If GitHub flipped a switch and enabled IPv6 it would instantly break many of the...

alibarber · 2026-04-16T10:10:00 1776334200

Having been messing around personally with getting my own blocks of IP addresses and routing[1] - I've become terrified at the idea of implementing access control based on IP address.

Unless your own organisation in the RR has the IP addresses assigned to you as Provider Independent resources, there just seems to be so many places where 'your' IP address could, albeit most likely accidentally, become not yours any more. And even then, just like domain names, stop renewing the registration and someone else will get them - I was that someone else recently...

[1] AS202858

yosamino · 2026-04-16T10:55:57 1776336957

Oh, cool! that's on my bucket list as well. I am still grappling with some concepts, though.

Do you have a writeup of your setup somewhere or can you recommend some learning materials ?

alibarber · 2026-04-16T11:43:52 1776339832

It's fun and has now become an addictive rabbit hole - trying to get packets from one location to the other in the fastest, most direct way (and at hobbyist budget level).

Initial writeup based on IPv6: https://abarber.com/Setting-Up-ASN-IPv6-Routing-BIRD-Teltoni...

Have been having fun recently with an IPv4 block and Asynchronous routing, working on writing that up right now :)

yosamino · 2026-04-17T07:10:52 1776409852

Thank you for sharing! I really enjoyed reading that and learned a something too.

alibarber · 2026-04-17T13:00:58 1776430858

And thanks for the feedback - I've really been trying to write more so always nice when someone takes the time to read :D

progbits · 2026-04-16T10:16:40 1776334600

Anyone who relies on IP filtering for security deserves to have it broken. Change my mind.

omh · 2026-04-16T10:46:00 1776336360

I'll take that bait ;-)

IP filtering is a valuable factor for security. I know which IPs belong to my organisation and these can be a useful factor in allowing access.

I've written rules which say that access should only be allowed when the client has both password and MFA and comes from a known IP address. Why shouldn't I do that?

And there are systems which only support single-factor (password) authentication so I've configured IP filtering as a second factor. I'd love them to have more options but pragmatically this works.

friendzis · 2026-04-16T13:35:14 1776346514

Why are you (re-)implementing client security on provider end? If a client requires that only requests from a particular network are permitted... Peer in some way.

I do understand the value of blocking unwanted networks/addresses, but that's a bit different problem space.

sebiw · 2026-04-16T10:44:05 1776336245

Defense in depth is a thing but I agree that relying on it is not a good idea.

tucnak · 2026-04-16T12:55:43 1776344143

Defense in depth is not the point, zero trust networking is.

ignoramous · 2026-04-24T23:59:08 1777075148

Doesn't appear so. Tailscale is one such "zero trust network", and it does support ACLs anchored on IPs; ex: https://news.ycombinator.com/item?id=47875688

apexalpha · 2026-04-16T11:13:02 1776337982

IP filtering + proper security is better than just having the security.

There's value in restricting access and reducing ones attack surface, if only to reduce noice in monitoring.

anbotero · 2026-04-17T17:48:54 1776448134

Actual curiosity, how would the new filtering be/is?

I've done a lot of IP filtering, it's what a lot of systems and services allow us to, so I'm curious what the IPv6 mechanism is

bluGill · 2026-04-16T11:25:14 1776338714

If you can't handle sites switching to ipv6 in 2015 (ten years ago) your security plan is garbage.

TabTwo · 2026-04-16T11:30:56 1776339056

Thanks to the trend to SASE like Palo Alto GlobalProtect or ZScsler this practice is not a good idea anymore. Speaking of ZScaler, they are still IPv4 only, right?

azernik · 2026-04-16T17:58:50 1776362330

> providers don't have an easy way to correlate addresses

Yes, they do. It's called DNSSEC.

tptacek · 2026-04-18T22:01:17 1776549677

Leaving aside that you applied the word "easy" to DNSSEC, how do you mean? How does DNSSEC solve the problem being discussed?

azernik · 2026-04-18T22:19:57 1776550797

It was a somewhat flippant (given that GitHub doesn't implement DNSSEC either) dig at the idea of using hand-entered/hand-updated IP addresses for access control, rather than having the access control system look addresses up in the system designed to securely attest owner/ip mappings.

tptacek · 2026-04-18T22:27:40 1776551260

(Almost nobody signs zones.) How is that any easier than just having an https:// URL from which you pull an (arbitrarily-formatted) list of IP addresses to block? Is the idea that you'd otherwise be able to do real-time DNS lookups on incoming IP addresses?

azernik · 2026-04-20T09:31:44 1776677504

Yes - delay SYNs until an authenticated reverse lookup confirmed the IP was owned by a trusted domain. With caching to reduce common-case latency, which would otherwise be intolerable.

tptacek · 2026-04-20T16:53:39 1776704019

Does this system exist somewhere?

azernik · 2026-04-21T06:37:19 1776753439

Absolutely not