Re: OpenBSD as IPv4+6 gateway
In my limited experience with IPv6, this has been the case. The provider has you on a /64 of their own (not part of your /48), so your WAN interface would have one of their IPs on it, and they should tell you exactly what it should be, just as it's done in IPv4. Your own personal /48 is then routed through that IP. You can assign more IPs from your /48 to your WAN interface, of course, by dedicating a /64 to it. But you will always need to have at least the one ISP IP on it.

RK

On Thu, Jun 21, 2012 at 4:22 PM, Simon Perreault wrote:
> On 2012-06-21 15:50, Hugo Osvaldo Barrera wrote:
>> I have read a great deal regarding IPv6 and IIRC, if I subnet my
>> network block, my ISP would have to know it has to route traffic to that
>> subnet through the WAN IP address of my router.
>
> Yes. If they don't allow that, then they don't know what they are doing.
> You're not supposed to assign a /48 to a single link. A single link gets a
> /64.
>
>> The alternative would be to proxy ndp and have OpenBSD forward packets,
>> yet I don't see a way to proxy an entire subnet using ndp.
>
> Right, because you shouldn't do that, especially in IPv6 with the 64 bits of
> addressing for a single subnet.
>
>> Am I missing something perhaps?
>
> Call the support and ask them for the missing information?
>
> You're definitely not supposed to bridge.
>
> Simon
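To make the addressing rules in this thread concrete, here is an added Python check (not code from the original posts or from OpenBSD) that validates a gateway addressing plan against them: the WAN interface carries an address from the ISP's own /64, the ISP gateway sits inside that /64, the /48 is never assigned to a single link, every other /64 is carved from the delegated block, and no /64 appears on two links. The prefixes, gateway and interface names are constructed sample values from the IPv6 documentation range; substitute the ones your provider gives you.

```python
import ipaddress

# Constructed sample plan using the IPv6 documentation prefix (2001:db8::/32).
ISP_LINK = "2001:db8:ffff:1::/64"      # the provider's own /64 on the WAN link
ISP_GATEWAY = "2001:db8:ffff:1::1"     # the provider's router on that link
DELEGATED = "2001:db8:1234::/48"       # the block they route to your WAN address
WAN_IF = "em0"
PLAN = {
    "em0": ["2001:db8:ffff:1::2/64",      # the one mandatory ISP address
            "2001:db8:1234:ffff::1/64"],  # optional: a /64 of your own block on the WAN
    "em1": ["2001:db8:1234:1::1/64"],     # first LAN segment, its own /64
}


def check_gateway_plan(isp_link, isp_gateway, delegated, wan, interfaces):
    """Return a list of problems with an IPv6 gateway addressing plan.

    isp_link    -- the provider's /64 on the WAN link, e.g. "2001:db8:ffff:1::/64"
    isp_gateway -- the provider's router address on that link
    delegated   -- the block routed to you, e.g. "2001:db8:1234::/48"
    wan         -- name of the WAN interface
    interfaces  -- {ifname: ["addr/prefixlen", ...]} for every interface
    An empty list means the plan follows the rules discussed in the thread.
    """
    problems = []
    link = ipaddress.ip_network(isp_link)
    gw = ipaddress.ip_address(isp_gateway)
    block = ipaddress.ip_network(delegated)

    if link.prefixlen != 64:
        problems.append(f"ISP link {link} is not a /64")
    if gw not in link:
        problems.append(f"ISP gateway {gw} is not inside the link prefix {link}")
    if link.overlaps(block):
        problems.append(f"ISP link {link} overlaps the delegated block {block}")

    # The WAN interface must carry at least one address from the ISP's /64,
    # otherwise the provider's router has nothing on-link to forward to.
    wan_addrs = [ipaddress.ip_interface(a) for a in interfaces.get(wan, [])]
    if not any(a.ip in link for a in wan_addrs):
        problems.append(f"WAN interface {wan} has no address from the ISP link {link}")

    owner = {}  # /64 -> interface that already uses it
    for ifname, addrs in interfaces.items():
        for a in map(ipaddress.ip_interface, addrs):
            if a.network.prefixlen != 64:
                problems.append(
                    f"{ifname}: {a} is a /{a.network.prefixlen}, "
                    "but a single link should get a /64")
                continue
            if a.ip in link:
                if ifname != wan:
                    problems.append(
                        f"{ifname}: {a} uses the ISP link prefix but is not the WAN")
            elif not a.network.subnet_of(block):
                problems.append(
                    f"{ifname}: {a} is neither on the ISP link nor inside {block}")
            first = owner.setdefault(a.network, ifname)
            if first != ifname:
                problems.append(f"{a.network} is used on both {first} and {ifname}")
    return problems


if __name__ == "__main__":
    for problem in check_gateway_plan(ISP_LINK, ISP_GATEWAY, DELEGATED, WAN_IF, PLAN):
        print("problem:", problem)
    print("done")
```

The interface dictionary mirrors what you would put in the per-interface configuration files on the gateway; the check deliberately flags a /48 on any link and a LAN interface that borrows the ISP's prefix, since both are the configurations the thread warns against.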
Re: OpenSSL handling intermediate certificates
On Thu, Aug 23, 2012 at 12:08 PM, Ted Unangst wrote:
> people designing the protocol never got that far.
>
> Anyway the workaround du jour is certificate pinning. Your browser is
> supposed to remember the cert used for the previous connection and
> warn if it changes, which reduces the window of opportunity.

And a poor workaround at that. The only browser this works well in is Chrome, and only with Google properties. In Firefox, the Certificate Patrol add-on is bothersome to the user as it constantly asks permission, to the point of crying wolf. Large organizations with multiple certificates for the same site, such as Google and Microsoft, are not understood by this add-on. Firefox 17 is working towards a native certificate pinning feature. I hope the release of that feature works well and spurs other browser vendors to follow suit.

One thing I've never understood is that if you're MITM'd, what good is a cert revocation going to do? The proxying individual can easily block access to the revocation lists, and your browser be none the wiser.

'DNS-based Authentication of Named Entities', in my opinion, is a more promising system than certificate pinning, as it allows web site operators to publish certificates (or hashes of them) in DNS. However, this would require DNSSEC to be secure (which itself seems to be mired in controversy lately, not to mention the slow rate of adoption), and the project at IETF appears to be mostly dead: https://datatracker.ietf.org/wg/dane/charter/
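The pinning behaviour the two posts describe, "remember the cert used for the previous connection and warn if it changes", together with the complaint that sites serving several certificates are not understood, is small enough to show end to end. Below is an added Python sketch of a trust-on-first-use pin store; it is not code from any browser or add-on mentioned in the thread. The three byte strings are constructed stand-ins for DER-encoded certificates (in a real client the input would be the bytes returned by `ssl.SSLSocket.getpeercert(binary_form=True)`), and the hostname is a constructed example.

```python
import hashlib
import json
from typing import Dict, List, Set

# Constructed stand-ins for DER-encoded certificates; real input would be the
# bytes returned by ssl.SSLSocket.getpeercert(binary_form=True).
CERT_A_2012 = b"constructed-der-bytes: CN=mail.example.net, serial=0001"
CERT_A_2013 = b"constructed-der-bytes: CN=mail.example.net, serial=0002"
CERT_MITM = b"constructed-der-bytes: CN=mail.example.net, serial=0001, issuer=interceptor"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate, hex-encoded; this is the pin we store."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Trust-on-first-use pin store, keyed by hostname.

    A host may carry several accepted pins, so a site that legitimately
    serves more than one certificate (or rotates them) stops raising a
    warning once each certificate has been approved, instead of asking
    on every connection.
    """

    def __init__(self) -> None:
        self.pins: Dict[str, Set[str]] = {}

    def check(self, hostname: str, cert_der: bytes) -> str:
        """Classify the certificate presented on a connection.

        'new'      -- first contact with this host; the pin is recorded (TOFU)
        'match'    -- certificate is one of the approved pins for the host
        'mismatch' -- differs from every approved pin: warn before proceeding
        """
        fp = fingerprint(cert_der)
        known = self.pins.get(hostname)
        if known is None:
            self.pins[hostname] = {fp}
            return "new"
        return "match" if fp in known else "mismatch"

    def approve(self, hostname: str, cert_der: bytes) -> None:
        """Record an additional pin after the user has vetted the change."""
        self.pins.setdefault(hostname, set()).add(fingerprint(cert_der))

    def export(self) -> str:
        """Serialise the store so pins survive a browser restart."""
        return json.dumps({h: sorted(p) for h, p in self.pins.items()}, indent=2)

    @classmethod
    def load(cls, text: str) -> "PinStore":
        store = cls()
        store.pins = {h: set(p) for h, p in json.loads(text).items()}
        return store


def demo() -> List[str]:
    """Walk one host through first use, a rotation and an intercepting proxy."""
    store = PinStore()
    host = "mail.example.net"
    events = [store.check(host, CERT_A_2012)]      # 'new': first contact
    events.append(store.check(host, CERT_A_2012))  # 'match'
    events.append(store.check(host, CERT_A_2013))  # 'mismatch': rotated cert
    store.approve(host, CERT_A_2013)               # user vetted the rotation
    events.append(store.check(host, CERT_A_2013))  # 'match'
    events.append(store.check(host, CERT_A_2012))  # 'match': old pin still approved
    store = PinStore.load(store.export())          # pins survive a restart
    events.append(store.check(host, CERT_MITM))    # 'mismatch': unexpected cert
    return events


if __name__ == "__main__":
    print(demo())
```

Two design points follow from the thread. First, the store can only ever say that a certificate differs from what was seen before, so the first connection (the "new" event) is taken on trust and gets no protection, which is the window the post refers to. Second, the per-host set of pins is what lets a site with several legitimate certificates stop prompting once each has been approved; a client that keeps only a single pin per host is the one that cries wolf.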
Re: OpenSSL handling intermediate certificates
You're definitely on track, although I was referring to D.J. Bernstein's recent slides: http://cr.yp.to/talks/2012.06.04/slides.pdf

In these, he does bring up the same problems again that his DNSCurve purported to solve, about weak algorithms, signing (or lack of), forgeries, and UDP amplification. It might just be who I follow, but I've seen a lot of discussion around this lately on Twitter by Jacob Appelbaum and other privacy/crypto types. Perhaps 'mired in controversy' was an overstatement, but it definitely appears that spec has problems.

RK

On Fri, Aug 24, 2012 at 6:17 AM, Kevin Chadwick wrote:
>> However,
>> this would require DNSSEC to be secure (which itself seems to be mired
>> in controversy lately, not to mention the slow rate of adoption)
>
> Do you have a reference for that? I know of the controversy around
> DNSCurve before DNSSEC even arrived but haven't seen any of late. Is it
> to do with the restriction of key length by DNS record size and use of
> RSA rather than ECDSA which offers more security to key length ratio or
> something else?
>
> --
> ___
>
> 'Write programs that do one thing and do it well. Write programs to work
> together. Write programs to handle text streams, because that is a
> universal interface'
>
> (Doug McIlroy)
> ___