IPv6 and/or IPv4... (rant-like post)


#1

I must confess that I am more or less a passive member of this community, in that I mostly read the posts on this forum and seldom write.

This will be a kind of rant / discussion-starter type of post, as I am noticing more and more people having problems with certificate issuance, be it new or renewals, when they have a misconfigured server.

YES, misconfigured server and/or firewall.
Yes, I know that IPv6 is the new thing that ISPs are pushing towards customers, which is great, about time I say, but the thing is that the users are mostly not educated enough about IPv6 connectivity, how it differs from IPv4 and what caveats its implementation brings with it.

1st. IPv4 NAT is not security in the sense of a firewall; it is a false sense of security.
2nd. IPv6 is natively meant to run without NAT due to the abundance of available IPs and therefore requires a correctly installed and configured firewall, as each device that is connected to the internet via IPv6 has a PUBLIC IP address which is normally globally routable, i.e. each user on the internet can directly access your device if the IP is known and the firewall permits it - no port forwarding necessary as with an IPv4 and NAT configuration.

So to all users that have IPv6 enabled: please double-check and make sure that you have a firewall correctly installed and configured in place; otherwise it is best to disable IPv6 until you do so. Doing so will ensure that your certificate from Let's Encrypt will be issued without problems, and also you will be more secure on the internet while using IPv6 (or not).

I apologize for this kind-of-rant post, but I really hate to see people blame LE for issues regarding certificate issuance when they have misconfigured IPv6.

LE and the community, keep up the good work, I love it!


#2

Telling people to disable IPv6 is exactly the wrong answer. People need to learn and use IPv6, and make sure services are reachable before they expect automatic cert generation via IPv6 to work on their web servers. Just like they would do with IPv4.


#3

@Yomamma: please read this part again, especially the first sentence.

And to add another notion: having IPv6 enabled and misconfigured in most cases poses a security risk, if not only a degradation in service.

For example, if you have an IPv6 AAAA record configured for your website but the web server is not properly configured, it represents a degradation in service, as users that access your website via IPv6 will not be able to access it, and LE will also not be able to do an HTTP/TLS challenge check.
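The AAAA-published-but-unreachable situation described in the post above can be checked from the server owner's side before requesting a certificate. The following script is an added example written for this thread, not code from the original posts or from Let's Encrypt: it resolves a hostname's A and AAAA records, tries a TCP connection to port 80 on every published address, and reports the mismatch between what DNS advertises and what actually answers. The hostname, the IPv6-literal detection by ':' and the 5-second timeout are assumptions of this example.

```python
import socket
import sys
from typing import Dict, List

HTTP_PORT = 80  # the port an HTTP-01 challenge is fetched on


def resolve(hostname: str) -> Dict[str, List[str]]:
    """Return the published A and AAAA addresses of hostname (empty lists if none)."""
    records: Dict[str, List[str]] = {"A": [], "AAAA": []}
    try:
        for family, _, _, _, sockaddr in socket.getaddrinfo(hostname, HTTP_PORT, type=socket.SOCK_STREAM):
            key = "AAAA" if family == socket.AF_INET6 else "A"
            if sockaddr[0] not in records[key]:
                records[key].append(sockaddr[0])
    except socket.gaierror:
        pass  # an unresolvable name simply yields no records
    return records


def probe(address: str, port: int = HTTP_PORT, timeout: float = 5.0) -> bool:
    """True if a TCP connection to address:port succeeds; IPv6 is assumed when the literal contains ':'."""
    v6 = ":" in address
    try:
        with socket.socket(socket.AF_INET6 if v6 else socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((address, port, 0, 0) if v6 else (address, port))
            return True
    except OSError:  # refused, timed out, no route: all mean "not reachable"
        return False


def diagnose(records: Dict[str, List[str]], reachable: Dict[str, bool]) -> List[str]:
    """Compare what DNS advertises with what answered the probe; returns human-readable findings."""
    v4, v6 = records.get("A", []), records.get("AAAA", [])
    if not v4 and not v6:
        return ["no A or AAAA records published"]
    findings = []
    for label, addrs in (("A", v4), ("AAAA", v6)):
        dead = [a for a in addrs if not reachable.get(a, False)]
        if dead:
            scope = "none reachable" if len(dead) == len(addrs) else "some unreachable"
            findings.append(f"{label} record(s) published but {scope} on port {HTTP_PORT}: {', '.join(dead)}")
    # The exact case from the post: AAAA advertised, IPv6 dead, IPv4 fine.
    if v6 and v4 and not any(reachable.get(a) for a in v6) and any(reachable.get(a) for a in v4):
        findings.append("IPv6 listed in DNS but only IPv4 answers: IPv6 clients and a validator using the AAAA address get no response")
    return findings


def check(hostname: str) -> List[str]:
    """Resolve, probe every published address, and diagnose; an empty list means all is well."""
    records = resolve(hostname)
    reachable = {a: probe(a) for addrs in records.values() for a in addrs}
    return diagnose(records, reachable)


if __name__ == "__main__":
    for line in check(sys.argv[1]) or [f"OK: every published address answers on port {HTTP_PORT}"]:
        print(line)
```

Run it from a host outside your own network, since a probe from inside the LAN says nothing about what the firewall lets in from the internet.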

