
The IPv6 Transition

(www.potaroo.net)
215 points by todsacerdoti | 3 comments
1. TacticalCoder No.41898934
One of my biggest issues is: how do you even detect exfil when ICMP is mandatory in IPv6 for the other protocols to even just work?

IPv6 looks so Rube-Goldbergy to my eyes that if I squint just a little tiny bit and put a very thin tinfoil hat on, I could nearly swear this complexity is there by design. For example so backdoors allowing exfil through ICMP are impossible to detect.

IPv6 is chatty. So chatty.

There are networks where a single unaccounted for packet means something abnormal is going on (and at the very least requires enquiry): how does that work with IPv6?

An issue with these big design-by-committee thingies is that often one or two in the committees are little rats working for the man.

replies(1): >>41899409 #
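One defender-side answer to the detection question above, added here as an example (not from the thread or its author): pass the ICMPv6 types IPv6 cannot operate without (error signalling, including Packet Too Big for PMTUD, and Neighbor Discovery) and judge only echo traffic and anything else by size, rate and type. The record layout, thresholds and sample addresses are assumptions for illustration.

```python
from collections import Counter

# ICMPv6 types a host must be able to receive for IPv6 to work at all
# (error messages incl. Packet Too Big, and Neighbor Discovery); RFC 4890
# recommends never dropping these. MLD (130-132, 143) omitted here.
REQUIRED_TYPES = {1, 2, 3, 4, 133, 134, 135, 136, 137}
ECHO_TYPES = {128, 129}  # Echo Request / Echo Reply


def analyse(records, max_echo_payload=64, max_echo_per_window=3, window_s=10.0):
    """Return findings for records not explained by normal operation.

    records: iterable of (timestamp_s, src, dst, icmpv6_type, payload_len).
    Required control messages pass silently; echo traffic is judged on
    payload size and per-source rate per window; any other type is reported.
    """
    findings, reported = [], set()
    echo_count = Counter()
    for ts, src, dst, itype, length in records:
        if itype in REQUIRED_TYPES:
            continue
        if itype in ECHO_TYPES:
            if length > max_echo_payload and ("oversized_echo", src) not in reported:
                reported.add(("oversized_echo", src))
                findings.append(("oversized_echo", src, dst, length))
            win = int(ts // window_s)
            echo_count[(src, win)] += 1
            if echo_count[(src, win)] == max_echo_per_window + 1:
                findings.append(("echo_rate", src, win, echo_count[(src, win)]))
            continue
        findings.append(("unexpected_type", src, dst, itype))
    return findings


# Constructed sample (not captured traffic): 2001:db8::10 does NDP, gets a
# Packet Too Big and pings once; 2001:db8::42 sends a burst of large echo
# requests and a private-experimentation type (100).
SAMPLE = [
    (0.0, "2001:db8::10", "2001:db8::1", 135, 24),
    (0.1, "2001:db8::1", "2001:db8::10", 136, 24),
    (0.5, "2001:db8::1", "2001:db8::10", 2, 1232),
    (1.0, "2001:db8::10", "2001:db8::99", 128, 56),
    (1.2, "2001:db8::99", "2001:db8::10", 129, 56),
    (2.0, "2001:db8::42", "2001:db8::99", 128, 1400),
    (2.1, "2001:db8::42", "2001:db8::99", 128, 1400),
    (2.2, "2001:db8::42", "2001:db8::99", 128, 1400),
    (2.3, "2001:db8::42", "2001:db8::99", 128, 1400),
    (3.0, "2001:db8::42", "2001:db8::99", 100, 8),
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
```

The point is that "a single unaccounted-for packet" remains a workable baseline once the required control types are accounted for explicitly rather than blocked.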
2. kstrauser No.41899409
ICMP is required for IPv4 to work correctly, too. It's often completely blocked by cargo-culting net admins who then wonder why their things fail that ICMP would have fixed.
replies(1): >>41901693 #
3. jiggawatts No.41901693
I have a laundry list of issues like this:

Firewalls stopped sending RST packets (or any other kind of error) by default on all ports more than a decade ago. This is great for Internet-facing security, but has converted from easily diagnosed instant failures on internal networks to 30 second timeouts... which are indistinguishable from "host is down".

Don't worry! Just ping the host... err... can't do that either because of overly paranoid admins like you mentioned.

Next, spend a week trying to figure out why packets seem to go only one way through a cloud VPN only to discover that Path MTU Discovery uses ICMP and without which VPNs are basically broken.

Fun.