hmm, should i get an ipv4 dhcp offer when configuring a new OS on my vps?
hmm guess not.
no ipv6 RAs either
have to configure it static
yeah, would have been nice if it happened automagically
had to boot back into the previous install to get the network config
think if you log into your account there's a webpage with the IP details
personally I dislike the idea of dhcp for servers
and the idea of RA at all
RA is great, if you need dynamic allocation.
better than dhcp, since it's stateless.
for static configs, pretty much not recommended indeed.
curious... why does being stateless make it better?
a) less memory requirements on the server
b) less roundtrips to configure
c) simpler
d) quicker
so in my mind dhcp is a book wrt conversation between the client/server. RA is a tweet.
need to prod or hack myself dns into rtadvd/rtsol on OpenBSD and then life would be complete.
there are rfc's that describe it, just needs implementing.
toddf: Windows also needs to implement it big time :)
windows doesn't have a RA client?
osx so I've been told has RA but no dhcp6 at least by default
toddf: RA client, but no DNS in RA
G: ah.
toddf: I think that's right wrt to OSX too
yeah, my OSX has an RA client but it doesn't appear to have added the IPv6 NS server to /etc/resolv.conf
toddf: my other issue w/ Windows, is that it doesn't use the same EUI64 format
doesn't it do the privacy thing?
yeah, I think it still uses the MAC, but it's not as resolvable or something
my issue with windows is the closed source nature .. amongst other things.
resolvable? lower 64bits have no business in a sentence with 'resolvable'
I mean back to the MAC address
so they used their own algorithm. great. score for 'windows hacks it up,.... again ;-('
my RA'd Windows laptop, has the lower 64bits of: 39ba:ba9b:5ece:262b
whereas, if I boot it into Fedora, it'll have something with fffe in the middle
which imo is actually more of a security risk, than telling the world what brand NICs you are running
"Ohhh that person must be connecting from a Windows box, let's exploit some bugs with the TCP replies"
I can tell what os you are running down to the patchlevel if you establish a tcp connection that I can access either via pf or bpf.
toddf: good point :)
so conversations about the random algorithms for EUI64 are rather moot. in the context of security and os discovery.
yeah, a good point I guess, I was trying to add a bit of drama to it :)
OpenBSD has a privacy extension thing as well. though I've never used it, as I don't see the point.
oh, where it fuddles with the EUI64?
security through obscurity is playing russian roulette.
exactly
at some point you're going to be had. look up dropship for an example.
I laugh at the people that said that IPv6 needs NAT for security
because you shouldn't expose the public routable IPs that are internal to your network
my response is: that is what ACLs are for
don't allow external people to get that far into your network
I am angered by them. I lost a client due to someone accusing me of having a bad plan for them since they had a class C and I was subnetting it to give windos systems public IP's (behind an OpenBSD firewall of course). the client believed the other person vs me. *SHAKES FIST*
yeah, Cisco in their books have got the issue spot on imo
well in their CCNP training books anyway
nice to know.
*SHAKES FIST AT CISCO FOR MAKING SOME PEOPLE BELIEVE IT IS THE ONLY NETWORK FIREWALL/VPN WORTH TRUSTING*
toddf: ahh well with that I agree
I kinda find it funny how the Cisco Press books go on about how good IPv6 in all their products is, but the real world half the stuff doesn't support it, or doesn't support it properly (if what people actually using and trying to implement it, are saying is true)
and well, when it comes to their Linksys business
"All our commercial/business kit supports IPv6, just about all home computers support IPv6 now, but the equipment needed in between, ha good luck!"
but anywho, it's not just Cisco
G: so since you seem clueful on IPv6 and cisco, can you point me to the docs (or give the ios commands) on how to disable RA while still enabling ipv6 forwarding? (have a cisco I'd love to enable IPv6 on, but the instant I do, it starts advertising itself as the default router which is incorrect)
I find the argument that RA requires less memory a bit suspect... with DHCP the server tracks a single address per host. with RA a host may assign itself as many addresses as it likes, each of which takes up memory in the router's neighbour cache, which is far smaller and more expensive than server memory
toddf: you mean 'ipv6 unicast-routing'?
oh wait, I get you now
yeah, you want ipv6 unicast-routing, but you don't want the RA's
toddf: tried http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/ipv6_f.html#wp1056151 ?
ipv6 nd suppress-ra
nice
danka
Failover does not support IPv6. The ipv6 address command does not support setting standby addresses for failover configurations. The failover interface ip command does not support using IPv6 addresses on the failover and Stateful Failover interfaces.
hah!
toddf: oh gosh
carp(4) to the rescue!
I had a feeling cisco fixed that in a later version... or maybe that was only ASA and not FWSM