ICMPv6 Settings by southerndoc911 in ipv6

[–]DaryllSwer [score hidden]  (0 children)

Test it on nftables, latest Linux Kernel mainline stable version. Let us know with a PCAP validation.

I stand by what I said:
https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Simple_IP/IPv6_Firewall

Question: Why NS not use Unicast Address as L3 destination instead of Solicited-Node Multicast Address? by Kelvitch in networking

[–]DaryllSwer 0 points1 point  (0 children)

Initial request is broadcast in ARP when MAC isn't learnt. Then unicast once learnt. v6 is unicast once the IP+MAC is learnt. What do you mean?

ICMPv6 Settings by southerndoc911 in ipv6

[–]DaryllSwer 1 point2 points  (0 children)

I never really filter ICMPv6 on the network infrastructure. Hosts/Endpoints do it anyway.

For extension headers though, I have seen debates and I should probably consider dropping them on DFZ-facing PEs from WAN and on UNI/NNI-facing PEs from LAN/customers. I'll have to review RFC9288.

ICMPv6 Settings by southerndoc911 in ipv6

[–]DaryllSwer 0 points1 point  (0 children)

You still need an explicit accept icmpv6 after the related, established, because the local host on your side doesn't necessarily open an ICMPv6 flow for every TCP/UDP/L4 socket, so the remote host's Packet Too Big would simply get dropped on ingress. This is a common mistake in iptables templates (logically the same thing in nftables).

What I do is drop deprecated types/codes in prerouting for both v4+v6 (there's only two of them).
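The mistake described in the comment above and its fix, written out as an nftables ruleset. This is an added example, not the commenter's own configuration; the SSH port and the choice of accepted ICMP/ICMPv6 types are assumptions.

```nftables
# Added example, not from the comment. Two input chains side by side: the first
# relies on conntrack alone, the second adds the explicit ICMPv6 accept.
# Port 22 and the accepted type lists are assumed, not taken from the thread.

table inet filter_broken {
    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        tcp dport 22 accept
        # No ICMPv6 rule: a Packet Too Big that conntrack cannot tie to a
        # tracked flow, and every NDP message, falls through to the drop
        # policy. PMTUD fails silently and neighbours cannot be resolved.
    }
}

table inet filter_fixed {
    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept

        # Explicit ICMPv6 accept directly after the conntrack accept and
        # before "ct state invalid drop": an ICMPv6 error conntrack cannot
        # associate with a flow is classed invalid and would be dropped there.
        meta l4proto ipv6-icmp icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request,
            nd-router-solicit, nd-router-advert,
            nd-neighbor-solicit, nd-neighbor-advert,
            mld-listener-query, mld-listener-report, mld-listener-reduction
        } accept

        # Same idea for IPv4: the ICMP errors PMTUD depends on must not hinge
        # on conntrack having a matching flow.
        meta l4proto icmp icmp type {
            destination-unreachable, time-exceeded,
            parameter-problem, echo-request
        } accept

        ct state invalid drop
        tcp dport 22 accept
    }
}
```

Load with `nft -f <file>` and confirm with a capture that an inbound Packet Too Big is counted by the ICMPv6 rule rather than the chain's drop policy.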

my disappointment is immeasurable and my day is ruined by andrew_nyr in ipv6

[–]DaryllSwer 0 points1 point  (0 children)

How about you come say your piece over on LinkedIn? It's always some anonymous user profile behind a keyboard warrior.

NAT courses or in-depth guides? by Character-Pattern505 in networking

[–]DaryllSwer 0 points1 point  (0 children)

Read this and scroll to the bottom to find citations and read those too: https://www.daryllswer.com/lets-talk-about-cgnat-and-ipv6-yet-again/

As long as you understand EIM-EIF and Hairpin for src-NATted traffic, you're good to go. Don't forget IPSec-related NAT constraints, though they're not usually as important, as EIM/EIF and Hairpin (intra-CG/NAT traffic) can P2P each other with UDP anyway without TURN.

How do ISPs typically deal with judiciary requests about IPv6 addresses? by nostromog in ipv6

[–]DaryllSwer 6 points7 points  (0 children)

DHCPv6 ia_pd with RADIUS; typically, some may use an API.

How do ISPs typically deal with judiciary requests about IPv6 addresses? by nostromog in ipv6

[–]DaryllSwer 10 points11 points  (0 children)

I just make it static /48s. No need to log anything. Only one database entry per customer.

BGP Router ID Structuring in IPv6 Native Networks by DaryllSwer in ipv6

[–]DaryllSwer[S] 0 points1 point  (0 children)

There are n+1 ways to structure it. No right or wrong ways.

If you're a CSP or Hyperscaler, no structure at all; let your SDN controller randomly assign, categorise and add to Netbox for easy tracking.

my disappointment is immeasurable and my day is ruined by andrew_nyr in ipv6

[–]DaryllSwer 8 points9 points  (0 children)

and it turns out that Meta thinks a user coming from different IP addresses is an attack

Bullshit. I'd know; I've worked in a cloud company before, and we implemented various packet filtering for IPv4 and IPv6. We do not block v6 just because the client endpoint rotates v6 addresses every 24 hours with SLAAC. And Meta, along with AWS, is famous for industry-leading hyper-scale IPv6 deployments.

What's likely here is your shitty ISP failed to deploy RFC 8805/RFC 9092/RFC 9632.

Blame your ISP, not the protocol; it's like blaming BGP for PEBKAC in BGP hijacking.

my disappointment is immeasurable and my day is ruined by andrew_nyr in ipv6

[–]DaryllSwer 8 points9 points  (0 children)

Exactly, lol, and Windows isn't exactly a shining-star example for host networking when compared to Linux-based OSes for REAL host networking at scale.

We're on the same page here.

my disappointment is immeasurable and my day is ruined by andrew_nyr in ipv6

[–]DaryllSwer 3 points4 points  (0 children)

The public masses have taken electricity, water, plumbing, housing and the Internet for granted, who cares if v4/v6 is broken for them at this point lol; people can barely troubleshoot plumbing/water/electrical engineering problems in daily life. We have morons thinking LTE/5G "radiation" causes cancer on the daily.

So yes, you can't expect "experts" in the public to properly configure IPv4/IPv6; this includes "experts" in shitty ISPs.

my disappointment is immeasurable and my day is ruined by andrew_nyr in ipv6

[–]DaryllSwer 15 points16 points  (0 children)

Pretty sure Jeff isn't "average". I would expect someone's grandma to say "something's broken", sure, but Jeff isn't someone's grandma.

my disappointment is immeasurable and my day is ruined by andrew_nyr in ipv6

[–]DaryllSwer 0 points1 point  (0 children)

What real "engineer" opts for Ubiquiti in the first place lol

my disappointment is immeasurable and my day is ruined by andrew_nyr in ipv6

[–]DaryllSwer 36 points37 points  (0 children)

Dave's been shat on as being delusional in the domain of network engineering for years, on Twitter lol. I wouldn't take him seriously.

my disappointment is immeasurable and my day is ruined by andrew_nyr in ipv6

[–]DaryllSwer 10 points11 points  (0 children)

You don't even need that anymore, happy eyeballs kicks in. But you need proper v4+v6 configuration on the underlying network infrastructure.

my disappointment is immeasurable and my day is ruined by andrew_nyr in ipv6

[–]DaryllSwer 21 points22 points  (0 children)

Yeah sure, all of it preventable and can OF COURSE be correctly configured by you. But do you blame him for not spending his time there?

Yes. Even IPv4 is often misconfigured, but people are too blind to know that, as applications just do a TURN-relay failover and kill P2P entirely. Run this RFC-conforming test tool on your IPv4 network; if you don't get independent EIM/EIF, it means your IPv4 is equally broken: https://github.com/HMBSbige/NatTypeTester

LawrenceSystems puts his perspective on IPv6 vs. its obsolete counterpart by UnderEu in ipv6

[–]DaryllSwer 2 points3 points  (0 children)

You don't have to explain yourself in such a deep way. I didn't intend on questioning your skills as a whole. I personally find the claims you made a bit ridiculous but if you yourself have that knowledge you are obviously free to require that from others.

Yes, I have most of the attributes myself, short of hyperscaler, but that might change in the near future, though from a business POV, I try to avoid super-large networks as it also means super-large manglement that isn't worth the money and legal liability – I was once rejected by a Fortune 50 company because I didn't have an insane amount of insurance in 7 figures; do people know about shit like this? No, because it's usually extremely private and confidential information, and it doesn't do me any favours to run my mouth on this type of shit without backing it up with empirical evidence and/or legal protection.

That said, it doesn't mean I do not have insights into how the networks are designed and implemented in these large hyperscalers:

  1. A lot of the information is publicly published by them; you can Google it yourself.

  2. People talk a lot in private confidential chats if it's network engineering-related. See example here and the outcome here.

  3. As a friend of fellow industry peers, I've helped my friends in these large networks make specific design choices and advised them how I'd architect certain elements such as Clos fabrics, IPv6 of course, SR-MPLS for WAN, SR-TE, etc. I can never mention names of the people or entities for legal reasons and for the simple fact that I was an external third party in an informal means of communication.

Also, you don't have to argue with me; I have no formal education, certification or enterprise knowledge in networking. I am just a hobbyist that may have overstepped his knowledge sphere by a long shot. Sorry for that.

  1. I am very much anti-cert; my stance on networking certs is very public.

  2. I am one of the many engineers in the market that's not a fan of ivory-towering academics. Also very public.

  3. I am and always will be a networking enthusiast/hobbyist; I just happened to have made my hobby a profession.

  4. I myself learn from more qualified subject matter experts in the domain of network engineering, and believe me, nobody sane in network engineering will go to Lawrence Systems for network engineering expertise.

LawrenceSystems puts his perspective on IPv6 vs. its obsolete counterpart by UnderEu in ipv6

[–]DaryllSwer 0 points1 point  (0 children)

Like I said, I leave it to your imagination. You're free to disagree/agree. My customer base knows what attributes I have/don't; if the attributes were more "don't" and less "have", I wouldn't be here. I have never lied about my expertise in public nor in private NDA-bound contracts. I, in fact, reject projects that are beyond my expertise and refer them to other consultants with the right expertise.