matthewsteeples
Dialled in
Joined 9 years ago
User Profile
User Widgets
Contributions
Re: IPv6 support on Virgin media
2 problems with that 1) They're running NAT64 which is basically another form of carrier grade NAT (so no different to DS-Lite) 2) This is a guest network for a corporate environment, so no one is going to be running servers on it or other things that you'd typically do on a home network, and people are going to be using relatively new and updated devices... And they still only got to 85%. Good luck convincing VM to implement something that will cause at least 900,000 customers to need to contact support! When they get round to it, I'd bet on them offering DS-Lite to all, and then a real IPv4 address for a monthly extra. They win both ways then. Majority of customers are happy, minority of customers pay a bit more to do whatever they want a public address for, and they sell the majority of their addresses.1.9KViews1like2CommentsRe: IPv6 support on Virgin media
ChrisJenkins wrote: This second point seems quite definitive to me... That would also be explained perfectly by the hub theory though, because all the hub would see is the VPN connection and it wouldn't be able to tell that protocol 41 is in use or need to do any processing to cater for it1.7KViews0likes13CommentsRe: IPv6 support on Virgin media
@shanematthews You say that, but Virgin have a mere 9.5 million IPv4 addresses. With (As of December 2012) 4.2 million home subscribers (from a footprint of 15 million homes), 3 million mobile subscribers, plus business (who may want more than 1 IP address), internal infrastructure (do a traceroute and you find a handful of public IPs before you hit "the internet", mailservers, dns etc) they're probably not sitting on as many as they'd like to be! They certainly don't have enough to sign up every property in their current catchment area, and they're looking at expanding too20KViews0likes106CommentsRe: IPv6 support on Virgin media
ksim wrote:I told you, "the security" is always an excuse for not implementing IPv6, you will hear the same from VM in 10 years, IPv6 is "not secure" because it doesn't have NAT. I have no idea why everyone is saying this, IPv6 miles more secure. Your local network is open to any javascript from your browser, that's why I have authentication enabled on any service even accessed locally; and try to build a system which handles around 5million simultaneous connections and tell me how you will scale to billions of devices and then to trillions. The fact that your local network is open to any javascript from your browser is exactly why you don't want devices accepting incoming connections unless there is no alternative, and why IoT devices should always make connections out instead. It's not because of IPv4 or IPv6. You've proved Microsoft's point there! You're going to have exactly the same scalability problems whether your trillion simultaneous connections are inbound or outbound. However you can handle the load better with outbound connections (from the device to the cloud service) because you can use DNS or AnyCast to make sure that the connections are spread out geographically and handled "at the edge". You can then scale based on region, and this works exactly the same on IPv4 as it does on IPv6.1.6KViews0likes0CommentsRe: IPv6 support on Virgin media
ksim wrote: 2) I do not think you understand IoT if you are saying that every device will open and maintain a connection to a cloud, that means the cloud have to maintain trillions of open and non-active connections, a total waste of resources and unscalable. This is not how it is working. You might want to let Microsoft know that they don't understand it as well then: https://docs.microsoft.com/en-us/azure/iot-fundamentals/iot-security-ground-up Additional connection security features include: In order to protect devices from unsolicited inbound connections, Azure IoT Hub does not open any connection to the device. The device initiates all connections. On a serious note, I think we're going to have to respectfully disagree with each other. There isn't a single right method to do everything that we're talking about, and I don't think it's worth going backwards and forwards over the same points. We all want IPv6, and that's enough really :)1.7KViews0likes0CommentsRe: IPv6 support on Virgin media
ksim wrote: 1) NAT != SECURITY !!!! it is a **bleep**ty workaround for the addresses shortage. You still need proper firewall rules!!!! UPnP is a security nightmare. 2) IoT requires access from outside world as devices are managed from cloud services, they register themselves in cloud and after the cloud makes calls to them. Surprise they do not need DNS for this. There is no security issue also, port forwarding and IPv4 has no advantage in this, even port scanning on IPv4 is easier. 3) You do not need complex firewall rules, as connectivity and authentication is managed on the device itself. 4) Stop show examples of **bleep**ty implementations and workarounds done for IPv4, all this is not needed on IPv6. SIP phones with STUN is IPv4 nightmare! 5) Ads are not using IPs to track users, most of consumer IPs are dynamic and not reliable (laptops/ mobile phones), they are using browser fingerprinting, IPv6 won't stop then and won't help them. 1) Partially agree. NAT is not equal to security but in its default configuration it blocks all incoming TCP connections (and only allows UDP connections in if one has been made out) which is how you want things to be configured 2) They don't need DNS because this is the other way around. Devices open the connection to the cloud service and keep it open for 2 way communication, rather than the cloud service opening the connection. Granted IoT covers a broad array of devices, but the vast majority of consumer products work this way (and are more secure because they do so). I'm willing to accept that I'm wrong if you have some examples, but this is how my devices work 3) "Managed on the device itself" is a security risk. There are countless flaws in software (that are sometimes patched) that allow you to either DoS a device or gain access to it by sending it data that it's not prepared for. If you have devices that could accept connections, you want these stopped at the perimeter (even on a home network) which means you're going to want to configure ports on a "whitelist" basis (which configuration equivalent to port forwarding for the average user), otherwise you've got exactly the same functionality (and flaws) as uPNP! 4) These devices aren't going to change when IPv6 is widespread. Nest/Hive are still going to have the hub talk to their system, and the app on your phone talk to their system. This allows them to diagnose issues easier, gather metrics, deal with latency issues, reduce the security footprint etc. It's not a workaround for IPv4. Yes, SIP phones will work better, and anything else that requires a direct connection, but that's not the vast majority of devices. Even IM and non-SIP calls run on centralised architectures now, more to guarantee network connection quality than for any "direct connection" issues (Skype had P2P pretty much solved) 5) I can't specifically speak for ads, but Google/YouTube certainly do. If my step-daughter browses stuff on YouTube (not signed in) then recommendations based on those videos appear on other (also not signed in) devices on our network.1.7KViews0likes0CommentsRe: IPv6 support on Virgin media
VMCopperUser wrote: The biggest benefit is User to User hosting. Something that Content providers, Broadband providers, and most of the monetized industry out there cant benefit from. I have no doubt that User-Tracking/Ad services are also pushing back against IPv6. Creative IP changes could see that industry get stung. I look forward to NAT going away. But it's difficult when no one wishes to lay the egg, or hatch it. That poses its own problems though. What are you going to be hosting that is going to be better on your VM upload bandwidth than on a server/CDN somewhere? It'll be fine for text pages, but all you'd need is 3-4 people streaming a video at once and your connection would grind to a halt. Any more than that and your users are going to be faced with buffering. If you want user to user hosting to take off, then we need to start looking at technologies such as https://ipfs.io which don't require IPv6 to work (as they punch holes and do lots of clever stuff) but would obviously benefit slightly from it. Also, your IP address isn't currently a reliable tracking mechanism, as a) multiple people in a household share it and b) not every provider offers static (or "sticky" in the case of VM) addresses. Combine that with GDPR and I bet that advertisers aren't that bothered about it. If anything, IPv6 helps them because each user (for a given session) is guaranteed to not be sharing that address with anyone else. And if their OS doesn't cycle addresses for privacy reasons (defaults to on in Windows, but can be disabled) then they will always have the same IP address (assuming ISP keeps the prefix the same)2.3KViews0likes2CommentsRe: IPv6 support on Virgin media
ksim wrote: My point: IPv6 is needed now in our homes for IoT devices. I already have around 10-15 devices/services. It is an easy plug and play with IPv6, but requires a lot of knowledge to make NAT/PROXY/Forwarding work with IPv4. IPv4 is how VM creates a bad user experience today. Want Nest secure? -> learn tunnels, and VM will cap you. Want to access CCTV footage without exposing it to somebody else servers? -> learn port forwarding and proxy. Simple things become 100 times more complex. The problem is that a) we're in a majority and b) IPv6 won't change a lot of the things you're complaining about. Don't get me wrong, I want IPv6 and believe it's the future, but I disagree with the reasons you're saying. I've currently got (according to the Hub) 20 devices connected to the internet, for 3 humans. 1 of them is a manufactured camera which works with their app inside and outside the house without any port forwarding required (no account required, and I assume it goes via a server, I've not checked the traffic. There's a slim chance it could be opening a port). 1 is a smart thermostat which works with their app without any port forwarding required (which I'd be amazed if your Nest Protect doesn't do too). 3 of them are "smart speakers"; again no config required n of them are Raspberry Pis (which do require config, but they'd require config on IPv6 too) IPv6 makes "inbound" connections a lot easier, but the majority of IoT doesn't want inbound connections because it's a massive security risk. IPv6 isn't going to change any of the communication pathways for the average user: the thermostat is still going to go through their web service, which is what it should do (at least when you're outside the house). If you think port forwarding is hard to configure, wait until you have to explain to someone that they need to update the firmware on their lightbulbs because all of a sudden it's passively sniffing their network traffic and relaying information out to China. So on to the bits that we want. It's still going to require some configuration, but rather than port forwarding we're going to have to configure some form of DNS settings (unless you're memorising or hardcoding 128 bit values) and firewall rules (how do you control whether a device is accessible outside of your network, as everything would have a public address by default). It makes no difference to me whether I have to forward a port for a Raspberry Pi or whether I have to have a DNS record for it. As I'm most likely on IPv4 when out and about (public hotspots etc) I'd need to do both for a while anyway (that's hypothetical, I actually use ZeroTier)2.3KViews0likes0Comments