IPv6 the selling point everyone missed.
Chrysalis:
Got involved in a security discussion on another forum. They had a few hacked accounts so enabled 2FA for everyone.
The argument I put forward is I consider forced rotation of passwords and forced expiry of login sessions a lazy approach to security that also causes inconvenience.
There is one security method that has always been very strong and that is IP based ACLs.
IPv6 allows every internet device out there to have its own routable IP; ISPs would have to get used to proper allocations, not temporary DHCP ones, sorry BT/Sky. The big problem though is the privacy features implemented, these have the side effect that makes this not workable, privacy has in effect been prioritised over security.
If we were in an IPv6 globally enabled internet with no privacy randomisation of the address, then every service out there could utilise an automated ACL, so that when you login, you don't need to reauthenticate providing you have valid session data on the client device and the IP is in the ACL; if either of these mismatches, you then require 2FA. This would kill all the database account compromises dead, which probably account for 99% of compromised accounts out there.
Some companies already do this, especially datacentres: if I login to Linode, SoYouStart, Hetzner and my IP has changed, I have to redo 2FA. Some even let you configure static IP whitelists as well. I think it's the way forward and it's that killer IPv6 feature, albeit without the privacy randomisation.
Additional note: I think AAISP also do this, if they detect an IP change, then it's 2FA time.
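The scheme described in the post above (valid session data plus an IP ACL means no re-authentication, anything else means 2FA) as an added worked example. This is constructed illustration code, not code from the forum or from any of the providers named above; the token names, addresses and the choice of a /64 for IPv6 and a /32 host for IPv4 are assumptions. Binding an IPv6 session to its /64 rather than the full address is what makes the check survive the privacy randomisation the post complains about, since temporary addresses rotate only the lower 64 bits within the same prefix.

```python
"""Step-up authentication keyed on the client's network prefix.

Constructed example (not from the thread). A session is bound to the network
it was created from: the /64 for IPv6 and the single /32 host for IPv4. A
request is accepted without a second factor only when it carries an unexpired
session AND arrives from that prefix or from a user-configured static
allowlist; anything else steps up to 2FA, after which the session is re-bound
to the new prefix.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PREFIX_LEN = {4: 32, 6: 64}  # assumed policy: IPv4 host, IPv6 /64


def session_prefix(ip_text: str):
    """Network the session will be bound to, derived from the client IP."""
    ip = ipaddress.ip_address(ip_text)
    return ipaddress.ip_network(f"{ip}/{PREFIX_LEN[ip.version]}", strict=False)


@dataclass
class Session:
    user: str
    prefix: object  # IPv4Network or IPv6Network
    expires: datetime


class Authenticator:
    """Tiny in-memory session store with prefix-bound step-up logic."""

    def __init__(self, session_ttl=timedelta(days=30)):
        self.sessions: dict[str, Session] = {}
        self.static_acl: dict[str, list] = {}  # user -> [networks]
        self.session_ttl = session_ttl

    def allow_network(self, user: str, cidr: str) -> None:
        """User-configured static allowlist entry (the 'static IP whitelist')."""
        self.static_acl.setdefault(user, []).append(ipaddress.ip_network(cidr))

    def issue(self, token: str, user: str, ip_text: str, now: datetime) -> None:
        """Called after a fully authenticated login (password + 2FA)."""
        self.sessions[token] = Session(user, session_prefix(ip_text),
                                       now + self.session_ttl)

    def evaluate(self, token: str, ip_text: str, now: datetime) -> str:
        """Return 'allow' or '2fa_required' for a request bearing `token`."""
        sess = self.sessions.get(token)
        if sess is None or now >= sess.expires:
            return "2fa_required"  # no valid session data on the client
        ip = ipaddress.ip_address(ip_text)
        # Mixed IPv4/IPv6 containment checks simply evaluate to False.
        in_session_prefix = ip in sess.prefix
        in_static_acl = any(ip in net for net in self.static_acl.get(sess.user, []))
        if in_session_prefix or in_static_acl:
            return "allow"
        return "2fa_required"  # IP moved outside the ACL

    def rebind(self, token: str, ip_text: str, now: datetime) -> None:
        """After a successful step-up, bind the session to the new prefix."""
        sess = self.sessions[token]
        self.sessions[token] = Session(sess.user, session_prefix(ip_text),
                                       now + self.session_ttl)


def demo():
    """Walk one IPv6 session through the four interesting cases."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    auth = Authenticator()
    auth.issue("tok-alice", "alice", "2001:db8:1234:5678::abcd", t0)
    return [
        # same /64, different (privacy) interface identifier -> no 2FA
        auth.evaluate("tok-alice", "2001:db8:1234:5678:ffff:1:2:3", t0),
        # different /64 -> step up
        auth.evaluate("tok-alice", "2001:db8:1234:9999::1", t0),
        # same address but session expired -> step up
        auth.evaluate("tok-alice", "2001:db8:1234:5678::abcd", t0 + timedelta(days=31)),
        # unknown session token -> step up
        auth.evaluate("tok-nobody", "2001:db8:1234:5678::abcd", t0),
    ]


if __name__ == "__main__":
    print(demo())
```

The expiry check is what the post calls "valid session data": the IP match never substitutes for it, so a stolen database credential alone (the "database account compromise" case) still hits the 2FA step because the attacker holds neither a session token nor the victim's prefix.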
meritez:
I still remember MoDaCo being hacked, that killed that community.
Weaver:
Chrys makes a good point. My iPad's IPv4 address is globally routable and static, so could use that, but as Chrys mentioned, it's iPadOS that's in control of IPv6 addressing, not me. I could have an ACL on the /64 with a wildcard on the rightmost 64 bits, that would work.
Alex Atkin UK:
It's quite ironic, considering one of the big reasons I rolled back IPv6 on my network is because I can't monitor how much traffic is going to each client on pfSense for IPv6.
I've recently been rolling it out on its own VLAN (dual-stack with a different IPv4 subnet) and discovered the Xbox STILL insists on re-creating its UUID every time it boots, so you cannot assign it a static IP.
Ultimately my plan is to upgrade my TV cabinet switch to smart-managed Pro (apparently Netgear in their infinite wisdom allow SNMP on their Pro Switches but not on their Plus) and just monitor traffic over the ports instead.
Chrysalis:
Yeah, I am not a fan of the UUID dynamically created IP nonsense, and as I think you already mentioned Alex, the Xbox you cannot set a static IPv6 on at all. This makes auditing and security more difficult.
What is recreating the UUID, pfSense? There should be an option there to make it only generated once, and then preserved across reboots.