sdf.org

       bboard hyperpithole gate
 (DIR) Menu
 (DIR) Section <GOPHER>
 (DIR) Forward
 (DIR) Backward
       Thread[.post]: 24
       TACKER:  alberti (Bob Alberti)
       SUBJECT: IPV6 and XLAT464 on TMobile
       DATE:    26-Dec-22 23:15:51
       HOST:    sdf
       
       One thing I see happening, to which services such as the gopher proxy may 
       need to adapt, is the use of XLAT 464 to provide Internet IPV4 serices to 
       IPV6 provider networks such as (but hardly limited to) T-mobile.
       
       As IPV4 addresses are increasingly scarce providers are building IPV 6 
       networks and then providing IPV6-to-IPV4 NATing. However they do not 
       attempt to build in a 1:1 allocation of V4 to V6 addresses, instead 
       assigning addresses to each packet indiviudally.
       
       This is a problem because the Gopher-HTTP proxy interprets this as:
       
       Malicious Activity Detected
       You appear to be using software associated with or exhibiting bot-like 
       activity. This is banned for security reasons. If this is a legitimate 
       access, please E-mail gopher@floodgap.com with an explanation.
       httpi/1.7.2 (nano_inetd_turbo/AIX) by Cameron Kaiser
       
       A simple fix, if you have it available, is a single-horizon VPN. My 
       employer has one, and it gathers all of one's random IP packets and 
       rewrites them at the other end of the VPN to a single static address.
       
       Lacking that, however, I think it might be worth examining how services 
       like the Floodgap proxy might identify non-malicious XLAT 464 packets in 
       
       [ SCROLL (F)ORWARD, (B)ACKWARD - (Q)UIT ] FORWARD
       HOST:    sdf
       
       One thing I see happening, to which services such as the gopher proxy may 
       need to adapt, is the use of XLAT 464 to provide Internet IPV4 serices to 
       IPV6 provider networks such as (but hardly limited to) T-mobile.
       
       As IPV4 addresses are increasingly scarce providers are building IPV 6 
       networks and then providing IPV6-to-IPV4 NATing. However they do not 
       attempt to build in a 1:1 allocation of V4 to V6 addresses, instead 
       assigning addresses to each packet indiviudally.
       
       This is a problem because the Gopher-HTTP proxy interprets this as:
       
       Malicious Activity Detected
       You appear to be using software associated with or exhibiting bot-like 
       activity. This is banned for security reasons. If this is a legitimate 
       access, please E-mail gopher@floodgap.com with an explanation.
       httpi/1.7.2 (nano_inetd_turbo/AIX) by Cameron Kaiser
       
       A simple fix, if you have it available, is a single-horizon VPN. My 
       employer has one, and it gathers all of one's random IP packets and 
       rewrites them at the other end of the VPN to a single static address.
       
       Lacking that, however, I think it might be worth examining how services 
       like the Floodgap proxy might identify non-malicious XLAT 464 packets in 
       order to provide service to users on IPV6 ISPs. This issue is only going to 
       increase with time.
       
       
       
       (continue)