***: _Ehtyar has quit IRC (Remote host closed the connection)
kingedgar has joined #arpnetworks
_Ehtyar has joined #arpnetworks
_Ehtyar has quit IRC (Remote host closed the connection)
_Ehtyar has joined #arpnetworks
__Ehtyar has quit IRC (Remote host closed the connection)
LT has joined #arpnetworks
ivan-kanis has joined #arpnetworks
ivan-kanis has quit IRC (Ping timeout: 258 seconds)
phreak has quit IRC (Quit: sleep)
phreak has joined #arpnetworks
stamps: hmm, should I get an ipv4 dhcp offer when configuring a new OS on my vps?
hmm guess not. no ipv6 RAs either
***: phreak has quit IRC (Quit: sleep)
LT: have to configure it static
stamps: yeah, would have been nice if it happened automagically
had to boot back into the previous install to get the network config
LT: think if you log into your account there's a webpage with the IP details
personally I dislike the idea of dhcp for servers and the idea of RA at all
toddf: RA is great, if you need dynamic allocation. better than dhcp, since it's stateless. for static configs, pretty much not recommended indeed.
LT: curious... why does being stateless make it better?
toddf: a) less memory requirements on the server
b) less roundtrips to configure
c) simpler
d) quicker
so in my mind dhcp is a book wrt conversation between the client/server. RA is a tweet.
need to prod or hack myself dns into rtadvd/rtsol on OpenBSD and then life would be complete. there are RFCs that describe it, just needs implementing.
G: toddf: Windows also needs to implement it big time :)
toddf: windows doesn't have a RA client?
osx so I've been told has RA but no dhcp6
at least by default
G: toddf: RA client, but no DNS in RA
toddf: G: ah.
G: toddf: I think that's right wrt to OSX too
yeah, my OSX has an RA client
but it doesn't appear to have added the IPv6 NS server to /etc/resolv.conf
toddf: my other issue w/ Windows, is that it doesn't use the same EUI64 format
toddf: doesn't it do the privacy thing?
G: yeah, I think it still uses the MAC, but it's not as resolvable or something
toddf: my issue with windows is the closed source nature .. amongst other things.
resolvable? lower 64bits have no business in a sentence with 'resolvable'
G: I mean back to the MAC address
toddf: so they used their own algorithm. great. score for 'windows hacks it up,.... again ;-('
G: my RA'd Windows laptop, has the lower 64bits of: 39ba:ba9b:5ece:262b
where as, if I boot it into Fedora, it'll have something with fffe in the middle
which imo is actually more of a security risk, than telling the world what brand NICs you are running
"Ohhh that person must be connecting from a Windows box, lets exploit some bugs with the TCP replies"
toddf: I can tell what os you are running down to the patchlevel if you establish a tcp connection that I can access either via pf or bpf.
G: toddf: good point :)
toddf: so conversations about the random algorithms for EUI64 are rather moot.
in the context of security and os discovery.
G: yeah, a good point I guess, I was trying to add a bit of drama to it :)
toddf: OpenBSD has a privacy extension thing as well. though I've never used it, as I don't see the point.
G: oh, where it fuddles with the EUI64?
toddf: security through obscurity is playing Russian roulette.
G: exactly
toddf: at some point you're going to be had.
lookup dropship for an example.
G: I laugh at the people that said that IPv6 needs NAT for security
because you shouldn't expose the public routable IPs that are internal to your network
my response is: that is what ACLs are for
don't allow external people to get that far into your network
toddf: I am angered by them. I lost a client due to someone accusing me of having a bad plan for them since they had a class C and I was subnetting it to give Windows systems public IPs (behind an OpenBSD firewall of course). the client believed the other person vs me. *SHAKES FIST*
G: yeah, Cisco in their books have got the issue spot on imo
well in their CCNP training books anyway
toddf: nice to know. *SHAKES FIST AT CISCO FOR MAKING SOME PEOPLE BELIEVE IT IS THE ONLY NETWORK FIREWALL/VPN WORTH TRUSTING*
G: toddf: ahh well with that I agree
I kinda find it funny how the Cisco Press books go on about how good IPv6 in all their products is, but in the real world half the stuff doesn't support it, or doesn't support it properly (if what people actually using and trying to implement it are saying is true)
and well, when it comes to their Linksys business
"All our commercial/business kit supports IPv6, just about all home computers support IPv6 now, but the equipment needed in between, ha good luck!"
but anywho, it's not just Cisco
toddf: G: so since you seem clueful on IPv6 and cisco, can you point me to the docs (or give the ios commands) on how to disable RA while still enabling ipv6 forwarding? (have a cisco I'd love to enable IPv6 on, but the instant I do, it starts advertising itself as the default router which is incorrect)
LT: I find the argument that RA requires less memory a bit suspect... with DHCP the server tracks a single address per host. with RA a host may assign itself as many addresses as it likes, each of which takes up memory in the router's neighbour cache, which is far smaller and more expensive than server memory
G: toddf: you mean 'ipv6 unicast-routing'?
oh wait, I get you now
yeah, you want ipv6 unicast-routing, but you don't want the RA's
toddf: tried http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/ipv6_f.html#wp1056151 ?
toddf: ipv6 nd suppress-ra
nice
***: nuke` has quit IRC (Read error: Operation timed out)
shmget_ has joined #arpnetworks
toddf: danka
***: nukefree has joined #arpnetworks
shmget has quit IRC (Read error: Operation timed out)
toddf: Failover does not support IPv6. The ipv6 address command does not support setting standby addresses
for failover configurations. The failover interface ip command does not support using IPv6 addresses
on the failover and Stateful Failover interfaces.
hah!
G: toddf: oh gosh
toddf: carp(4) to the rescue!
LT: I had a feeling cisco fixed that in a later version... or maybe that was only ASA and not FWSM
***: nerdd_ has joined #arpnetworks
Nigel_ has joined #arpnetworks
freedomcode has joined #arpnetworks
milki_ has joined #arpnetworks
nerdd has quit IRC (*.net *.split)
milki has quit IRC (*.net *.split)
reardencode has quit IRC (*.net *.split)
G has quit IRC (*.net *.split)
Nigel_ is now known as G
shmget_ has quit IRC (Read error: Connection reset by peer)
ziyourenxiang has joined #arpnetworks
shmget has joined #arpnetworks
crazed has quit IRC (Read error: Connection reset by peer)
crazed has joined #arpnetworks
crazed has quit IRC (Changing host)
crazed has joined #arpnetworks
kingedgar has quit IRC (Quit: Ex-Chat)
ziyourenxiang has quit IRC (Quit: ziyourenxiang)
ivan-kanis has joined #arpnetworks
LT has quit IRC (Quit: Leaving)
ziyourenxiang has joined #arpnetworks
ivan-kan` has joined #arpnetworks
ivan-kan` has quit IRC (Remote host closed the connection)
ivan-kan` has joined #arpnetworks
freedomcode is now known as reardencode
ivan-kan` has quit IRC (Remote host closed the connection)
cubelogic has joined #arpnetworks
ziyourenxiang has quit IRC (Quit: ziyourenxiang)
HighJinx has quit IRC (Ping timeout: 250 seconds)
HighJinx has joined #arpnetworks
ivan-kan` has joined #arpnetworks
ivan-kan` has quit IRC (Remote host closed the connection)
RandalSchwartz has quit IRC (Ping timeout: 248 seconds)
ivan-kanis has quit IRC (Remote host closed the connection)
phreak has joined #arpnetworks
ikariW has left
milki_ is now known as milki
RandalSchwartz has joined #arpnetworks
RandalSchwartz has quit IRC (Changing host)
RandalSchwartz has joined #arpnetworks
cubelogic has quit IRC (Ping timeout: 276 seconds)
HighJinx has quit IRC (Ping timeout: 246 seconds)
baklava has quit IRC (Ping timeout: 258 seconds)
HighJinx has joined #arpnetworks