
SoylentNews is people

posted by takyon on Saturday January 19 2019, @01:19AM
from the ICUP dept.

A Swiss VM hosting provider has a technical blog post about how to kill IPv4 completely on FreeBSD. That is to say, turning it completely off, not just preferring IPv6. They then solicit concrete solutions describing, along with a proof of concept, how to turn IPv4 completely off in other operating systems and allow them to communicate with IPv6 only.

Earlier on SN:
Vint Cerf's Dream Do-Over: 2 Ways He'd Make the Internet Different (2016)
You have IPv6. Turn it on. (2016)
We've Killed IPv4! (2014)


  • (Score: 1, Insightful) by Anonymous Coward on Saturday January 19 2019, @03:10AM (22 children)

    by Anonymous Coward on Saturday January 19 2019, @03:10AM (#788529)

    The quicker IPv4 dies, the better. NAT can DIAF.

  • (Score: 4, Funny) by Azuma Hazuki on Saturday January 19 2019, @03:25AM (4 children)

    by Azuma Hazuki (5086) on Saturday January 19 2019, @03:25AM (#788534) Journal

    You can NAT in IPv6 you know...

    --
    I am "that girl" your mother warned you about...
    • (Score: 5, Interesting) by VLM on Saturday January 19 2019, @02:49PM (3 children)

      by VLM (445) on Saturday January 19 2019, @02:49PM (#788638)

      When old timers talk about NAT in ipv6 they usually don't mean NAT, they mean a stateless FW instead.

      You can stateless firewall in ipv6 pretty easily:

      ip6tables -A OUTPUT -o your_isp_interface -j ACCEPT

      ip6tables -A INPUT -i your_isp_interface -m state --state ESTABLISHED,RELATED -j ACCEPT

      NAT on ipv4 in the olden days was merely the above, for ipv4 obviously, plus an extra line:

      iptables -t nat -A POSTROUTING -o your_isp_interface -j MASQUERADE

      You don't need to "fake" and remap the addrs for ipv4 like you do for ipv6, so you'd not include the ip6tables equivalent of the line above.

      As with most linux type things, a lot of effort has been put into making impossible to use "simpler" systems so on systemd-redhat non-unix-like OSes, god only knows what layers of hell you'd have to go thru to avoid one or two straightforward lines of clear and obvious ip6tables from the old days.

      • (Score: 2) by VLM on Saturday January 19 2019, @02:50PM

        by VLM (445) on Saturday January 19 2019, @02:50PM (#788639)

        Disclaimer: entire post above was from memory and might work and might be secure for some values of "work" and "secure"; you'd best hit up the mighty Google search bar if you're doing this for realzies, but for discussion purposes it's mostly accurate enough in the sense of hand grenades being close enough and so forth.

      • (Score: 2) by Deeo Kain on Sunday January 20 2019, @04:18PM (1 child)

        by Deeo Kain (5848) on Sunday January 20 2019, @04:18PM (#789063)

        ip6tables -A INPUT -i your_isp_interface -m state --state ESTABLISHED,RELATED -j ACCEPT

        Of course you know that the rule you wrote defines a state*ful* FW, do you?

        • (Score: 2) by VLM on Monday January 21 2019, @10:09PM

          by VLM (445) on Monday January 21 2019, @10:09PM (#789804)

          Yeah I know... caffeine levels too low etc. Heart was in the right place at least.

  • (Score: 0) by Anonymous Coward on Saturday January 19 2019, @03:42AM (7 children)

    by Anonymous Coward on Saturday January 19 2019, @03:42AM (#788540)

    Cause you just need your office printer to have a direct line to China.

    • (Score: 3, Informative) by janrinok on Saturday January 19 2019, @09:26AM

      by janrinok (52) Subscriber Badge on Saturday January 19 2019, @09:26AM (#788594) Journal

      Firewalls still work with IPv6 you know? If you have identified an IP address that you don't want your boxes to access, it is simple to block it. What do you do now?

      --
      I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
    • (Score: 2, Disagree) by VLM on Saturday January 19 2019, @02:35PM (5 children)

      by VLM (445) on Saturday January 19 2019, @02:35PM (#788632)

      A lot of ipv4 old timers seem to confuse the concept of a stateless firewall with the concept of NAT, because cheap ipv4 appliances have always marketed them as a package deal for a quarter century now.

      Believe me, a stateless ipv6 fw has not been much of a hassle for most of that quarter century.

      • (Score: 4, Informative) by TheGratefulNet on Saturday January 19 2019, @03:18PM (4 children)

        by TheGratefulNet (659) on Saturday January 19 2019, @03:18PM (#788650)

        you DO mean stateful and not stateless, right?

        a firewall has to keep track of the state of the tcp connection so that it can allow incoming pkts that are 'part of' previously outgoing-init'd comms.

        yeah?

        --
        "It is now safe to switch off your computer."
        • (Score: 0) by Anonymous Coward on Saturday January 19 2019, @06:46PM (1 child)

          by Anonymous Coward on Saturday January 19 2019, @06:46PM (#788729)

          thank you. that was making me think i had fallen into some opposite world.

          • (Score: 2) by VLM on Sunday January 20 2019, @04:07PM

            by VLM (445) on Sunday January 20 2019, @04:07PM (#789060)

            thank you. that was making me think i had fallen into some opposite world.

            Yeah the blood percentage in my caffeine system was too high when I wrote that. TheGratefulNet is correct.

        • (Score: 0, Disagree) by fakefuck39 on Saturday January 19 2019, @09:24PM (1 child)

          by fakefuck39 (6620) on Saturday January 19 2019, @09:24PM (#788771)

          no, he means stateless. no one is talking about TCP here. we are talking about IP.

          • (Score: 2) by Deeo Kain on Sunday January 20 2019, @04:23PM

            by Deeo Kain (5848) on Sunday January 20 2019, @04:23PM (#789065)

            no, he means stateless. no one is talking about TCP here. we are talking about IP.

            No, he means stateful. The rules he wrote are TCP, not IP:

            ip6tables -A INPUT -i your_isp_interface -m state --state ESTABLISHED,RELATED -j ACCEPT
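Added example (not written by anyone in this thread): a toy Python model of the distinction argued over above, comparing a filter that matches connection state, as the quoted `--state ESTABLISHED,RELATED` rule does, with one common stateless approximation that judges each packet in isolation. It assumes a default-drop INPUT policy, which the quoted commands do not set, leaves out RELATED, and uses constructed packets with documentation addresses; all class and function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str               # "out" leaves via the ISP interface, "in" arrives on it
    proto: str                   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flags; empty for UDP

class StatefulFilter:
    """OUTPUT accept; INPUT accept only ESTABLISHED; assumed default: drop."""
    def __init__(self):
        self.flows = set()       # toy connection-tracking table
    def accept(self, p):
        if p.direction == "out":
            # Record the flow so its replies can be recognised later.
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return True
        # Inbound: accept only the mirror image of a flow that started inside.
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows

def stateless_accept(p):
    """No memory: allow inbound TCP unless it is a bare SYN; drop other inbound."""
    if p.direction == "out":
        return True
    return p.proto == "tcp" and not ("SYN" in p.flags and "ACK" not in p.flags)

# Constructed sample traffic (RFC 3849 documentation addresses).
HOST, WEB, DNS, OTHER = "2001:db8:1::10", "2001:db8:2::80", "2001:db8:3::53", "2001:db8:9::9"
TRAFFIC = [
    ("outbound SYN",    Packet("out", "tcp", HOST, 40000, WEB, 443, frozenset({"SYN"}))),
    ("SYN/ACK reply",   Packet("in", "tcp", WEB, 443, HOST, 40000, frozenset({"SYN", "ACK"}))),
    ("unsolicited SYN", Packet("in", "tcp", OTHER, 50000, HOST, 22, frozenset({"SYN"}))),
    ("unsolicited ACK", Packet("in", "tcp", OTHER, 50000, HOST, 22, frozenset({"ACK"}))),
    ("outbound DNS",    Packet("out", "udp", HOST, 40001, DNS, 53)),
    ("DNS reply",       Packet("in", "udp", DNS, 53, HOST, 40001)),
]

def compare(traffic=TRAFFIC):
    """Return {label: (stateful verdict, stateless verdict)} for each packet in order."""
    fw = StatefulFilter()
    return {label: (fw.accept(p), stateless_accept(p)) for label, p in traffic}

if __name__ == "__main__":
    for label, (stateful, stateless) in compare().items():
        print(f"{label:16} stateful={stateful!s:5} stateless={stateless}")
```

The two filters disagree on exactly two packets: the stateless one admits the unsolicited ACK and drops the legitimate UDP reply, while the stateful one gets both right because it remembers which flows started inside.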

  • (Score: 0) by Anonymous Coward on Saturday January 19 2019, @08:49AM (8 children)

    by Anonymous Coward on Saturday January 19 2019, @08:49AM (#788591)

    And you expect thousands of net providers will just give their customers public IPs for free? They will pay more for something not very useful to anyone except geeks.

    • (Score: 5, Insightful) by janrinok on Saturday January 19 2019, @09:29AM (5 children)

      by janrinok (52) Subscriber Badge on Saturday January 19 2019, @09:29AM (#788595) Journal
      I live in France, I have a whole bunch of IPv6 addresses which my ISP has given me for free, and I can have more simply by asking for them. I'm guessing that you live in the US, where it seems the rule is to gouge every last cent out of your customers.
      --
      I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
      • (Score: 3, Interesting) by TheGratefulNet on Saturday January 19 2019, @03:22PM (1 child)

        by TheGratefulNet (659) on Saturday January 19 2019, @03:22PM (#788651)

        in the US (perhaps it's wider than that) there is an expression "leaving money on the table". meaning, if you negotiate a deal, did you get the very best deal you could have gotten, or did you get less than you could have, if you were a more skilled bargainer.

        that says a whole lot about our (US) culture. if you don't charge your customers for every little thing, you are not 'doing it right'.

        I completely disagree with that, but then again, I'm an engineer and not a businessman. those are the guys who are ruining things, not us. we don't care if we leave a few microfarads on the table, here and there ;)

        --
        "It is now safe to switch off your computer."
        • (Score: 2) by captain normal on Saturday January 19 2019, @06:30PM

          by captain normal (2205) on Saturday January 19 2019, @06:30PM (#788723)

          There is no "bargaining" with a monopoly, near monopoly nor dictator for that matter.

          --
          "If men were angels, government would not be necessary." James Madison
      • (Score: 1, Interesting) by Anonymous Coward on Saturday January 19 2019, @08:08PM

        by Anonymous Coward on Saturday January 19 2019, @08:08PM (#788748)

        Not France, but also EU. NATted networks with hundreds of customers are ultra-popular here as the opinion about Internet is that it's Google and FB. Yes, the Internet :(.
        There is a nice question for a network test: How many NAT routers are between you and the world? I traced my network and there are 5. One is mine, so I can configure it as I want. One is from my provider. Third one is from provider of my provider, fourth and fifth are in computational center being the proper "provider" of Internet. Summing up: 5 NATs to pinch a hole in.
        When I wanted to get a single-port pass-through (my computation machine returned its state... by periodically throwing strings through netcat, I'm lazy) I had to go to 3 people and the hole disappeared a few months later when computational center upgraded their routers.

        The problem is that you may get a really poor telecommunication-grade Internet (fortunately not a famous 9600/8/n/1, but it started this way), with world IP but expensive and really slow, or faster and cheaper one without IP.

      • (Score: 0) by Anonymous Coward on Saturday January 19 2019, @09:19PM (1 child)

        by Anonymous Coward on Saturday January 19 2019, @09:19PM (#788769)

        IPV4 is 'filled up'.

        I have a /60 for IPV6 from my provider. My router asks for a /64 from that.

        That is the state of the 'US'.

        • (Score: 2) by hendrikboom on Wednesday January 23 2019, @11:06PM

          by hendrikboom (1125) Subscriber Badge on Wednesday January 23 2019, @11:06PM (#790892) Homepage Journal

          I can never remember if /60 indicates the number of bits you get to play with, or the number of bits that are fixed for the entire subnet.

    • (Score: 1, Interesting) by Anonymous Coward on Saturday January 19 2019, @01:10PM

      by Anonymous Coward on Saturday January 19 2019, @01:10PM (#788610)

      I live in Germany. I have a free /62 assigned to me. But I don't have an IPv4 at all. I only connect to these legacy networks via an ISP tunnel.

      There is as much reason for using IPv4 on internal network as there is for having a yeast infection.

    • (Score: 2) by rleigh on Saturday January 19 2019, @05:28PM

      by rleigh (4887) on Saturday January 19 2019, @05:28PM (#788696) Homepage

      Yes. It's common practice for IPv6 to give every customer a /64 allocation. This is used for SLAAC on your internal network, and you can use any address within that range as you see fit.