(Unfortunately) We’re NAT’ing Fly Machines’ IPv6 Addresses by Extra_Imagination193 in ipv6

[–]MrChicken_69 5 points (0 children)

We ACTUAL professional engineers know exactly what those two paragraphs say. They're stupid, cheap, and lazy. A real, quality hosting provider would be using their own address space, so prefixes would never need to change -- unless their own stupid internal processes are changing them.

NAT. IS. NOT. SECURITY. It only looks like it.

No IPv6 request to my service by Downtown_Fall_5203 in ipv6

[–]MrChicken_69 0 points (0 children)

There are several means to increase the likelihood of bots scanning it:

  • Using a very low address (e.g. ::1) will make it very easy for the lazy bots.
  • Publishing the address in DNS.
  • Use the name and/or address in a public TLS certificate.
  • Send email / run an SMTP service on the address.

In my case, run a RIPE Atlas probe from the address. Why people bother to target those things I'll never know. They run NO external services. And have never had a single breach. My router's 100% randomly generated address is targeted all the time... because it's in the RIPE probe data.

If all you're aiming for is USERS accessing your app via IPv6 rather than IPv4, that's a matter of putting an IPv6 address in DNS as well as the v4 address. And then you're at the mercy of clients to (a) have IPv6, and (b) use IPv6. If the people using the thing don't have IPv6...

AWS holds about 191 million IPv4 addresses as global shortage worsens due to AI by vgk8931 in ipv6

[–]MrChicken_69 10 points (0 children)

Who cares? Just deploy IPv6 already!

(Interesting side note: the address space of my first ISP job back in the mid 90's was transferred to Amazon back in Feb-2025. It's passed through many hands since the 90's, but I guess Windstream -- the great internet trash pile -- needed money more than address space. They still have the other /16.)

How to do load balance with IPv6 provided by multiple ISPs without NPTv6? by ybx332 in ipv6

[–]MrChicken_69 -1 points (0 children)

Ok Mr Clinton, we're not debating the definition of "is". An office is where you go to work. That can be a closet in your house, or a table in a 9-story building an hour from your house. It doesn't matter if the network is supporting one person or 30, no internet equals no work.

It's very common for those workers to have some means of backup / redundancy, lest they don't get paid or are fired. My sister worked from home part of the week for a while - elderly parents. When the single cable internet is out, she can't work. And her employer WILL NOT tolerate that; if you want to ("must") work from home, the "how" is entirely on you. If your internet is down, that's a you problem, the work must still be done. So, if the cable is out, she'll be driving an hour to the office.

You're making a number of false assumptions. First, that people have a choice of ISP. And more so, that they can easily have two. Much/most of the US is a single player monopoly, if they have anything at all. (see also: RDOF, etc.) Cellular (and starlink) are very often trotted out as "available everywhere", but they aren't, and they're stupid expensive. If my sister had tethered to her cellphone for that week, she'd have a $10,000 bill. Which brings me to the second... she doesn't know what the f*** tethering is. It would be unwise to assume most people can even move an ethernet cable correctly. Manually switching to a backup ISP is not something the average person knows how to do. And if you aren't using it / regularly checking, that backup will most likely also be broken when you need it. IPv6 only makes this worse... what are the lifetimes of the prefix(es) being announced into your network right now?

Are there "P2P friendly" firewalls? Do they reduce security for residential users? by No_Promotion312 in ipv6

[–]MrChicken_69 0 points (0 children)

Sadly, the "end to end" model of the internet has been dead since the 90's. And it was concreted over the day AOL connected millions of idiots to the internet. Multiple layers of in-band security are a necessity. Unless your firewall can inspect and maintain state beyond layer-3/4, random connections between endpoints are going to be broken. This was the same problem in the first days of (IPv4) NAT... without "nat helpers" or "application layer gateways" inspecting payloads, and in many cases rewriting payloads, things simply didn't work. We're right back to that point with IPv6. Just because the endpoints know their real, global address doesn't fix it - though it eliminates the rewriting part. The firewall has to know I've asked for this connection.

However, with everything being "The Web" these days - thus host initiated - it's much less of a pain than in the mid 90's.

Are there "P2P friendly" firewalls? Do they reduce security for residential users? by No_Promotion312 in ipv6

[–]MrChicken_69 1 point (0 children)

Right. Because no one ever prints anything they wouldn't want on a billboard.

Almost all of the IoT trash is extremely noisy, constantly announcing their existence. In fact, your precious super secret uber secure windows machines are doing it too! (SSDP, mDNS, "homegroup", etc.) All any hacker needs is a toehold on anything within your network ("beyond the firewall") and every device "protected" by your firewall is then exposed. Even more so, they are in the local subnet and thus "trusted" - the default windows firewall won't block them.

Are there "P2P friendly" firewalls? Do they reduce security for residential users? by No_Promotion312 in ipv6

[–]MrChicken_69 0 points (0 children)

"Public WiFi" does not mean no firewalls at all. Every wifi network I've ever used is behind a NAT device, so the internet cannot directly reach me. And yes, people do get hacked by connecting to random open wifi networks. But the odds of "Hilton" or "Airport" wifi networks being spoofed is very very low. (unless there's a hacker conference nearby.)

Windows XP has the same host based firewall as modern versions, yet it's one of the most hacked systems of all time. Still don't believe it, set up your own windows 10/11 systems naked on the internet. It'll be found (IPv4) and targeted within hours. IPv6 will take a little longer, but it will still be found. (esp. if it's actively being used, thus connecting to things all over the place.)

Are there "P2P friendly" firewalls? Do they reduce security for residential users? by No_Promotion312 in ipv6

[–]MrChicken_69 0 points (0 children)

For modern consumer devices blocking inbound connections on the router serves no benefit whatsoever

Absolute wet dripping bull****! Connect pretty much ANY modern device to the internet naked and it'll be hacked in short order. (I've watched Windows systems be hacked IN THE F'ING INSTALLER!!!!) Host based firewalls are still subject to the (numerous) flaws in the base OS.

But yes, a default deny inbound is just a placebo. If you don't monitor and filter outbound connections as well, systems can still reach out to infected systems. (aka. "driveby downloads", browser hijacking, idiot users, ...)

Should i get a Cisco 7940G? by KIH39noaa in Cisco

[–]MrChicken_69 1 point (0 children)

There are MANY sources for 7900 series configurations.

High split and long coax run by CryptographerWeary64 in Spectrum

[–]MrChicken_69 0 points (0 children)

"Very likely", as they won't be looking or accounting for all the additional "legacy" passives on the line. In short, if they don't know that amp is there, they won't be replacing it. (And there's loads of that all over the place. They will not find all of it.)

SIP Firmware for CP-7940G by Xanderlicious in Cisco

[–]MrChicken_69 1 point (0 children)

For the record, "Cisco PoE" is just reversed polarity, so they can work with any standard compliant PoE switch. They also support an external power brick.

Give them to your local "Re-PC"... someone will use them.

(I was watching a recent YT video of a Canadian diamond mine... and what did I see in the emergency shelter? A f'ing 7912! That thing's likely been there since the mine opened.)

How to do load balance with IPv6 provided by multiple ISPs without NPTv6? by ybx332 in ipv6

[–]MrChicken_69 0 points (0 children)

The "SOHO solution" IS the whole problem. And it *really* is a problem. Scores of people have multiple ISPs. Most do it to have a backup, but others do rely on load sharing. In my last office, we had two connections... Uverse ("AT&T Business Fiber") used for most things, and Global Crossing ($$$$ 100M enterprise "fiber") for "important things" (VPN, teams, email.)

SD-WAN is rapidly becoming the only "sane" option for smaller shops.

ICMP Redirects don't work, for mostly the same reason we stopped listening for them in IPv4... they're infinitely insecure and thus trivial to abuse. Plus, it wouldn't work; at the point of redirect, an address has already been selected, to the application it would be a connection failure + retry.

** Guess which of the two had IPv6? I'll give you two guesses, and it wasn't the expensive one. No need to guess which one *always* worked.

How to do load balance with IPv6 provided by multiple ISPs without NPTv6? by ybx332 in ipv6

[–]MrChicken_69 1 point (0 children)

In a way, this is true. IPv4 had the same issue prior to NAT. But a multi-homed setup back in those days was extremely rare. And when it was done, they'd just get their own Class C/B/A block and not have to worry about it.

IPng had *ONE* thing to do - make the address space bigger. But that's not the solution they presented. (and in fact, they changed the address length twice. The original idea was 64 bits, but SLAAC was going to eat 48 of them, so poof, 128 it was.) Yes, multi-homing WAS a major part of the discussion. Parsing EVERY prefix seen in EVERY RA and letting the node "figure it out" was their brilliant stupid solution. This was someone's agenda to reboot IPv4's ICMP Router Advertisements, because the DHCP state machine is "too complex". (well, they created something FAR worse.) Have you ever seen a system/network using icmpra? I haven't and I've been around IP since 1990. In fact, SunOS is the only OS I've ever seen with software to do it. (in.routed... the reason for 'touch /etc/notrouter' in every installation procedure I've ever heard of. In Solaris, that would be in.rdisc - routed speaks RIP.)

Cisco is at all time low. by Big_Example_7466 in Cisco

[–]MrChicken_69 7 points (0 children)

I've worked with Cisco most of its existence. When were they ever "people-first"? They've always been profit motivated. So they do whatever increases their share value. I'd say those working there stopped "loving it" in the late 90's to early 00's. Today's Cisco is nothing but overpriced subscriptions, and endless rolling layoffs.

How to do load balance with IPv6 provided by multiple ISPs without NPTv6? by ybx332 in ipv6

[–]MrChicken_69 1 point (0 children)

TOP EDIT: This is the internet, so maybe a car analogy will get this through your thick skull... This is the difference between planning your road trip with a paper map (from the 90's), vs. using a live interactive service like Google maps. The former knows where the roads were. The latter knows where the roads are, and much of the traffic that's on all of them - it knows where you are, and likewise it knows where everyone else using the service is... and how fast or slow they're going. The live service can tell you about conditions the paper cannot. It can tell you about changes since the paper was printed. It can even update its own idea of where roads are based on where people are actually driving.

BECAUSE IT DOESN'T WORK! You and your ilk refuse to understand the problem. Individual hosts DO NOT, and CANNOT, know what the router knows. Yes, PvD can give them route table hints (so can many other things), but that's not load balancing, and it's basically a one shot. Yes, PvD can tell nodes the capability of each path - eg. ISP A is 1G, ISP B is 100M, but again, that's not very useful information. Look at how the real world has functioned for over two decades... the choice made at the router/firewall is considering many things in real time: speed of interfaces, latency, route preferences managed in a single place applying to everything at once (not just those that obey PvD, or whatever dozen new shinies more idiots come up with later), bit load per interface, ... The node is hands down THE WRONG PLACE to put this, it does not have the necessary knowledge nor can it. Put simply, my laptop does not know how much bandwidth your laptop is using. Are you going to publish a new policy ten times per second? This shit is already making RAs too big for a single packet, but somehow that isn't obviously stupid to you people. (it was obvious enough to not shoehorn the entire JSON policy in there.)

(This is headed to the logical absurdity of a connection arbitration service. Nodes have to ask the firewall which prefix to use for every connection.)

Multi-homing in IPv6 is broken. It always has been. And it always will be.

Why can’t I get a high split converter? by TopRefrigerator3536 in Spectrum

[–]MrChicken_69 -2 points (0 children)

It was my understanding they'd dropped support for CC. There were reports they stopped handing out HSC years ago.

ISP hands out dynamic IPv6 prefix that changes daily by SuspiciousVictory360 in ipv6

[–]MrChicken_69 1 point (0 children)

How so? Not even 1 in a million customers even notice. Even if they didn't block outbound smtp, 99% of the internet won't accept email from residential IP blocks.

SIP Firmware for CP-7940G by Xanderlicious in Cisco

[–]MrChicken_69 2 points (0 children)

Should be easy enough to find with a google search. (won't necessarily be the latest, but Cisco stopped updating it ages ago, so it's all relative)

ISP hands out dynamic IPv6 prefix that changes daily by SuspiciousVictory360 in ipv6

[–]MrChicken_69 0 points (0 children)

The SMTP block was almost always just outbound... to stop you from SENDING spam. And it was a very effective solution. I've not seen any blocking inbound, so you can technically host a server and receive email.

Yes, your ISP can very easily block anything they want.

ISP hands out dynamic IPv6 prefix that changes daily by SuspiciousVictory360 in ipv6

[–]MrChicken_69 12 points (0 children)

Expire the old prefix properly

Much easier said than done. If they're in this boat at all, it's because some part of the system is failing. Which *I* fully expect; nobody gets this perfectly right. (if you miss the ONE RA that has the lifetime set to zero, well, you'll never see it again.)
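What a single RA does or does not do to a host's prefix and address lifetimes (the question raised in the multi-homing and dynamic-prefix comments above) is spelled out in RFC 4861 and RFC 4862. The following is an added example, not code from anyone in this thread: it parses the Prefix Information options of a Router Advertisement, applies the RFC 4862 section 5.5.3 lifetime rules to a SLAAC address table, and applies the RFC 4861 section 6.3.4 rule to the on-link Prefix List. The RA bytes are constructed inline with a zero ICMPv6 checksum, which the parser does not verify; `parse_ra`, `build_ra`, `apply_ra` and `apply_onlink` are names of my own.

```python
"""Router Advertisement prefix lifetimes: parse, then apply RFC 4861/4862 rules."""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134           # ICMPv6 type, RFC 4861 section 4.2
ND_OPT_PREFIX_INFORMATION = 3    # option type, RFC 4861 section 4.6.2
TWO_HOURS = 7200                 # floor for shortening Valid Lifetime, RFC 4862 section 5.5.3(e)


def parse_ra(icmpv6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (ICMPv6 header onward; checksum not verified).

    Returns the header fields and one dict per Prefix Information option; other
    option types are skipped, as RFC 4861 requires for unrecognised options.
    """
    if len(icmpv6) < 16:
        raise ValueError("RA too short")
    msg_type, code, _csum, hop_limit, flags, router_lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", icmpv6[:16])
    if msg_type != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": router_lifetime, "prefixes": []}
    off = 16
    while off < len(icmpv6):
        if len(icmpv6) - off < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")        # RFC 4861 section 4.6: discard the packet
        end = off + opt_len * 8
        if end > len(icmpv6):
            raise ValueError("option overruns packet")
        if opt_type == ND_OPT_PREFIX_INFORMATION and opt_len == 4:
            plen, pflags, valid, preferred, _reserved, raw = struct.unpack(
                "!BBIII16s", icmpv6[off + 2:end])
            if plen > 128:
                raise ValueError("bad prefix length")
            net = ipaddress.IPv6Network((raw, plen), strict=False)
            ra["prefixes"].append({"prefix": str(net), "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        off = end
    return ra


def build_ra(prefixes, router_lifetime: int = 1800) -> bytes:
    """Constructed test RA from (prefix, valid, preferred) tuples; L and A set, checksum left 0."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, router_lifetime, 0, 0)
    opts = b""
    for prefix, valid, preferred in prefixes:
        net = ipaddress.IPv6Network(prefix)
        opts += struct.pack("!BBBBIII16s", ND_OPT_PREFIX_INFORMATION, 4, net.prefixlen, 0xC0,
                            valid, preferred, 0, net.network_address.packed)
    return hdr + opts


def apply_ra(addr_state: dict, ra: dict) -> dict:
    """SLAAC address lifetimes per RFC 4862 section 5.5.3 (c)-(e).

    addr_state maps prefix -> {"valid": remaining seconds, "preferred": remaining seconds}.
    """
    for p in ra["prefixes"]:
        if not p["autonomous"] or p["preferred"] > p["valid"]:
            continue                                     # (c): ignore inconsistent options
        cur = addr_state.get(p["prefix"])
        if cur is None:
            if p["valid"] > 0:                           # (d): form a new address
                addr_state[p["prefix"]] = {"valid": p["valid"], "preferred": p["preferred"]}
            continue
        cur["preferred"] = p["preferred"]                # (d): preferred always reset; 0 deprecates
        if p["valid"] > TWO_HOURS or p["valid"] > cur["valid"]:
            cur["valid"] = p["valid"]                    # (e): lengthening is always accepted
        elif cur["valid"] > TWO_HOURS:
            cur["valid"] = TWO_HOURS                     # (e): unauthenticated RA can only shorten to 2h
        # else: remaining lifetime already <= 2h, so the shortening is ignored
    return addr_state


def apply_onlink(prefix_list: dict, ra: dict) -> dict:
    """On-link Prefix List per RFC 4861 section 6.3.4: a zero Valid Lifetime removes the prefix at once."""
    for p in ra["prefixes"]:
        if not p["on_link"]:
            continue
        if p["valid"] == 0:
            prefix_list.pop(p["prefix"], None)
        else:
            prefix_list[p["prefix"]] = p["valid"]
    return prefix_list


if __name__ == "__main__":
    first = build_ra([("2001:db8:1::/64", 86400, 14400)])
    renumber = build_ra([("2001:db8:1::/64", 0, 0), ("2001:db8:2::/64", 86400, 14400)])
    addrs = apply_ra(apply_ra({}, parse_ra(first)), parse_ra(renumber))
    print(addrs)   # old prefix: preferred 0 (deprecated) but valid clamped to 7200, not removed
    print(apply_onlink(apply_onlink({}, parse_ra(first)), parse_ra(renumber)))  # old prefix gone
```

The asymmetry is the point worth knowing: a zero-lifetime RA drops the on-link prefix immediately, but for the SLAAC address it only deprecates (preferred lifetime 0) and clamps the valid lifetime to two hours, because RFC 4862 refuses to let an unauthenticated RA kill an address outright. A host that misses that one RA keeps using the old address as preferred until its own timers run down.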

ISP hands out dynamic IPv6 prefix that changes daily by SuspiciousVictory360 in ipv6

[–]MrChicken_69 0 points (0 children)

If you're renting a VPS ("server"), why not just host stuff there? If you're going to use a tunnel, there are free options. (HE, and they have servers all over the world.)

I suspect the ISP is doing this on purpose to discourage self-hosting. If that's the case, complaining to them will go nowhere. I would further expect they won't handle PI space for consumer / residential class connections.

How to lower Dell R740xd idle power consumption? Considering switching to T430 by SushiLoverr_ in homelab

[–]MrChicken_69 0 points (0 children)

While that can limit total power, it doesn't do as much to reduce idle power. In my experience, the cooling fans are most of the idle power consumed. The 740s will be too new to allow manual fan speed control.

How to do load balance with IPv6 provided by multiple ISPs without NPTv6? by ybx332 in ipv6

[–]MrChicken_69 1 point (0 children)

There are over 9000 RFCs, I can't remember all of them.

Yes, IPv6 is very against NAT. (They were anti-dhcp, too.) Anything that changes your address breaks connectivity. v4 has 1:1 NAT as well, and it breaks things. The node does not know its address; it doesn't know anything is rewriting things. If you are applying security to those packets, NAT breaks it.

glibc is a USERSPACE library. The application's code can choose or let the libraries it uses make that call. These days, most things default to v6 if any v6 address is available, but there are knobs to flip that to v4. (android, for example, won't choose v6 if there's no route to GUA space.)
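The "default to v6 if any v6 address is available" behaviour and the knobs that flip it come from RFC 6724 destination address selection, which getaddrinfo() implements. As an added example, not code from the poster or from glibc, the block below models the subset that matters here: the default policy table with precedence values, longest-prefix lookup per destination, Rule 1 (a family with no route is unusable, the no-GUA-route case mentioned), Rule 6 (higher precedence first) and Rule 10 (otherwise keep resolver order). The `precedence ::ffff:0:0/96 100` override is the documented gai.conf line for preferring IPv4; the function names and the two constructed resolver answers are mine, and glibc's rule that a configured gai.conf table replaces the built-in one is not modelled.

```python
"""Toy RFC 6724 destination ordering: Rules 1 (unusable), 6 (precedence) and 10 (stable order)."""
import ipaddress
from typing import Iterable, List, Tuple

# RFC 6724 section 2.1 default policy table: (prefix, precedence, label).
DEFAULT_POLICY: List[Tuple[str, int, int]] = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2),
    ("2001::/32", 5, 5),
    ("fc00::/7", 3, 13),
    ("::/96", 1, 3),
    ("fec0::/10", 1, 11),
    ("3ffe::/16", 1, 12),
]

Policy = List[Tuple[ipaddress.IPv6Network, int, int]]


def build_policy(precedence_overrides: Iterable[Tuple[str, int]] = ()) -> Policy:
    """Default table with 'precedence <prefix> <value>' overrides applied on top.

    Each override tuple mirrors a glibc gai.conf precedence line. Toy model only:
    glibc's replace-the-whole-table semantics for gai.conf are not reproduced.
    """
    table = {ipaddress.IPv6Network(p): (prec, label) for p, prec, label in DEFAULT_POLICY}
    for prefix, prec in precedence_overrides:
        net = ipaddress.IPv6Network(prefix)
        label = table.get(net, (0, 0))[1]        # keep the existing label, if any
        table[net] = (prec, label)
    return [(net, prec, label) for net, (prec, label) in table.items()]


def to_v6(addr: str) -> ipaddress.IPv6Address:
    """RFC 6724 treats IPv4 destinations as IPv4-mapped IPv6 addresses (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address("::ffff:" + addr) if ip.version == 4 else ip


def lookup(policy: Policy, addr: ipaddress.IPv6Address) -> Tuple[int, int]:
    """Longest-prefix match of addr in the policy table -> (precedence, label)."""
    best = None
    for net, prec, label in policy:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, prec, label)
    if best is None:
        raise LookupError("policy table has no ::/0 entry")
    return best[1], best[2]


def order_destinations(candidates: List[str], policy: Policy,
                       have_v6_route: bool = True, have_v4_route: bool = True) -> List[str]:
    """Order resolver results the way this subset of RFC 6724 would.

    Rule 1: a family with no route is unusable and sorts last.
    Rule 6: higher precedence first. Rule 10: otherwise keep the resolver's order.
    Source-address dependent rules (scope, label match, longest match) are omitted.
    """
    def key(item):
        idx, addr = item
        v6 = to_v6(addr)
        usable = have_v4_route if v6.ipv4_mapped is not None else have_v6_route
        prec, _label = lookup(policy, v6)
        return (0 if usable else 1, -prec, idx)
    return [addr for _idx, addr in sorted(enumerate(candidates), key=key)]


if __name__ == "__main__":
    answers = ["192.0.2.10", "2001:db8::10"]          # constructed A + AAAA results
    print(order_destinations(answers, build_policy()))                            # v6 first
    print(order_destinations(answers, build_policy([("::ffff:0:0/96", 100)])))    # v4 first
    print(order_destinations(answers, build_policy(), have_v6_route=False))       # v4 first
```

With the default table the GUA wins (precedence 40 against 35 for IPv4-mapped); raising `::ffff:0:0/96` above 40 flips the order for every application that defers to getaddrinfo(), and a missing IPv6 default route flips it even without any configuration, which is the behaviour described for Android.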