Hurricane Electric's IPv6 Tunnel Broker Forums

Welcome to Hurricane Electric's forums!

Pages: 1 2 [3] 4 5 ... 10
 on: November 17, 2019, 11:10:04 PM 
Started by rahulparekh - Last post by rahulparekh
Thanks kumowoon1025 for confirming!
These are basic routers and only used for simple IPv6, which uses one ready-made /64 route.
We can't expect /48 PD delegations.

On your other suggestion to terminate at the deepest router, it is possible but it goes against the protocol of delegation :)
With these routers, the best I can do is a first-router termination of a single /64 branch and bridge all the rest of the routers to the end, so the end device uses the first router's DHCP (SLAAC) for IPv6.

 on: November 17, 2019, 08:17:56 AM 
Started by born2host - Last post by born2host
I got what you mean, but at the same time this is easy to override. will say "we will try to ssh you from IP 2001:xxxx:xxxx:xxxx::x", so everyone can leave this IP in hosts.allow, everything else hosts.deny/ipsec/ipfw/pf/... -> deny. It's not that hard to allow 1 IP for a 2min test, but for some ppl it will be hard to config the sshd to accept connections only through IPv6, especially if the port is different than the default.
Anyway. I leave the decision to

 on: November 17, 2019, 08:06:23 AM 
Started by born2host - Last post by snarked
As a concept, I could agree.  However, that particular service isn't practical.  SSH is one of the most attacked services that exists, and the security implications are too great.  Many administrators do not leave the service available to all, having restricted it in some way.  Although the test could be opened to just the IPv6 range of 2001:470::/48 and only during the test, you all would be counting on HE not getting hacked.  Knowledge of the test being from that IPv6 subnet would get out to the public and HE become a greater target.

On my collocated systems, those attempting SSH without the proper sequence go straight to my TCP tarpit (level 1).  I typically have about 800 systems via IPv4 in level 1, which times out, and 200 in level 2, which clears on reboot or manual intervention only, at any one time. Level 2 is entered when a system (by IP) has misbehaved over a certain count of actions.  Actions include accessing closed (or protected) ports, Xmas-tree TCP packets, TCP to multicast addresses, etc....  I also get a handful or 2 of IPv6 bad actors, but most hacks come via IPv4.

Find another service to test.

 on: November 16, 2019, 01:07:45 PM 
Started by gungthar - Last post by born2host
Ok. I tried to pass the exam on 3 different installs - 1: Raspberry Pi 3 Model B with Debian, 2: HP ProLiant N54L - CentOS 7, 3: TragicServers VPS - with Ubuntu, but on all of them I failed because of filtering. I just asked a friend of mine who owns a hosting company to give me a KVM server with a free of filtering IP and in 15min I passed all the tests. Now I've got the Sage level. Thanks to everyone who helped.

 on: November 16, 2019, 11:27:46 AM 
Started by born2host - Last post by born2host
Hi all,

Why not make a test in which the user needs to set up his/her SSH server to accept connections only over IPv6?
I know that's not a big deal, but it's a step ahead to set up a server to work fully and only with IPv6.

 on: November 16, 2019, 06:53:46 AM 
Started by rockrockenhaus - Last post by snarked
Did you tell the HE servers via about your IPv6 delegation?  Sometimes, the zone itself must list the NS records for HE before it's pulled, else the zone never gets loaded.

 on: November 16, 2019, 06:50:16 AM 
Started by mbpkg - Last post by snarked
Not certain, but HE does periodically ping the client tunnel endpoint to see if it's still there using the tunnel /64 ...::2 address.  Upon sufficient failure, a tunnel may be marked inactive, but it's not returned to the pool.

 on: November 16, 2019, 12:52:10 AM 
Started by rockrockenhaus - Last post by kumowoon1025
No 2602:fde2:0000::/48 network as far as I can tell either, and 2602:fde2:0::/36 just has the entire block rdns delegated to the HE dns servers. If you add the whole thing it would have no error but you want to create that specific network 2602:fde2:0000::/48 (i.e. assignment/allocation with new handle, id, poc's if applicable, etc) first probably. I don't know if it's possible to just add rdns delegation record by specifying if it is you might need to make the request specifically?

 on: November 15, 2019, 11:13:27 PM 
Started by mbpkg - Last post by kumowoon1025
Probably just the bindings for that server's pool being too sticky right...? Does HE automatically reap tunnels that are not used at all for years and years?

 on: November 15, 2019, 11:08:44 PM 
Started by Kendalbeefcake - Last post by kumowoon1025
I think you could count the number of cables to the continent of Australia on your fingers, if not one hand, and a lot of those are so badly managed&maintained that a moon bounce could get better distance metrics
