You can't just assume linear growth. Your link acknowledges this, and the "prediction" you refer to has the right caveat: "we can look at the time series shown in Figure 1 and ask the question: 'If the growth trend of IPv6 adoption continues at its current rate, how long will it take for every device to be IPv6 capable?'". It's using such a naïve model to illustrate that we're still nowhere close to completing the transition, not to say that we'll be done in 20 years at most as you suggest.
Adoption will slow down and my guess is that we'll be stuck with a long tail forever, and only time will tell if that happens at 50% adoption or 90% adoption.
> Adoption will slow down and my guess is that we'll be stuck with a long tail forever, and only time will tell if that happens at 50% adoption or 90% adoption.
But that long tail will probably look like figure 4 of that link, only reversed: IPv4 running mostly as tunnels over a core IPv6 network. Some large cellphone networks are already at that stage, using things like 464XLAT to run IPv4 with NAT over an IPv6 network.
I'm not talking about a long tail of systems and networks which still have working IPv4 support. I'm talking about a long tail of systems and networks which still don't have working IPv6 support.
I would agree with you were it not for the fact that I'm personally investing my time into a FLOSS project to make sure the growth does not slow down by making “tomorrow NOT like today”, but gets a kick in the butt once we reach the 50% deployment inflection point instead. Stay tuned ;-)
Whatever you're cooking up, I wish you luck! My life would be significantly easier if I could just completely ignore one network protocol, be that v4 or v6. So far I have mostly just ignored v6 and everything I do uses v4, but I have no strong preference (except that v4 addresses fit in my brain while v6 addresses do not, which is honestly a not-insignificant reason why v6 is hard)
Here's to hoping, but I agree one way or another one stack needs to go :-)
BTW: Contact info is in my profile if anyone wants the inside scoop. The project just isn't fully ready for public launch yet, but we're well into the cooking.
I've been really impressed with Mox, an all-in-one monolithinc mail system written in go: https://www.xmox.nl
Trivial to setup, guides you through configuring SPF, DKIM, DMARC, MTA-STS, DANE and DNSSEC. Handles certificates by itself through ACME, comes out-of-the-box with IP/domain reputation based and bayesian spam filtering.
While I've come to appreciate how much tweaking you can do with something like exim I'm starting to see the advantage of not having to spend time doing any of that :)
Mox also has some really cool (and AFAICT) novel features stemming from the fact that it's so tightly integrated. Have a look at the "Rejects" mailbox, or the nuanced way it rejects spam at SMTP time to prevent the dilemma between causing backscatter or potentially dropping mails (like gmail likes to do). I've also never heard of REQUIRETLS before seeing it exposed right there in Mox's built-in webmail.
> [...] we grant you a [...] license to access and use the code solely for the purposes of review, compilation and non-commercial distribution.
> We may suspend, terminate or vary the terms of this license and any access to the code at any time, without notice, for any reason or no reason, in respect of any licensee, group of licensees or all licensees including as may be applicable any sub-licensees.
A more appropriate solution to the problem of cloned FLOSS apps is establishing a trademark.
I mean he says it right before the proprietary apologism, the problem is pointing people in the direction of the project by name only for them to find malware ridden clones. Well. The problem here isn't the software being cloned, the problem is the same name being used by the attackers.
You can use ip-token(8) on Linux to define a static interface-id, the part of the IP usually auto-generated based on MAC address when using SLAAC instead of making the whole IP static.
In ifupdown I usually just add something like the following
pre-up ip token set ::cafe dev $IFACE
This way when you get a new GUA there's no need to "renumber" your network manually as everything will just happen automatically. When your router includes a new prefix in the router advertisement all hosts on the LAN generate new addresses for this prefix.
Couple of gotchas. 1) The ip-token call has to happen before the interface is marked up (as in ip link set dev $IFACE up, not link presence) so if you want to change it you have to take it down first. 2) If your ISP's router doesn't cleanly announce the old prefix to be deprecated (due to a reboot say) it may remain in use by hosts until it's lifetime expires. See RFC4192 for how renumbering is supposed to work.
FYI: I'm working on a small daemon that will monitor RA and deprecated the prefix to handle broken ISP routers.
Well dnsmasq has --dynamic-host for this use-case. Example:
dynamic-host=cafe.dxld.at,::cafe,lan0
Firewalls tend to support DNS, use it :)
I know for a fact nftables and pfSense allow this, worst case you need a cronjob to periodically reload your ruleset to refresh the DNS data as it's evaluated at ruleset load time (for nftables). Incidentally another TODO project of mine is a daemon to allow running scripts when RA information (such as the prefix) changes, this would come in handy here too.
For anyone interested in making IPv6 bettter come talk to me in #ipv6:ungleich.ch (Matrix).
Sad to say I'm surprised the proprietary vendors are lagging behind here, but there should be no architectural reason you can't deploy a more reasonable firewall.
In particular I've learned from that doc that there's special handling for putting a vlan device on top of a bridge (br0.123) even if the bridge is vlan unaware.
OP's approach looks cool but a bit baroque. I'm also hacking around EDID issues and it turns out there's a nice GUI program to decode and (lightly) patch it: https://packages.debian.org/unstable/utils/wxedid
I have to do more involved full EDID reconstruction surgery tho since I need to add DTD entries rather than just change existing ones. So I'm looking at [edid-generator] together with [cvt12]. The latter can calculate xrandr modelines for VESA standard timings that all seem to work with my TV. cvt12 adds the option to calculate NTSC (1/1.001) timings over regular cvt which is already in Debian.
I genuinely take the baroque comment as a complement. There's many paths to a solution and this was a fun one that ended up working for me.
Thanks for the pointers for those programs. Someone else pointed out Kaitai Struct could help me do the hex editing which I'm planning on taking a look at later
Hacking the NFC comms is fun and all, but it turns out you can just rip out the orange flatflex PCB under that metal ring with a screwdriver and the brush doesn't care :)
Stops it from beeping at you when your allotted product lifetime is up though.
I was looking into this some years back when I was considering building a high-availability IRC bouncer that can pass the TLS IRC connections around with this.
There isn't anything out of the box that I could find, but there was some discussion/prototyping around adding an API for exporting all the necessary key material and metadata to the mbedtls API. With that it would have been "relatively" "easy" to do the TLS bits :)
I just use a cron job that calls openssl s_client. The trick is to use faketime to check if the certificate would be valid in the future, like so:
check_tls () {
# Check two weeks in the future to give us time to fix certs
faketime +14days \
openssl s_client -showcerts -verify_return_error "$@" \
</dev/null || exit 1
}
The -verify_return_error option makes s_client return an exit code on cert validation failure. Then just loop over the hosts/ports you want to check, wrap the whole script in cronic/chronic to ignore output when it doesn't fail and bam no need for a service to do this. Just have to be able to interpert s_client output ;)
An example with dual stack IPv4/v6 https/smtp/imap support:
for af in -4 -6; do
for connect in \
www.example.org:443 \
\
mail.example.org:465 \
mail.example.org:993 \
;
do
check_tls $af -connect $connect
done
check_tls $af -starttls smtp -connect mail.example.org:25
check_tls $af -starttls smtp -connect mail.example.org:587
check_tls $af -starttls imap -connect mail.example.org:143
done
https://labs.apnic.net/index.php/2024/10/19/the-ipv6-transit...