• henfredemars@infosec.pub
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    1
    ·
    edit-2
    7 months ago

    That sounds awesome.

    I really like stateless, but it bugs me that the router has to snoop on traffic if you want a list of devices. The good ones will actually do this, but most are blind to how your network is being used with IPv6.

    And it really bothers me that Android just refuses to support DHCPv6 in any capacity. Seems like a weird hill to die on. There are too many legitimate use cases.

    • Melody Fwygon@lemmy.one
      link
      fedilink
      English
      arrow-up
      4
      ·
      7 months ago

      I run both because of this; and because SLAAC enables features in Desktop OSes that offer some level of additional privacy.

      For example; Windows can do “Temporary IPv6 Addressing” that it will hand out to various applications and browsers. That IPv6 address rotates on a periodic basis; once every 24 hours by default; and can be configured to behave differently depending on your needs via registry keys.

      This could for example, allow you to quickly spin up a small application server for something; like a gaming session; and let you use/bind that IPv6 address for it. Once the application stops using it and the time period has elapsed; Windows drops the IP address and statelessly configures itself a new one.

      • kungen@feddit.nu
        link
        fedilink
        arrow-up
        1
        ·
        7 months ago

        I also like the privacy extensions, but how often does your prefix even change? Most places I’ve seen you get a /64 announced and it basically never changes – so somewhat elementary to “break through” that regardless.

        • Melody Fwygon@lemmy.one
          link
          fedilink
          English
          arrow-up
          2
          ·
          7 months ago

          I have a /48 that I can basically roll through.

          A /64 is more than enough though to prevent most casual attempts at entry; and does force more work / enumeration to be done to break into a network and do damage with. I’m not saying the privacy extensions are the greatest; but they do work to slightly increase the difficulty of tracking and exploitation.

          With a /48 or even a /56; I can subdivide things and hand out several /64s to each device too; which would shake up things if tracking expects a /64 explicitly.

          I actually use /55s to cordon off blocks inside the /48 that aren’t used too. So dialing a random prefix won’t help. You’d be surprised how often I get intrusive portsweeps trying to enumerate my /64s this way…and it doesn’t work because I’m not subnetting on any standard behavior.