Comcast Residential /64 Delegation
-
-
I will have to reboot pfSense later - as I work from home, and in the middle of my day here. I will lose Internet during that period of reboot.
Let you all know.
Curtis
-
@bob-dig said in Comcast Residential /64 Delegation:
Check the box: Do not allow PD/Address release
That wouldn't cause a complete loss of IPv6, only a new prefix.
-
@jknott said in Comcast Residential /64 Delegation:
That wouldn't cause a complete loss of IPv6, only a new prefix.
For me pfSense is failing when the prefix changes so that is why I gave your advice.
-
@bearhntr that analogy not actually true - but ok.. IPv6 is no more granular than IPv4 - there is just way more addresses.
Does not make it more granular.
Think of it this way vs everyone living in say an apartment complex and the mailman having to just drop off and pick up mail from the mail room at the building (nat) - and the building mailman moving the mail to apt A, B and Z, etc.. The address on the mail was granular enough to get to the building, and even has which apartment it is and who - its just the building uses a address scheme for apt that the public mailman doesn't understand
With ipv6 each apartment can just send and get mail directly to their own mailbox.
-
@johnpoz For a residential account, that does not have any option of paying more than a single dynamic public IPv4 address, IPv6 definitely feels more functional in being able to get around this, especially without NAT, and ultimately can be more granular.
Not that I have tried this, but I know I can ping clients directly from anywere over both, but IPv6 should be much cleaner and direct, where IPv4 would require dynamic DNS, NAT, and port forwards to accomplish the same. For a residential account, IPv6 feels like a way around the ISP restricting static and multiple addresses.
-
@jpvonhemel said in Comcast Residential /64 Delegation:
and ultimately can be more granular.
No it is not more granular than IPv4 - still a just an address.. To a device - think you guys need to look up what granular means ;)
His analogy of address makes no sense in comparing ipv4 to ipv6, the ability to have more addresses does not add granularity to the address itself..
Your toaster having its own address - again doesn't add granularity. And that can be done with IPv4..
The ability to not have to nat - doesn't add granularity to the address. Yes IPv6 with the huge amount of space available allows users to have more addresses to use. But that has been possible with IPv4 - you not having enough IPv4 and having enough IPv6 doesn't add granularity - it just adds more addresses.
-
I was not trying to start an argument and I appreciate the help. But I must disagree. Just about every single router sold in the US has a default IP Address of 192.168.1.1 or 192.168.10.1 (I have had numerous). If every household in America had the same IPv4 address range for their home, they would all be 192.168.1.xxx (or .10.xxx) -- INSIDE their home.
Granted every network device would have its own MAC address - providing a granular break down of those addresses (within that home). As a MAC address (short for media access control address) is the worldwide unique hardware address of a single network adapter. The physical address is used to identify a device in computer networks. So even if your neighbor's TV and your TV both have the same IPv4 address (192.168.1.15) - they would have different MAC addresses...but also their Internet gateway would most likely be different as well even if on the same ISP.
What I was alluding to was the granularity of IPv6 to IPv4
(granularity -- [ˌɡranyəˈlerədē] NOUNTechnical
the scale or level of detail present in a set of data or other phenomenon.)Was that in IPv6 -- yes while having a much larger data pool of addresses. This being said, it does have a form of granularity in that traffic has a more direct path to a device - rather than having to hit multiple translation tables (ARPs).
Again - I was not trying to start an argument, but given MAC addresses are unique, and follows a world-wide 'format' - many IPv6 addresses are based on this MAC address (in fact may be part of the IPv6 address).
I saw in an online video several years ago - that within IPv6 there are enough IP Addresses that every man, woman, their children and pets for 4 generations and their devices could be assigned a specific address - and still have millions of addresses left over. <LOL - that is a lot of addresses>. So I am just waiting for that letter from the N.W.O. telling me I have been assigned an IPv6 address and that is my new "identifier".
-
Your analogy is wrong dude just plain and simple. A different address that points to the same thing does not provide more granularity.. Not wanting to argue - just pointing out that reason to move to IPv6 doesn't make any sense. Getting rid of nat doesn't provide more detail to what you point to.
Detail - the detail does not change from an IPv4 to IPv6.. Be it that IP is natted or not - 1.2.3.4:80 gets to my webserver.. "aaaa:bbbb:: 1234:80" still gets to my webserver.
Switching to IPv6 does not provide any more granularity than the IPv4..
multiple translation tables (ARPs).
What? Are you talking about mac - again every layer 2 your traffic passes through will use different mac addresses to move the traffic. Just be cause you have IPv6 doesn't make some magic tunnel between, still lots of hops to get there.
So what if everything on the planet can have an IP - this does not add detail to what that address is.. Still points to X, be it ipv4 or ipv6..
-
One thing I've often said is there are enough addresses to give every person on earth over 4000 /48s.
-
@jknott Yup agree - doesn't mean any specific address has more "detail" over the IPv4 address.. Which was my point about why the analogy being bad.
Sure there are advantages to having really unlimited address space - the big one hey no nat, hey your phone and and ipad and laptop and watch and etc.. etc.. Can all have their own address. But this does not add "detail" So going to IPv6 does not add granularity like what planet.
To be honest with with IPv6 and devices all just using random temp IPvs to talk to something - you could say granularity in my firewall rules become more difficult. How do I allow or block device X from going to xyz, if he could use any address in the whole /64 to go there, verse if he was IPv4 I would know exactly what address he was coming from.. Its very simple and easy to set it to have only that IP address via dhcp reservation.
While this is possible with ipv6 - its not as simple, and there is a huge learning curve. And depending on the devices you might not be able to use dhcpv6, they might only support slaac. Also with something like comcast and your prefix changing - now your rules become even more difficult trying to use granularity of specific details of device X, when that could change at the drop of hat.
-
@johnpoz said in Comcast Residential /64 Delegation:
How do I allow or block device X from going to xyz
It would be easy enough if pfsense could filter on MACs, as some other firewalls do.
-
I want to wade carefully into the granularity discussion with regards to IPv6.
Both of you are correct, but you are coming to your conclusions from what I think are different directions.
First, IPv6 has 128 in the exponent. That yields a hugely, enormous, gigantic address space. It is IPv4 gone absolutely crazy. There are probably enough available IPv6 addresses to give every cell in your body its own address (perhaps many times more than enough, as I did not bother to Google how many cells are in our body ).
But the standards that define IPv6 are not really any different than those governing IPv4 space. The various sections of the address get used to coordinate routing, just like the network parts of IPv4 addresses today. So @johnpoz is correct to say IPv6 does not currently offer any more "granularity". It just offers more of the same level of "granularity" as IPv4 does today. All I can really do is identify a network and a host with IPv4 or with IPv6. IPv6 just gives me a lot more hosts, but does not inherently tell me anything about the various hosts.
However, from @bearhntr's point of view, because IPv6 offers so many more available combinations of bits for an address, the potential is there for more "granularity". Notice I said "potential", though. The current standards do not use any of that potential.
Here's what I mean. Suppose I am a major nationwide ISP. Because I have so many bits available, I could start carving up the network portion of the IPv6 addresses into much finer pieces say for geolocation (as one example). Today, with IPv4, the best you usually get is perhaps a city name based on the IPv4 subnet. That's because there aren't enough bits to start splitting that down to the individual neighborhood and street level and still leave enough bits to have unique hosts. But with IPv6, I could perhaps carve my network geolocation up down to the street level. And even up to individual buildings on that street (or apartments in a complex). So from this point of view, I can say IPv6 has more "granularity". Not that it inherently has more, but that I can give it more by purposefully using the additional address bits to help me segregate things more.
Here is another example. Because there are so many addresses, it would be feasible to create some standard that isolates some portion of the IPv6 address bits to specify maybe a device type such as toaster, refrigerator, oven, car, etc. This would require action at an international level to create and maintain, and that has not been done. But if it was, then you could say IPv6 offers additional "granularity" because you could identify what type of device you were talking to by noting some bit pattern in its address. Sort of like how MAC addresses today contain a prefix that identifies the manufacturer of the card.
So both of you are right, but you are coming at the problem from different points of view. At the moment, IPv6 does not automatically offer more granularity. That's because we are not taking advantage of some possibilities the additional number of address bits offers. However, if we did standardize on a method for sub-dividing the address bits and assigning some intelligence to those divisions, then you could argue IPv6 offers more granularity.
-
@jknott said in Comcast Residential /64 Delegation:
It would be easy enough if pfsense could filter on MACs, as some other firewalls do.
But there is no sign of doing that, am I right?
Would it be possible to assign every host according to the MAC-address one virtual IP that would act as an alias for the host, that then could be used for rules?
I hope one day they find a way, until then, every host its own vlan.
-
I thought the idea was filtering devices based on their IPv6 address. That's easy enough for incoming traffic, which normally uses the consistent address. However, outgoing, which uses random privacy addresses, cannot be filtered by a single IPv6 address. On the other hand, not only will MAC filtering do that, it will also block IPv4 (and even IPX) addressess at the same time.
-
@bmeeks Great post, but while such a thing might be possible. Such assignment is already possible and done with ipv4. Companies do it all the time while assigning public and rfc1918 space. Even can be done by floor of a building, or down to room level.
So while the much larger space of ipv6 would allow more freedom in doing something like that. Again its not something new to ipv6.
And to be honest I find it highly unlikely that isp would assign space per street or neighborhood on purpose or per specific plan, other than their normal IP plan.. But guess what - once the space is assigned that info become available - just like IPv4... A specific network is going to be used in a specific region. You don't use part of a network on one side of the city and the other part on the other side of the city. Just because some amount of space would need be assigned to area, once it is assigned - you now have the details of street/neighborhood anyway. No matter what size of network is used, that L2 that network is assigned to would be in a specific area - not like you stretch an L2 across the city, etc.
Ipv6 being broken up network/host while the space is larger - it does not provide for any more granularity than ipv4. Also broken up network/host - size of the overall amount of space, or size of the networks doesn't change anything from a detail point of view.
You could also not even with firewall rules - make a point about loss of detail with ipv6. With ipv4 assignment is always dhcp, you don't let devices just assign some random IP, well there is 169.254 link local - but this doesn't route, and there is no way to assign gateway auto, etc. So with dhcp I have detail of a client that grabbed an address even if no other traffic sent. I have mac of said device that gives detail about a client that connected to the network. With ipv6 slaac - I have no idea that some client connected to the network really. There is no "lease" that I could look up say a hostname and mac.. This is a loss of granularity ;)
-
@bearhntr My ISP (Charter) assigns IPv6 hostnames, but not at first. The device has to be online for a while and there may be some additional trigger I'm not aware of (eg: reverse lookup).
-
How did you discover this? What were you looking at to see the hostname?
Are you meaning your pfSense box got a hostname from Charter - or your devices within your network? Is pfSense your DNS and DHCP or do you use something else?
Curtis
-
I have found the DUID of the LAN interface in pfSense. Is there a way to find the IAID?
It is easy in Windows (just command prompt "ipconfig /all")
I have run the shell in pfSense and issues ifconfig -- but does not even show the DUID.
Curtis
-
@bearhntr said in Comcast Residential /64 Delegation:
but does not even show the DUID.
What exactly are you going to do with that exactly - has ZERO to do with comcast setting up PTR for you..