Slashdot Mirror


UK Researchers Find IPv6-Related Data Leaks In 11 of 14 VPN Providers

jan_jes writes: According to researchers at Queen Mary University of London, services used by hundreds of thousands of people in the UK to protect their identity on the web are vulnerable to leaks. The study of 14 popular VPN providers found that 11 of them leaked information about the user because of a vulnerability known as 'IPv6 leakage'. The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet called IPv6. The study also examined the security of various mobile platforms when using VPNs and found that they were much more secure when using Apple's iOS, but were still vulnerable to leakage when using Google's Android. Similarly, Russian researchers exposed the breakthrough U.S. spying program a few months back. The VPNs they tested certainly aren't confined to the UK; thanks to an anonymous submitter, here's the list of services tested: Hide My Ass, IPVanish, Astrill, ExpressVPN, StrongVPN, PureVPN, TorGuard, AirVPN, PrivateInternetAccess, VyprVPN, Tunnelbear, proXPN, Mullvad, and Hotspot Shield Elite.

65 comments

  1. 14 tested, 11 leaked... by rotaryexpress · · Score: 4, Interesting

    The 14 tested are listed, but not the ones that are leaking data? Why list one and not the other?

    1. Re:14 tested, 11 leaked... by hcs_$reboot · · Score: 3, Funny

      Because TFS writer is too lazy to read TFA.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:14 tested, 11 leaked... by complete+loony · · Score: 1

      And only because those 3 provide IPv6 support, and hence redirect that traffic too.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    3. Re:14 tested, 11 leaked... by AmiMoJo · · Score: 2

      TFA doesn't actually say which ones were not vulnerable. However, Mullvad has features to protect against IPv6 and DNS leaks, so it looks like they are aware of this problem and fixed it a while back.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:14 tested, 11 leaked... by pixelpusher220 · · Score: 1

      Just verified PrivateInternetAccess is not leaking IPv6 according to the link in the article comments. The PIA client also has a 'disable IPv6 during VPN' option that I have enabled.

      --
      People in cars cause accidents....accidents in cars cause people :-D
  2. Get some duct tape by Anonymous Coward · · Score: 0

    Naturally this would only be a temporary fix until you can put a permanent fix in place. Duct tape works great for everything!

    On a positive note 3 VPN providers do not leak so apparently they're already using duct tape.

  3. words words words by Anonymous Coward · · Score: 0

    Why won't they say something useful?

  4. Similarly? by Anonymous Coward · · Score: 1

    "Similarly, Russian researchers exposed the breakthrough U.S. spying program a few months back."

    What? How is this "similar"? The topic is that most VPN providers aren't encrypting IPv6 for some reason. What does that have to do with the US spying program?

  5. Re:Apple will keep your privacy by Anonymous Coward · · Score: 1

    Apple gladly spread your nudes? I don't remember any time that Apple did that... Only people who had valid passwords to accounts spread nudes.

  6. "IPv6 Leakage"??? Give me a break. by mark-t · · Score: 4, Insightful

    The study of fourteen popular VPN providers found that eleven of them leaked information about the user because of a vulnerability known as 'IPv6 leakage'.

    No.... That has nothing to do with IPv6, it has to do with what those VPNs support. What that statistic really means is that 11 out of fourteen VPN providers don't really support IPv6 in the first place.

    1. Re:"IPv6 Leakage"??? Give me a break. by MobyDisk · · Score: 1

      mod up. That statement, along with the following one, made no sense to me.

      The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet called IPv6.

      I wasn't aware that IPv6 was fundamentally flawed. This sounds more like bad network design or something.

    2. Re:"IPv6 Leakage"??? Give me a break. by Geordish · · Score: 5, Informative

      Exactly this.

      The problem occurs when you have an IPv4 VPN tunnel, and IPv6 native connectivity. The IPv6 connectivity will be preferred over the IPv4 tunnel, and you will connect natively.

      The fix? There are two:

      1) Add IPv6 support to the VPN, and default route traffic over that.
      2) Drop the IPv6 connection while connected to the VPN.

      The first solution is obviously best.

    3. Re:"IPv6 Leakage"??? Give me a break. by dissy · · Score: 2

      No.... That has nothing to do with IPv6, it has to do with what those VPNs support. What that statistic really means is that 11 out of fourteen VPN providers don't really support IPv6 in the first place.

      Well if IPv6 packets can pass at all, clearly they support IPv6.

      The problem is that they likely are accidentally supporting it with no knowledge about doing so.

      Would you put your Windows box on the IPv4 Internet with no firewall whatsoever?
      I don't mean having a firewall and accidentally misconfiguring it, I mean having a firewall and not adding a single rule.

      Well, that's exactly what these VPN providers did for the IPv6 protocol. They have zero IPv6 firewall rules.

      So while inbound IPv4 packets are filtered with a default deny rule and any allow rules the customer wants, also likely filtering some outbound as well, their IPv6 rules are default allow.

      Odds are if you fired up a PC with IPX or NetBEUI as the protocol, their firewall would gladly allow that traffic unfiltered as well.

      For example in the Linux iptables packet filter, you can disable the IPv6 protocol completely with a single command:
      iptables -I INPUT -p 41 -j DROP

      Of course using IPv6 properly is a bit more work, as you have to allow the IPv6 protocol in the main iptables, and use ip6tables or something like that for filter rules on the other IP stack.

      Either way, allowing everything (no matter what protocol) has always been said to be unwise, and now these companies and their customers can see why.

    4. Re:"IPv6 Leakage"??? Give me a break. by Anonymous Coward · · Score: 0

      The VPN isn't the one leaking your IPv6 info, it's your ISP or whoever you have an IPv6 tunnel with. The VPNs aren't set up to handle the IPv6 traffic, so that traffic gets sent out over your regular ISP's pipes, not your VPN's pipes, hence they are not handling the traffic.

    5. Re:"IPv6 Leakage"??? Give me a break. by KiloByte · · Score: 2

      For example in the Linux iptables packet filter, you can disable the IPv6 protocol completely with a single command:
      iptables -I INPUT -p 41 -j DROP

      No, that will drop just one of many ways of tunnelling IPv6 over IPv4. To drop or manipulate IPv6 packets, you need to use ip6tables instead.

      And you really shouldn't be using DROP here, as it will delay every connection until timeout expires. You want REJECT instead.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    6. Re:"IPv6 Leakage"??? Give me a break. by unixisc · · Score: 2

      If this is the model that any VPN service uses, it's really stupid, for 2 reasons:

      • It combines the weakness of IPv4 tunnels, i.e. overlapping private address ranges, and the weakness of IPv6 gateways: proactively assigning node addresses if DHCPv6 ain't supported
      • It ignores one of the greatest strengths of IPv6: better connectivity for VPNs

      In IPv6, there would be 3 ways to natively support a VPN:

      • Use Unique Local Addresses (fd00::/8), which would ensure a good likelihood of non-overlapping address ranges
      • Make a VLAN of Global Unicast Addresses from the 2 networks in question, adding only the nodes that need to be in it
      • Assign addresses from one of the networks to nodes in the other, and set up a proxy connection b/w the two

      Simply extending IPv4 concepts to IPv6 is likely to break things, given the changes in how the networks are built: in IPv4, nodes have to request addresses, whereas in IPv6, nodes are automatically assigned addresses. So when constructing VPNs, network admins would have to account for those differences while defining their networks.

      Frankly, I don't see how a VPN could be constructed if the IPv6 networks in question don't have DHCPv6 support. That's the minimum that needs to be there, otherwise every node in the networks would be a part of a VPN, regardless of whether they need to be or not. A few days ago, we were discussing DHCPv6 support in Android: this is one of the cases where SLAAC + DAD/ND is inadequate, and where you need to have a well defined address assignment policy.

    7. Re:"IPv6 Leakage"??? Give me a break. by unixisc · · Score: 2

      It looks like the issue here is that since IPv6 addresses are freely assigned to any node in a network devoid of DHCPv6, nodes that shouldn't belong in that network get IP addresses, and thereby access to all traffic within the network. In IPv4, if DHCPv4 weren't there, a node has to be manually configured, or else it doesn't get an address. In IPv6, if DHCPv6 ain't there, a node still gets an address courtesy of the combination of SLAAC, ND and DAD.

      The solution to this would be to mandate DHCPv6, but networks that choose to avoid it allow the free assignment of addresses to any node within the range of the network, such as tablets or phones that see the SSID. Routers see that thing within the network, and assume that it needs to be assigned one of the addresses from their range. If that node happens to be a hostile spying node, it gets the access and then automatic entry into the VPN, thereby defeating its purpose. With DHCP, one could define which nodes get IP addresses and which don't.

  7. But,but,but! IoT by Anonymous Coward · · Score: 0

    IPv6 is a must to get full traceability and we _MUST_ have that! Like Google says "If you don't want us to know that you are doing something; maybe you shouldn't be doing it?".

  8. ipv6 incompetence is nothing new. by nimbius · · Score: 4, Interesting

    We mandated IPv6 a while back and, like alcoholics, we refused to give up IPv4 for a myriad of nagging and petulant reasons. It's coming back to haunt us now, with everything from legacy routers that can't grok IPv6 right to switches that can't tag or trunk v6. Many commercial firewalls even struggle to answer the questions "can you support IPv6?" and "can you route it?" with a definitive answer.

    For the average user there's no clear or quick answer; you'll just have to agree that some third party got it right. For Slashdotters there's easy-rsa tools to start your CA and OpenVPN, which has had support for IPv6 since 2.3. "Leakage" is an ephemeral and undefined problem in TFA, but for those of us that live and breathe on planet RTFM an OpenVPN tunnel that supports v4 and v6 is trivial.

    I'm speaking of the States, but here our cable and fibre providers have 90% coverage of a dual-stack configuration of IPv6 and IPv4 direct to the device. Sure, the modem only grants 1 IP for 1 customer (at least until the net neutrality suits are settled), but once you step into a fresh IPv6 address the measure of this IPv6 debacle becomes apparent. Big players aren't playing: Amazon's various services don't support IPv6 and most of your TLDs outside of the googleverse don't get AAAA. The open source community at freenode does support it however, and most shared/VPS hosting providers do as well, so if you need a project this summer at least consider looking at your DOCSIS 3 options/IPv6 lease and get to work on that VPN!

    --
    Good people go to bed earlier.
    1. Re:ipv6 incompetence is nothing new. by petermgreen · · Score: 4, Insightful

      I can see a few ways information could leak in a dual stack situation involving a VPN that would not happen if everything was IPv4 only.

      1: The user's local connectivity is dual stack (or v6 only) but the VPN is IPv4 only. The result is IPv4 goes via the VPN but IPv6 doesn't. The user thinks the VPN is hiding the origin of their traffic but it isn't hiding the origin of all of it. With a bit of extra work it may also be possible for a website or an attacker in the network to tie the direct v6 address(es) to the VPN v4 address.
      2: IPv6 traffic does go via the VPN but addresses are generated in such a way that the user's MAC address is revealed (for example the user has a network behind the VPN and that network uses MAC based IP autoconfiguration). This MAC address can later be tied
      3: The machine has an IPv6 address from the local ISP. Even if routing tables or firewall configurations are such that this address won't be used for making connections an application could still mistakenly send it as part of a payload. The same could in principle happen with IPv4 but it's much less likely due to pervasive use of NAT.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
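The two leak cases described above (Geordish's IPv4-only tunnel on a dual-stack host, and petermgreen's case 2, MAC-derived addresses) can be checked from the machine's own routing table and address list. The following is an added example, not code from the thread or from any VPN client; it assumes Linux iproute2 output and a hypothetical tunnel interface name tun0 (override with VPN_IF).

```shell
#!/bin/sh
# Added example, not from the thread or any VPN provider: two offline checks for the
# dual-stack leak cases discussed above. Assumes Linux iproute2 output and a tunnel
# interface named tun0 (hypothetical; override with VPN_IF=<iface>).
#
# Live use:  ipv6_route_verdict "$(ip -6 route show default)"
#            ipv6_eui64_addrs   "$(ip -6 addr show scope global)"

# Case 1: which device carries the winning default IPv6 route? The kernel uses the
# lowest-metric default route, so a VPN that installs its own v6 default at a lower
# metric wins, and a host with no v6 default route has nothing to leak.
# Prints "no-ipv6", "tunnelled" or "LEAK via <dev>".
ipv6_route_verdict() {
    routes="$1"
    vpn_if="${2:-${VPN_IF:-tun0}}"
    best_dev=$(printf '%s\n' "$routes" | awk '
        $1 == "default" {
            dev = ""; metric = 1024        # iproute2 default when no metric is printed
            for (i = 2; i <= NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            if (dev != "" && (best == "" || metric < bestm)) { best = dev; bestm = metric }
        }
        END { print best }')
    if [ -z "$best_dev" ]; then
        echo "no-ipv6"             # no v6 default route: IPv6 is dropped while on the VPN (fix 2)
    elif [ "$best_dev" = "$vpn_if" ]; then
        echo "tunnelled"           # v6 default goes through the tunnel (fix 1)
    else
        echo "LEAK via $best_dev"  # native v6 wins over the v4 tunnel: traffic bypasses the VPN
    fi
}

# Case 2: global addresses with an EUI-64 interface identifier embed the NIC's MAC
# (with ff:fe inserted in the middle), so they identify the hardware even when the
# traffic itself does go through the tunnel. Prints each matching address, one per line;
# RFC 4941 temporary (privacy) addresses are not matched.
ipv6_eui64_addrs() {
    printf '%s\n' "$1" |
        awk '$1 == "inet6" { sub("/.*", "", $2); print $2 }' |
        grep -iE ':[0-9a-f]{0,2}ff:fe[0-9a-f]{2}:[0-9a-f]{1,4}$' || :
}
```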
    2. Re:ipv6 incompetence is nothing new. by gstoddart · · Score: 4, Insightful

      Well, then the real thing here is that despite everybody claiming IPv6 is awesome and super, there's crappy and inconsistent support for it.

      So why should any small company or individual be doing anything about IPv6 when the big players aren't, and most of the existing products are apparently doing a terrible job of it?

      IPv6 has been coming "Real Soon Now" for what feels like an eternity. People aren't going to spend money to change when they still need to figure out how to work with the legacy stuff.

      You describe both the epic failure of IPv6 to gain widespread adoption, and the reasons why people are staying the hell away from it.

      --
      Lost at C:>. Found at C.
    3. Re:ipv6 incompetence is nothing new. by Anonymous Coward · · Score: 0

      People don't want to use IPv6 because it's stupidly complex and hard to secure. There is too much broadcasting/announcing/autorouting/and other bullshit in IPv6. The address format sucks and is something only a Lisp design committee could love (wait, did I put 7 or 8 empty colons there?! Ah, dammit).

      If I had designed IPv6 it would be nothing more than increasing the address space to 64 or 128 bits and that's it. Everything else would be like IPv4. If it had been done that way then IPv6 would probably already be dominant.

    4. Re:ipv6 incompetence is nothing new. by Geordish · · Score: 2

      People don't want to use IPv6 because it's stupidly complex and hard to secure. There is too much broadcasting/announcing/autorouting/and other bullshit in IPv6. The address format sucks and is something only a Lisp design committee could love (wait, did I put 7 or 8 empty colons there?! Ah, dammit).

      This sounds like you don't know what you are talking about. To start with, in IPv6 there is no broadcasting at all. Anywhere broadcast was used (e.g. ARP) this has been replaced with multicast. Announcing and autorouting? Not sure what you mean by this, but if it's the router advertisements when using SLAAC then how is this different from IPv4 and DHCP? FYI this doesn't have to be turned on. From a pure routing point of view (I work for ISPs) it works no differently than IPv4. Address length aside of course.

      As for empty colons... Are you writing addresses like 2001:db8::::::6? Sounds like you need to read an RFC. That can be written as 2001:db8::6. (Of course you can only truncate one set of colons, but there are only 7 maximum in total.)

      What is hard to secure about it? I would like some genuine details on this. I don't see where it is harder than IPv4 (address length aside).

      The reason that it isn't widely deployed is simple. It is not backwards compatible. If the spec had been written so an IPv4 addressed machine could communicate with an IPv6 addressed machine without any of the hackery we are now looking at, we wouldn't be having this conversation. Unfortunately when the spec was written over 20 years ago routers were not that powerful, and they were trying to limit the amount of work they had to do.

    5. Re:ipv6 incompetence is nothing new. by Anonymous Coward · · Score: 0

      It's nothing to do with routers being powerful, it's just straightforward mathematics, and is the WHOLE POINT of the new protocol version. IPv4 specifies exactly 32 bits of addresses. That means there are only about 4 billion possible addresses. Any system that has MORE addresses is incompatible. Since adding even four extra addresses would be incompatible, you might as well add a LOT more, and IPv6 does that.

      Every person who thinks man, if only they had designed IPv6 they'd have made it compatible is a MORON. They're basically saying "Well, mathematicians might think there are only 2^32 different possible values in 32-bits, but I know better".

      Every person who says well, IPv4 should have been made extensible to allow for more addresses is exactly as useful as the people who say well, now I know how that horse race turned out I would have bet differently. Wow, you can see the future, once it's the past. Brilliant.

      And this idiocy has been rife, not just among laymen (who can't be blamed for not knowing anything about mathematics or history) or on tech fan sites like Slashdot, it's even found among people running ISPs. Blithering idiots are running the average ISP, still not really sure what the difference is between VPN and Vhosts, and hoping that nobody will notice they just once again bought a bunch of cheap IPv4-only crap that means when they're obliged to transition they'll either go bankrupt or squeeze their customers for yet more money to pay for their screw-up.

    6. Re:ipv6 incompetence is nothing new. by bill_mcgonigle · · Score: 1

      I don't like what you're saying, but it's true. For this reason I disable ipv6 wherever I care about security (vmlinuz ipv6.disabled=1), because I can't trust the existing implementations and I'm pretty sure there will be data leakage if I don't (this story doesn't help assuage my concerns). Therefore, I'm not engaged in filing bug reports very much, because I mostly have to avoid it. Quite a Catch-22.

      Also my ISP doesn't offer it and most endpoints don't offer it, so it just adds latency for Internet operations. There are clearly incentives missing or the situation would be better. The recent move to monetize IPv4 space transfers might finally be the impetus needed for network operators to move their internal nets to IPv6, but look at Android 5 not even supporting DHCPv6 (which administrators seem to want) and you can see how far we have to go - whether Google or the admins wind up backing down, there are still fundamental philosophical disagreements about how v6 should be disabled and no amount of shouting "but I'm right" will solve it. That's in 2015 with at least a lead time of five years for everybody to get on the same page, *after* there is agreement. And even if monetization of IPv4 does start to work, the BGP community has had its head in the sand for two decades and really can't handle it.

      IPv6 is necessarily more complex than IPv4 since it shifts the complexity of kludges into services (the tech schools aren't even teaching it so only alpha nerds even understand the stack) and fundamentally the transition plan was "we'll make a spec and then everybody will support it for altruistic reasons") which is such a monumental failure in understanding human action that it's socially embarrassing to be associated with the spec. The IPv6 transition will be a warning to future generations about how not to advance technology in society.

      Yet we still need it.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    7. Re:ipv6 incompetence is nothing new. by Anonymous Coward · · Score: 0

      And also because IPv6 isn't needed anymore. It was thought up as a fix for the IP-address shortage that was an issue before the invention of NAT. Now it's just a tool to be able to identify every device with absolute certainty. Is this really reason enough now that IP shortage no longer is an issue?

    8. Re:ipv6 incompetence is nothing new. by Geordish · · Score: 1

      It's nothing to do with routers being powerful, it's just straightforward mathematics, and is the WHOLE POINT of the new protocol version. IPv4 specifies exactly 32 bits of addresses. That means there are only about 4 billion possible addresses. Any system that has MORE addresses is incompatible. Since adding even four extra addresses would be incompatible, you might as well add a LOT more, and IPv6 does that.

      Every person who thinks man, if only they had designed IPv6 they'd have made it compatible is a MORON. They're basically saying "Well, mathematicians might think there are only 2^32 different possible values in 32-bits, but I know better".

      Every person who says well, IPv4 should have been made extensible to allow for more addresses is exactly as useful as the people who say well, now I know how that horse race turned out I would have bet differently. Wow, you can see the future, once it's the past. Brilliant.

      And this idiocy has been rife, not just among laymen (who can't be blamed for not knowing anything about mathematics or history) or on tech fan sites like Slashdot, it's even found among people running ISPs. Blithering idiots are running the average ISP, still not really sure what the difference is between VPN and Vhosts, and hoping that nobody will notice they just once again bought a bunch of cheap IPv4-only crap that means when they're obliged to transition they'll either go bankrupt or squeeze their customers for yet more money to pay for their screw-up.

      This is a lot of rage. I'm clearly pro-IPv6. I'm aware of the limitations in address space in IPv4. I'm aware that IPv6 adds 96 more bits, and makes the space ridiculously large. My point was merely an observation on why the uptake has been slow. The ISP I work for is in the habit of making any new purchase or deploying anything new IPv6 capable. I think a lot of operators with clue are doing the same.

      I don't think that you can disagree with my point though? If IPv4 and IPv6 were able to interop, then uptake would have been much quicker.

      Oh, and a lot of decisions made when IPv6 was being developed were around complexity. Routers were really starting to struggle around then. This was basically the reason MPLS was created. Hardware got quicker first though. Had IPv6 been developed 10 years later then a very different beast would have emerged. Hindsight is a wonderful thing though.

    9. Re:ipv6 incompetence is nothing new. by Anonymous Coward · · Score: 2, Interesting

      If address space were an important factor, they would have taken away large blocks to organizations that don't need them.

      I know a university with a class B block and they have maybe 100 servers that need to have publicly routable IP addresses, but they have an entire class B block. If you connect to the wifi on campus you get a public facing IP address! All the computers in every lab on campus have a public IP address. Your laptop or tablet will have an address like 166.127.34.139 (first two octets changed to hide the incompetent) and their weak firewall only stops ICMP traffic to your device.

      That is 65,000+ wasted addresses at just one location and they aren't the only address wasters, not even close.

      Next you have loopback 127.0.0.1/24. That is a massive waste. What machine needs 16,777,216 local addresses?

      Now you have private address spaces: 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 which is nearly 18 million addresses. Far more than any one needs in a private address.

      I wouldn't be surprised if 50% of the IPv4 address space is wasted.

      The motivation behind IPv6 is security, and only pushed along because of IPv4 address waste.

    10. Re:ipv6 incompetence is nothing new. by Geordish · · Score: 1

      If address space were an important factor, they would have taken away large blocks to organizations that don't need them.

      I know a university with a class B block and they have maybe 100 servers that need to have publicly routable IP addresses but they have an entire class B block.

      No they don't. Classful addressing was deprecated over 20 years ago. They may have a /16. (Obligatory wikipedia link https://en.wikipedia.org/wiki/...)

        If you connect to the wifi on campus you get a public facing IP address! All the computers in every lab on campus have a public IP address. Your laptop or tablet will have an address like 166.127.34.139 (first two octets changed to hide the incompetent) and their weak firewall only stops ICMP traffic to your device.

      That is 65,000+ wasted addresses at just one location and they aren't the only address wasters, not even close.

      Excellent! This is the way it should be done (firewall part aside). A globally routable IP address per machine is the dream!

      Next you have loopback 127.0.0.1/24. That is a massive waste. What machine needs 16,777,216 local addresses?

      Now you have private address spaces: 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 which is nearly 18 million addresses. Far more than any one needs in a private address.

      I wouldn't be surprised if 50% of the IPv4 address space is wasted.

      Reclaiming address space just isn't worth the time. At its peak, ARIN (the RIR for North America) was going through a /8 in a few months. These days there is a lot of buzz about 'The Internet of Things'. Whether you buy into all that or not, it's just not possible to address every machine they are talking about out of the IPv4 address space.

      They have contemplated doing things like making 240/4 routable, but it wouldn't last a year if allocations were allowed to run at the rate they would with no limitations. Reclaiming address space (even if they could) from organisations that 'don't need it' would give the Internet a year of growth at best.

      There probably is a lot of waste in IPv4 address space, but we shouldn't be citing that as a reason not to change. At some point - even if we put in the effort to reclaim all the 'waste' - we are going to run out. Why spend all that energy reclaiming instead of just deploying v6?

      The motivation behind IPv6 is security, and only pushed along because of IPv4 address waste.

      I would not agree with you here. The motivation is a larger address pool.

    11. Re:ipv6 incompetence is nothing new. by unixisc · · Score: 1

      But they can inter-operate. There are so many transport mechanisms for them - Dual Stack, Dual Stack-Lite, Teredo, CGNAT, et al.

      Compatibility is an irrelevant term here: the correct concept would be 'inter-operable'. It's like the comparison b/w a freeway and a surface street. I could get from Santa Clara to San Mateo via El Camino Real, or I could get there via the I-280. It would be stupid to suggest that I-280 should have been built right next to El Camino Real so that people would use the former in preference to the latter. Or that I-280 gets less traffic because it's not compatible w/ El Camino Real. Truth is that some cars could use the freeway, while those not familiar w/ the I-280 could continue to use ECR. People who use the latter would be those who don't know how to take the 280 from Santa Clara to get to the 92 exit.

    12. Re:ipv6 incompetence is nothing new. by unixisc · · Score: 2

      Problem is if you tried to redefine everything within the 127. space that's not 127.0.0.1 as public unicast space, you'd have to fiddle w/ the IPv4 protocol of every router, and then you'd have 2 versions of IPv4 in supposedly IPv4 compatible equipment. That would pretty much end IPv4 communications as we know it. Even today, there is IPv4 equipment that's unaware of CIDR or subnet masks or even NAT.

      You are right about the wastage, but you're forgetting something: IPv4 was never designed for global use. It was designed by the DoD purely for use by the Pentagon and everybody they worked w/. They were never going to get anywhere even close to 4 billion users, and given the scope of what they were, it was the right fit. Now IPv4 went viral, became a part of TCP/IP and caught on, and once the scope became the whole world, it was woefully inadequate for the job. The IETF recognized that, and set on working on a successor. Since any new protocol would have broken compatibility, since the address header would no longer be 32 bits, they made the new protocol address header 128 bits, so that it was unlikely to be ever changed. Of course, that meant breaking compatibility w/ every piece of Layer 3 equipment, which is why they went for the clean room approach. Some of the concepts they tried to lock in, such as autoconfiguration, were IMO overkill, and ended up potentially restricting this protocol as well, but I think that we could in future get to a point where we could use /96 subnets instead of /64.

    13. Re:ipv6 incompetence is nothing new. by unixisc · · Score: 2

      It's still very much an issue, since even NAT is running this, and we need to get into 2 layers of NAT, such as NAT444. That sort of networking won't be much different from SPX/IPX networking that we once had from Novell, where the communications were layer 2 rather than layer 3. IPv6 by contrast enables pure layer 3 communications.

    14. Re: ipv6 incompetence is nothing new. by Anonymous Coward · · Score: 0

      For fuck's sake, you didn't even read the posts before you. You are the weakest link.

      You are 3/3 wrong.

    15. Re:ipv6 incompetence is nothing new. by EmperorOfCanada · · Score: 2

      For some reason I have always had two problems with IPv6. One is that it offers me as an end user exactly nothing terribly tangible. Yes yes I know of the whole running out of addresses stuff but I have never contacted a server host who said, "Sorry we are out of addresses." My ISP has never said, "Sorry no more customers we are out of addresses." So why should the average user even give a crap.

      The other thing that I have found is that without exception those who I have met who are pushing IPv6 remind me nearly perfectly (and in many cases were) the same Y2K people who told us that the world was going to end. They are grade A assholes. Thus it instantly makes me suspect that IPv6 has hidden surprises buried in it that will piss me off. So paternalistic shit that is "good for me" but in reality somehow allows some asshole admin to fuck up my traffic because his traffic has a higher priority or some such bullshit.

      So my prediction is that when all is said and done there will never be IPv6, but someone is going to come up with IPG2 (Generation 2) that is chock-a-block full of things that we all want. Things where we will be happy to demand that our ISPs make the leap, things that get us out there to buy new networking gear.

      IPv6 will basically become XHTML. Some will argue that this is impossible but WEP was pretty much tossed into the trash and everyone was onboard with the new things like WPA in a heartbeat. Not because it satiated the black heart of some pedantic network admin but because it was actually better.

    16. Re:ipv6 incompetence is nothing new. by Anonymous Coward · · Score: 0

      > People don't want to use IPv6 because it's stupidly complex and hard to secure. There is too much broadcasting/announcing/autorouting/and other bullshit in IPv6. The address format sucks and is something only a Lisp design committee could love (wait, did I put 7 or 8 empty colons there?! Ah, dammit).

      This sounds like you don't know what you are talking about. To start with, in IPv6 there is no broadcasting at all. Anywhere broadcast was used (e.g. ARP) this has been replaced with multicast. Announcing and autorouting? Not sure what you mean by this, but if it's the router advertisements when using SLAAC, then how is this different from IPv4 and DHCP? FYI, this doesn't have to be turned on. From a pure routing point of view (I work for ISPs) it works no differently than IPv4. Address length aside, of course.

      As for empty colons... Are you writing addresses like 2001:db8::::::6? Sounds like you need to read an RFC. That can be written as 2001:db8::6. (Of course you can only truncate one set of colons, but there are only 7 maximum in total.)

      What is hard to secure about it? I would like some genuine details on this. I don't see where it is harder than IPv4 (address length aside).

      The reason that it isn't widely deployed is simple. It is not backwards compatible. If the spec had been written so an IPv4 addressed machine could communicate with an IPv6 addressed machine without any of the hackery we are now looking at, we wouldn't be having this conversation. Unfortunately when the spec was written over 20 years ago routers were not that powerful, and they were trying to limit the amount of work they had to do.

      You're arguing with people who believe NAT makes IPV4 secure. Piss poor implementation is the most common failing, followed closely by out-sourcing responsibility (do you really trust a company who claims to hide your non-business activities?). Non-BP implementation of IPV6, and failure by users to read the documentation is just a variation of previous "commercial VPN services for private usage" fuckups (different dog, same leg action).

      The majority of "individuals" use HideMyAss and iPredator type services so they can pirate - apart from stupid at both ends the biggest risk of "privacy" breaches is not from the NSA - it's "investigators" hired by the media monopolies. Not as skilled as the NSA/CIA, but just as effective when they're waving handfuls of cash. If you can't be bothered setting up your own VPN (properly) expect to be burned at some point like wearing petrol pants to a barbeque. The more people that use the same service the less safe you will be.

      IP4 is not the solution (it has what security capabilities?). Just enabling IPV6 is not the answer.

      And the reason that IPV6 uptake is slow is because most "users" are (that's why they want backward compatibility - so they can stick with backward, interoperability is not complex), and many of them represent service providers - both ISPs and VPN "service sellers". For the most part they consist of people who dismiss Cisco-like networking qualifications because they "don't need to study it to know it's a load of hype" (too stupid to recognize the fact).

      The reasons why people should be deploying IPV6 (properly) is not just to provide more network addresses - it's because it's more secure.

      Note: that's not (mostly) directed at you Geordish - just adding to your post

      Demonoid-Penguin - moderating, if I can find anything relevant to the "story" worth promoting.
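The colon rule discussed above (a single "::" may stand for one run of zero groups, so 2001:db8::::::6 is not a valid address while 2001:db8::6 is), as an added Python example that is not from the thread: an expander that enforces the one-"::" rule of RFC 4291 and a compressor that emits the canonical RFC 5952 text form (lowercase, no leading zeros, the longest zero run collapsed, first run on a tie, never a single group). The canonical form is what an allow-list or log filter should compare on, because 2001:0DB8::6, 2001:db8:0:0:0:0:0:6 and 2001:db8::6 are one address. Function names and sample addresses are my own; embedded IPv4 suffixes and zone ids are deliberately out of scope.

```python
"""Added example: expand and canonically compress textual IPv6 addresses.

Not code from the thread. Implements the text rules of RFC 4291 s.2.2 (at most
one "::") and RFC 5952 s.4 (canonical compressed form). Embedded IPv4 suffixes
("::ffff:192.0.2.1") and zone ids ("fe80::1%eth0") are intentionally rejected.
"""
import re
from typing import List

HEX_GROUP = re.compile(r"^[0-9a-fA-F]{1,4}$")


def expand(addr: str) -> List[int]:
    """Return the eight 16-bit groups of `addr`; raise ValueError if malformed."""
    if addr.count("::") > 1:
        raise ValueError("more than one '::' in %r" % addr)
    if ":::" in addr:
        raise ValueError("run of three or more colons in %r" % addr)
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group in %r" % addr)
        groups = left + ["0"] * missing + right
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("expected 8 groups, got %d in %r" % (len(groups), addr))
    out = []
    for g in groups:
        if not HEX_GROUP.match(g):
            raise ValueError("bad group %r in %r" % (g, addr))
        out.append(int(g, 16))
    return out


def compress(groups: List[int]) -> str:
    """RFC 5952 canonical text: lowercase hex, no leading zeros, longest zero run
    (length >= 2, first one on a tie) replaced by a single '::'."""
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:          # strictly longer: ties keep the first run
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = ["%x" % g for g in groups]
    if best_len < 2:                      # a lone zero group is written as "0"
        return ":".join(hexs)
    left = ":".join(hexs[:best_start])
    right = ":".join(hexs[best_start + best_len:])
    return left + "::" + right


def canonical(addr: str) -> str:
    """Canonical form of a textual address; use this before comparing addresses."""
    return compress(expand(addr))


def same_address(a: str, b: str) -> bool:
    """True when two differently written strings denote one IPv6 address."""
    return canonical(a) == canonical(b)


if __name__ == "__main__":
    for text in ("2001:0DB8:0000:0000:0000:0000:0000:0006", "2001:db8:0:0:1:0:0:1", "::1", "::"):
        print("%-40s -> %s" % (text, canonical(text)))
    for bad in ("2001:db8::::::6", "2001:db8::1::2", "1:2:3:4:5:6:7:8:9"):
        try:
            expand(bad)
        except ValueError as err:
            print("rejected:", err)
```

Python's own `ipaddress.IPv6Address(text)` applies the same rules (its `str()` is the compressed form and the constructor rejects a second "::"); the hand-written version is here so the rules the post alludes to are visible.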

    17. Re:ipv6 incompetence is nothing new. by Anonymous Coward · · Score: 0

      I don't like what you're saying, but it's true. For this reason[...]

      Someone please mod Bill up

      (sorry - I'm out of points).

      D-P

    18. Re:ipv6 incompetence is nothing new. by Anonymous Coward · · Score: 0

      Well, waiting for something to break, especially something as big as the internet, just sounds like a terrible idea... that's why IPv6 matters.

    19. Re:ipv6 incompetence is nothing new. by metamatic · · Score: 1

      The idea of solving the problem by reclaiming IPv4 addresses was considered, but the math doesn't work:

      Now, average daily assignment rates have been running at above 10 /8s per year, for 2010, and approached 15 /8s towards the end. This means any reclamation effort has to recover at least 15 /8s per year just to break even on 2010’s growth. That’s 5.9% of the total IPv4 address space, or 6.8% of the assignable address space.

      Looking at the /8 blocks assigned to organizations other than regional NICs, there are 40 of them. So even if we could persuade all those organizations to give up their /8s, and even if we could organize it all quickly enough, the best we could do would be to put off the problem for 3 more years.

      In addition, reclaiming IPv4 addresses is far more expensive than rolling out IPv6, and it's hard enough to persuade companies that they need to roll out IPv6.

      And the calculation for class B allocations is even worse, because you have to deal with a lot more organizations; the cost is higher for far lower returns.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    20. Re:ipv6 incompetence is nothing new. by Zaelath · · Score: 1

      > Excellent! This is the way it should be done (firewall part aside). A globally routable IP address per machine is the dream!

      Even if you accept that's a good idea; that doesn't actually require 128bits, 40 would give us a trillion addresses, ~140 each. (That assumes we're all equal and the population is stable. The former is clearly false, though population is expected to peak at less than 10 billion.) Given the impossibility of everyone having US lifestyles, 1 trillion addresses is effectively unlimited, you don't actually need enough to address every atom in the observable universe.

      > I would not agree with you here. The motivation is a larger address pool.

      IPv6 is always sold as being security aware, it just manages to fail at that as well. A rational person would say that it needs a redesign now to BE secure before widespread adoption is forced by exhaustion... (though if you put a $1/year cost on IP addresses we'd all of a sudden be awash in the damn things and businesses wouldn't have a /16 to support an office with zero servers in it...)

  9. Facepalm by jones_supa · · Score: 3, Informative

    > The study of 14 popular VPN providers found that 11 of them leaked information about the user because of a vulnerability known as 'IPv6 leakage'. The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet called IPv6.

    Aaarggghh!!! The summary does not explain the issue properly at all.

    All that happens here is that the user's IPv4 traffic is tunneled through the VPN, but his IPv6 traffic is broadcasted past the VPN.

    I'm sure this problem can be avoided with some reconfiguration. The easiest solution would be to simply chuck off the IPv6 subsystem in the operating system.

    1. Re:Facepalm by Anonymous Coward · · Score: 0

      You are a cow. A cow says moo. MOOOOOOOOO! MOOOOOOO! Mooooo cow moooooooo! Moo says a cow. YOU COW!!

    2. Re:Facepalm by Anonymous Coward · · Score: 0

      > The easiest solution would be to simply chuck off the IPv6 subsystem in the operating system.

      I did that some time ago because IPv6 seems to be a huge step back for security and privacy.

    3. Re:Facepalm by jones_supa · · Score: 1

      Hurr durr I'ma sheep.

  10. TFA: by Kiyyik · · Score: 5, Informative

    http://www.eecs.qmul.ac.uk/~ha...

    (Since there doesn't seem to be a link).

    Basically, the table on page 3 is probably where you want to start looking. TorGuard, PrivateInternetAccess, VyprVPN & Mullvad are proof against IPv6 leakage, so it's actually 10 of 14 that aren't.

    Also, they found Astrill is proof against OpenVPN and PPTP/L2TP DNS hijacking. Interesting read.

  11. Referenced Article is a Teaser Webpage by Tokolosh · · Score: 3, Interesting

    The actual study is due to be presented at a future conference. In that sense the findings have not yet been made. So we are lured by clickbait into discussing something that has not happened. This is a waste of time.

    Tangentially, what is the purpose of headlines that say things like "President will announce tomorrow that he is starting World War 3"? Isn't that the same as announcing it now? Does he think we are stupid? Oh, wait...

    --
    Prove anything by multiplying Huge Number times Tiny Number
  12. According to the article... by Streetlight · · Score: 2

    Quote:

    "Interactions with websites running HTTPS encryption, which includes financial transactions, were not leaked."

    Whew... Although there are some privacy implications, HTTPS seems to work for your most important web use. And, with the transition to almost all sites running HTTPS encryption - hopefully with no bugs in that - the problem cited in the article may go away. There have been some concerns about HTTPS reliability, such as forged certificates, but hopefully the problems will be solved. I'm not completely up to date on the problems w/ HTTPS, though.

    --
    In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
    1. Re:According to the article... by Anonymous Coward · · Score: 0

      They probably just don't have HTTPS set up on the web servers, so it might just be defaulting to IPv4 anyway.

      Is HTTPS actually working over IPv6 anywhere? Just asking, I'm really not sure.

    2. Re:According to the article... by rb12345 · · Score: 1

      It works for Google, Facebook and YouTube, and has done since mid-2012.

  13. Details? by Anonymous Coward · · Score: 0

    This article is so light on details, I'm just going to pretend I never read it.

  14. Why blame IPv6? by grahamm · · Score: 1

    Why blame IPv6 for this? Any VPN only carries traffic which matches its traffic criteria - for IPsec, the SA definition (Encryption Domain in Cisco speak). So IPv4 has the same issue if the source/destination IP addresses and ports do not match those which are configured to pass over the VPN. Amongst other things, this allows a single system (host, router or security device) to terminate multiple VPNs and route traffic over the appropriate one (or directly).
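grahamm's point that a VPN carries only the traffic matching its selectors, and jones_supa's "Facepalm" observation higher up that the IPv4 traffic goes through the tunnel while the IPv6 traffic goes around it, as one added Python example that is not from the thread, the paper or any VPN vendor's client. It models a client's selectors (the routes it points at the tunnel, or IPsec-style prefix/port selectors), does longest-prefix matching within each address family, and reports every flow that matched nothing and therefore left the host by its ordinary default route: with IPv4-only selectors the IPv6 flow is exactly that fall-through. Two fixes are shown side by side: a selector that also sends ::/0 into the tunnel, and, for a client with no IPv6 support, one that discards IPv6 instead of letting it escape. Interface names, prefixes, ports and flows are constructed (documentation and TEST-NET addresses only).

```python
"""Added example: which flows a VPN client tunnels, and which fall through.

Not code from the thread or from any VPN product. A VPN client carries only
traffic that matches its selectors: the routes it points at the tunnel
interface (route-based clients) or the SA's traffic selectors (IPsec). A flow
matching no selector follows the host's ordinary default route, which is the
"IPv6 leak" when only IPv4 selectors exist. Every name and address below is
constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Selector:
    """Destination prefix, where matching traffic goes, optional dst port range."""
    dst: Network
    via: str                                  # e.g. "tun0", "eth0", or "drop"
    ports: Optional[Tuple[int, int]] = None   # inclusive range; None = any port


@dataclass(frozen=True)
class Flow:
    dst: str      # textual destination address, IPv4 or IPv6
    dport: int


def selector(prefix: str, via: str, ports: Optional[Tuple[int, int]] = None) -> Selector:
    return Selector(ipaddress.ip_network(prefix, strict=False), via, ports)


def match(flow: Flow, selectors: List[Selector]) -> Optional[Selector]:
    """Longest-prefix match within the flow's own address family; None if nothing matches."""
    addr = ipaddress.ip_address(flow.dst)
    best: Optional[Selector] = None
    for sel in selectors:
        if sel.dst.version != addr.version or addr not in sel.dst:
            continue
        if sel.ports is not None and not (sel.ports[0] <= flow.dport <= sel.ports[1]):
            continue
        if best is None or sel.dst.prefixlen > best.dst.prefixlen:
            best = sel
    return best


def classify(flow: Flow, selectors: List[Selector], host_default: str = "eth0") -> str:
    """Interface the host would use: the matching selector's, else the plain default."""
    sel = match(flow, selectors)
    return sel.via if sel is not None else host_default


def leaks(flows: List[Flow], selectors: List[Selector]) -> List[Flow]:
    """Flows the VPN policy never considered, i.e. sent unprotected by fall-through."""
    return [f for f in flows if match(f, selectors) is None]


# Constructed client policies.
V4_ONLY = [
    selector("0.0.0.0/0", "tun0"),          # all IPv4 into the tunnel ...
    selector("192.168.0.0/16", "eth0"),     # ... except the local LAN (more specific wins)
]
DUAL_STACK = V4_ONLY + [selector("::/0", "tun0")]       # IPv6 tunnelled as well
V4_WITH_V6_DROP = V4_ONLY + [selector("::/0", "drop")]  # no v6 support: discard, don't leak

# Constructed flows (TEST-NET-2 and the 2001:db8::/32 documentation prefix).
FLOWS = [
    Flow("198.51.100.10", 443),   # an IPv4 web site
    Flow("192.168.1.20", 445),    # a LAN file server
    Flow("2001:db8::10", 443),    # the same kind of web site, reached over IPv6
]

if __name__ == "__main__":
    for name, policy in (("v4-only", V4_ONLY), ("dual-stack", DUAL_STACK), ("v4+drop-v6", V4_WITH_V6_DROP)):
        routed = [(f.dst, classify(f, policy)) for f in FLOWS]
        print("%-12s %s  leaks: %s" % (name, routed, [f.dst for f in leaks(FLOWS, policy)]))
```

Run as-is, the v4-only policy reports the IPv6 flow leaving via eth0 and lists it as the only leak; the other two policies report none. The same check works as an audit on a real host if `FLOWS` is replaced by the destinations you care about and the selectors are read from the client's installed routes or SA configuration.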

  15. Ahem, these aren't "leaks" by fustakrakich · · Score: 1

    They are sweet tasting, gooey, oh what is that word?... you know, that stuff that bees make...

    Anyway they got caught... in a way... since proving intent would be very difficult.

    --
    “He’s not deformed, he’s just drunk!”
  16. Teredo leaks by MrKevvy · · Score: 1

    Teredo is one cause of the leaks in Windows. Disable it with:

    netsh interface teredo set state disabled

    in the command prompt.

    --
    -- Insert witty one-liner here. --
    1. Re:Teredo leaks by greenwow · · Score: 4, Interesting

      But don't do that! Disabling IPv6 is an "unsupported configuration" to use the phrase our former Microsoft support rep used. I say former because they canceled our support contract without a refund after we admitted to disabling IPv6. There are many things broken in Windows if you disable IPv6, so many that Microsoft won't even try to support it and punishes people that do in order to publicize that fact.

    2. Re: Teredo leaks by Anonymous Coward · · Score: 1

      This site is dead. That post was not a troll. There's just too many Microsoft fan boys here now. This used to be a tech site.

  17. What by darkain · · Score: 1

    I can't even brain after read that summary...

  18. Concerned users will ask by WallyL · · Score: 1

    Isn't IPv6 bigger than IPv4, and newer? If you can't carry my ipv6 without leaking, can you just switch me back to ipv4? You should be able to fit more ipv4 in there without it leaking.

  19. More Microsoft fanbois w/ mod points! by Anonymous Coward · · Score: 2, Interesting

    Amazing how they attack anyone here, like this guy, when someone posts the truth about Microsoft. Microsoft most certainly has a policy against disabling IPv6. They burned some of our license keys for disabling IPv6. Their official policy from:

    https://technet.microsoft.com/en-us/network/cc987595.aspx

    "IPv6 is a mandatory part of the Windows operating system"

    It is not optional. Microsoft will hurt you for disabling it, if they can. The guy that runs Microsoft now, John Thompson, has talked about taking legal action against businesses that disable IPv6, but hey you Microsoft fanboi moderators, don't let the facts get in the way of lying and calling people trolls that point out official written Microsoft policy.

  20. /. has gone full blown corporate by Anonymous Coward · · Score: 1

    It's sad to see how people that post the truth about Microsoft, and other large corporations, are buried as trolls. That post is 100% correct, and I have personally seen Microsoft go on the offensive against a customer that disabled it. This used to be a tech site instead of a corporate site. It's sad to see just how much this site has gone downhill.

  21. That's what you get... by TCM · · Score: 1

    That's what you get when offering VPN access must include proper client configs because users are clueless and want to be "secure" by hitting a button.

    I guarantee you that I could take the credentials of each and every one of these VPN offers, put them into my router and tunnel all my clients properly(!) without any leaks.

    It's not the VPN that is flawed, it's the CLIENT SETUP. For people with a clue, that's a distinction.

    --
    Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
  22. Hangout discussing IPv6 and DNS hijacking by Anonymous Coward · · Score: 0

    Join our G+ hangout discussing #IPv6 leakage and DNS hijacking in Commercial #VPN clients. - http://bit.ly/VPNhangout Also read our response concerning VyprVPN here - http://bit.ly/1RQOxe9

  23. i just cant hide it!!!! by Anonymous Coward · · Score: 0

    I can't wait for IPv6!!! I will finally be able to run 70000 servers on a single computer :3