IRC log for #gllug on 20110315

`00:21.34`	`*** join/#gllug MessedUpHare (~stewart@cpc8-acto3-2-0-cust6.4-2.cable.virginmedia.com)`
`02:38.33`	`*** join/#gllug sabinef72 (~sabinef72@sabinef72.ipv6.popipo.fr)`
`02:42.54`	`*** join/#gllug Leeds (~richardc@www.scorefive.com)`
`03:31.22`	`*** join/#gllug sabinef72 (~sabinef72@ns.popipo.fr)`
`03:53.23`	`*** join/#gllug Azundris (callisto@tatiana.azundris.com)`
`09:01.37`	`*** join/#gllug PcSett (~Don@host81-159-128-230.range81-159.btcentralplus.com)`
`09:21.17`	`boudiccas`	`Beware the Ides of March!`
`09:22.31`	`morsing`	`So, www.tickets.london2012.com has no IPv6 addresses...`
`09:33.12`	`wethrin`	`No, most places still don't`
`09:39.30`	`morsing`	`I am aware, but it's seriously disappointing, especially after the Chinese Olympics IPv6 success`
`09:39.53`	`morsing`	`And "most places" = 99.997%`
`09:40.28`	`morsing`	`And bear in mind that IPv4 address space will actually run out before the Olympic games start...`
`09:44.16`	`hali`	`sort of`
`09:44.28`	`hali`	`i just put in a RIPE application for some space`
`09:44.50`	`hali`	`its harder than it used to be but they still have a fair amount of spare space for "real" business use`
`09:45.55`	`morsing`	`hali: Yes, let's squeeze the last bit out of a dying standard instead of planning for the future... Have worked since 1200 BC`
`09:47.03`	`hali`	`we've had IPv6 space and IPv6 peering enabled for about 2 years now`
`09:47.09`	`hali`	`NONE of our clients does`
`09:47.13`	`hali`	`so it's pretty pointless so far`
`09:47.42`	`hali`	`but it's there if they want it`
`09:48.02`	`hali`	`i think most of our ISPs have had it for 5+ years ... close to no traffic though`
`09:48.04`	`morsing`	`I'm not saying it's your fault - the ISPs need to be the main drive behind it and it doesn't help that consumer routers don't do IPv6`
`09:48.21`	`hali`	`i agree with you, it's an impeding problem`
`09:48.30`	`hali`	`did you read the customer router ipv6 study?`
`09:48.37`	`morsing`	`No?`
`09:48.41`	`hali`	`done by ARIN or someone like that`
`09:48.54`	`hali`	`they tested loads of home routers and something like 5% passed their tests`
`09:49.13`	`hali`	`another good example is MacOS X .. even the new lion version doesn't have full ipv6 dhcpd support`
`09:49.20`	`hali`	`dhcpcd*`
`09:49.27`	`morsing`	`Debian is actually pretty crap at IPv6`
`09:49.42`	`morsing`	`IPv6 shouldn't use DHCP anyway`
`09:49.53`	`morsing`	`That's what router advertiments are for`
`09:51.24`	`morsing`	`Out of our Ricoh printer, X-box, Wii, PS3 and D-link print server, guess how many supports IPv6?`
`09:52.46`	`morsing`	`My laptop and our PC at home is on IPv6 but I can't disable IPv4 because traffic that doesn't go through the proxy can't be translated.`
`09:59.09`	`*** join/#gllug zooz (~zooz@host86-163-12-128.range86-163.btcentralplus.com)`
`10:25.58`	`antiphase`	`RA is horseshit`
`10:26.14`	`antiphase`	`which is why DHCPv6 is happening`
`10:41.12`	`*** join/#gllug flips_and_rails (~stu@2001:630:12:1058:218:feff:fe6a:be1b)`
`10:53.01`	`*** join/#gllug Nafallo_ (~nafallo@ubuntu/member/nafallo)`
`11:29.35`	`jpds`	`morsing: Blame Akamai anyway.`
`11:41.19`	`Cope`	`is going to the 'Move Over IPv4' party next week`
`11:43.45`	`morsing`	`Cope: The one which website isn't on IPv6?`
`11:44.08`	`Cope`	`why would you expect eventbrite to be on IPv6?`
`11:44.15`	`Cope`	`you are a wanker sometimes, morsing`
`11:44.26`	`morsing`	`?`
`11:47.02`	`Cope`	`sorry, morsing`
`11:47.07`	`Cope`	`un-called-for`
`11:47.11`	`Cope`	`http://bringonipv6.com/`
`11:47.13`	`morsing`	`'tis ok. Beer?`
`11:47.15`	`Cope`	`is what you mean`
`11:47.17`	`Cope`	`isn't it`
`11:47.21`	`morsing`	`Oh, I see. Yes`
`11:47.48`	`morsing`	`What's Move over IPv4 then? And what's eventbrite?`
`11:48.11`	`AndyMillar`	`problem is, ipv6 sucks`
`11:48.19`	`Cope`	`it's just an event about ipv4 / ipv6 stuff`
`11:48.31`	`antiphase`	`http://lmgtfy.com/?q=move+over+ipv4`
`11:48.50`	`Cope`	`i don't know much about it, but a friend of mine is on the panel, so i'm going along too`
`11:49.32`	`Cope`	`I mean - I don't know much about IPv6 implementation, advantages, disadvantages etc`
`11:49.42`	`Cope`	`interested to get some perspectives`
`11:50.16`	`antiphase`	`It's the same as IPv4 with more bits`
`11:50.37`	`Cope`	`rolls eyes`
`11:51.09`	`antiphase`	`They added some more bells and whistles that are mostly no longer relevant because it's not 20 years ago any more`
`11:51.49`	`antiphase`	`It sounds flippant to compare them so glibly, but realistically the implementations will be very similar`
`11:51.58`	`antiphase`	`People like familiarity`
`11:52.03`	`Cope`	`nods`
`11:53.51`	`Cope`	`is hungry`
`11:56.20`	`morsing`	`IPv6 is easier to implement and use but more difficult to remember the addresses unfortunately`
`12:00.49`	`AndyMillar`	`it also doesn't have NAT`
`12:00.52`	`AndyMillar`	`which is a pain`
`12:01.12`	`antiphase`	`Fail`
`12:01.18`	`antiphase`	`NAT is for gaylords`
`12:01.26`	`AndyMillar`	`I don't want to put windows machines on the internet`
`12:01.31`	`antiphase`	`Use a firewall then`
`12:01.35`	`antiphase`	`NAT isn't a firewall`
`12:01.35`	`AndyMillar`	`especially as rhel5/centos5 doesn't have conntracking working`
`12:02.58`	`morsing`	`NAT is nice sometimes... And it's annoying you can't do intercepting proxies with IPv6`
`12:04.37`	`antiphase`	`The only use for NAT is in alleviating address shortage, and it should DIAF`
`12:04.58`	`antiphase`	`Anyone caught implementing NATv6 is likely to have their internet licence revoked`
`12:05.51`	`antiphase`	`wonders if he has made his point`
`12:05.57`	`morsing`	`antiphase: They need to implement some other form of prerouting then`
`12:06.06`	`antiphase`	`What does that mean?`
`12:06.16`	`*** join/#gllug Leeds (~richardc@pcd253019.netvigator.com)`
`12:06.17`	`morsing`	`To support intercepting proxies`
`12:06.31`	`antiphase`	`Do you mean transparent web proxying, for example?`
`12:06.43`	`morsing`	`? Yes...`
`12:06.55`	`antiphase`	`I don't see why the situation would be any different with IPv6`
`12:07.03`	`morsing`	`?`
`12:07.06`	`morsing`	`Try it, then`
`12:07.15`	`morsing`	`IPv6 can't do it`
`12:07.25`	`antiphase`	`wtfs a bit`
`12:07.59`	`antiphase`	`Are you suggesting that people with routable IPv4 addresses are currently unable to use transparent proxies?`
`12:08.05`	`morsing`	`No`
`12:08.24`	`morsing`	`I'm saying IPv6 can't do it`
`12:08.31`	`antiphase`	`Or that an HTTP proxy is unable to make a request on behalf of another machine for some reason`
`12:08.37`	`morsing`	`?`
`12:08.48`	`morsing`	`PREROUTING is essentially a NAT thing`
`12:08.53`	`antiphase`	`You also think that SLAAC is a good idea and that DHCPv6 shouldn't exist`
`12:08.53`	`morsing`	`So not supported`
`12:09.10`	`antiphase`	`gives up`
`12:09.22`	`morsing`	`I understand it can be tricky to understand`
`12:09.31`	`antiphase`	`Evidently`
`12:10.06`	`wethrin`	`don't see why you couldn't use a transparent proxy`
`12:10.47`	`wethrin`	`just tell your router to redirect any requests from an appropriate set of IP addresses to your proxy`
`12:11.09`	`wethrin`	`same way certain ISPs do proxying`
`12:11.12`	`antiphase`	`Transparent proxying is usually done with policy routing in the network`
`12:11.34`	`antiphase`	`It's nothing to do with iptables NAT chains`
`12:12.15`	`antiphase`	`wonders how the crusty old AIX-using men would do it`
`12:12.31`	`antiphase`	`Steam powered proxies!`
`12:13.31`	`hali`	`AIX has actually had decent ipv6 support since version 4.something :)`
`12:27.09`	`AndyMillar`	`antiphase: ok, given you seem to like the idea of bridging firewalling and all that jaz; fancy explaining why my stateful firewall doesn't work? :-p`
`12:32.14`	`*** join/#gllug dick_turpin (~dick_turp@host217-34-163-30.in-addr.btopenworld.com)`
`12:32.27`	`antiphase`	`You need more cowbell`
`12:32.39`	`dick_turpin`	`Release the hounds!`
`12:45.47`	`*** join/#gllug gmarkall (~graham@dyn1214-109.wlan.ic.ac.uk)`
`12:51.54`	`Cope`	`use pf, hth, hand`
`12:51.59`	`wethrin`	`yay for pf`
`12:52.32`	`Cope`	`pf is very good indeed :)`
`12:53.12`	`wethrin`	`indeed`
`12:54.39`	`antiphase`	`pff`
`12:54.56`	`Cope`	`antiphase <3 ipchains`
`12:55.02`	`AndyMillar`	`ok, given I'm running centos 5.6`
`12:55.18`	`AndyMillar`	`no, 5.5`
`12:55.30`	`Cope`	`run openbsd in a kvm?`
`12:55.46`	`Cope`	`chuckles, sorry antiphase`
`12:55.47`	`Cope`	`gah`
`12:55.48`	`Cope`	`AndyMillar:`
`12:56.44`	`Cope`	`I just wouldn't start from there... I prefer pf or even ipfilter to iptables, so I wouldn't build a firewall using linux`
`12:57.33`	`wethrin`	`indeed`
`12:57.48`	`antiphase`	`I found pf horribly confusing on the single occasion I tried to use it about 5 years ago`
`12:57.54`	`antiphase`	`iptables ftw`
`12:58.15`	`wethrin`	`I've found iptables/ipchains/ipOMGWTFBBQ to be horribly confusing`
`12:58.26`	`Cope`	`i think pf has improved a lot; when I first used it... 7 years ago? whenever wethrin showed it to me... the docs were ropey`
`12:58.30`	`Cope`	`they're very good now`
`12:58.44`	`Cope`	`and the dsl (for want of a better word) is very clear`
`12:58.49`	`wethrin`	`7 years ago is probably about when they switched from ipf to pf`
`12:58.58`	`Cope`	`nods at wethrin`
`12:59.29`	`Cope`	`anyway! none of this helps AndyMillar`
`12:59.34`	`Cope`	`AndyMillar: what's the actual problem?`
`12:59.42`	`antiphase`	`iptables seems to win on account of the commands just being a set of conditions to match, rather than some weird language that implies things`
`12:59.50`	`antiphase`	`I can't really say though because I know fuck all about pf :P`
`12:59.55`	`Cope`	`nods at antiphase`
`13:00.09`	`Cope`	`yes - pf is a packet filtering DSL`
`13:01.47`	`Cope`	`iptables/netfilter is more like setting up a series of logic gates to achieve pseudo-stateful packet inspection into the linux kernel`
`13:01.57`	`Cope`	`if that makes sense`
`13:03.22`	`Cope`	`pass log on $ext_if inet proto tcp from any to $loadbalancers port $webports keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <abusive_hosts> flush)`
`13:03.40`	`antiphase`	`goes blind`
`13:03.49`	`Cope`	`try doing that in iptables and making it readable`
`13:04.02`	`antiphase`	`That looks nearly as horrible as tc`
`13:05.01`	`Cope`	`yeah that's kinda long`
`13:05.03`	`Cope`	`pass on $ext_if inet proto { udp tcp } from $ldap_allowed to $ldapservers port 389`
`13:05.03`	`antiphase`	`I wonder if anyone has tried to write a converter`
`13:05.15`	`wethrin`	`Yes.`
`13:05.20`	`wethrin`	`I don't think it worked wonderfully, though`
`13:05.53`	`Cope`	`plus carp and pfsync are just amazing`
`13:06.05`	`Cope`	`god only knows how you'd do that with iptables`
`13:06.28`	`antiphase`	`Maybe no-one has ever needed to`
`13:06.49`	`Cope`	`no-one has ever needed to implement failover firewalls with an implementation of VRRP?`
`13:07.07`	`Cope`	`yes maybe thats' because no-one in their right mind would use iptables for serious firewalling?`
`13:07.10`	`Cope`	`</troll>`
`13:07.40`	`antiphase`	`There's always a difficult decision for people to make; by the time you really need proper networking stuff, it seems common for people to buy commercial solutions`
`13:07.49`	`Cope`	`yeah`
`13:08.13`	`Cope`	`i actually started using pf properly becuase our not inexpensive cisco firewalls sucked balls`
`13:08.14`	`antiphase`	`Rather than rely on some crackpot system dreamt up by someone who subsequently leaves`
`13:08.43`	`Cope`	`i've used and quite liked checkpoint ng`
`13:08.50`	`Cope`	`but that's just ipfilter really`
`13:09.04`	`Cope`	`i've used juniper netscreens - they're great`
`13:09.10`	`Cope`	`but they're also ipf under the hood`
`13:09.26`	`Cope`	`i've used ciscos and hated them`
`13:10.18`	`Cope`	`but pf was very cost effective, performed well, and could be nicely managed by puppet`
`13:14.02`	`AndyMillar`	`Cope: problem: stateful ip6tables rules aren't matching, so I can't block unbound connections via ipv6`
`13:14.36`	`Cope`	`AndyMillar: you in the centos channel ever?`
`13:14.45`	`AndyMillar`	`sometimes`
`13:14.59`	`AndyMillar`	`what have I missed?`
`13:15.54`	`Cope`	`Pretty sure centosian said something about ip6tables and statefulness a month or two ago; he knows iptables really well, if you want to hit someone up who is likely to help rather than troll like me.`
`13:16.50`	`Cope`	`z00dax: you remember? ...`
`13:22.17`	`z00dax`	`there is/was a problem with state/ip6tables a while back in centos5`
`13:23.59`	`antiphase`	`You could use Debian instead :P`
`13:26.04`	`*** join/#gllug dick_turpin (~dick_turp@host217-34-163-30.in-addr.btopenworld.com)`
`13:27.14`	`z00dax`	`:)`
`13:40.43`	`AndyMillar`	`z00dax: do you know if it's still a problem? :/`
`13:42.21`	`Cope`	`z00dax: Isn't it just that netfiler in the available upstream kernels doesn't support stateful IPv6 firewalling?`
`13:43.08`	`z00dax`	`Cope: yup`
`13:43.20`	`z00dax`	`checks if 5.6 resolves this`
`13:51.03`	`z00dax`	`there are a bunch of patches into the 5.6 kernel that might be relevant`
`13:51.10`	`z00dax`	`i dont have a machine to test on right now though`
`13:56.13`	`AndyMillar`	`hmm, I might have a play`
`14:13.47`	`*** join/#gllug sabinef72 (~sabinef72@sabinef72.ipv6.popipo.fr)`
`14:19.59`	`*** join/#gllug __marcus_ (~marcus@lenny.uk-debtcollection.com)`
`14:20.12`	`*** join/#gllug cbz (chriseb@vortex.ukshells.co.uk)`
`14:37.19`	`*** join/#gllug sabinef72 (~sabinef72@ns.popipo.fr)`
`17:21.29`	`*** part/#gllug dick_turpin (~dick_turp@host217-34-163-30.in-addr.btopenworld.com)`
`18:42.12`	`*** join/#gllug Hamzah (~mhamzahkh@genesis.home.hamzahkhan.com)`
`19:05.13`	`*** join/#gllug Hamzah (~mhamzahkh@genesis.home.hamzahkhan.com)`
`19:05.46`	`*** part/#gllug yaMatt (~yaMatt@li99-88.members.linode.com)`
`19:11.06`	`*** join/#gllug Mohan (~nixh0st@unaffiliated/mohan)`
`19:17.10`	`*** join/#gllug Mohan (~nixh0st@unaffiliated/mohan)`
`19:44.42`	`*** join/#gllug Hamzah (~mhamzahkh@genesis.home.hamzahkhan.com)`
`19:45.55`	`*** join/#gllug gmarkall (~graham@84.45.235.192)`
`20:30.30`	`*** join/#gllug __marcus_ (~marcus@lenny.uk-debtcollection.com)`
`23:36.02`	`*** join/#gllug Leeds (~richardc@pcd253019.netvigator.com)`

Generated by irclog2html.pl Modified by Tim Riker to work with infobot.