This is a sub-selection from IPv6 beta


Mersault

join:2007-10-26
Toronto, ON
reply to squircle

Re: IPv6 beta

Honestly, a dependency on private address space leads to lazy security. The difference between private addresses and a default deny firewall is not much, except I'll bet that in most instances the default deny firewall will be more secure.



squircle

join:2009-06-23
Oakville, ON

Well, I'm not trying to say it's for security, but I don't really want to argue. I know it's an IPv4 mindset, but do things that will never communicate outside of the LAN really need globally-routable IP addresses?

I'll shut up now.



theboyk

join:2004-10-04
Toronto, ON
reply to Mersault

said by Mersault:

Honestly, a dependency on private address space leads to lazy security. The difference between private addresses and a default deny firewall is not much, except I'll bet that in most instances the default deny firewall will be more secure.

Are you talking about a firewall on the router between the WAN and LAN, or individual FWs on each device?


Mersault

join:2007-10-26
Toronto, ON

said by theboyk:

said by Mersault:

Honestly, a dependency on private address space leads to lazy security. The difference between private addresses and a default deny firewall is not much, except I'll bet that in most instances the default deny firewall will be more secure.

Are you talking about a firewall on the router between the WAN and LAN, or individual FWs on each device?

Yes.


theboyk

join:2004-10-04
Toronto, ON

Yes, to both?


mactalla

join:2008-02-19
kudos:1

What's important is that you have a wall between the source of possible trouble and the destination where you don't want said trouble. One wall, two walls, where the wall is, doesn't matter.

The router is a choke point between you and the internet. So if you absolutely trust everything on your LAN side (including possibly weak WiFi) then a firewall on your router is going to be just as good as a firewall on each device. This is no different than IPv4.



theboyk

join:2004-10-04
Toronto, ON

I'm more thinking of work where I have 40+ computers, 5 servers, 4 printers, etc. and right now I trust my Cisco (enterprise class) security device for that wall. And I'm just trying to figure out how to deal with IPv6 where all of these devices have accessible IPs. Don't want to manage firewalls on all the computers, and on some devices that wouldn't even be possible. Just starting to look into this whole thing, so lots to learn...



Mersault

join:2007-10-26
Toronto, ON

Well, it's pretty simple. Block everything. Then, selectively open for only the traffic you know you want. The difference between a default-deny firewall and NAT - for security purposes - is nil. And I would argue that the firewall is superior in that it forces you to at least think about it and consider it.


scbenoit

join:2012-01-28
Barrie, ON

Hey Folks

Great discussion here, I especially appreciated "roast's" July 2011 post on Cisco config. Where and how do I request my IPv6 user credentials? When I signed up and asked for IPv6, I was given one PPPoE user name and password (an @dslinternet.ca) and only a /64 IPv6 address. It appears I still require an hsiservice account and my /56.

I understand this is a beta so I didn't expect them to have the details - I just need to know where I should be asking?

Thanks

Steve


scbenoit

join:2012-01-28
Barrie, ON

TSI Joel set me up, thanks, I'm good to go

Now to test my rtr's and cfgs - Cisco 1841 w/DSL, Dlink 615 with original 3.2x firmware, and a Juniper SSG5

Thanks

Steve


34764170

join:2007-09-06
Etobicoke, ON

said by scbenoit:

Now to test my rtr's and cfgs - Cisco 1841 w/DSL, Dlink 615 with original 3.2x firmware, and a Juniper SSG5

I'd check for any newer firmware for the equipment mentioned above.


theboyk

join:2004-10-04
Toronto, ON
reply to scbenoit

said by scbenoit:

Now to test my rtr's and cfgs - Cisco 1841

I'd be interested in hearing how this goes. What are the details on your 1841? What IOS are you running, etc.?

I'm going to need to upgrade my 1841, which I haven't been super happy with, to support IPv6 and just trying to decide if I'm going to upgrade it or go with another security device (been thinking about switching back to a SonicWALL, but that's another story).

mattvmotas
Premium
join:2010-09-04
Amherstburg, ON
reply to scbenoit

said by scbenoit:

TSI Joel set me up, thanks, I'm good to go

Now to test my rtr's and cfgs - Cisco 1841 w/DSL, Dlink 615 with original 3.2x firmware, and a Juniper SSG5

Thanks

Steve

I've been pretty happy with my 1841 WIC1-ADSL setup. Very stable. Just wish I had an HWIC so I could get the higher DSL packages when they hit my area.
--
Matt


TSI Gabe
Premium,VIP
join:2007-01-03
Chatham, ON
kudos:7

I've looked at getting HWICs as well for at home. But they are so damn expensive. Can't justify spending 500$ per card for home use...



theboyk

join:2004-10-04
Toronto, ON

So, I put in a new (old) router last night (at home) - a D-Link DIR825 - and it seems to be running IPv6 quite well. It lacks an IPv6 firewall, so going to have to upgrade eventually, but for now, for testing, it's doing the trick.

Anyway - when I run the test-ipv6 tests, I get 10/10 and 10/10, but, when I test something like ipv6test.google.com, it says "no problems", but under that, it says "you don't have ipv6, but you shouldn't have problems with sites that add ipv6 support".

Can anyone explain what this means?

Thanks,
Kristin.



SimplePanda
Go Habs Go
Premium
join:2003-09-22
Toronto, ON
Reviews:
·TekSavvy DSL

1 recommendation

A few things: Are you using a Mac? The latest Macs have basically broken IPV6 support. Apple would argue it's "working" in that IPV6 works and is rock solid, but the issue is how Apple chooses IPV6 vs IPV4 for connectivity. While the standard / accepted practice (in Windows 7 / Linux for example) is to favour IPV6 when present, Apple has chosen to implement a scheme whereby the first DNS record returned is the protocol used.

Second possibility: you're caching the IP from a previous lookup. Try flushing your DNS caches (router and computer) and try again.



theboyk

join:2004-10-04
Toronto, ON

1 recommendation

Good to know!

At home, it's all Macs (desktop/portables), various iOS devices and an old Windows XP box (so I'll run a test from there and compare the results). Work, which I'll eventually be rolling IPv6 out to, is 99% Macs (40+ desktop/portables/Xserves) & iOS devices, with only a handful of Windows machines.

So, that said, if a particular website was IPv6 only, then it would still work, correct (as IPv4 wouldn't be present for that connection), but in a situation with both IPv4 and IPv6, the Mac will default to IPv4?



SimplePanda
Go Habs Go
Premium
join:2003-09-22
Toronto, ON
Reviews:
·TekSavvy DSL

1 recommendation

Not quite.

If there is only IPV6, Mac OS will always access it over IPV6 without issue.

Likewise for IPV4.

If both IPV4 and IPV6 are available for a given site, the operating system dispatches two DNS lookup requests, one for the A record and one for the AAAA (IPV6). Whichever answer comes back first is the protocol the Mac chooses to use. This generally means that it's hit and miss as to which protocol the Mac chooses to use. This is why I call it 'broken'. It's not that it doesn't work - it's that it's wildly unpredictable and totally inconsistent.

For example, I just went to:

»whatismyipv6.com/

I was given my IPV4 address as Lion decided IPV4 was "faster". I hit refresh 4 or 5 times. Same result. 6th time around, I got connected via IPV6. A few more forced refreshes, back to IPV4.

Windows 7 and Ubuntu, on the other hand, are IPV6 on first and every access (as it should be).

Hopefully with IPV6 Launch Day coming Apple will get its act together and update their V6 support. iOS and Lion both seem to be broken in the same way so it's clearly a Darwin / low level issue. Past versions of OS X weren't broken this way so fixing it shouldn't be an issue for them.

Apple has their reasons for doing this and I can understand -why-. I just wish they let you toggle it (even by sysctl) so that it worked in a more consistent way.

More info:
»www.ietf.org/mail-archive/web/v6···805.html

Hope this helps.



theboyk

join:2004-10-04
Toronto, ON

Yea, something must be "broken" if you can't even toggle it or force it via terminal. Funny, I've only been testing on iOS and Lion, so I didn't realize it "worked" in pre-Lion. I'll also test that on an older box when I get home tonight.

Anyway, thanks for the information — that explains a lot!!!



Mersault

join:2007-10-26
Toronto, ON

Are you sure it's a mac thing and not a browser thing? I know some browsers were playing with different algorithms for choosing whether to be IPv4 or IPv6. It's considered a better user experience since IPv6 is a bastard child on most networks. Even on TekSavvy going with IPv6 can add 50ms to some round trips, due to crappier peering, peers, and routes in general.



theboyk

join:2004-10-04
Toronto, ON

I am no authority to answer, but this thread adds some credence to that idea (and this is an old hint, back from 10.3 days)...

»hints.macworld.com/article.php?s···04026573

Edit: just tested multiple browsers, and results are the same as Safari (and on 2 of 6 reloads, IPv6 is used vs IPv4). Not definitive testing, but doesn't look like it's exclusively a browser issue.


34764170

join:2007-09-06
Etobicoke, ON
reply to Mersault

said by Mersault:

Are you sure it's a mac thing and not a browser thing? I know some browsers were playing with different algorithms for choosing whether to be IPv4 or IPv6. It's considered a better user experience since IPv6 is a bastard child on most networks. Even on TekSavvy going with IPv6 can add 50ms to some round trips, due to crappier peering, peers, and routes in general.

The specific implementation he is referring to is an OS X 10.7/Lion issue, as Apple has implemented Happy Eyeballs right in the OS's v6 stack for all apps to use, as opposed to building it into the browser like Chrome and Firefox 10 and up.
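
An added model (not code from any poster in this thread) of the two selection behaviours described above: the "first DNS answer wins" policy SimplePanda attributes to Lion, and a prefer-IPv6-with-fallback policy of the kind the stack-level Happy Eyeballs post refers to. The DNS answer timings, the 150 ms head start and the six "reloads" are constructed assumptions, not measurements.

```python
# Added example, not from any poster: models the address-selection policies
# discussed in the thread. All timings below are constructed.
import random
from typing import Callable, List, Optional, Tuple

Policy = Callable[[float, Optional[float]], str]


def first_answer_wins(a_ms: float, aaaa_ms: Optional[float]) -> str:
    """Policy the thread attributes to Lion/iOS: whichever of the parallel
    A / AAAA answers arrives first decides the protocol, so the choice
    flips with ordinary DNS jitter."""
    if aaaa_ms is None:
        return "ipv4"
    return "ipv6" if aaaa_ms < a_ms else "ipv4"


def prefer_ipv6(a_ms: float, aaaa_ms: Optional[float],
                head_start_ms: float = 150.0) -> str:
    """Policy the thread attributes to Windows 7 / Linux: use IPv6 unless
    there is no AAAA answer or it trails the A answer by more than the
    head start. The 150 ms head start is an assumption for this example."""
    if aaaa_ms is None:
        return "ipv4"
    return "ipv6" if aaaa_ms <= a_ms + head_start_ms else "ipv4"


def reload_sequence(policy: Policy,
                    timings: List[Tuple[float, Optional[float]]]) -> List[str]:
    """Protocol chosen on each page reload, given (a_ms, aaaa_ms) per lookup."""
    return [policy(a, aaaa) for a, aaaa in timings]


def ipv6_share(policy: Policy, trials: int = 1000, base_ms: float = 20.0,
               jitter_ms: float = 30.0, seed: int = 1) -> float:
    """Fraction of lookups that end up on IPv6 when both answers share the
    same base latency plus independent uniform jitter (constructed)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        a = base_ms + rng.random() * jitter_ms
        aaaa = base_ms + rng.random() * jitter_ms
        hits += policy(a, aaaa) == "ipv6"
    return hits / trials


if __name__ == "__main__":
    # Constructed: six reloads where the AAAA answer is faster on two of them.
    reloads = [(22, 31), (25, 24), (20, 28), (27, 30), (29, 21), (23, 26)]
    print("first-answer-wins:", reload_sequence(first_answer_wins, reloads))
    print("prefer-IPv6:      ", reload_sequence(prefer_ipv6, reloads))
    print("IPv6 share, first-answer-wins: %.2f" % ipv6_share(first_answer_wins))
    print("IPv6 share, prefer-IPv6:       %.2f" % ipv6_share(prefer_ipv6))
```

With equal average latency the first-answer policy lands on IPv6 about half the time and changes from one reload to the next, which is the "2 of 6 reloads" pattern reported in the thread, while the prefer-IPv6 policy is stable unless the AAAA path is genuinely slow or missing.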

34764170

join:2007-09-06
Etobicoke, ON
reply to theboyk

said by theboyk:

I am in no authority to answer, but this thread adds some credence to that idea (and this is an old hint, back from 10.3 days)...

»hints.macworld.com/article.php?s···04026573

Edit: just tested multiple browsers, and results are the same as Safari (and on 2 of 6 reloads, IPv6 is used vs IPv4). Not definitive testing, but doesn't look like it's exclusively a browser issue.

That's another issue. Older OS X releases had other bugs with the resolver. For example, anything older than 10.6.8 had a bug that prevented OS X from being used on a v6-only network, as the resolver would randomly return a v4 address for a site that has a AAAA record.

34764170

join:2007-09-06
Etobicoke, ON
reply to theboyk

said by theboyk:

Good to know!

At home, it's all Macs (desktop/portables), various iOS devices and an old Windows XP box (so I'll run a test from there and compare the results). Work, which I'll eventually be rolling IPv6 out to, is 99% Macs (40+ desktop/portables/Xserves) & iOS devices, with only a handful of Windows machines.

IMO I'd hope your Windows side is only Vista/7 and for Mac you're using 10.6.8 or preferably 10.7.x.


Mersault

join:2007-10-26
Toronto, ON
reply to 34764170

Yeah, doing happy eyeballs on the stack sounds like something Apple would do. And honestly, I don't see a problem with it. If my IPv6 connectivity is crappy I really would rather have my stuff go over IPv4. I like IPv6, but I don't want to have to put up with a slow and unresponsive internet for it.

ICMP (default options, 10 packets) to my colo in Seattle:
IPv4: round-trip min/avg/max/stddev = 63.192/63.759/64.550/0.393 ms
IPv6: round-trip min/avg/max/std-dev = 78.003/78.432/78.708/0.194 ms

ICMP (default options, 10 packets) to my colo in Dallas:
IPv4: round-trip min/avg/max/stddev = 40.789/41.073/41.411/0.196 ms
IPv6: round-trip min/avg/max/std-dev = 55.062/55.619/56.070/0.285 ms

ICMP (default options, 10 packets) from Dallas to Seattle colos:
IPv4: round-trip min/avg/max/stddev = 48.486/48.674/48.939/0.150 ms
IPv6: round-trip min/avg/max/std-dev = 86.967/87.462/88.387/0.465 ms

The real problem isn't a happy eyeballs algorithm implemented on the network stack, it's that IPv6 transit is so terrible these days.



SimplePanda
Go Habs Go
Premium
join:2003-09-22
Toronto, ON
Reviews:
·TekSavvy DSL

My preference: Apple implements the way everyone else does so it's predictable. At that point, after June 6th if Youtube performance is poor we can start complaining to TSI that they need better V6 peering to Youtube, for example.

This is really the only way V6 is going to get rolled out and done so with good performance. Falling back on V4 every time V6 is a little slow will just drag this out.



Mersault

join:2007-10-26
Toronto, ON

You're making the assumption that Apple cares about IPv6. They don't. They aren't hostile to it or anything, it's just that IPv4 vs. IPv6 is totally irrelevant to their goals. They want their customers to have the best experience possible so that they keep coming back and buying more Apple products. There is a reason for the existence of Apple "fanboys" and it has very much to do with Apple's understanding of this. Apple is generally at their best when they're technology agnostic. Apple will be quite happy when after June 6th someone on Windows or Linux is struggling with a stuttering Youtube and the Mac user turns and says "it's working fine here". They will consider that a success.

It's up to the networking guys to make sure that the successful connections are over IPv6. It's not Apple's responsibility.


roast

join:2011-07-21
H0H0H0

1 edit
reply to TSI Gabe

said by TSI Gabe:

I've looked at getting HWICs as well for at home. But they are so damn expensive. Can't justify spending 500$ per card for home use...

Yeah, ADSL2+ HWICs are still too expensive. The problem is the older ISRs really can't push a lot of traffic through, so by the time HWICs are "affordable" the routers we'll be using are severely outdated and pretty much useless if you (edit: if you can!) saturate your connection...

roast

join:2011-07-21
H0H0H0
reply to mattvmotas

said by mattvmotas:

I've been pretty happy with my 1841 WIC1-ADSL setup. Very stable. Just wish I had an HWIC so I could get the higher DSL packages when they hit my area.

The 1841 falls flat on its face using dual stack. Once you start pushing some IPv6 data through the router, the CPU pins at 100%... I will say, the WIC-ADSL card is superb though and fantastic for a 5MB DSL connection without IPv6.

mattvmotas
Premium
join:2010-09-04
Amherstburg, ON

said by roast:

The 1841 falls flat on its face using dual stack. Once you start pushing some IPv6 data through the router, the CPU pins at 100%... I will say, the WIC-ADSL card is superb though and fantastic for a 5MB DSL connection without IPv6.

Not true, I have dual stack and have had no issues at all. I see no CPU issues on the router and I have used it to externally access servers on the inside using IPv6. I even have v6 enabled on all my internal clients.
--
Matt