M1 FIBRE BROADBAND DISCUSSION - Part 2

bert64

Senior Member
Joined
Jan 20, 2020
Messages
863
Reaction score
352
In the actual internet world, IPv6 is not safer than IPv4. Read this:

https://www.internetsociety.org/deploy360/ipv6/security/faq/

That article in fact details several ways in which IPv6 is harder for malicious actors to attack. Although not explicitly stated, it's common sense that something which is harder to attack is going to be safer unless it has some other massive weakness, which in this case it does not.

It's also somewhat misleading, for instance it talks about "increased complexity of IPv6" but in many ways IPv6 is simplified, for instance the packet header is simpler, routing is simpler because routers no longer need to recalculate the checksum each time they forward a packet, nor do they need to bother with fragmentation and reassembly. Many features which were later added to IPv4 such as PMTUD are standard parts of IPv6. This makes IPv6 less complex, not more, since you still have to deal with these things on an IPv4 network but with IPv4 you also have to deal with the fallback case where these newer features are not always supported.
People only perceive IPv6 to be more complex because they are unfamiliar with it.

There is also the complexity of implementation to consider. While IPv6 can be deployed as designed, IPv4 requires various extensions, as well as various hacks designed to conserve limited address space. Complexity is the enemy of security.

Perhaps they are comparing original IPv4 to IPv6, rather than the extended IPv4 that's in general use. For instance packet fragmentation was always considered a problem, so path MTU discovery was created as an alternative. However while all IPv6 implementations are required by spec to support PMTUD, IPv4 may or may not, so in practice both fragmentation/reassembly and PMTUD need to be supported whereas IPv6 may only use PMTUD.
Original IPv4 only supported address classes, CIDR was also added later and there are old/embedded implementations which don't support it at all.

In terms of security specifically however, there are several advantages to IPv6:

With IPv4, the most common technique used to discover vulnerable hosts is simply to scan address ranges. Doing so you will find every host and every service. Various automated worms use this method to spread, it's extremely effective and once one machine is infected your whole network typically comes crashing down in minutes if not seconds. With IPv6 scanning ranges is simply not practical. There are other techniques possible such as DNS enumeration, but these are more time consuming, more difficult and less thorough. On the other hand you as the network owner can always know what addresses are live by viewing the address tables on your routers and switches, so you can pass the list of active addresses to your scanning or pentest provider and still retain full coverage of your devices.
This is touched on in section 2.2 of your linked article.
TL;DR: the classic scan and compromise attack becomes much harder, you as a defender have a lot more breathing room to patch, and a lot more margin for error if you put an insecure box on an open connection.

Elimination of complexity such as NAT. With routable addresses you have simple firewall rules - external address block A is allowed to reach server B on port C.
With NAT, you have external address block A is allowed to reach external address B on port C but it's actually translated to internal address D and port E. You have to retain and correlate multiple addresses for each service, mappings of ports on the same address going to different hosts etc.
You have other mess like NAT reflection rules etc, and have to worry about things such as NAT slipstream attacks. Complexity is the enemy of security.

Due to NAT a single address can represent multiple users/hosts. This causes all manner of security problems.
We were performing a red team assessment against a company a couple of years ago, we found their external email service and began trying to guess credentials. They quickly identified this activity, and blocked the host we were guessing from.
So we bought a prepaid SIM card from the same operator they use for their corporate mobiles, and continued password guessing from there. Because the IP address pools for the 3G users were shared, if they blocked these addresses they would also be blocking their actual employees. They didn't block the addresses, and after a while we got lucky on guessing some creds (there is always at least one user with a poor password).

I encountered another NAT problem while investigating a security breach. A company had a critical server compromised, and the attack had come from one of their branch offices. They traced the attack back to a router located at the branch office. This router was performing NAT for the ~4000 machines behind it, and was not logging every state (doing so would have caused a severe performance reduction of the router requiring a more powerful one to be purchased, as well as somewhere to store the logs). As such, we had absolutely no idea which of the 4000 potential systems was the source of the attack.

IPv4 was never designed to use NAT, since it was designed for use on a relatively small military network with tens of sites and maybe a few thousand hosts in total. You can transport lots of people around by having them hang on to the roof and bumpers of your car and cram them in like a clown car, or you can use a bus.

There are LOTS of open proxies on the internet, there are even big lists of them published and people use them for anonymous browsing of internet sites... But how many of these are connected to an internal network and would let you attack internal hosts using the proxy? If you're maliciously inclined you can find out, issue requests to the proxy for addresses within the common RFC1918 address space and see if you get any hits. The address space is small, so you should be able to sweep it all and see if there are any internal devices reachable via the proxy.
With IPv6, the open proxy is less likely to be found in the first place, and if it is found it still won't be practical to scan the /64 that the proxy sits inside, let alone try to brute force any other address ranges that it might have access to.

Modern operating systems are designed to use IPv6, and consider it their primary protocol. They will only fall back to legacy protocols like IPv4, IPX/SPX, NetBEUI etc if IPv6 is not available. If you connect a modern host to an old network, it will typically sit probing for an IPv6 router and/or DHCPv6 server constantly. A malicious attacker on the local network (especially open public WiFi) can answer these requests, and become the primary DNS server and primary network route, thus hijacking traffic. While this is technically possible against protocols that are actively in use too, it's harder to pull off (you have to fight against the real DHCP/DHCPv6 server, and risk causing a very noticeable denial of service). On networks where IPv6 has not been configured, it's extremely unlikely to be noticed. This is briefly touched upon as points 1.2 and 3 in your linked article, but he doesn't mention that an explicit lack of IPv6 infrastructure on a legacy network containing modern hosts makes this attack easier to accomplish.
You can search for the tool "mitm6" which can accomplish some of these attacks simply.

The greater address space of IPv6 allows you to better design your addressing plan, with better segmentation between functions.

One of the things stated in your linked article is: "IPsec employs Extension Headers, which typically result in packet drops when employed on the public Internet (see [RFC7872])."
This refers to IPv4, where the AH/ESP protocols are not recognised by some older and/or shoddier implementations, resulting in the packets being dropped. These protocols didn't exist when IPv4 was designed, so they were never considered.
IPv6 implementations are all capable of passing AH/ESP packets because it's part of the base spec. They will only be blocked or dropped if you explicitly configure a firewall to do so.

In section 3.4 he touches on SEcure Neighbour Discovery (SEND) and suggests there is no widespread support for it. While it's true that it's not widely supported by default, support can be installed on all modern operating systems if you require it. IPv4 has no equivalent to SEND at all.

In section 3.5 he details a DoS attack against NDP. The same attack can be performed against IPv4.

In section 4.4 he details an attack against packet fragmentation. Similar attacks are possible against IPv4, and are more likely to succeed there because support for fragmentation is not optional for IPv4.

Microsoft, Facebook, Cisco, the US government etc are all deploying IPv6 for security reasons among other things. These organisations employ a great many experts in the fields of networking and security, they know what they're doing.

There are also many non-security-related benefits to IPv6, which I've not touched upon as the subject was security.
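The two NAT problems described in the post above (a public address shared by many users, and a branch gateway that kept no per-session state for ~4000 hosts) both come down to what the translation log records. The Python sketch below is an added example, not code from the post or from any router vendor: `NatSessionLog` is a hypothetical model of the state a NAT gateway holds, and every address, port and timestamp is constructed sample data (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges). It shows that an observation made on the victim side (time, public address, public port, destination) resolves to exactly one inside host only when session start and end times were logged, and that blocking a shared public address hits every host mapped through it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data; these are documentation address ranges, not real hosts.
PUBLIC_IP = "203.0.113.7"
T0 = datetime(2021, 3, 1, 9, 0, 0)
# Hypothetical branch office: 4000 inside hosts in 10.20.0.0/16 behind one public address.
INSIDE_HOSTS = [f"10.20.{i // 256}.{i % 256}" for i in range(1, 4001)]


@dataclass(frozen=True)
class NatSession:
    """One translation-table entry as the gateway holds it while a flow is open."""
    start: datetime
    end: datetime
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int
    dst_ip: str
    dst_port: int


class NatSessionLog:
    """Per-session NAT log (hypothetical model). An entry is written when the
    gateway creates the translation and closed when the state expires; this
    is the record the branch router in the post was not keeping."""

    def __init__(self):
        self._sessions = []

    def record(self, session):
        self._sessions.append(session)

    def attribute(self, seen_at, outside_ip, outside_port, dst_ip, dst_port):
        """Inside (ip, port) pairs whose translation matches a flow observed on
        the victim side at `seen_at`. Assumes the gateway and the victim agree
        on time (NTP); clock skew larger than the port-reuse interval makes
        the answer ambiguous again."""
        return {
            (s.inside_ip, s.inside_port)
            for s in self._sessions
            if (s.outside_ip, s.outside_port, s.dst_ip, s.dst_port)
            == (outside_ip, outside_port, dst_ip, dst_port)
            and s.start <= seen_at <= s.end
        }

    def hosts_sharing(self, outside_ip, at):
        """Inside hosts translated to `outside_ip` at time `at`. Blocking that
        address on the victim side blocks all of them, which is the shared
        mobile pool problem the post describes."""
        return {
            s.inside_ip
            for s in self._sessions
            if s.outside_ip == outside_ip and s.start <= at <= s.end
        }


def attribute_without_log(inside_hosts):
    """With only the address plan and no session state, the candidate set is
    every host behind the gateway."""
    return set(inside_hosts)


def build_sample_log():
    """Three constructed sessions. Outside port 40001 is reused by two different
    inside hosts a few minutes apart, so the timestamp decides the answer."""
    log = NatSessionLog()
    log.record(NatSession(T0, T0 + timedelta(minutes=2),
                          "10.20.3.44", 51234, PUBLIC_IP, 40001, "198.51.100.10", 443))
    log.record(NatSession(T0 + timedelta(minutes=5), T0 + timedelta(minutes=6),
                          "10.20.7.19", 40877, PUBLIC_IP, 40001, "198.51.100.10", 443))
    log.record(NatSession(T0, T0 + timedelta(minutes=10),
                          "10.20.9.2", 33000, PUBLIC_IP, 40002, "198.51.100.25", 22))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    # Victim-side alert: SSH password guessing from 203.0.113.7:40002 at 09:04.
    print(log.attribute(T0.replace(minute=4), PUBLIC_IP, 40002, "198.51.100.25", 22))
    print(len(attribute_without_log(INSIDE_HOSTS)), "candidates without a session log")
```

The practical consequences are the ones the post hints at: the gateway's setup and teardown records need at least these fields, both sides' clocks have to be synchronised, and if logging every flow is too expensive for the router, allocating each inside host a fixed block of outside ports and logging only the block assignment cuts the volume while keeping attribution possible.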
 

chopra

High Supremacy Member
Joined
Apr 15, 2003
Messages
49,479
Reaction score
472
[attached image]
My ONT and LAN at the purple cross.
 

bert64

Senior Member
Joined
Jan 20, 2020
Messages
863
Reaction score
352
Do all the local ISPs offering fibre broadband for businesses support IPv6?
E.g. do the routers that they provide even support IPv6 by default?
Or need to specially request for IPv6 provisioning? Chargeable?

I suppose if the recent M1 outages only affected IPv4, then it would automatically be a win if WFH staff on M1 can continue to remotely access their office infra via VPN over IPv6.

It's a win to have dual stack, since you can always fail over to the other protocol if one is having problems. It may not work in all cases as some kinds of outage will take out both, but dual stack can never be worse and can sometimes be better.

Singtel say they support native IPv6 for business users, just not for residential users.
M1 and Starhub support it for residential so no reason they wouldn't offer it for business users too. It's likely available by default and simply requires appropriate configuration of the router.

All of the ISPs have IPv6 on their core, for instance at: https://bgp.he.net/AS56300 you can see that MyRepublic has IPv6 in their infrastructure but won't provide it to residential users.
Same story with VQ:
https://bgp.he.net/AS18106
They also seem to have downstream customers with IPv6, almost certainly business customers.

What they use it for I don't know, perhaps it's only offered for business customers, same as Singtel?

Business customers will typically use enterprise-grade routers from the likes of Cisco, these all have full IPv6 support and have done for a very long time, way before any consumer grade routers did.
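The post above argues that dual stack lets a client fail over to the other protocol when one is broken. The Python block below is an added example, not code from the post or from any ISP: it implements the staggered connection race that modern clients use for exactly this (the "Happy Eyeballs" approach of RFC 8305), preferring IPv6 but starting the IPv4 attempt after a short delay so that a blackholed IPv6 path does not hold the connection up until it times out. The hostnames are constructed documentation addresses and `make_simulated_connector` stands in for the network so the demo runs offline; `tcp_connect` is the real connector you would pass instead.

```python
import socket
import threading
import time

# Constructed candidates: 2001:db8::/32 and 192.0.2.0/24 are documentation prefixes.
V6 = (socket.AF_INET6, ("2001:db8::1", 443))
V4 = (socket.AF_INET, ("192.0.2.1", 443))
FAMILY_NAME = {socket.AF_INET6: "IPv6", socket.AF_INET: "IPv4"}


def order_candidates(candidates, prefer=socket.AF_INET6):
    """Interleave address families, preferred family first, so that one broken
    family cannot starve the other (RFC 8305 section 4)."""
    preferred = [c for c in candidates if c[0] == prefer]
    other = [c for c in candidates if c[0] != prefer]
    ordered = []
    for i in range(max(len(preferred), len(other))):
        if i < len(preferred):
            ordered.append(preferred[i])
        if i < len(other):
            ordered.append(other[i])
    return ordered


def connect_happy_eyeballs(candidates, try_connect, attempt_delay=0.25, overall_timeout=5.0):
    """Start one attempt, give it `attempt_delay` seconds to win, then start the
    next one in parallel; the first success wins and later ones are discarded.
    Returns (candidate, connection) or (None, None) if nothing connected in time."""
    winner = {}
    won = threading.Event()
    lock = threading.Lock()

    def attempt(candidate):
        try:
            conn = try_connect(candidate)
        except OSError:
            return  # this candidate lost; the race continues on the others
        with lock:
            if "conn" in winner:
                close = getattr(conn, "close", None)
                if close:
                    close()  # a later success is redundant, drop it
                return
            winner["candidate"], winner["conn"] = candidate, conn
        won.set()

    deadline = time.monotonic() + overall_timeout
    for candidate in order_candidates(candidates):
        threading.Thread(target=attempt, args=(candidate,), daemon=True).start()
        if won.wait(min(attempt_delay, max(0.0, deadline - time.monotonic()))):
            break
    won.wait(max(0.0, deadline - time.monotonic()))
    return winner.get("candidate"), winner.get("conn")


def tcp_connect(candidate):
    """Real connector for use outside the demo: a TCP socket of the candidate's family."""
    family, sockaddr = candidate
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(5.0)
    sock.connect(sockaddr)
    return sock


def make_simulated_connector(latency_by_host):
    """Offline stand-in for the network: sleep `latency` seconds then 'connect'.
    A latency of None models a blackholed path (e.g. an overloaded CGNAT
    gateway) whose SYN goes unanswered until a 1.5 s timeout."""
    def try_connect(candidate):
        host = candidate[1][0]
        latency = latency_by_host[host]
        if latency is None:
            time.sleep(1.5)
            raise OSError("connect timed out")
        time.sleep(latency)
        return f"connected:{host}"
    return try_connect


def pick_family(latency_by_host, overall_timeout=2.0):
    """Run the race against a simulated network; report the winning family and elapsed seconds."""
    start = time.monotonic()
    candidate, _ = connect_happy_eyeballs([V6, V4], make_simulated_connector(latency_by_host),
                                          overall_timeout=overall_timeout)
    return (FAMILY_NAME[candidate[0]] if candidate else None), time.monotonic() - start


if __name__ == "__main__":
    print(pick_family({"2001:db8::1": 0.05, "192.0.2.1": 0.05}))   # healthy dual stack: IPv6 wins
    print(pick_family({"2001:db8::1": None, "192.0.2.1": 0.05}))   # IPv6 blackholed: IPv4 in ~0.3 s
```

With a healthy dual-stack path the IPv6 attempt wins before the IPv4 one is even started; with IPv6 blackholed the client is on IPv4 about 300 ms in, rather than waiting out the full connect timeout, which is the "dual stack can never be worse" behaviour the post describes. The same logic applies in the other direction when CGNAT is the broken leg.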
 

bert64

Senior Member
Joined
Jan 20, 2020
Messages
863
Reaction score
352
Why does setting the region to Aust get a 5GHz signal in a dead spot?

Every country has laws governing which wireless channels and what levels of transmission power are permitted.
When you set your region code, the router will only allow channels and power levels that are legal in the specified region. This only sets what's allowed, in some cases the router may not physically support everything that's permitted in a given region.

Setting your region to a less restrictive one is illegal if you are broadcasting on a frequency not permitted or at a power level not permitted. In practice you probably won't get caught as they don't usually go around checking, but you should be aware. If you choose to do this it's at your own risk.

For a given model number of router, there are often variants sold into different markets. Some countries require that routers sold locally be hardware locked to the legal limitations (or sometimes they're just sold that way anyway without being compelled to by law as a weaker radio might be cheaper etc) so changing the software settings on some routers can only make it more restrictive not less. Buying a foreign version can sometimes get around such restrictions, depending where you get it from.

For an example, see: https://en.wikipedia.org/wiki/List_of_WLAN_channels

In the days of 802.11b Japan allowed 14 channels while most of the world allowed 13, and the US only allowed 11. If you set your region to JP or bought a Japanese router you could use channel 14, which would usually be less congested as typically none of your neighbours would be using it.
Some hardware sold outside of japan was not physically capable of using channel 14, irrespective of the software setting, while some were.
 

xiaofan

Arch-Supremacy Member
Joined
Sep 16, 2018
Messages
18,097
Reaction score
2,878
https://en.wikipedia.org/wiki/List_of_WLAN_channels
Xiaomi AX3600 and Huawei AX3 Pro are the popular China version wireless routers in this forum. Take note that they will have only a limited 5GHz wireless band available compared to Singapore (Singapore is similar to US and Japan, EU has two more, Australia has 6 fewer, China has much less).

BTW, tx power limit for SG is here. Wikipedia does not mention it but IMDA standard does say 5.725 – 5.850 GHz band (CH149 - CH165) requires IMDA approval.
https://www.imda.gov.sg/-/media/Imd...ion-Standards/Radio-Comms/IMDATSSRD.pdf?la=en

100 mW = 20 dBm
200 mW = 23 dBm
400 mW = 26 dBm
1000 mW = 30 dBm

1) Max RF output power (TX power)
2.4000 – 2.4835 GHz: ≤ 200 mW (e.i.r.p.)

5.150 – 5.350 GHz: > 100 mW (e.i.r.p.) and ≤ 200 mW (e.i.r.p.); DFS and TPC for 5.250 – 5.350 GHz sub-range

5.150 – 5.350 GHz: ≤ 100 mW (e.i.r.p.), DFS for 5.250 – 5.350 GHz sub-range

5.470 – 5.725 GHz: ≤ 1000 mW (e.i.r.p.), DFS and TPC

5.725 – 5.850 GHz: > 1000 mW (e.i.r.p.) and ≤ 4000 mW (e.i.r.p.); operating under this provision shall be approved on an exceptional basis.

2) Max transmitter spurious emissions
All frequency bands used by WiFi are > 1 GHz, so the limit is the same: ≤ -30 dBm
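The checks in this thread (is 26 dBm on channel 153 under the limit, which band does a channel fall in, is channel 14 allowed at all) can be done once in code rather than by hand. The Python block below is an added example, not from the post or from IMDA: the band table is transcribed from the post above, and reading the 5.725 – 5.850 GHz row as "1000 mW without approval, up to 4000 mW only with exceptional approval" follows the post's own "below the 30 dBm limit" remark and is an assumption rather than a quotation of the standard. The channel-to-frequency mapping is the standard IEEE 802.11 one (2.4 GHz channels 5 MHz apart from 2412 MHz, channel 14 at 2484 MHz, 5 GHz channels at 5000 MHz + 5 MHz × n).

```python
import math

# IMDA limits as transcribed from the forum post: (low GHz, high GHz, max EIRP in mW, condition).
# Treating 1000 mW as the ordinary ceiling for 5.725-5.850 GHz is an assumption (see lead-in).
IMDA_BANDS = [
    (2.4000, 2.4835, 200, ""),
    (5.150, 5.350, 200, "above 100 mW requires TPC; DFS on the 5.250-5.350 GHz sub-range"),
    (5.470, 5.725, 1000, "DFS and TPC required"),
    (5.725, 5.850, 1000, "above 1000 mW (max 4000 mW) only with exceptional IMDA approval"),
]
SPURIOUS_LIMIT_DBM = -30  # post: every WiFi band is above 1 GHz, so one spurious-emission limit applies


def mw_to_dbm(mw):
    """Power in milliwatts to dBm: 10 * log10(P / 1 mW)."""
    return 10 * math.log10(mw)


def dbm_to_mw(dbm):
    """dBm back to milliwatts: the inverse of mw_to_dbm."""
    return 10 ** (dbm / 10)


def channel_center_ghz(channel):
    """IEEE 802.11 channel number to centre frequency in GHz. Channel 14 is the
    2484 MHz special case that only Japan allowed for 802.11b."""
    if 1 <= channel <= 13:
        return (2407 + 5 * channel) / 1000
    if channel == 14:
        return 2.484
    if 32 <= channel <= 177:
        return (5000 + 5 * channel) / 1000
    raise ValueError(f"not a WiFi channel number: {channel}")


def check_tx_power(channel, dbm):
    """Classify a (channel, TX power in dBm) setting against the transcribed
    IMDA table. A channel whose centre falls outside every band (channel 14,
    for instance) is reported as not permitted at any power."""
    centre = channel_center_ghz(channel)
    mw = dbm_to_mw(dbm)
    for low, high, limit_mw, note in IMDA_BANDS:
        if low <= centre <= high:
            return {"channel": channel, "centre_ghz": centre, "mw": round(mw, 1),
                    "limit_mw": limit_mw, "ok": mw <= limit_mw, "note": note}
    return {"channel": channel, "centre_ghz": centre, "mw": round(mw, 1),
            "limit_mw": None, "ok": False, "note": "outside every band in the table"}


if __name__ == "__main__":
    # The AX82U setting discussed in the thread: channel 153 at 26 dBm.
    print(check_tx_power(153, 26))
    # A 2.4 GHz radio at 24 dBm exceeds the 200 mW ceiling.
    print(check_tx_power(6, 24))
    # Channel 14 sits at 2.484 GHz, above the 2.4835 GHz band edge.
    print(check_tx_power(14, 20))
```

Running it confirms the thread's arithmetic: 26 dBm is about 398 mW, under the 1000 mW (30 dBm) ceiling for channel 153, while 24 dBm on a 2.4 GHz channel is about 251 mW and over the 200 mW limit. The `note` field carries the DFS/TPC conditions that a bare power comparison would miss.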
 

newfrog

Member
Joined
Aug 17, 2015
Messages
100
Reaction score
5
I put a small IKEA 30x30cm wall shelf in the corridor for an AC2600 router and it is enough to cover the whole flat with both WiFi band signals. Just need to move your router 1 metre or so into the corridor. That small shift will increase the bedroom signal so no need for the hassle of repeaters etc. Just remember the signal travels in straight lines, so the more direct the path, the stronger the WiFi signal.
 

cscs3

Arch-Supremacy Member
Joined
Jun 4, 2000
Messages
21,676
Reaction score
115
Every country has laws governing which wireless channels and what levels of transmission power are permitted.
When you set your region code, the router will only allow channels and power levels that are legal in the specified region. This only sets what's allowed, in some cases the router may not physically support everything that's permitted in a given region.

Setting your region to a less restrictive one is illegal if you are broadcasting on a frequency not permitted or at a power level not permitted. In practice you probably won't get caught as they don't usually go around checking, but you should be aware. If you choose to do this it's at your own risk.

For a given model number of router, there are often variants sold into different markets. Some countries require that routers sold locally be hardware locked to the legal limitations (or sometimes they're just sold that way anyway without being compelled to by law as a weaker radio might be cheaper etc) so changing the software settings on some routers can only make it more restrictive not less. Buying a foreign version can sometimes get around such restrictions, depending where you get it from.

For an example, see: https://en.wikipedia.org/wiki/List_of_WLAN_channels

In the days of 802.11b Japan allowed 14 channels while most of the world allowed 13, and the US only allowed 11. If you set your region to JP or bought a Japanese router you could use channel 14, which would usually be less congested as typically none of your neighbours would be using it.
Some hardware sold outside of japan was not physically capable of using channel 14, irrespective of the software setting, while some were.

You mean set the country for the NTP clock? Did not see another area for country setting other than the one for clock synchronising.

Have a Japanese router which is capable of running on channel 14 (2.4G). Issue is can run it on PC even if I set region to Japan. I think this is firmware controlled and not just by setting the region.
 

xiaofan

Arch-Supremacy Member
Joined
Sep 16, 2018
Messages
18,097
Reaction score
2,878
https://en.wikipedia.org/wiki/List_of_WLAN_channels

https://www.imda.gov.sg/-/media/Imd...ion-Standards/Radio-Comms/IMDATSSRD.pdf?la=en

It seems the router meant for the local market does seem to support CH149 to CH165, so it looks like there is some exception approval in this case, and assuming the TX power is 30dBm (Xiaomi AX3600 China version, only CH149, 153, 157, 161 and 165), then it seems to actually meet IMDA requirements with regard to TX power.

Edit to add:
I just checked my AX82U and it seems to be the settings are okay.

AX82U China set 2.4GHz wifi -- disabled. I have the Singtel Mesh Router for 2.4GHz.
AX82U China set 5GHz wifi -- CH153, 26dBm, below the 30dBm limit.
 

xiaofan

Arch-Supremacy Member
Joined
Sep 16, 2018
Messages
18,097
Reaction score
2,878
You mean set the country for the NTP clock? Did not see another area for country setting other than the one for clock synchronising.

Have a Japanese router which is capable of running on channel 14 (2.4G). Issue is can run it on PC even if I set region to Japan. I think this is firmware controlled and not just by setting the region.

If you have an Asus router, in the Wireless settings, go to Professional tab, you can set the region. For example, there are a few settings for my RT-AX82U, like Asia, China, Korea, Australia, Europe, US, Region GD and Region TC. By right Singapore will use Asia region settings.
 

cscs3

Arch-Supremacy Member
Joined
Jun 4, 2000
Messages
21,676
Reaction score
115
If you have an Asus router, in the Wireless settings, go to Professional tab, you can set the region. For example, there are a few settings for my RT-AX82U, like Asia, China, Korea, Australia, Europe, US, Region GD and Region TC.

Singapore will use Asia region settings. But China set will default to China region.

Thanks for the update. Not sure my old AC1900 has the same Professional setting? Currently not using it but keeping it as a spare.
 

xiaofan

Arch-Supremacy Member
Joined
Sep 16, 2018
Messages
18,097
Reaction score
2,878
My ONT and LAN at the purple cross.


Ha ha, same layout as one of my colleagues' flats.

He is in the same boat as you, bad signal in the master bedroom. What you can do is put a second-hand $5-$15 router (in repeater mode) in the master bedroom near the door. 5GHz-wise you should be able to get 50-100+Mbps. If you put a mesh node there the speed is also the same, because your router is not exactly at the centre of the hallway, and its signal is being blocked by the living room wall.

Triband mesh may get better speed than a repeater, if he can get the main node and mesh node to have line of sight. Say put the mesh node outside the master room if possible, and probably move the main router slightly so that it can see the mesh node.
 

Henry Ng

Arch-Supremacy Member
Joined
Aug 9, 2011
Messages
14,004
Reaction score
218
It's a win to have dual stack, since you can always fail over to the other protocol if one is having problems. It may not work in all cases as some kinds of outage will take out both, but dual stack can never be worse and can sometimes be better.

Singtel say they support native IPv6 for business users, just not for residential users.
M1 and Starhub support it for residential so no reason they wouldn't offer it for business users too. It's likely available by default and simply requires appropriate configuration of the router.

All of the ISPs have IPv6 on their core, for instance at: https://bgp.he.net/AS56300 you can see that MyRepublic has IPv6 in their infrastructure but won't provide it to residential users.
Same story with VQ:
https://bgp.he.net/AS18106
They also seem to have downstream customers with IPv6, almost certainly business customers.

What they use it for i don't know, perhaps it's only offered for business customers same as singtel?

Business customers will typically use enterprise-grade routers from the likes of Cisco, these all have full IPv6 support and have done for a very long time, way before any consumer grade routers did.

Agree that it is better to have dual stack. However I am working with an IPv4 VPN as my company does not have an IPv6 VPN.
 

chopra

High Supremacy Member
Joined
Apr 15, 2003
Messages
49,479
Reaction score
472
Triband mesh may get better speed than a repeater, if he can get the main node and mesh node to have line of sight. Say put the mesh node outside the master room if possible, and probably move the main router slightly so that it can see the mesh node.
Repeater means must login to another WiFi network, right? I'm using that currently. Not very convenient to login/logout.

during wfh, also encountered many times of disconnection esp if i close door during meetings
 

xiaofan

Arch-Supremacy Member
Joined
Sep 16, 2018
Messages
18,097
Reaction score
2,878
Repeater means must login to another WiFi network, right? I'm using that currently. Not very convenient to login/logout.

during wfh, also encountered many times of disconnection esp if i close door during meetings

Correct. For repeater you need to have different SSID in general.

But one thing is common with repeater and mesh with wireless backhaul, the main router and the repeater or mesh node need to have good communication. That is why if you close the door you will get disconnection. If you get mesh and put the mesh node inside the room, when you close the door you may have similar issue.

So in a way, mesh with wireless backhaul has quite a major limitation on the placement of the mesh node, just like a repeater. Triband mesh does not sort out the placement issue, it only fixes the bandwidth issue of repeater and dual band mesh.
 

chopra

High Supremacy Member
Joined
Apr 15, 2003
Messages
49,479
Reaction score
472
That's why sibeh jialat during circuit breaker. Teach kids + office meeting.
 

bert64

Senior Member
Joined
Jan 20, 2020
Messages
863
Reaction score
352
Agree that it is better to have dual stack. However I am working with an IPv4 VPN as my company does not have an IPv6 VPN.

Us too, as corporates are often the last to adopt new tech.

I have several colleagues in Manila who are often unable to connect to the VPN, but are able to send email through O365 (dual stack) and connect to a particular server we have that's dual stack. At all times, their connection to MS or the aforementioned dual stack server is faster over IPv6.
They have issues where the CGNAT gateway is overloaded, rendering IPv4 sites inaccessible or unusably slow, while IPv6 is directly routed and still works.

I know of another ISP with a similar setup, and similar issues. They actually have very few user complaints, as the popular services for their users (Google, Facebook, YouTube, Netflix) are all reachable over IPv6 so still work fine. The vast majority of their users primarily use these sites, and they also assume that if they're able to reach Google then their connection must be fine, so the fault lies at the other end. The provider sees no reason to upgrade CGNAT capacity as there are few complaints, and the percentage of traffic going over IPv6 vs CGNAT is moving towards IPv6 anyway, so at some point the load will drop off.
The same lack of user knowledge that stifles IPv6 deployment here is accelerating IPv4 deprecation elsewhere.

When they finally get around to enabling IPv6 on the VPN endpoints, we will see immediate performance and stability improvements.
 

xiaofan

Arch-Supremacy Member
Joined
Sep 16, 2018
Messages
18,097
Reaction score
2,878
Thanks, but I already read the FAQ, so I was seeking confirmation that load balancing is the option for no disruption to VPN/Zoom/Teams sessions, but the feedback is no, so is there any way to overcome that?

Short disruption may be difficult to avoid as the switching will take time.

But this should not be a real problem. If you cannot tolerate such a drop, then you may have to consider subscribing to business broadband, which has a 24/7 Technical Helpdesk and 99.95% Service Level Guarantee.
https://www.m1.com.sg/Business/Deals/fibre-broadband
 

jackycar

Master Member
Joined
Aug 20, 2014
Messages
4,904
Reaction score
129
Triband mesh may get better speed than a repeater, if he can get the main node and mesh node to have line of sight. Say put the mesh node outside the master room if possible, and probably move the main router slightly so that it can see the mesh node.


It's not may, it's CONFIRM.

Been using a Netgear Orbi triband mesh since it was first released around 2017 and never looked back.

In my parents' 2700sqft 3500 storey house, 1 router and 1 extender on the second floor can blanket the whole house with typically 300-400mbps each floor and around 100mbps at its lowest.

Fast forward to 2020, I got my 1507sqft HDB a Netgear Orbi triband WiFi 6 model, on my VQ 1Gbps, speed test from my satellite I can get 900+mbps on my phone WiFi, 2ms ping, 0ms jitter.

No way you can get that on an extender, no matter what brand you use.
 

xiaofan

Arch-Supremacy Member
Joined
Sep 16, 2018
Messages
18,097
Reaction score
2,878
It's not may, it's CONFIRM.

Been using a Netgear Orbi triband mesh since it was first released around 2017 and never looked back.

In my parents' 2700sqft 3500 storey house, 1 router and 1 extender on the second floor can blanket the whole house with typically 300-400mbps each floor and around 100mbps at its lowest.

Fast forward to 2020, I got my 1507sqft HDB a Netgear Orbi triband WiFi 6 model, on my VQ 1Gbps, speed test from my satellite I can get 900+mbps on my phone WiFi, 2ms ping, 0ms jitter.

No way you can get that on an extender, no matter what brand you use.

Haha, of course you are right, but you are comparing high end triband with a lowly extender.

Rough prices for a two-pack:
RBK50: S$445
RBK752: S$699
RBK852: S$1099
 

chopra

High Supremacy Member
Joined
Apr 15, 2003
Messages
49,479
Reaction score
472
Maybe your current router is getting old. You can try out 5GHz and 2.4GHz speed tests in the master bedroom, near the door, with the door closed, and also at the place where you teleconference (door open and closed). There should be a big difference at the door and where you teleconference. If there is not much difference, then it's time for you to upgrade to an AX router, as xiaofan has mentioned he got a good WiFi signal throughout the whole house.
roger that. sigh.
 