Remember when the basic operating mode of the internet was to connect one computer to another so that they could communicate with only routers as intermediaries?
Am I remembering that right? /s
I’m fairly sure the poor deployment of IPv6 isn’t only to do with its horrifically long IP addresses.
(Not funny story)… My “ISP”, Rogers (a media company, really, piggybacking cable on IP infrastructure), doesn’t do IPv6 without (put your coffee on the table, finish your mouthful, and sit down) issuing you a dynamically allocated /64 every time you connect.
“Dynamic IPv6”, not just the punchline to a bad joke, it’s reality, but I digress…
The point being that lousy and broken internet services serve other interests.
The safest info is the stuff you either don’t collect or don’t keep.
Given that Signal doesn’t see or store any of the information, I think a more apt meme would be:
Does anyone know if Cory ever went ahead with the FOI…?
Well, dynamic allocation is the way it should work. If you want static naming use DNS. That said, if you are only getting a single /64 that is not great. Better ISPs use prefix delegation to give you a /56 or even a /48 which you can partition into multiple /64 subnets. That is the real advantage of IPv6 for the end-to-end internet, it has the address space and protocols to delegate multiple subnets of globally routable addresses to edge nodes so we can build our networks without the need for NAT and related NAT tunneling protocols.
Firewall and security concerns are still an issue. That is more of a fundamental challenge of maintaining end-to-end connectivity on the modern internet.
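An added illustration of the prefix-delegation point above (my own example, not code from any commenter): it carves /64 links out of an ISP-delegated prefix, shows why a single /64 cannot be subnetted further without breaking SLAAC, and models the renumbering that a changing delegation forces on every host. The prefixes are constructed documentation-range values.

```python
import ipaddress

SLAAC_PREFIX_LEN = 64  # SLAAC requires a full /64 per link (RFC 4291 / RFC 4862)


def links_available(delegated: str) -> int:
    """Number of /64 links a delegated prefix can be split into."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > SLAAC_PREFIX_LEN:
        return 0
    return 2 ** (SLAAC_PREFIX_LEN - net.prefixlen)


def carve_links(delegated: str, n_links: int):
    """Return the first n_links /64 subnets of an ISP-delegated prefix.

    A single /64 yields exactly one link, so a household wanting separate
    LAN / guest / IoT segments needs a /56 (256 links) or /48 (65536 links).
    """
    net = ipaddress.IPv6Network(delegated, strict=True)
    available = links_available(delegated)
    if n_links > available:
        raise ValueError(f"{net} yields {available} /64 link(s); {n_links} requested")
    subnets = net.subnets(new_prefix=SLAAC_PREFIX_LEN)
    return [next(subnets) for _ in range(n_links)]


def renumber(addr: str, old_delegation: str, new_delegation: str) -> ipaddress.IPv6Address:
    """Move an address to a new delegated prefix, keeping its subnet id and
    64-bit interface identifier. This is what a dynamic delegation forces
    on every host (and every firewall rule keyed on the old prefix)."""
    a = ipaddress.IPv6Address(addr)
    old = ipaddress.IPv6Network(old_delegation, strict=True)
    new = ipaddress.IPv6Network(new_delegation, strict=True)
    if old.prefixlen != new.prefixlen:
        raise ValueError("delegations differ in size; subnet numbering does not carry over")
    if a not in old:
        raise ValueError(f"{a} is not inside {old}")
    host_bits = 128 - old.prefixlen  # bits below the delegated prefix are kept as-is
    low = int(a) & ((1 << host_bits) - 1)
    return ipaddress.IPv6Address(int(new.network_address) | low)
```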
My name is Robinson, my rank is Mrs, and I do not have a serial number.
Mark, small correction: HSI is the investigating group. Not FBI.
So all DHS has to do is hand over their Everlasting Gobstopper and Signal will give them the keys to the whole thing?
I wonder how long it will be until someone proposes legislation to prohibit encryption altogether.
Good encryption systems make the encrypted text look like random bits, so whoever does that will also have to outlaw random bit streams, which might be something of a challenge.
Well, dynamic allocation is the way it should work.
Um… IP address is baked in at Layer 3 of the network. DNS is an overlay service on IP.
IP “scarcity” and its illegitimate offspring, NAT and dynamic addressing, does not serve the user, it serves other interests.
If you can rely on a service always being at an IP or within an IP range then firewalling can be rock solid. Intermediary computers could become irrelevant. Nobody would even think to ask a third party for communication information, you would have to get the legal equivalent of a wiretap.
Bonus: SolarWinds type attacks would be much, much harder. My kids’ school’s fixed IP range could be set as the only computers they get to talk to from 8:30 to 3… I challenge you to rigorously firewall off Instagram. I have relatives who are pro networking gurus for public school boards and it’s a perpetual PITA. Ask for a dynamic address on my network… … go on… I dare you…
Whoever it is will have to get past the banks, so it will never happen. Without encryption money can’t move safely.
Picking on the poors is fine for political and , but nothing in Anglosphere political or legal realms is allowed to interfere with banking and the wealth of the bankers. Any politician who tries to ban encryption will inevitably run into a brick wall.
Anyone with half a brain knows that banning encryption is a bad idea. Which is exactly why I think some congresscritter will attempt to do that.
If you outlaw encryption, only mathematicians (and mathematically minded outlaws) will have encryption.
will also have to outlaw random bit streams
Including ones embedded in otherwise innocuous looking photographs of my last camping trip… …Insert steganography link here…
The real fun begins when you statistically profile your network activity then program computers on your network to always generate the same level of activity embedded within a high rate of random packets to arbitrary but innocuous destinations…
Professor Moriarty was both.
DNS is not an “overlay” on IP, it is a distributed database that maps services to addresses. IP is indeed at layer 3, the “network layer.” It contains information for transferring packets from nodes on different networks. That means the IP address is tied to routing and network topology, not node identity. Conflating IP address with identity is a huge mistake.
Dynamic addressing has nothing to do with IP scarcity. Dynamic addressing is the only sane way to manage large, changing deployments of devices. Even if you use static assignment it is best to do so (whenever possible) by using DHCP to facilitate renumbering when necessary. One of the best parts of IPv6 is that it extends dynamic addressing to allow not just endpoints but also edge routers to be automatically configured via prefix delegation.
But you can’t. IP addresses change whether you explicitly use DHCP or not. Unless you are a big enough organization to participate in BGP and have your IP address block and routing information announced and remembered by all routers on the internet – which you absolutely are not. Even then, if you are not confined to one site, you are going to deal with things moving between networks or multiply homed.
The fact that you can’t effectively firewall Instagram (which probably does use mostly statically assigned addresses) by IP address should serve as pretty good evidence that you also will not be effective at allowlisting your school by IP. It works – as long as you still allow DNS, and the school hosts all of their servers in their IP block, don’t use any third party services, don’t use any web pages that load elements from other locations, don’t share any hosting with services you want to block, and don’t use a content distribution network. And maybe all of that is a good idea, so let’s say they do it and it works – until they change their IT and have to have all of the kids get all their parents to change their network configuration.
At least for client side, application level access control (layer 7) is a much better way to go. Especially with HTTPS and anything layered on top of that where the hostname is now the authoritative identifier. You can configure your browser to block Instagram or only allow access to services in your school’s domain (regardless of their physical location). It’s still a hard problem, because cross-site linking is commonly used, but at least it would have a better chance than IP based firewalls. Since domain names remain under the authoritative control of their owner, they can be mapped to services independently of network topology.
For server side it is harder. Clients don’t necessarily have useful hostnames, most protocols don’t provide a client side hostname if it exists, and reverse lookup names are controlled by the IP address owner not the computer manager. For the most part, servers that want to be secure should also be using higher level authentication, but to protect against pre-authentication bugs in the server stack it can be useful to filter off large blocks of the internet by IP, especially since they are assigned geographically. This shouldn’t be confused as a primary mechanism of access control, but it can cut down on log noise and exploit scanners, at least to some extent.
Don’t worry, I have no interest in connecting to your network.
I’m a huge supporter of end-to-end connectivity. I hate NAT and ISP firewalls and other things that make it hard for us to use end-to-end connectivity and force everyone into garbage cloud services that only exist to get around NAT but then lock us in. Dynamic addressing is not the problem, and railing on your ISP (which I am sure is terrible) for doing dynamic addressing just makes you look like a troll from the 90s.