Join 3,497 readers in helping fund MetaFilter (Hide)


I felt a great disturbance in the Force, as if millions of to-do lists suddenly cried out in terror, and were suddenly silenced
February 1, 2011 4:59 PM   Subscribe

IPv6, a newer version of the Internet Protocol that most of the net will convert to during the next few years due to "address exhaustion" with the current IPv4, (previously, previously) has a variety of advanced security features in it. Once IPv6 is fully rolled out and all the technical people are familiar with it, computers connected to the internet will be much safer from some kinds of hacking - but until then we may be in for a bumpy ride.
posted by XMLicious (60 comments total) 7 users marked this as a favorite

 
For the non-technical, my interpretation: those articles have exciting names, but it's just that a bunch of the fundamental rules of computer security are going to change. Many computer people have procrastinated about dealing with the changes and the related problems. (From the second link, "...much of the advice given as far back as 2005 has still not been widely adopted.") So expect a period of adjustment with a few more high-profile security breaches in the news and the more set-in-their-ways and easily spooked IT people doing the Unfrozen Caveman Lawyer "Your world frightens and confuses me!" thing.

(But as a side note, from the other recent IPv6 thread: another effect will be that due to some of these changes, the internet is definitely not going to be an automatically-anonymous place any more, not that it ever really was, and you should expect that any web site you hit will be able to pretty easily track down who you are IRL. Unless you're intentionally trying to foil them by using something like Tor^.)
posted by XMLicious at 4:59 PM on February 1, 2011 [1 favorite]


And indeed APNIC just got the last two free /8s, leaving the final five /8s to be allocated to each of the five regional internet registries.
posted by jedicus at 5:08 PM on February 1, 2011


Is this something that I would have to know subnet masking to understand? Seriously. Because I still have problems doing that on paper. I got a C.
posted by Splunge at 5:30 PM on February 1, 2011 [2 favorites]


Wolf!
posted by Bovine Love at 6:02 PM on February 1, 2011


Will we be able to put off the transition for a while by reissuing all of Egypt's unused IPs? Waste not, want not...
posted by mindsound at 6:04 PM on February 1, 2011 [2 favorites]


Tor love internet.
posted by Splunge at 6:21 PM on February 1, 2011


Just have to say, as a network security professional, the amount of FUD with IPv6 is really stunning.

Here's my MAC address, y'all : 00:26:bb:5e:ad:e6
Feel free to post my "dox."
posted by Threeway Handshake at 6:32 PM on February 1, 2011 [7 favorites]


Is any part of IPv6 a good idea anymore, except for the additional addresses? Including the MAC address in the IP address is a terrible idea and always has been, NAT has gone from an inglorious kludge to a vital part of one's network security, and most of the other things IPv6 brings to the table have successful and tested IPv4 alternatives. In a lot of ways switching over feels like a really bad idea.
posted by Mitrovarr at 6:35 PM on February 1, 2011 [1 favorite]


So, you're predicting the imminent death of the internet?
posted by teppic at 6:40 PM on February 1, 2011 [1 favorite]


Well, not until 11.
posted by hattifattener at 6:44 PM on February 1, 2011 [3 favorites]


Mitrovarr wrote: "Including the MAC address in the IP address is a terrible idea and always has been, NAT has gone from an inglorious kludge to a vital part of one's network security."

Why? What does your MAC address get me? Nothing. Moreover, using your MAC address as the least significant 64 bits of the address is not required. You can set them to any arbitrary number you like. Or you can let your network autoconfigure itself. Yay, choice!
posted by wierdo at 6:51 PM on February 1, 2011 [1 favorite]


Well, not until 11.

Why don't you just make ten louder and make ten be the top number and make that a little louder?
posted by infinitywaltz at 6:52 PM on February 1, 2011 [1 favorite]


wierdo: Why? What does your MAC address get me?

It lets you prove what device connected, assuming you aren't scrambling the number or changing your MAC address on the device.

Although I suppose it shouldn't matter, because all you'll get is the MAC address of the border router. Everyone's going to keep using NAT. Most people need a direct connection to the internet like they need a hole in the head.
posted by Mitrovarr at 7:04 PM on February 1, 2011


that most of the net will convert to during the next few years

ahahahahahhahahahahhahahaha

No, really. The odds of this happening are slim to none. The addresses are all allocated, but they're not all in use (not by a long shot - MIT's got 32 million just for themselves). We won't start to see a wholesale replacement of the IPv4 backbone until it the market value of an IP address exceeds the cost of transitioning to IPv6. (Of course, the troubling part is that nobody seems particularly concerned about preparing for this eventuality. IT departments seem less and less concerned with technological evolution these days.)

The paranoid person in me also suspects that the IPv6 transition will somehow be linked to the death of net neutrality.

Also, has anybody tried actually running an IPv6 network? I've been playing around with Microsoft's implementation, and haven't been having much luck. It works, but the latency is AWFUL.
posted by schmod at 7:05 PM on February 1, 2011


Everyone's going to keep using NAT.

Doubt it. NAT requires work on the part of the border router. It's simpler, not to mention a hell of a lot more technically elegant, to just implement a basic firewall without doing NAT. And frankly, IPv6 makes using unroutable private address space harder than doling out /64s properly (as it should be).

The few SOHO gateways that do IPv6 out of the box right now (which are mostly Apple Airports, as far as I know) do the 6to4 thing — which is tunneling but not really NAT — but hand out (or allow the devices to generate) unique routable IPv6 addresses on the LAN side. Thus the standard behavior has already been set.

You can get all the benefits of NAT if you want it by implementing a stateful firewall. Most people probably ought to still have those, although I suspect enough people won't so that it'll fall to OS vendors to do a better job of endpoint security.

Also, an increasing number of people don't just use their "home" computer in the home anymore. If you're constantly taking your main computer out to the coffeeshop, airport, library, bookstore, &c., and connecting to whatever tempting-looking wifi APs pop onto the menu — as many people do and will increasingly continue to do — having a home router with a firewall or anything else isn't going to do you a ton of good.
posted by Kadin2048 at 7:39 PM on February 1, 2011 [1 favorite]


Also, has anybody tried actually running an IPv6 network? I've been playing around with Microsoft's implementation, and haven't been having much luck. It works, but the latency is AWFUL.

I've ran one for many years now. I started to do it just to see what the dancing turtle looked like.

The microsoft anycast v6-over-v4 is really bad, because most of the time it picks something really far away from you. If your IP doesn't support it, then sign up for one of the tunnelbrokers, you can pick the endpoint close to you and you'll have far better connectivity. Actually getting the tunnelbroker's route to work is up to you though. It helps greatly to have a linux "server" at home.

Everyone's going to keep using NAT.

NAT is not what protects people's computers - it is the firewall in that NAT device. The same device can be configured for firewalling an IPV6 routable network.
posted by Threeway Handshake at 7:46 PM on February 1, 2011 [1 favorite]


Mitrovarr wrote: "It lets you prove what device connected"

MAC addresses can be changed. I have 5 on this machine by default. They prove nothing. They indicate the possibility of something, the same possibility of something that can be had with a subpoena to your ISP.

If someone asks you "hey, is your Ethernet MAC address 00:41:21:C0:FD:E2", what will your response be? Mine would probably be along the lines of "fuck off," so to prove I was the source of a given packet, they'd have to have my computer or the cooperation of my ISP. Same as today. And even then, it's still not proven. v6 addresses can still be spoofed, you know.

Either way, it seems DHCPv6 is almost certainly going to be used, so it seems unlikely most people will have their MAC addresses encoded in their v6 address anyway.
posted by wierdo at 7:49 PM on February 1, 2011


It lets you prove what device connected, assuming you aren't scrambling the number or changing your MAC address on the device.

Changing a MAC address or spoofing another one is pretty trivial. I wouldn't consider it much proof of anything.
posted by humanfont at 7:54 PM on February 1, 2011 [1 favorite]


Will this affect end users in any way, or is this just a technical "behind the scenes" thing? Because my interpretation of the linked stories was just that this may cause some headaches for IT professionals, but if I'm wrong about that, let me know.
posted by modernnomad at 7:55 PM on February 1, 2011


Is any part of IPv6 a good idea anymore, except for the additional addresses?

Whoa, hang on - let's be clear, everything about IPv6 is a good idea. What these articles in the OP are saying is that because it's a radical change in security fundamentals (to BETTER FUNDAMENTALS) and because an immense number of individuals (mostly individuals whose titles begin with "C") and organizations are approaching this necessary, inevitable change in a completely half-assed and incompetent way, there's going to be a wave of security catastrophes amongst those incompetent organizations when their IPv6 transition tasks, which they've procrastinated on for as long as they possibly can, get rammed through as fast as possible because they got to the end of the rope for putting it off and consequently carelessly open a bunch of security holes when they try to indiscriminately mash IPv4 and IPv6 stuff together.

All of these organizations could dramatically increase their security if they approached it in an orderly, though-out fashion, and took advantage of the new security features that will be available in IPv6, and they could probably manage to get more bang for their buck by auditing other aspects of security at the same time.

But human nature being what it is, they're not going to do that. That's what all of these prognostications are forseeing - disasters that are going to happen because of incompetence, not because of any issues with IPv6 itself.
posted by XMLicious at 8:07 PM on February 1, 2011 [6 favorites]


Will this affect end users in any way

No.

this may cause some headaches for IT professionals who fear change.

I kid. Obviously, huge corporate networks will be a pain to switch over, but they have much more time to do so. If you already have/own IP space, you can continue using it forever, and there will always be 10.0.0.0/8.
posted by Threeway Handshake at 8:08 PM on February 1, 2011



Here's my MAC address, y'all : 00:26:bb:5e:ad:e6
Feel free to post my "dox."
Hah, here's your website right here, why are you stealing my content!?

Actually, several years ago I setup a website for my sister using a subdomain of my main domain pointing to her machine in her college dorm (which I had helped her setup apache)

Anyway, she leaves that dorm and I stop using the domain, and I re-rout *.domain.com to localhost.

A couple of years later, we're talking about setting up a new website for her and she typed in her old domain name, and her old website came right up. That was pretty surprising until I figured out what was going on: She still had apache running on the PC, and she'd never deleted the website off her hard drive, and the domain name pointed to localhost.

---
Mitrovarr wrote: "Including the MAC address in the IP address is a terrible idea and always has been, NAT has gone from an inglorious kludge to a vital part of one's network security."
Okay first of all, your MAC isn't actually going to be included. When I did the IPv6 test, I was online but none of the MAC addresses on my system were in my IP address.
No, really. The odds of this happening are slim to none. The addresses are all allocated, but they're not all in use (not by a long shot - MIT's got 32 million just for themselves). We won't start to see a wholesale replacement of the IPv4 backbone until it the market value of an IP address exceeds the cost of transitioning to IPv6. (Of course, the troubling part is that nobody seems particularly concerned about preparing for this eventuality. IT departments seem less and less concerned with technological evolution these days.)
You can't really resell individual IPv4 addresses, though. Because generally routing works on subnets, so you can't have 123.34.32.16 on one side of the planet and 123.34.32.17 on the other. It would make for some huge routing tables. Or. Something. Maybe it would be possible if people got really desperate (like you could use some IPv6 transport or something)
posted by delmoi at 8:11 PM on February 1, 2011


Will this affect end users in any way, or is this just a technical "behind the scenes" thing? Because my interpretation of the linked stories was just that this may cause some headaches for IT professionals, but if I'm wrong about that, let me know.

End users will probably only be affected insofar as, if you work for or do business with a company or organization that is incompetent on the IT security side of things, there will be an increased likelihood of security breaches. (Note though that individual IT people you work with may well be quite competent and are just overworked / undertrained / or otherwise not being given the support they need. It's the directors and C-level executives for IT security that are going to be responsible for the problems on this kind of scale.)
posted by XMLicious at 8:13 PM on February 1, 2011


It's trivial to map a wifi MAC address to GPS coordinates. If your wifi router uses consecutive MAC addresses for its wireless and wired interfaces, then NAT will basically broadcast your physical location to every website you visit. Even without NAT, remote sites can probably play games with TTL to get your router's MAC.
posted by ryanrs at 8:21 PM on February 1, 2011


if you work for or do business with a company or organization that is incompetent on the IT security side of things, there will be an increased likelihood of security breaches.

Why? Why would there be an increased likelihood of security breaches?
posted by Threeway Handshake at 8:22 PM on February 1, 2011


if you work for or do business with a company or organization that is incompetent on the IT security side of things, there will be an increased likelihood of security breaches.

What?

It's not like ipv6 is idiot fertilizer for understaffed and technically challenged networking a systems teams.

Look, IPv6 is going to be a giant pain in the ass but the vast majority of people won't ever know much about it. It's going to be a giant pain in the ass for managed infrastructure providers, internet services firms and the people who help them get this kind of stuff done, but that's kind of our job. It's going to mean a boon for networking, consulting and services companies assisting companies with a transition in to the IPv6 space and equipment vendors will EOL a shedload of old devices they have been wanting to get rid of for years, but this will take a _long_ time.

From a practical perspective you haven't been able to secure portable v4 space if you needed less than a /22 for quite some time anyway. Have you tried to secure anything smaller than a /22 from a regional nic in the last couple years?! It's "grab on to that table and bite on this, it might tickle a bit while we check things out" to make sure you really need this type stuff.

This move will help break some of the stranglehold that legacy block holders have on allocated but underutilized space, and will allow customer to migrate from them with greater ease. It is, in general, a very good thing for everyone.

Yes, people will have to learn *slightly* more complicated math if they want to know what's really going on, ipv6 is so much nicer for *so* many things in a broad architecture sense, as a network guy I can hardly wait.
posted by iamabot at 8:35 PM on February 1, 2011 [3 favorites]


It's trivial to map a wifi MAC address to GPS coordinates. If your wifi router uses consecutive MAC addresses for its wireless and wired interfaces, then NAT will basically broadcast your physical location to every website you visit. Even without NAT, remote sites can probably play games with TTL to get your router's MAC.

I'm sorry, but what on earth are you talking about? So I put my MAC address up there at the top, and my DOX aren't up here yet. Here's another clue, my IPV6 address!

2001:470:1f07:f4c:61e:64ff:feeb:6a21
posted by Threeway Handshake at 8:41 PM on February 1, 2011


Why? Why would there be an increased likelihood of security breaches?

If you read through all the links, that's what the OP is about. For example, above you point out,

NAT is not what protects people's computers - it is the firewall in that NAT device. The same device can be configured for firewalling an IPV6 routable network.

Which is totally true, but a salient thing when you're doing that is, if a firewall device wasn't designed for IPv6 or you don't take everything into consideration you can very easily open up security holes.

Consider, for example, that under IPv6 everybody basically gets an entire subnet of their own, larger than the entire internet is today, all just for you. So a firewall rule or other security mechanism that operates based upon restricting individual IP addresses - like denyhosts or fail2ban if you're on Linux - is no good any more. delmoi pointed out in the other thread that you'd probably be able to rig something up so that every single process in a computer gets its own IPv6 address.

Heck, every single HTTP request your browser puts out could use a new IP address. An attacker has as many IP addresses as she wants; you have to ban her entire subnet, if you want to try to block her that way.

(BTW does anyone know how to do that in iptables, offhand? I haven't gotten around to looking that up yet, procrastinating y'know ;^)

As it says in the third link (From a presentation by Fernando Gont, an Argentinian network expert, drafter of a few of the RFCs and one of the people hired by the UKCPNI to evaluate the UK's IPv6 preparedness):
"Pushing people to 'enable IPv6' point-and-click style is insane."
posted by XMLicious at 8:49 PM on February 1, 2011


I don't know how IPv6 addresses relate to MAC addresses. But if I can discover your router's MAC address, I can probably turn that into a physical location.
posted by ryanrs at 8:50 PM on February 1, 2011


Why? Why would there be an increased likelihood of security breaches?

Because of 6to4 translation and various vendors claiming to "support" ipv6, knowing full well they have never tested their products with it.
posted by o0o0o at 8:52 PM on February 1, 2011


NAT has gone from an inglorious kludge to a vital part of one's network security

NAT is terrible hack that breaks all sorts of things — the only essential thing NAT does is conserve IPv4 addresses, which is, of course, unnecessary in IPv6. Those who argue for NAT in IPv6 usally claim they need it for address obfuscation or security. However, you can get better address obfuscation in IPv6 with IPv6 privacy addresses. Similarly, the security in NAT comes from stateful packet inspection. However, nothing prevents you from doing IPv6 stateful packet inspection in the same device that would have been doing NAT in IPv4, you just don't rewrite the address in the packet.
posted by RichardP at 8:59 PM on February 1, 2011 [4 favorites]


"Pushing people to 'enable IPv6' point-and-click style is insane."

Is DHCP also insane? How is DHCP any different than RADVD?

So a firewall rule or other security mechanism that operates based upon restricting individual IP addresses - like denyhosts or fail2ban if you're on Linux - is no good any more.

So using a bigger, hex, number in hosts.deny is any different? Changing "iptables" to "ip6tables" and using different numbers is less secure?

Because of 6to4 translation and various vendors claiming to "support" ipv6, knowing full well they have never tested their products with it.


Like what, Apache, IIS, iptables, Checkpoint FW, IPS/IDS systems, RSA? You're probably right, none of that would be tested.
posted by Threeway Handshake at 9:02 PM on February 1, 2011


Changing "iptables" to "ip6tables" and using different numbers is less secure?

No, that's not less secure. What's less secure is to not do that because it isn't in your checklist or your audit or something, or to miss it because your organization didn't even think things through and make up a checklist of things to do in the course of their IPv4 to IPv6 transition, all they did is the bare minimum to get everything up and working. Remember, you responded to my comment about how *incompetent* organizations are going to cause security breaches.
posted by XMLicious at 9:13 PM on February 1, 2011


You're probably right, none of that would be tested.

Is that intended to be sarcasm? Vendors are scrambling now.
posted by o0o0o at 9:17 PM on February 1, 2011


Also, it can be argued that v6 provides some level of security absent in v4. Random scanning is essentially worthless because the address space is so large. It'll be interesting to see how worm writers adapt to that.
posted by wierdo at 9:21 PM on February 1, 2011 [1 favorite]


Like what, Apache, IIS, iptables, Checkpoint FW, IPS/IDS systems, RSA?

No, like products in the lists linked to at the OSVDB in the first linked article in the post.
posted by XMLicious at 9:23 PM on February 1, 2011


2001:470:1f07:f4c:61e:64ff:feeb:6a21

Hey! You just disappeared.
posted by ryanrs at 9:25 PM on February 1, 2011


wierdo, Gont addresses that in the fifth slide here. I don't know if I agree with him but he pronounces it a "myth" that it does anything substantial for security.
posted by XMLicious at 9:27 PM on February 1, 2011


It's trivial to map a wifi MAC address to GPS coordinates. If your wifi router uses consecutive MAC addresses for its wireless and wired interfaces, then NAT will basically broadcast your physical location to every website you visit. Even without NAT, remote sites can probably play games with TTL to get your router's MAC.
Can you explain this to me? I am a programmer, but I don't know very much about networking.
posted by !Jim at 11:06 PM on February 1, 2011


I think those people who are claiming that IPv6 exposes your physical location are imagining that they will map your MAC address using the Google StreetView hack that Samy Kamkar made famous at last year's Defcon. Send a MAC address to http://www.google.com/loc/json and get back the lat and long — if they happen to have mapped it. He gets your MAC address by tricking you into visiting a page where Javascript figures out your brand of router and submits a form to its admin page, but under Obamacare IPv6 apparently your MAC address would be in every HTTP request.
posted by nicwolff at 11:21 PM on February 1, 2011


Yeah. Skyhook works too. Here'e what I get for my router's MAC address:

513 ~$ MAC=001E52798154; curl --header "Content-Type: text/xml" --data "<?xml version='1.0'?><LocationRQ xmlns='http://skyhookwireless.com/wps/2005' version='2.6' street-address-lookup='full'><authentication version='2.0'><simple><username>beta</username><realm>js.loki.com</realm></simple></authentication><access-point><mac>${MAC}</mac><signal-strength>-50</signal-strength></access-point></LocationRQ>" https://api.skyhookwireless.com/wps2/location

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<LocationRS version="2.6" xmlns="http://skyhookwireless.com/wps/2005"><location nap="1"><latitude>37.7900928</latitude><longitude>-122.4078909</longitude><hpe>169</hpe><street-address distanceToPoint="4.790685152624383"><street-number>62</street-number><address-line>Chelsea Pl</address-line><city>San Francisco</city><postal-code>94108</postal-code><county>San Francisco</county><state code="CA">California</state><country code="US">United States</country></street-address></location></LocationRS>


It's not my exact address, but it's pretty goddamn close.
posted by ryanrs at 11:42 PM on February 1, 2011 [1 favorite]


Damn I'm good at escape sequences.
posted by ryanrs at 11:43 PM on February 1, 2011 [2 favorites]


...but under Obamacare IPv6 apparently your MAC address would be in every HTTP request.

Just for the record - as far as I can tell this is only true if your device or its operating system is autoconfiguring its IP address (i.e. not using a DHCP server) and it does not have IPv6 privacy extensions enabled. (In which case the IP address is automatically generated by incorporating the MAC address, that's how it gets exposed.) If the privacy extensions are enabled then any parts of the IP address that can be generated randomly are, and will also be re-randomized from time to time evidently. RichardP links to the privacy extensions RFC above.

So, the concern becomes whether or not particular devices and OSes have privacy extensions enabled by default. According to this article, at the moment they're enabled by default in the versions of Windows that support IPv6, but for example disabled by default in iPhones.
posted by XMLicious at 11:45 PM on February 1, 2011 [2 favorites]


XMLicious: IMO, it's not a terribly significant security gain, but it is a gain nonetheless. Worms will just be rewritten with more complex neighbor discovery and sharing mechanisms and the intarweb thugs will distribute lists of known good IPv6 addresses, much as spammers sell lists of email addresses or telemarketers sell lists of phone numbers.

But the address space is large enough (even with 3 bits lopped off) that wholesale scanning is a big problem. 125 bits is a lot of address space to scan. Hell, 64 bits is pretty hard just in and of itself (and latency makes it harder), so even targeting the scans to existing allocations, presuming you had that information down to the /64, which you wouldn't, would still be a difficult problem.

If end users do in fact end up getting /48s or /56s, even knowing their block will leave blind scanning difficult if host addresses are addressed randomly or using MAC addresses.

As far as MAC leakage identifying your physical location through services like skyhook, that's easily defeated even in a scenario where using MAC addresses for the least significant 64 bits is required. Configure your wireless router to silently drop any and all packets directed at it from the outside world and don't run NAT and your router won't ever send a packet to the outside to get leaked.

Skyhook and Google don't have your PC's wired MAC address (or even it's wireless MAC address, unless it's an AP). They do both have my older AP and my neighbor's APs in the database.
posted by wierdo at 12:48 AM on February 2, 2011


...sharing mechanisms and the intarweb thugs will distribute lists of known good IPv6 addresses, much as spammers sell lists of email addresses or telemarketers sell lists of phone numbers.

Huh, that's an interesting point - any log will become valuable to some degree, simply because it's a list of valid IPv6 addresses amongst the surrounding emptiness.

Here's a thought: like other people probably do, I basically use a different email address every time I have to fill in a web form, which lets me then see exactly who resells my name in a mailing list. By the same token, you could rig up a browser plugin that uses a different source IP address to contact every web site (but the same one every time), then pair it up with something in your firewall that tracks when those fake IP addresses get incoming traffic. Whatever that incoming traffic may be and whoever is sending it, you'll know who they probably got the IP address from. (Excepting intervening proxies and routers, of course.)

An IP address by itself will kinda be a form of a honeypot all by itself... if you make up a unique IP address and leave it lying around somewhere, the odds will be astronomically against anyone ever randomly pinging it, any incoming traffic will have to be from someone or something that ran across it and grabbed it, wherever you left it.
posted by XMLicious at 1:17 AM on February 2, 2011 [2 favorites]


this may cause some headaches for IT professionals who fear change.

Wait... you mean there's another kind?
posted by pompomtom at 5:45 AM on February 2, 2011 [2 favorites]


So a firewall rule or other security mechanism that operates based upon restricting individual IP addresses - like denyhosts or fail2ban if you're on Linux - is no good any more.

You can just block the /64, if you want.

Frankly we have that sort of problem right now with NAT. It's actually much worse on IPv4+NAT than it'll be on IPv6, because on IPv4+NAT, you can (and frequently do) have hundreds of legitimate users hidden behind the same freaking IP address that one or two asshats are also using.

So you block one spammer and, whoops, you've actually blocked an entire university dorm or library or whatever. And since addresses are frequently shared out of DHCP pools (again because of scarcity), the address you block today for spamming might belong to some total innocent next week. It's a total pain in the ass.

IPv6 will let utilities and admins choose the granularity that they want to block. A single address (which is really like just shutting down the connection until the user does something that causes it to be regenerated), or try and nuke the whole /56 or /64? Admittedly, deciding whether to block at the /56 or /64 level will require knowing something about their ISP's policies, but you need to know that now (or make some reasonable assumptions) because of the IPv4-reuse issue. Chances are, the /64 (or /56, or whatever) you get from your ISP won't change nearly as much as the IPv4 address you have now -- there's just no reason for the pooling/leasing/sharing that you have with v4 addresses.

Yes, utilities like denyhosts or fail2ban (or anything else that uses IP addresses) will need to be rewritten. Such is life. But the network topology that we're moving towards with IPv6, when its eventually the standard, will be a lot better architecturally than the current IPv4 world, and the actual jobs that denyhosts/fail2ban perform will probably get easier.
posted by Kadin2048 at 12:25 PM on February 2, 2011 [1 favorite]


NAT has gone from an inglorious kludge to a vital part of one's network security

It's most likely a false sense of security if you're using any sort of messenger application, Skype or BitTorrent because NAT requires further hacks like UPnP for any of that stuff to work properly. UPnP makes your firewall configurable through a network connection. If you think that sounds like a security nightmare, you're probably right.
posted by robertc at 5:25 PM on February 2, 2011


You can just block the /64, if you want.

That's what the subsequent "you have to ban her entire subnet" note meant. You can block the /64 if you are watching all of this and thinking about it and conscious of the changes in security fundamentals when you transition from IPv4 to IPv6. But the bit you responded to was about what will happen if someone "doesn't take everything into consideration" when they move the same firewall device from filtering IPv4 traffic to IPv6 traffic. Certainly, as you say, for someone who's paying attention things will become easier, and blocking individual IPv4 addresses now isn't an comprehensive or particularly effective security measure anyways, but this is all explicitly about what incompetent organizations are inevitably going to do to cause security vulnerabilities, not about any unfixable security problems inherent in IPv6.
posted by XMLicious at 9:01 PM on February 2, 2011


Incompetent organizations manage to fuck up their security with IPv4. Sometimes even relatively competent ones manage to do the same. In that respect, IPv6 is no different.
posted by wierdo at 6:08 PM on February 3, 2011 [1 favorite]



Just have to say, as a network security professional, the amount of FUD with IPv6 is really stunning.

Here's my MAC address, y'all : 00:26:bb:5e:ad:e6
Feel free to post my "dox."


Enhance! We've got you, Steve Jobs!
posted by odinsdream at 7:41 AM on February 4, 2011 [1 favorite]


Also, has anybody tried actually running an IPv6 network? I've been playing around with Microsoft's implementation, and haven't been having much luck. It works, but the latency is AWFUL.

We've just barely started. It's nearly impossible to get an ISP to provide native IPv6 routing. I've been going back and forth with our commercial ISP for a week now. They're a gigantic company, we pay an obscene amount of money each month for service, and I'm still not close to having an implementation date.

Our datacenter is just beginning to imagine how to provide IPv6.
posted by odinsdream at 7:45 AM on February 4, 2011


It's trivial to map a wifi MAC address to GPS coordinates. If your wifi router uses consecutive MAC addresses for its wireless and wired interfaces, then NAT will basically broadcast your physical location to every website you visit. Even without NAT, remote sites can probably play games with TTL to get your router's MAC.

I'm sorry, but do you have any idea what you're talking about?
posted by odinsdream at 7:55 AM on February 4, 2011 [1 favorite]


odinsdream: He does, he's just not giving you a step-by-step explanation of his reasoning. Essentially, if you assume the following: (a) 802.11 APs' MAC addresses are mapped by Skyhook and Google location databases; (b) interface MAC addresses are embedded in their IP addresses, as they are in the original design of ipv6 autoconfiguration; and (c) your NAT box's wired interface's MAC address is related in some obvious way to its wireless interface's MAC address, as some are; then someone can deduce your physical location from your NATted IP address. And even if you're not using NAT, they may still be able to find your router's IP address via traceroute ("playing games with TTL").
posted by hattifattener at 1:17 PM on February 4, 2011


THE END IS NEIGH! Apparently ICAAN assigned the last block of availble IpV4 numbers yesterday.
posted by Ogre Lawless at 5:00 PM on February 4, 2011


THE END IS NEIGH!

Flogging a dead horse?
posted by pompomtom at 12:50 AM on February 5, 2011 [1 favorite]


Our datacenter is just beginning to imagine how to provide IPv6.


Depending on your logical architecture, F5 has some really nice v4/v6 gateway modules for their ltm platform.
posted by iamabot at 3:00 PM on February 5, 2011


iamabot: To clarify, by "our datacenter" I meant the one where we keep our servers - it's a separate company. Thankfully I don't have to manage anything near that large for IPv6 - just a couple servers and switches on my end, which are ready to go.
posted by odinsdream at 3:21 PM on February 5, 2011


Speaking of incompetent IT people (though I'm actually more of a developer, and I guess that things like this are one reason why) here's one that was not obvious to me: if the IPv6 stack is even installed in Linux - you might not have a network set up, you might only be able to ping6 localhost and nothing else - you have to be working with *both* iptables and ip6tables.

Otherwise, you can have a firewall set up via iptables - even something like all policies set to drop all packets - and at least some kinds of traffic can still sort of leak through the IPv6 stack. I just confirmed this on a system running Ubuntu Jaunty, one that was fortunately already behind a firewall that's on a separate device anyways.
posted by XMLicious at 6:07 AM on February 7, 2011


Okay, wait - I just realized that I made a certain mistake in testing, and the posts and messages I was seeing online that seemed to corroborate the problem were from a few years ago. So what I said above might not be entirely accurate, I couldn't be sure without further testing.

But I'm definitely seeing traffic in netstat that is listed under the tcp6 protocol instead of just tcp, and setting all policies to drop packets in ip6tables doesn't seem to have hurt anything, so I think I'm going to do that in the future for safety's sake.
posted by XMLicious at 6:24 AM on February 7, 2011


« Older TLC: [SLYT]...  |  Australia is copping another p... Newer »


This thread has been archived and is closed to new comments