this post was submitted on 16 Aug 2024
370 points (98.9% liked)

Technology

59641 readers
2671 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

archive

If you have the August 13, 2024—KB5041580 update. You're good.

top 50 comments
sorted by: hot top controversial new old
[–] M0oP0o@mander.xyz 85 points 3 months ago (6 children)

"Compromises all devices running .... an IPv6 address."

Oh so no one is effected. (other then network nerds, and they are not real)

[–] froh42@lemmy.world 51 points 3 months ago* (last edited 3 months ago) (1 children)

IPV6 is already rolled out in parts of the world. My provider has a Dual Stack lite architecture, the home connection is over IPV6, IPV4 is normally being tunneled via V6 through a provider grade NAT.

As I AM a network nerd, I pay for a dedicated IPV4 address every month, so I can reach my stuff from outside from old IPV4 only networks.

So when I plug in my router, connect a windows machine and just google stuff then all this traffic will be IPV6 without me configuring anything.

It's so great fun having the attack surface being doubled by dual stack setups.

[–] turkalino@lemmy.yachts 8 points 3 months ago (1 children)

Why not instead use the money to pay for a domain name and use a router with a dynamic DNS daemon?

[–] froh42@lemmy.world 19 points 3 months ago (1 children)

Because behind the carrier grade NAT I don't get a routable IPV4 at all, so no inbound connections.

With the IPV4 I use I do use dyndns now, so I can resolve it from outside.

load more comments (1 replies)
[–] primrosepathspeedrun@lemmy.world 43 points 3 months ago

they certainly don't run windows.

[–] hal_5700X@sh.itjust.works 22 points 3 months ago* (last edited 3 months ago) (4 children)

IPv6 is enabled by default on windows.

EDIT Here's how to disable it. If you can't on your modem/router. Open the network menu from the icon in bottom right of screen > right click on the network you are connected to and click "status" > In the popup click on the "Properties" button > You'll get another popup with the name of your network adapter in a top line/box and a secondary box with a list of things in it > Look for the entry "Internet Protocol Version 6 (TCP/IPv6)" and uncheck the box in front of it > click OK.

load more comments (4 replies)
load more comments (3 replies)
[–] Lemminary@lemmy.world 79 points 3 months ago (5 children)

Hah! Joke's on you. I accidentally restarted my PC and updated it without wanting to.

[–] TornadoRex@sh.itjust.works 25 points 3 months ago (2 children)

Yeah? Well I was playing a game and it rebooted in the middle of a boss fight!

[–] ivanafterall@lemmy.world 13 points 3 months ago (1 children)

I was mid-proposal. She said, "Yes, as long as this call doesn't e..." Thanks a lot, Microsoft!

load more comments (1 replies)
load more comments (1 replies)
[–] Blackmist@feddit.uk 7 points 3 months ago

Mine restarted while I was watching a movie.

Thanks Windows.

load more comments (3 replies)
[–] huquad@lemmy.ml 63 points 3 months ago

IPv6 huh? There are dozens of us!

[–] osaerisxero@kbin.melroy.org 50 points 3 months ago (11 children)

As a networking nerd, I am endlessly frustrated with how many otherwise smart people are just 'fuck ipv6 lmao'

Giving me goddamn flashbacks to this https://www.youtube.com/watch?v=v26BAlfWBm8

[–] pivot_root@lemmy.world 55 points 3 months ago

Just sayin'

[–] Joelk111@lemmy.world 32 points 3 months ago* (last edited 3 months ago) (2 children)

As a tech nerd who self hosts stuff, I'm more like "what is IPV6 and why is it causing me issues, I can't figure this out, I guess I'll disable it, wow my problems are fixed now."

I guess I can see why people don't like it, as it's caused me issues, but just because I don't understand it doesn't mean it's dumb. I'd need to understand how it works before I could say anything about it, positive or negative. I guess all I could say is that it's been way less intuitive to me, I can't memorize the numbers, and the reason it exists makes sense. Beyond that, I unno.

I should probably spend the time to learn about it, but I already have a full time job where I work on computers all day, I'd rather focus on my other hobbies while I'm at home.

[–] pivot_root@lemmy.world 11 points 3 months ago (1 children)

It's not terribly difficult to learn when you avoid trying to relate it to IPv4 concepts. Particularly: forget about LAN addresses and NAT, and instead think about a large block of public addresses being subdivided between local devices.

[–] lightnsfw@reddthat.com 8 points 3 months ago (1 children)

instead think about a large block of public addresses being subdivided between local devices.

Thinking about all my devices being exposed like that gives me the heebie jeebies. One public facing address hiding everything else on a private network is much less frightening to my monkey brain.

[–] Blaster_M@lemmy.world 9 points 3 months ago

This is what a firewall is for. Blocks inbound to the whole subnet space. Better than a NAT, which can open a port through STUN or simply a malformed packet.

load more comments (1 replies)
[–] Trainguyrom@reddthat.com 24 points 3 months ago (11 children)

IPv6 genuinely made some really good decisions in its design, but I do question the default "no NAT, no private network prefixes" mentality since that's not going to work so well for average Janes and Joes

[–] pivot_root@lemmy.world 26 points 3 months ago* (last edited 3 months ago) (27 children)

No NAT doesn't mean no firewall. It just means that you both don't have to deal with NAT fuckery or the various hacks meant to punch a hole through it.

Behind NAT, hosting multiple instances of some service that uses fixed port numbers requires a load-balancer or proxy that supports virtual hosts. Behind CGNAT, good luck hosting anything.

For "just works" peer to peer services like playing an online co-op game with a friend, users can't be expected to understand what port forwarding is, let alone how it works. So, we have UPnP for that... except, it doesn't work behind double NAT, and it's a gaping security hole because you can expose arbitrary ports of other devices if the router isn't set up to ignore those requests. Or, if that's not enough of a bad idea, we have clever abuse of IP packets to trick two routers into thinking they each initiated an outbound connection with the other.

load more comments (27 replies)
[–] r00ty@kbin.life 15 points 3 months ago (2 children)

Routers simply need to block incoming unestablished packets (all modern routers allow for this) to replicate NAT security without NAT translation. Then you just punch holes through on IP addresses and ports you want to run services on and be done with it.

Now, some home routers aren't doing this by default, but they absolutely should be. That's just router software designers being bad, not IPv6's fault, and would get ironed out pretty quick if there was mass adoption and IPv4 became the secondary system.

To be clear, this is not a reason not to be adopting IPv6.

load more comments (2 replies)
load more comments (9 replies)
load more comments (8 replies)
[–] tabular@lemmy.world 43 points 3 months ago (8 children)
[–] tpihkal@lemmy.world 28 points 3 months ago (25 children)

Just say you run Arch and move on.

[–] Zachariah@lemmy.world 38 points 3 months ago (10 children)
load more comments (10 replies)
load more comments (24 replies)
load more comments (7 replies)
[–] bruhduh@lemmy.world 32 points 3 months ago (3 children)

Yay, new Xbox jailbreak method, can't wait for new modded warfare videos about it

[–] ulkesh@lemmy.world 31 points 3 months ago (2 children)

I updated Windows so hard Linux popped out.

load more comments (2 replies)
[–] Dumbkid@lemmy.dbzer0.com 28 points 3 months ago (1 children)

Sick my isp doesn't even support ipv6

[–] Scrollone@feddit.it 7 points 3 months ago (1 children)

Be the change you want to see in the world, send an email asking for IPv6.

load more comments (1 replies)
[–] TransplantedSconie@lemm.ee 27 points 3 months ago (13 children)

Is this for Windows 11?

My windows XP laptop is good right?

[–] treadful@lemmy.zip 42 points 3 months ago (1 children)
[–] Lost_My_Mind@lemmy.world 9 points 3 months ago (3 children)

Can't tell if you're russian, or room mates.

[–] GreenAppleTree@lemmy.world 12 points 3 months ago

Could also be a joke on how there was a single XP serial number used by nearly everyone that got it from, uhh, non-official sources. FCKGW FTW.

load more comments (1 replies)
load more comments (12 replies)
[–] Blaster_M@lemmy.world 23 points 3 months ago* (last edited 3 months ago) (2 children)

To note: It shows even Windows Server 2008 as affected. Since MS is only testing against OSses they support, it is possible this has existed as a problem all the way back since IPv6 was first introduced to Windows XP.

Also, for all of you "disable IPv6 because I don't understand it" people... unless you are running Windows 8 or older, just update Windows. IPv4 has been out of addresses for so long that CGNAT is a thing, which means connectivity problems when you're hosting stuff, and more latency and packet drops from ISP routers getting saturated with NAT tasks. IPv6 is alive on the internet since 2011 and very much used on the internet, does not tie up routers by requiring NAT translation, and therefore just performs better. Plus, if you use your network printer's or network device's link-local ipv6 to connect locally, you will never have to deal with static ip address or changing ipv4 lan address pain, as link-local (non-routable on the internet) addresses don't change unless you force it.

Also don't use $35 routers for your internet. If your router does not support ipv6 firewalling, it is long since time to fix that with one that does.

[–] Emerald@lemmy.world 8 points 3 months ago* (last edited 3 months ago) (1 children)

just update Windows

I'm still on 22h2 lol

[–] Blaster_M@lemmy.world 7 points 3 months ago

Every version of 10 going back to 15.07 original release is affected.

load more comments (1 replies)
[–] LaggyKar@programming.dev 18 points 3 months ago (2 children)

This would presumably mainly be an issue for computers open to the internet. So not so much for home PCs, unless the router's firewall is opened up.

[–] r00ty@kbin.life 16 points 3 months ago (4 children)

I've not read the CVE but assuming it works on any IPv6 address including the privacy extensions addresses, it's a problem. Depending on what most routers do in terms of IPv6 firewalling.

My opinion is, IPv6 firewalls should, by default, offer similar levels of security to NAT. That is, no unsolicited incoming connections but allow outgoing ones freely.

In my experience, it's a bit hit-and-miss whether they do or not.

Now, if this works on privacy extension addresses, it's a problem because the IPv6 address could be harvested from outgoing connections and then attacked. If not, then scanning the IPv6 space is extremely hard and by default addresses are assigned randomly inside the /64 most people have assigned by their ISP means that the address space just within your own LAN is huge to scan.

If it doesn't work on privacy extension IPs, I would say the risk is very low, since the main IPv6 address is generally not exposed and would be very hard to find by chance.

Here's the big caveat, though. If these packets can be crafted as part of a response to an active outgoing TCP circuit/session. Then all bets are off. Because a popular web server could be hacked, adjusted to insert these packets on existing circuits/sessions in the normal response from the web server. Meaning, this could be exploited simply by visiting a website.

[–] Toribor@corndog.social 10 points 3 months ago

IPv6 firewalls should, by default, offer similar levels of security to NAT

I think you're probably right. We had decades of security experts saying that NAT is not a firewall and everyone on the planet treated it like one anyway. Now we're overexposed for a no-NAT IPV6 internet.

load more comments (3 replies)
load more comments (1 replies)
[–] RememberTheApollo_@lemmy.world 9 points 3 months ago

My LAN has ipv6 disabled. So there.

[–] MehBlah@lemmy.world 9 points 3 months ago

I tried to roll out ipv6 when I was sysadmin for a small ISP. ARIN gave me a /32 block with no fuss. I started handing them out only to discover most routers at the time couldn't use them. Not much has changed. No one offers them and I just turned it off at my present job. None of my windows machine have the ipv6 stack enabled.

load more comments
view more: next ›