b48:7fd6:7fa:5509:6e26 - and
yes, that is hard to memorize - and I don't.  That's what DNS (and other
decentralized naming systems like Namecoin) are for.

> Oftentimes I still manually write them in to some "host" program call or
> something of the kind. There can be DNS issues and it is often helpful to
> directly attempt IP addresses instead of domains to troubleshoot that.
> Sometimes.

Yep.  Still works just fine in IP6.  When using hierarchical addressing,
most of those 128 bits are 0, and written as "::".

> "Firewalls that restrict incoming connections may be used to prevent
> exposure, however, this reduces the efficacy of end-to-end connectivity that
> IPv6 has the potential to restore."
>
> So basically they want full exposure, but recognise that this is not
> actually desirable, so they introduce a firewall that will block incoming
> connections, when at first the whole reason for having individual addresses
> was in large part to solve the problem of not being reachable.

You need a firewall for NAT as well.  You only want to block incoming
by default for clueless users that don't know any better.  The first
thing a knowledgeable user does is turn *off* the default "block all
incoming", or replace the default firmware on the router with OpenWRT,
or replace the router with a linux box.

> So they *wanted* all devices to be reachable, but now recognise that such a
> thing is not actually desirable. There is no point to having addresses if
> you can't do anything with it. That means you STILL need UPnP to open ports.
> Nothing has changed.

It *is* desirable - but too dangerous by default for unskilled users running
Windows.  A gun is a valuable and essential tool - but you don't give it
to a four year old to play with unsupervised.

> Except everything has become a 1000 times more complex, apparently.

1000 times more simple.  Hence, why I don't even bother with IP4 anymore
except to configure a 6in4 tunnel when the ISP is still living in the
'90s.

--
              Stuart D. Gathman <stuart gathman org>
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
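Two address-derivation schemes come up in the message above: SLAAC, whose EUI-64 interface identifier embeds the device's MAC (the tracking concern raised about coffee shops), and cjdns-style CGA, where the address is a truncated hash of the node's public key. The following is an added example written for this page; it is not code from the mail, from Fedora, or from the cjdns project. The EUI-64 construction (flip the universal/local bit, insert ff:fe) is the standard one. For the CGA half, the double SHA-512 truncated to 16 bytes and the requirement that the result fall in fc00::/8 reflect my understanding of cjdns's scheme and should be treated as assumptions; the MAC address and the "public keys" are constructed demo values, not real key material.

```python
"""Added example: how SLAAC exposes a MAC, and how a CGA binds an address to a key."""
import hashlib
import ipaddress
from typing import Optional, Tuple


def eui64_interface_id(mac: str) -> bytes:
    """Build the 64-bit EUI-64 interface identifier SLAAC derives from a MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = octets[0] ^ 0x02  # flip the universal/local bit
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 identifier, as original SLAAC does."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_slaac(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 address; None if the IID is not EUI-64 shaped.

    This is the detection side: an address whose IID carries ff:fe in the
    middle reveals the hardware address regardless of which network it is on.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def cga_address(pubkey: bytes) -> str:
    """CGA-style address: first 16 bytes of SHA-512(SHA-512(pubkey)) (assumed cjdns scheme)."""
    digest = hashlib.sha512(hashlib.sha512(pubkey).digest()).digest()[:16]
    return str(ipaddress.IPv6Address(digest))


def cga_matches(addr: str, pubkey: bytes) -> bool:
    """Verify that a claimed address really belongs to the presented public key."""
    return ipaddress.IPv6Address(addr) == ipaddress.IPv6Address(cga_address(pubkey))


def generate_cga_key() -> Tuple[bytes, str]:
    """Search constructed demo 'keys' until the derived address lands in fc00::/8.

    A real node would generate fresh keypairs instead; the SHA-256 of a counter
    string is only a deterministic stand-in so this example runs offline.
    """
    for i in range(20000):
        key = hashlib.sha256(f"constructed-demo-key-{i}".encode()).digest()
        addr = cga_address(key)
        if ipaddress.IPv6Address(addr).packed[0] == 0xFC:
            return key, addr
    raise RuntimeError("no fc00::/8 address found in search range")


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed MAC
    home = slaac_address("2001:db8:1::/64", mac)
    shop = slaac_address("2001:db8:2::/64", mac)
    print("same device on two networks:", home, shop)
    print("MAC recovered from both:", mac_from_slaac(home), mac_from_slaac(shop))
    print("DHCP6-style address gives nothing:", mac_from_slaac("2001:db8:1::10"))
    key, addr = generate_cga_key()
    print("CGA address bound to key:", addr, cga_matches(addr, key))
```

Running it shows the same EUI-64 identifier appearing under two different prefixes, which is exactly why privacy extensions or DHCP6 are preferred when a device roams; the CGA half shows why such an address cannot be taken over by anyone who does not hold the matching key.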

