colmmacc 2 hours ago

If GitHub flipped a switch and enabled IPv6 it would instantly break many of their customers who have configured IP-based access controls [1]. If the customer's network supports IPv6, the traffic would switch, and if they haven't added their IPv6 addresses to the policy ... boom, everything breaks.

This is a tricky problem; providers don't have an easy way to correlate addresses or update policies proactively. And customers hate it when things suddenly break, no matter how well you go about it.

[1] https://docs.github.com/en/enterprise-cloud@latest/organizat...

alibarber 2 hours ago

Having been messing around personally with getting my own blocks of IP addresses and routing[1] - I've become terrified at the idea of implementing access control based on IP address.

Unless your own organisation in the RR has the IP addresses assigned to you as Provider Independent resources, there just seems to be so many places where 'your' IP address could, albeit most likely accidentally, become not yours any more. And even then, just like domain names, stop renewing the registration and someone else will get them - I was that someone else recently...

[1] AS202858

yosamino an hour ago

Oh, cool! that's on my bucket list as well. I am still grappling with some concepts, though.

Do you have a writeup of your setup somewhere or can you recommend some learning materials ?

alibarber 39 minutes ago

It's fun and has now become an addictive rabbit hole - trying to get packets from one location to the other in the fastest, most direct way (and at hobbyist budget level).

Initial writeup based on IPv6: https://abarber.com/Setting-Up-ASN-IPv6-Routing-BIRD-Teltoni...

Have been having fun recently with an IPv4 block and Asynchronous routing, working on writing that up right now :)

progbits 2 hours ago

Anyone who relies on IP filtering for security deserves to have it broken. Change my mind.

omh 2 hours ago

I'll take that bait ;-)

IP filtering is a valuable factor for security. I know which IPs belong to my organisation and these can be a useful factor in allowing access.

I've written rules which say that access should only be allowed when the client has both password and MFA and comes from a known IP address. Why shouldn't I do that?

And there are systems which only support single-factor (password) authentication so I've configured IP filtering as a second factor. I'd love them to have more options but pragmatically this works.
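The two failure modes discussed above (colmmacc's "switch on IPv6 and every IPv4-only allowlist breaks", and omh's "password + MFA + known IP" rule) can be shown in a small policy evaluator. This is an added example written for this page, not code from GitHub, omh, or any product; the prefixes (203.0.113.0/24, 2001:db8:1::/48) are documentation ranges standing in for an organisation's egress addresses, and the `AccessPolicy` shape is an assumption for illustration.

```python
"""IP allowlist as one factor alongside password and MFA (added example).

Shows (1) why an IPv4-only allowlist denies the same users the moment their
clients prefer IPv6, and (2) a lint that flags that gap before it bites.
Assumptions: the policy shape below is hypothetical; prefixes are RFC 5737 /
RFC 3849 documentation ranges used as constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass
class AccessPolicy:
    """Allowlist plus the other factors the rule requires."""
    allowed_networks: List[IPNetwork] = field(default_factory=list)
    require_mfa: bool = True


def parse_networks(cidrs: List[str]) -> List[IPNetwork]:
    # strict=False accepts host bits set (e.g. "203.0.113.5/24") without error.
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def normalize_client_ip(raw: str) -> IPAddress:
    """Parse the observed client address.

    Dual-stack servers often log IPv4 clients as IPv4-mapped IPv6
    (::ffff:203.0.113.5); unmap them so IPv4 allowlist entries still match.
    """
    addr = ipaddress.ip_address(raw)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def ip_allowed(policy: AccessPolicy, raw_ip: str) -> bool:
    addr = normalize_client_ip(raw_ip)
    # An address only ever matches a network of the same IP version.
    return any(addr in net for net in policy.allowed_networks
               if net.version == addr.version)


def evaluate(policy: AccessPolicy, client_ip: str,
             password_ok: bool, mfa_ok: bool) -> Tuple[bool, str]:
    """Return (allowed, reason). All required factors must hold."""
    if not password_ok:
        return False, "password rejected"
    if policy.require_mfa and not mfa_ok:
        return False, "MFA required"
    if not ip_allowed(policy, client_ip):
        return False, f"{client_ip} not in allowlist"
    return True, "ok"


def missing_v6_coverage(policy: AccessPolicy) -> bool:
    """Lint: IPv4 entries present but no IPv6 entry at all.

    This is exactly the state that breaks when a provider enables IPv6.
    """
    versions = {n.version for n in policy.allowed_networks}
    return 4 in versions and 6 not in versions


# Constructed sample data: the organisation's IPv4 and IPv6 egress ranges.
ORG_V4 = "203.0.113.0/24"
ORG_V6 = "2001:db8:1::/48"

# "Before": allowlist built when everything was IPv4.
POLICY_V4_ONLY = AccessPolicy(allowed_networks=parse_networks([ORG_V4]))
# "After": IPv6 egress prefix added before the provider turns on AAAA records.
POLICY_DUAL = AccessPolicy(allowed_networks=parse_networks([ORG_V4, ORG_V6]))


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str], Tuple[bool, str]]:
    """Same user, same password + MFA; only the source address changes."""
    before_v4 = evaluate(POLICY_V4_ONLY, "203.0.113.10", True, True)
    before_v6 = evaluate(POLICY_V4_ONLY, "2001:db8:1::10", True, True)  # breaks
    after_v6 = evaluate(POLICY_DUAL, "2001:db8:1::10", True, True)       # fixed
    return before_v4, before_v6, after_v6


if __name__ == "__main__":
    for label, result in zip(("v4-only/v4 client", "v4-only/v6 client",
                              "dual/v6 client"), demo()):
        print(f"{label}: {result}")
    print("lint v4-only policy:", missing_v6_coverage(POLICY_V4_ONLY))
```

The lint is the cheap check to run over every IP-restricted policy you own now, before a provider enables IPv6 for you; the mapped-address handling covers the other direction, where a dual-stack front end starts reporting IPv4 clients as `::ffff:` addresses and an otherwise correct IPv4 allowlist stops matching.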

apexalpha an hour ago

IP filtering + proper security is better than just having the security.

There's value in restricting access and reducing one's attack surface, if only to reduce noise in monitoring.

sebiw 2 hours ago

Defense in depth is a thing but I agree that relying on it is not a good idea.

TabTwo an hour ago

Thanks to the trend towards SASE like Palo Alto GlobalProtect or ZScaler, this practice is not a good idea anymore. Speaking of ZScaler, they are still IPv4 only, right?

bluGill an hour ago

If you can't handle sites switching to IPv6 in 2015 (ten years ago), your security plan is garbage.