
Re: IPv4 v IPv6



On Monday 17 June 2019 10:54:19 am Dan Ritter wrote:

> Gene Heskett wrote:
> > But that opens yet another container of worms. If I arbitrarily
> > assign ipv6 local addresses, and later, ipv6 shows up at my side of
> > the router, what if I have an address clash with someone on a
> > satellite circuit in Ulan Bator.  How is that resolved, by
> > unroutable address blocks such as 192.168.xx.xx is now?
>
> Sort of.
>
> IPv6 has a concept of "scope" that says: this address space is
> purely local. This address space is global. This address space
> is for a link.
>
> If you fire up 'ip -6 address' on a stock Debian machine with
> IPv6 enabled (which is the default these days), you will see
> something like this:
>
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
>
> 3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
>     inet6 2001:570:1c07:ff7:d63d:7eff:fe93:e318/64 scope global
>        valid_lft forever preferred_lft forever
>     inet6 fe80::a2d3:c1ff:ce24:b122/64 scope link
>        valid_lft forever preferred_lft forever
>
> Your loopback interface has one address with scope host: it's only on
> this machine.  The eth0 has two addresses: one is scope global,
> and can be used for routing to your machine from the outside
> world, and one is scope link, and should only be used to talk to
> your local network. IPv6 routers should never forward those
> packets.

That's if ipv6 is even propagated through my router, running a semi-current
dd-wrt. I've not seen a thing about ipv6 in its configuration.
 
>
> If you don't get an address block from your ISP, you won't have
> a scope global address.

I have, for eth0, two scope global addresses in a new stretch install of
an r-pi-3b, one from avahi and one from e/n/i.d/eth0, but the instant it
goes global, it sends from the avahi address 169.etc. Since that's out of
my local /24 domain, it of course doesn't work for global access as my
router doesn't pass it. As this is a hosts file local network, how can
I turn off the avahi stuff forever? It's screwing me up.

> > What I've read so far has not addressed this serious security
> > concern. Or even mentioned it.  If in the future all addressing is
> > by dhcpd6, how do the other machines on my local net advertise
> > their presence to the other machines on my local net? So I can still
> > ssh -Y vna.coyote.den for instance, if I can ever make ssh work to a
> > win-10-home edition box. That's a rarely used hookup at best.
> > Presently the hosts file duplicated on all machines fills this
> > requirement.
>
> Most IPv6 boxes don't use dhcpd6; they use SLAAC: stateless
> automatic address configuration. But you're asking about local
> naming, and that's done the same way on IPv4 and 6: zeroconf,
> aka Rendezvous, Bonjour or Avahi.

I'd rather nuke avahi. Not the first time it's been a problem child, but
usually I've been able to find the right knife to neuter it. Not this
time...

> Try (installing avahi-utils if needed)  avahi-browse-domains -a
>
> -dsr-

That's the entire point: with a hosts file based local net, it's a
hindrance that has become a showstopper. And short of commenting every
line in /e/i.d/avahi-* out, I don't know how to stop that PITA from
screwing that machine up. Apparently systemctl disable avahi-daemon is NOT
sufficient. systemctl, spit. If it can't do what it's told to do, what
good is it?

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/gene>
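As an added illustration of the scope distinction Dan describes above (this is not code from the thread or from any of the projects mentioned): a Python script that classifies addresses by well-known prefix, parses `ip address` output, and applies the rule that a host- or link-scoped source cannot reach anything outside its scope, which is exactly why Gene's 169.254 avahi address never gets past the router. The listing is a constructed sample using documentation and ULA prefixes, and the script also covers the IPv4 blocks mentioned in the thread (169.254, 192.168), going slightly beyond the IPv6-only listing quoted above.

```python
import ipaddress
import re

# Prefix table mirroring the scopes Dan describes; ip(8) labels unique-local
# (fc00::/7) addresses "scope global" too, so the prefix check is what matters.
SCOPE_TABLE = [
    (ipaddress.ip_network("::1/128"), "host", "loopback, never leaves this machine"),
    (ipaddress.ip_network("fe80::/10"), "link", "link-local, routers must not forward"),
    (ipaddress.ip_network("fc00::/7"), "unique-local", "IPv6 analogue of 192.168/16 (RFC 4193)"),
    (ipaddress.ip_network("2000::/3"), "global", "globally routable"),
    (ipaddress.ip_network("169.254.0.0/16"), "link", "IPv4 link-local, what avahi-autoipd assigns"),
    (ipaddress.ip_network("192.168.0.0/16"), "private", "RFC 1918, not routed on the Internet"),
]
IFACE_RE = re.compile(r"^\d+:\s+(\S+?):")
ADDR_RE = re.compile(r"^\s+inet6?\s+(\S+?)/(\d+)(?:.*?\bscope\s+(\S+))?")

def classify(addr_str):
    """Return (scope, note) for a bare IPv4 or IPv6 address string."""
    addr = ipaddress.ip_address(addr_str)
    for net, scope, note in SCOPE_TABLE:
        if addr in net:  # an IPv4/IPv6 version mismatch is simply False
            return scope, note
    return "unknown", "not in a well-known block"

def parse_ip_addr(text):
    """Parse `ip address` output into (iface, address, kernel_scope, classified_scope)."""
    iface, rows = None, []
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            iface = m.group(1)
        elif m := ADDR_RE.match(line):
            addr, _plen, kernel_scope = m.groups()
            rows.append((iface, addr, kernel_scope, classify(addr)[0]))
    return rows

def source_reaches(src, dst):
    """Conservative rule: a host- or link-scoped source address only reaches its own scope."""
    src_scope, dst_scope = classify(src)[0], classify(dst)[0]
    return src_scope not in ("host", "link") or src_scope == dst_scope

# Constructed sample in the shape of `ip address` output; documentation and ULA prefixes, not real hosts.
SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1
    inet6 ::1/128 scope host
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet 192.168.71.3/24 brd 192.168.71.255 scope global eth0
    inet 169.254.12.34/16 brd 169.254.255.255 scope link eth0:avahi
    inet6 2001:db8:1c07:ff7:d63d:7eff:fe93:e318/64 scope global
    inet6 fd3a:1234:5678::1/64 scope global
    inet6 fe80::a2d3:c1ff:ce24:b122/64 scope link
"""
```

Feeding real output (`ip address | python3 -c 'import sys, scopes; print(scopes.parse_ip_addr(sys.stdin.read()))'`) shows which "scope global" entries are actually ULA, and `source_reaches` reproduces the failure when a 169.254 source is paired with a 192.168 destination.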