Slashdot Mirror


Tunnelled IPv6 Attacks Bypass Network Intrusion Detection Systems (itnews.com.au)

"The transition to internet protocol version 6 has opened up a whole new range of threat vectors that allow attackers to set up undetectable communications channels across networks, researchers have found." Slashdot reader Bismillah summarizes a report from IT News. Researchers at NATO's Cooperative Cyber Defence Centre of Excellence and Estonia's University of Tallinn have worked out how to set up communications channels using IPv6 transition mechanisms, to exfiltrate data and for systems control over IPv4-only and dual-stack networks -- without being spotted by network intrusion detection systems.
The article argues that "Since IPv6 implementations and security solutions are relatively new and untested, and systems engineers aren't fully aware of them, the new protocol can become a network backdoor attackers can exploit undetected." The researchers' paper is titled "Hedgehog In The Fog."

113 comments

  1. this is not an ipv6 specific issue by Anonymous Coward · · Score: 5, Informative

    IPv6 is called out unfairly here. Any kind of tunnel is potentially not handled by an IDS.

    There's better ways to exfiltrate data. VPN anyone?

    1. Re:this is not an ipv6 specific issue by phayes · · Score: 4, Interesting

      VPNs aren't set up and enabled by default on Windows machines the way Teredo, 6to4 and ISATAP are.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
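The three mechanisms phayes names (Teredo, 6to4, ISATAP) all wrap IPv6 inside IPv4: 6to4 and ISATAP as IPv4 protocol 41, Teredo as UDP to port 3544. A sensor that only parses the outer IPv4 header sees an ordinary protocol-41 or UDP flow, which is the blind spot the summary at the top describes. The inspector below is an added example (not code from the thread, the IT News article or the "Hedgehog In The Fog" paper); it decodes the outer header, peels the encapsulation, and classifies the inner IPv6 addresses by transition prefix. The sample packets are constructed from documentation address ranges with zeroed checksums, and the Teredo inner address only carries a plausible 2001::/32 prefix, not a real server/port encoding; all function names are this example's own.

```python
import ipaddress
import struct

# Protocol numbers and prefixes used by the transition mechanisms named in the thread.
IPPROTO_UDP = 17
IPPROTO_IPV6 = 41                                   # 6in4 / 6to4 / ISATAP: IPv6 straight inside IPv4
TEREDO_PORT = 3544                                  # Teredo: IPv6 inside UDP (RFC 4380)
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")  # Teredo service prefix
SIXTOFOUR_PREFIX = ipaddress.IPv6Network("2002::/16")
ISATAP_IID_TAGS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # ISATAP IID ::[0|2]00:5efe:<IPv4>


def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header; checksum left at zero because these are constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def ipv6_header(src, dst, next_header, payload_len):
    """40-byte IPv6 header (version 6, no traffic class / flow label)."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def inspect_inner_ipv6(hdr):
    """Classify the addresses of an encapsulated IPv6 header by transition-mechanism prefix."""
    findings = []
    for role, a in (("src", ipaddress.IPv6Address(hdr[8:24])),
                    ("dst", ipaddress.IPv6Address(hdr[24:40]))):
        if a in SIXTOFOUR_PREFIX:
            embedded = ipaddress.IPv4Address(a.packed[2:6])      # 2002:<IPv4 in hex>::/48
            findings.append(f"inner {role} {a} is 6to4 (embeds IPv4 {embedded})")
        elif a in TEREDO_PREFIX:
            findings.append(f"inner {role} {a} is Teredo")
        elif a.packed[8:12] in ISATAP_IID_TAGS:
            embedded = ipaddress.IPv4Address(a.packed[12:16])    # last 32 bits of the IID
            findings.append(f"inner {role} {a} is ISATAP (embeds IPv4 {embedded})")
    return findings


def inspect_ipv4(packet):
    """Return findings for one raw IPv4 packet; an empty list means no tunnelled IPv6 was seen."""
    findings = []
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return findings
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src, dst = ipaddress.IPv4Address(packet[12:16]), ipaddress.IPv4Address(packet[16:20])
    payload = packet[ihl:]
    inner = None
    if proto == IPPROTO_IPV6:
        findings.append(f"protocol-41 encapsulation {src} -> {dst}")
        inner = payload
    elif proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            findings.append(f"UDP/{TEREDO_PORT} Teredo {src}:{sport} -> {dst}:{dport}")
            inner = payload[8:]
    if inner is not None and len(inner) >= 40 and inner[0] >> 4 == 6:
        findings.extend(inspect_inner_ipv6(inner))
    return findings


# Constructed sample traffic (documentation ranges); not captures from the paper or the thread.
SAMPLES = {
    "6to4": ipv4_header("192.0.2.10", "203.0.113.1", IPPROTO_IPV6, 40)
            + ipv6_header("2002:c000:20a::1", "2001:db8::1", 59, 0),
    "teredo": ipv4_header("198.51.100.7", "203.0.113.5", IPPROTO_UDP, 48)
              + udp_header(54321, TEREDO_PORT, 40)
              + ipv6_header("2001:0:cb00:7105::1", "2001:db8::2", 59, 0),
    "isatap": ipv4_header("192.0.2.10", "192.0.2.1", IPPROTO_IPV6, 40)
              + ipv6_header("fe80::5efe:c000:20a", "fe80::5efe:c000:201", 59, 0),
    "plain_tcp": ipv4_header("192.0.2.10", "198.51.100.1", 6, 20) + b"\x00" * 20,
}


def scan(samples=SAMPLES):
    """Run the inspector over every sample and keep only the packets that produced findings."""
    hits = {}
    for name, pkt in samples.items():
        findings = inspect_ipv4(pkt)
        if findings:
            hits[name] = findings
    return hits


if __name__ == "__main__":
    for name, findings in scan().items():
        print(name)
        for line in findings:
            print("   ", line)
```

Protocol 41 and UDP/3544 are the minimum a monitoring rule needs; the embedded IPv4 address recovered from a 6to4 or ISATAP interface ID is worth logging because it should match the outer IPv4 source, and a mismatch is a cheap anomaly signal.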
    2. Re: this is not an ipv6 specific issue by Anonymous Coward · · Score: 1

      No. The point is that ipv6 is often not watched by IDS. In most cases because the admins didn't realize v6 was running and simply haven't configured it.

    3. Re: this is not an ipv6 specific issue by Highdude702 · · Score: 0, Offtopic

      Shitty admins use Shitty configurators on Shitty windows for Shitty protection.

    4. Re: this is not an ipv6 specific issue by Anonymous Coward · · Score: 0

      We just have all IPv6 blocked at the firewall and none of the switches internally are setup for IPv6

    5. Re: this is not an ipv6 specific issue by Anonymous Coward · · Score: 0

      I like a guy whose username lets you know in advance he is holding a crackpipe with the hand not on the keyboard. Good intro to reading a conversation the idiot is having with the voices in his head that somehow found itself as a reply to an unsuspecting comment.

      My question to you is - when you've taken too much of that autism medication, before you go on randomly typing stuff like this that is a conversation with yourself - does it make zero sense because the reply has nothing to do with the subject matter that you are replying to, which - to you the next day like it does for us?

    6. Re:this is not an ipv6 specific issue by Cramer · · Score: 1

      Perhaps. But the key here is that admins often are completely blind to IPv6 and various shit systems (and users) do to enable IPv6. (I'm looking right at you Microsoft!) VPNs? Sure. And many will block them.

    7. Re: this is not an ipv6 specific issue by Cramer · · Score: 1

      Switches operate at layer-2. They don't give a shit what layer-3's you run through your network. You may not be routing IPv6, but I can all but assure you IPv6 is present on the link. (if you have windows machines (newer than XP), you DO have v6 in your network.)

  2. give me a break. by nimbius · · Score: 0, Flamebait

    IPv6 transition mechanisms

    ipv6 has been around nearly a decade. any company that doesn't have a competent dual-stack implementation deserves what they get. that having been said the number of vendors that recoil in shock and horror when you ask if they can route, or even support ipv6 is amazing.

    Since IPv6 implementations and security solutions are relatively new and untested

    but this has been an issue that's unaddressed by the industry, not security pros. I can think of maybe five vendors I've declined because their ipv6 implementation was either partial, shitty, or non-existent. I decided on implementing OpenBSD instead and so far haven't found anything as robust.

    systems engineers aren't fully aware of them

    this happens when you have a baby-boomer tech employee who refuses to retire. you let him ride out his last days as a senior or manager while backfilling him with what you hope are more competent and open minds, but unless it's from the vendor that bought him steak and told him he was a real straight shooter, he's not going out of his lane to potentially fail at this point in his career, or learn something new.

    --
    Good people go to bed earlier.
    1. Re:give me a break. by Anonymous Coward · · Score: 2, Interesting

      this happens when you have a baby-boomer tech employee who refuses to retire. you let him ride out his last days as a senior or manager while backfilling him with what you hope are more competent and open minds, but unless it's from the vendor that bought him steak and told him he was a real straight shooter, he's not going out of his lane to potentially fail at this point in his career, or learn something new.

      That's nice, but we have newly graduated kids from top-tier schools coming in that couldn't tell you the first thing about ipv6. They know it exists, and that's about the extent of it.

    2. Re:give me a break. by Anonymous Coward · · Score: 0

      The problem isn't boomers as such, but rather the resistance to implement ipv6 in the first place because it removes the scarcity of addresses. Dealing in IP-addresses is big business, and nothing will happen wrt the established players unless they can come up with a scheme which lets them fleece you for IPv6 addresses as well.

    3. Re:give me a break. by Anonymous Coward · · Score: 1

      this happens when you have a baby-boomer tech employee who refuses to retire

      that happens when anybody is not much interested in exploring newer technologies; actually I'd put more trust in a network specialist baby boomer who still lives off the industry, and who experienced the multiple changes since the 70s.

    4. Re: give me a break. by Anonymous Coward · · Score: 0

      Depends on your definition of "working". I'm tired of having to work around broken systems that others consider "working". Most of my experiences are that "working" systems are systems that were designed to fail silently in undefined ways. "Out of sight, out of mind" and "Ignorance is bliss" come to mind.

    5. Re:give me a break. by sjames · · Score: 4, Interesting

      It goes well beyond the boomers. v6 has been around for TWENTY years and TFA is calling it "new". The kids coming out of school now seem to think of it as "new" as well. Even XP supports v6, just how new could it be? Before you cast too many stones at the boomers, remember you seem to have been asleep for 10 years yourself. By the time you noticed this v6 thing, I was running dual stack at home so I could get familiar with it.

      This from the same industry that gushes over every new application framework that offers no tangible benefits over the old framework and will probably be yesterday's news by the time an actual project can be completed. Where are all those much younger network guys pushing for a v6 initiative? For God's sake, Comcast beat them to v6!

    6. Re:give me a break. by myowntrueself · · Score: 3, Informative

      IPv6 transition mechanisms

      ipv6 has been around nearly a decade. any company that doesn't have a competent dual-stack implementation deserves what they get. that having been said the number of vendors that recoil in shock and horror when you ask if they can route, or even support ipv6 is amazing.

      The truly terrifying thing is the amount of otherwise competent and knowledgeable IT professionals who are utterly terrified of IPv6 and get elevated blood pressure whenever it's mentioned.

      There's a whole generation of IT pros who have come to believe that NAT is the solution to almost all of their security issues, have no use for port blocking firewalls or defense in depth. It wasn't that long ago that desktop workstations often had Internet routable IP addresses and you had to have actual firewalls on the front end and inside as well.

      Nowadays they run their webserver in an RFC1918 range and use DNAT to send the traffic into it, thinking this is more secure than having a firewall and, when they look at IPv6, they see this security blanket as being taken away from them and they retreat into their shells.

      --
      In the free world the media isn't government run; the government is media run.
    7. Re:give me a break. by myowntrueself · · Score: 2

      I have more than enough IPv4 addresses allocated to me and my servers. I don't need IPv6.

      Sorry the rest of you have to fight over IPs. I've got plenty (no you can't have them).

      Let me guess, you use DNAT extensively?

      --
      In the free world the media isn't government run; the government is media run.
    8. Re:give me a break. by johanw · · Score: 1

      I just deactivate IPv6 at all dual stack machines, that should fix this (and a lot more issues that the idiot who implemented IPv6 first instead of using it only if no IPv4 is available created).

    9. Re:give me a break. by Anonymous Coward · · Score: 0

      > ipv6 has been around nearly a decade.
      IPv6 has been around for 20 years.

    10. Re:give me a break. by johanw · · Score: 3, Funny

      I can use the entire 10.x.y.z range internally, that's more IPs than I'll ever need.

    11. Re:give me a break. by WaffleMonster · · Score: 2

      I have more than enough IPv4 addresses allocated to me and my servers. I don't need IPv6.

      Sorry the rest of you have to fight over IPs. I've got plenty (no you can't have them).

      It is great to hear you have enough IPv4 addresses. What happens when you want to communicate with someone who happens to be less fortunate?

      Speaking for myself restoring the Internet to a viable network of PEERs where everyone has the capability if desired to directly address everyone else is of utmost importance to countering the proliferation of centralized manure currently waging war against *my* Internet.

      IPv6 is well worth any initial hardship or annoyance. Even if everyone hides behind an SPI anyway the ability to trivially prime direct connections with a 1:1 map is an absolutely priceless capability by itself without getting to global costs of dealing with IPv4 scarcity or people being forced into CGN land.

      Takes two to Tango.

    12. Re:give me a break. by sjames · · Score: 2

      That's going to blow up in spectacular fashion as soon as v6 only sites start popping up that you or your employer care about (there are v6 only sites now, but mostly not targeted at English speakers).

    13. Re:give me a break. by Anonymous Coward · · Score: 0

      You'd do much better to ask that boomer why they don't like IPv6. Cisco is teaching it as part of their curriculum, but that's largely to push companies to buy new Cisco gear in order to keep themselves relevant in a world where they are, at this point in time, largely irrelevant.

      IPv6 has a storied history and has changed so much since the 90's it's basically a brand new Layer 3 protocol every 3 or 4 years. Microsoft and Google got on the standards board early and shoved EUI-64 addressing and pushed the "Kumbiyah we're all going to hold hands and give every machine anywhere a publicly routable address" madness because they wanted advertising dollars, and their government overlords wanted to rein in these hackers. All of that basically broke IPv6 so badly no vendor in their right mind would support it for any scalar enterprise network. The protocol is still, to this day, hostile to private addressing schemes. ISPs can run it and love it because instead of using Private IPV4 networks as the underlay network and public IPv4 networks as the overlay network, they can just use IPv6 as the overlay, which eliminates a lot of headaches. Everyone else is asking, how many refresh cycles of 5 and 6 figure networking gear will it take until the protocol is actually usable?

    14. Re:give me a break. by tommeke100 · · Score: 1

      Yep, learned about it in college in '98 and how it was going to be the next big thing and rolled out quickly. Took its time though but it's here to stay.

    15. Re:give me a break. by knorthern+knight · · Score: 1, Flamebait

      > Speaking for myself restoring the Internet to a viable network of PEERs where everyone has
      > the capability if desired to directly address everyone else is of utmost importance to countering
      > the proliferation of centralized manure currently waging war against *my* Internet.

      I have a paranoid iptables firewall. Having said that, DID (Defense In Depth) always helps. I don't have a complacent "it can't happen to me" attitude. I *WANT* a NAT'ing router between my home machines and the internet for an extra layer of protection.

      > IPv6 is well worth any initial hardship or annoyance. Even if everyone hides
      > behind an SPI anyway the ability to trivially prime direct connections with
      > a 1:1 map is an absolutely priceless capability by itself without getting to global
      > costs of dealing with IPv4 scarcity or people being forced into CGN land.

      I hope somebody comes out with a NAT'ing IPV6 ADSL router that NATs multiple machines behind it to one publicly visible address. It'll be worth it just to watch all those internet hippies' heads explode.

      --
      I'm not repeating myself
      I'm an X window user; I'm an ex-Windows user
    16. Re:give me a break. by WaffleMonster · · Score: 1

      I have a paranoid iptables firewall. Having said that, DID (Defense In Depth) always helps. I don't have a complacent "it can't happen to me" attitude. I *WANT* a NAT'ing router between my home machines and the internet for an extra layer of protection.

      1:many NAT is *LESS* secure than SPI. NAT requires added complexity to support ALGs, packet mangling and tolerance of ambiguous assumptions about application state.

    17. Re:give me a break. by Anonymous Coward · · Score: 0

      That's going to blow up in spectacular fashion as soon as v6 only sites start popping up that you or your employer care about

      That'll probably happen sometime around the Year of Linux on the Desktop, at this rate.

    18. Re:give me a break. by cstacy · · Score: 2

      this happens when you have a baby-boomer tech employee who refuses to retire. you let him ride out his last days as a senior or manager while backfilling him with what you hope are more competent and open minds.

      So, in your world, young people with no experience in deploying networking will use
      their "more competent and open minds" to do a job that older workers cannot,
      even though the older worker has been aware of IPv6 for nearly as long as the
      younger people have been alive. Because, you know, they are older.

      Fuck You, you ageist piece of shit.
      I hope someone sues your company into fucking oblivion.

    19. Re:give me a break. by Anonymous Coward · · Score: 0

      They already exist. I used to routinely log into a facility with many machines with only IPv6 access. They did have an IPv4 SSH login server, but it had a max of 16 connections which were used up almost all of the time (license issue, don't know why they didn't simply go for OpenSSH instead of a proprietary appliance)

    20. Re:give me a break. by Anonymous Coward · · Score: 0

      > Speaking for myself restoring the Internet to a viable network of PEERs where everyone has
      > the capability if desired to directly address everyone else is of utmost importance to countering
      > the proliferation of centralized manure currently waging war against *my* Internet.

      I have a paranoid iptables firewall. Having said that, DID (Defense In Depth) always helps. I don't have a complacent "it can't happen to me" attitude. I *WANT* a NAT'ing router between my home machines and the internet for an extra layer of protection.

      > IPv6 is well worth any initial hardship or annoyance. Even if everyone hides
      > behind an SPI anyway the ability to trivially prime direct connections with
      > a 1:1 map is an absolutely priceless capability by itself without getting to global
      > costs of dealing with IPv4 scarcity or people being forced into CGN land.

      I hope somebody comes out with a NAT'ing IPV6 ADSL router that NATs multiple machines behind it to one publicly visible address. It'll be worth it just to watch all those internet hippies' heads explode.

      Repeat after me: NAT is *not* a security mechanism. If you think it protects you, you are a fool.

    21. Re: give me a break. by Anonymous Coward · · Score: 0

      That is only arguable on a theoretical technical level at best and you KNOW it.

    22. Re: give me a break. by Anonymous Coward · · Score: 0

      I don't recall things necessitating one or the other? Wait... you mean we have to choose only one, NAT or SPI? SHIT!!! Everyone turn off your NAT before we break the space time continuum!

    23. Re: give me a break. by Anonymous Coward · · Score: 0

      Seems to me those baby boomers aren't the only ones making assumptions then, are they? Generalize much?

    24. Re:give me a break. by unixisc · · Score: 1

      XP actually didn't support IPv6 out of the box: that support had to be added later.

      Saying that IPv6 is 20 years old is misleading, given that only recently have enterprises accelerated their moves to this protocol, and also, a lot of changes happened in the IPv6 spec over that time (e.g. the deprecation of IPv4 compatible addresses).

    25. Re: give me a break. by unixisc · · Score: 1

      Just because something works doesn't mean that it scales. When you are unable to add any new boxes to the network, or when your ISP ultimately pulls IPv4 support due to the address shortage, the only thing that would be working perfectly would be your intranet - your 192.168 network

    26. Re:give me a break. by unixisc · · Score: 1

      Reading the summary, since the issue is regarding IPv6 packets that are undetected on an IPv4 network that's unaware of the protocol, it'll only make it easier for IPv6 to be a disguised carrier of attack vectors

    27. Re: give me a break. by Anonymous Coward · · Score: 0

      In Canada, Telus allows five IPv4 IPs for their 50Mbps service. For Shaw, I get two on a 150Mbps plan.

      No IPv6. Couldn't tell you when they'll have it, either.

      All my cheap VPS in Canada or US come with at least one IPv4 and only some with IPv6.

      I'm in no rush for IPv6. There's zero benefit and just more hassles.

    28. Re:give me a break. by marka63 · · Score: 1

      XP supported it out of the box. You had to enable it but the code was installed on the box when it was delivered.

      I've been writing and shipping applications that support IPv6 for nearly 20 years now. I've been using IPv6 from home for 15 years now.

      Work has been operating servers reachable by the public over IPv6 for longer still.

    29. Re:give me a break. by simpz · · Score: 1

      Amazingly one reason some people are looking at IPv6 is that they are out of private IPv4 addresses in their CGN (carrier grade NAT) setups. Apparently mobile phone companies are hitting this.

    30. Re:give me a break. by grimr · · Score: 1

      I hope the idea of IPV6 NAT gets taken out back and shot. NAT has been the single most pain in the ass thing to network gaming since forever.

      I don't know how much time I've wasted trying to troubleshoot why certain people can't connect to our gaming session. Most of the time it's because of NAT. And when they can connect to the game, the audio chat doesn't work still. Grrrrrr.

      Then there's people who have multiple consoles and want to play the same game together online. One of them can and the other can't because the ports are taken.

      IPV6 will get rid of all that crap but not if people use NAT or are forced to use NAT by their ISP.

      The only thing NAT gives you on IPV6 is protection if you disable the deny inbound for all machines rule. All that router manufacturers have to do is make sure that can't be disabled on a consumer device. Only UPnP and inbound rules for static IP hosts would then be the way to allow inbound, just like with IPV4+NAT.

    31. Re:give me a break. by Anonymous Coward · · Score: 0

      Most Carrier Grade NAT is in the 100.64.0.0/10 IP range (to avoid conflicts with users of 10.0.0.0/8 or 192.168.0.0/16, for example for a LAN NAT). These are only 4 million addresses in the best case, which a large ISP or mobile provider can easily use up.

    32. Re:give me a break. by sjames · · Score: 1

      Actually, it did. It wasn't configured out of the box until SP2 or 3 but you could configure it if you wanted from day 1. The protocol driver was on the install disk.

      V4 has changed as much as v6 has over the years. For example, source routing and source quench went away. Congestion control has changed a good bit.

      The fact that enterprises have only recently gotten interested in v6 just means they were asleep at the switch for a long time. They jumped on every flavor of the month they could find while ignoring the one thing that was nearly certain to be around for the long haul.

    33. Re:give me a break. by sjames · · Score: 1

      Any security NAT can give you can easily be implemented in v6 with a few simple rules.

    34. Re:give me a break. by sexconker · · Score: 1

      Nope. No NAT. Real, public IPv4 IPs. Yes, the allocation is unfair.

      I have returned a bunch of IPs (some /24s and some /26s or something) to the organization's pool (which is much larger than /24) as we've consolidated some things, but as far as I know there's no chance of those IPs going back to public use as far as I know. In the grand scheme of things, a few hundred IPs for public allocation won't help much. Now, IBM on the other hand, with its /8 assignment...

    35. Re:give me a break. by sexconker · · Score: 1

      > Speaking for myself restoring the Internet to a viable network of PEERs where everyone has
      > the capability if desired to directly address everyone else is of utmost importance to countering
      > the proliferation of centralized manure currently waging war against *my* Internet.

      I have a paranoid iptables firewall. Having said that, DID (Defense In Depth) always helps. I don't have a complacent "it can't happen to me" attitude. I *WANT* a NAT'ing router between my home machines and the internet for an extra layer of protection.

      > IPv6 is well worth any initial hardship or annoyance. Even if everyone hides
      > behind an SPI anyway the ability to trivially prime direct connections with
      > a 1:1 map is an absolutely priceless capability by itself without getting to global
      > costs of dealing with IPv4 scarcity or people being forced into CGN land.

      I hope somebody comes out with a NAT'ing IPV6 ADSL router that NATs multiple machines behind it to one publicly visible address. It'll be worth it just to watch all those internet hippies' heads explode.

      Repeat after me: NAT is *not* a security mechanism. If you think it protects you, you are a fool.

      NAT is not a security mechanism, but it provides useful security by preventing hosts from having publicly routable IPs when they simply don't need them.

      It's an additional layer on top of a firewall which may or may not actually be configured properly (or actually work). Think of the tens of millions of home users who have a crappy modem/router combo device managed by their ISP.

    36. Re:give me a break. by grimr · · Score: 1

      Useful security? How many times have you seen "just put it in the DMZ" as a solution to many connectivity issues NAT causes? There goes their supposed security.

    37. Re:give me a break. by sr180 · · Score: 1

      If all the unused /8's were returned, that would get us a few more months at most.

      --
      In Soviet Russia the insensitive clod is YOU!
    38. Re: give me a break. by Anonymous Coward · · Score: 0

      Correct. At the national cellphone carrier where I work, if you're on Android you're forced v6 only, with iOS 10 devices coming soon.

    39. Re: give me a break. by Anonymous Coward · · Score: 0

      But that's the point.

      "Your ISP" will never pull IPv4. To them, IPv6 is worse than a cost, it's a double cost. It costs money to implement, and it hurts the big business of dealing with routable ipv4 addresses. Instead, be prepared to see a lot more of balkanization and NAT:ing of the Internet, because that's the way there is money and power.

      Possibly one day we'll get IPv6, but not until the powers that be are actually forced to use it, and not until they can monetize it too.

    40. Re: give me a break. by Anonymous Coward · · Score: 0

      I haven't seen that response in 10 years due to upnp and port forwarding being implemented in every home router.
      If you keep reading that, get new friends.

    41. Re:give me a break. by Anonymous Coward · · Score: 0

      Why have the complexity of IPv6 unless you have to have it?

      1: IPv6 allows an intruder to get your entire network topology in a heartbeat. IPv4 may rely on NAT, but if you are looking at my 10.0.0.x network, you have no clue if that is a real network, a DMZ, or a honeypot. With IPv6, you can figure out where everything is in a heartbeat.

      2: IPv6 is still untested. We have yet to see IPv6 stacks hardened against the likes of future land, teardrop, ping of death, etc. stuff.

      3: You can't use NAT to protect stuff. If you know a device's address, you can attack it at will.

      4: No built in encryption.

      5: Support by ISPs is still half-assed.

      6: IPv6 causes weird errors. I've wound up disabling IPv6 to solve printing problems.

      If you have to have it, that is one thing. Otherwise, I just block it at the firewall. It is one less way someone can get in.

    42. Re:give me a break. by Anonymous Coward · · Score: 0

      100.64 is public, routable. Were you thinking of 10.64?

    43. Re:give me a break. by Anonymous Coward · · Score: 0

      I hope somebody comes out with a NAT'ing IPV6 ADSL router that NATs multiple machines behind it to one publicly visible address. It'll be worth it just to watch all those internet hippies' heads explode.

      Why can't you then simply use IPv6's Network Prefix Translation? It does the conversion of a routable to a unique local address (fd00::/8), but still maintains a 1:1 relation, making no changes in the host address/interface ID. It achieves your objective of an added layer of security, and what's more, it's the only endorsed IETF mechanism (forgetting the RFC# at the moment, and not in the mood to look it up) for IPv6 NAT for cases where it's really needed, like in load balancing, avoiding reconfiguring networks when ISPs change, and so on.

    44. Re:give me a break. by Anonymous Coward · · Score: 0

      But the IETF did create a standard for IPv6 NAT, unlike in IPv4, where it left it to the market. That is called Network Prefix Translation. There are times it is useful, like load balancing, creating an interface between an intranet and the rest of the internet, and isolating an organization's internal network topology. That way, organizations that need NAT can use NPT, and those that don't, like yours, can work with pure end to end communications like they did before NAT was around

    45. Re: give me a break. by Anonymous Coward · · Score: 0

      Sure they will. How many Novell Netware networks are still around today? Same thing will happen with IPv4 once IPv6 becomes the default norm: at a future point in time, IPv4 will be eliminated as it will then be a malware attack vector, as opposed to IPv6 in this story.

    46. Re: give me a break. by grimr · · Score: 1

      What does me reading something on the internet have to do with my friends???

      That was more of a rhetorical question. I was hoping you had seen it. Regardless, the advice is out there and it's being put to use. The routers have that feature and their websites have the instructions on how to use it. I have seen it recommended when upnp and port forwarding fail to work for whatever reason. I've had upnp stop working mysteriously many times.

      But that doesn't matter. It's a very common built in feature that will completely bypass the supposed protection from NAT and every other firewall protection feature of the router.

      My point is that NAT doesn't give any more protection than the firewall does. And the DMZ is the easiest way to bypass both of them. So NAT doesn't protect the user from themselves.

      Right now the DMZ can only have one device in it. That's mainly because people only have one external IPv4 address. No such restriction with IPv6 when end users can get /64s. And end users tend to take the path of least resistance. "My skype, game, whatever doesn't work", "DMZ the computer!"

    47. Re:give me a break. by grimr · · Score: 1

      NPT is 1:1 which doesn't have all but one of the issues that 1:many NAT has. There's no port rewriting, no stateful packet inspection, etc. The only issue is if the internal host needs to tell an external host its IP address. Incoming using DNS would have no issues.

      NPT does not block incoming connections like regular NAT does. This is because 1:many NAT has no idea where to send incoming without an explicit rule. NPT which is 1:1 does know where to send incoming connections because each external IP is routed to the appropriate internal IP.

      So you still need a firewall with NPT.

    48. Re:give me a break. by Anonymous Coward · · Score: 0

      From what I understand, NPT was never intended to get rid of any firewall: it was just put in place to provide the advantages that NAT has, such as provider independent addresses, load balancing. So just like one should continue to have their firewall set up under IPv6, regardless of whether they're using public or unique local addresses. Even if an external entity knew the public IPv6 address of a node, such as 2001:db8:dead:beef::face, an enabled firewall at the router point should be able to drop any packets from that node.
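grimr's comment and the one above it make the same point from two sides: NPTv6 (RFC 6296) is a stateless 1:1 prefix rewrite, so there is nothing it "doesn't know" about an unsolicited inbound packet, and the firewall has to be a separate thing. The model below is an added example, not code from the thread or from the RFC. It implements the /48-to-/48 case with a checksum-neutral adjustment in the style of RFC 6296 (the difference between the two prefix sums is folded into word 3, the subnet ID, so the interface ID and all transport checksums stay untouched), then shows an inbound packet that was never preceded by an outbound one mapping straight to an inside host unless a policy function drops it. The addresses, the `NPTv6` and `forward_inbound` names, and the decision to reject a subnet ID of 0xffff instead of mapping it are this example's assumptions; consult the RFC for the exact one's-complement rules.

```python
import ipaddress

MOD = 0xFFFF  # one's-complement arithmetic on 16-bit words is arithmetic modulo 0xFFFF


def words(addr):
    """Split a 128-bit IPv6 address into its eight 16-bit words."""
    p = addr.packed
    return [(p[i] << 8) | p[i + 1] for i in range(0, 16, 2)]


def from_words(ws):
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in ws))


def checksum_word(ws):
    """One's-complement sum of 16-bit words, with the negative zero 0xFFFF normalised to 0."""
    return sum(ws) % MOD


class NPTv6:
    """Stateless 1:1 translation between an inside /48 and an outside /48.

    Only the three prefix words and word 3 (the subnet ID) change; the 64-bit interface
    ID is copied through. Word 3 absorbs the difference between the two prefix sums so
    that every pseudo-header checksum (TCP, UDP, ICMPv6) remains valid without the
    translator reading or rewriting transport headers.
    """

    def __init__(self, inside, outside):
        self.inside = ipaddress.IPv6Network(inside)
        self.outside = ipaddress.IPv6Network(outside)
        if self.inside.prefixlen != 48 or self.outside.prefixlen != 48:
            raise ValueError("this example handles /48 <-> /48 only")
        self.in_w = words(self.inside.network_address)[:3]
        self.out_w = words(self.outside.network_address)[:3]
        # Constant per prefix pair: computed once, applied to every packet in that direction.
        self.adjust_out = (checksum_word(self.in_w) - checksum_word(self.out_w)) % MOD
        self.adjust_in = (-self.adjust_out) % MOD

    def _rewrite(self, addr, prefix_words, adjust):
        w = words(addr)
        if w[3] == 0xFFFF:
            # Assumption of this example: 0xFFFF and 0x0000 are the same one's-complement
            # value, so such a subnet ID could not be mapped back exactly; reject it.
            raise ValueError("subnet ID 0xffff is not supported by this example")
        w[0:3] = prefix_words
        w[3] = (w[3] + adjust) % MOD
        return from_words(w)

    def outbound(self, addr):
        """Inside -> outside, for packets leaving the site."""
        addr = ipaddress.IPv6Address(addr)
        if addr not in self.inside:
            raise ValueError(f"{addr} is not an inside address")
        return self._rewrite(addr, self.out_w, self.adjust_out)

    def inbound(self, addr):
        """Outside -> inside. No table lookup: every outside address maps, state or no state."""
        addr = ipaddress.IPv6Address(addr)
        if addr not in self.outside:
            raise ValueError(f"{addr} is not an outside address")
        return self._rewrite(addr, self.in_w, self.adjust_in)


def is_checksum_neutral(npt, inside_addr):
    """True when the one's-complement sum of the address is unchanged by translation."""
    a = ipaddress.IPv6Address(inside_addr)
    return checksum_word(words(a)) == checksum_word(words(npt.outbound(a)))


def forward_inbound(npt, dst, dport, policy):
    """Model of an NPTv6 edge box: translation itself never blocks; only `policy` can.

    Returns the inside address the packet is delivered to, or None if the policy drops it.
    """
    inside_dst = npt.inbound(dst)
    return inside_dst if policy(inside_dst, dport) else None


# Constructed addresses (ULA inside, documentation prefix outside); not from the thread.
NPT = NPTv6("fd00:1234:5678::/48", "2001:db8:1::/48")
INSIDE_HOST = "fd00:1234:5678:1::10"


def only_https(inside_addr, dport):
    """Stand-in for the firewall rule set: the one place inbound traffic actually gets dropped."""
    return dport == 443


def demo():
    outside = NPT.outbound(INSIDE_HOST)
    return {
        "outside": str(outside),
        "round_trip": str(NPT.inbound(outside)),
        "checksum_neutral": is_checksum_neutral(NPT, INSIDE_HOST),
        # Neither of these packets was preceded by an outbound one; the translator forwards
        # both, and only the policy function separates them.
        "unsolicited_ssh": forward_inbound(NPT, outside, 22, only_https),
        "unsolicited_https": str(forward_inbound(NPT, outside, 443, only_https)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The subnet-word shift is the visible consequence of checksum neutrality: fd00:1234:5678:1::10 leaves the site as 2001:db8:1:37f4::10, not 2001:db8:1:1::10, which is also why an inside host that tells a peer its own address (the one case grimr flags) needs the translated form.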

    49. Re:give me a break. by Anonymous Coward · · Score: 0

      this article is 5 years late.

    50. Re:give me a break. by Dagger2 · · Score: 1

      No.

    51. Re:give me a break. by Dagger2 · · Score: 1

      This is because 1:many NAT has no idea where to send incoming without an explicit rule.

      A lot of people think this, but it's not true. Your router knows perfectly well where to send the packet, because the packet has a dest address field in the header that tells it where to send it.

      Now, it is true that if your network is using RFC1918 addresses (which I note isn't actually a requirement for NAT) then it's quite hard to send your router a packet with one of those addresses in the dest field... but your ISP could do it easily, and of course so could anybody else in a position to twist your ISP's arm until they cooperate. If they do, your router will happily route those packets on to their destination, unless you also have a firewall in place that drops them.

      In other words: if you want a firewall, you need a firewall. NAT is no substitute.

    52. Re:give me a break. by Cramer · · Score: 1
    53. Re:give me a break. by Cramer · · Score: 1

      XP has an IPv6 stack, but I wouldn't go so far as to say it "supports v6". It only supports SLAAC. (pinning a static address is a pain in the ass, and doesn't always survive a reboot) There is zero GUI integration for managing it. The OS will not use it for its own internal processes (namely DNS.) And Microsoft has never officially supported it.

      It's also so hopelessly out-of-date, it only barely works. Very little of what is considered IPv6 today is supported.

    54. Re:give me a break. by Cramer · · Score: 1

      "every flavor"? You mean NAT? Shit we've all been using since the mid-90s? ISPs have been grasping at straws because they can't get any more v4 addresses, and still have to connect a growing number of users to the v4 internet. (and develop v6 CPE hardware and infrastructure, AND still get the v6 only connected to the v4 internet.) And their answer has been NAT as well; just on a scale beyond reason.

    55. Re:give me a break. by Cramer · · Score: 1

      Those professionals hate it because it's a constantly moving target. If IPv6 were one thing to implement, ONCE, they'd've done it long ago. However, that's not the case. Even today, it's a constantly changing ball of shit.

      IPv6 is a different way to doing things. NAT does involve a "firewall" -- 'tho it's unlikely to be watching traffic with an eye to security. With IPv6, security is not automatic; firewall rules have to be manually crafted.

    56. Re:give me a break. by Cramer · · Score: 1

      Don't blame M$ and Google for what was a basic, founding tenet of IPv6... "None of this bullshit NAT!" And from a second chair in the room, "yeah, and none of this G** D*** DHCP!" By the time we get around the room, IPSec (think all of OpenSSL) had been glued into the protocol. Many hard lessons completely unlearned -- SLAAC, RA's, multicast DNS, etc.

      If you want something to blame on Google, ask them why Android doesn't support DHCPv6.

      [On the subject of SLAAC: this wasn't such a bad idea on the surface. However, the types of limited machines SLAAC specifically called out were *NEVER* going to be able to run anything close to a standards compliant IPv6 stack. It's a very stupid optimization once all the other designed-by-committee bullshit was stapled together. And worse, to date it has simply cemented the completely anti-IPv6 mindset of 64/64 network/host divide. So much so, that Stupid(tm) has been built into silicon!]

    57. Re:give me a break. by Cramer · · Score: 1

      #1 - Wrong. This is often trotted out, but an outsider cannot find every machine on your network with just the prefix or a single address. Once inside your network (compromised host), it's possible, but far from dirt simple.
      #2 - It's as tested as anything else.
      #3 - True, but you can attack anything that has a NAT map as well. And this is partially why privacy extensions exist (your address changes regularly)
      #4 - Wrong. This was a basic requirement of early IPv6 standards. It's now "optional", but present in many stacks.
      #5 - I'd say it's "full assed" by the few ISPs that bother to offer it at all.

    58. Re:give me a break. by grimr · · Score: 1

      You are correct. I was referring to NAT + RFC1918 when I said that it doesn't know where to send incoming packets (originally sent to the public IP). That's the mechanism that creates the pseudo security of NAT.

      As you said, using routable addresses on the inside does not trigger this. Without a firewall they can go direct. Same with NTP and routable addresses on the inside.

      Yes, ISPs can send to you using RFC1918. If you're using a tunnel broker for IPv6 that can be intercepted without ISP help and IPv4 injected that way (6to4, IPv4 compatible addresses, IPv4 mapped addresses). I have my firewall blocking all those.

      I agree, NAT is not a substitute for a firewall. NAT is also a waste of resources and causes problems when used with routable addresses behind a firewall. People keep saying that it protects you if your firewall is misconfigured. There are so many ways to get around NAT when the firewall is broken that it's a naive view to have.

    59. Re:give me a break. by sjames · · Score: 1

      I mean every flavor of everything. CASE tools, XML, CORBA, Ruby on Rails, Java, a zillion management fads, you name it, as soon as some exec read about it while waiting for tee time, it became a must have. Except for IPv6 apparently.

      But I agree the extremes they're going to to avoid just going with v6 are silly at the least. Personally, I would love to just go with v6 so I can get enough addresses allocated without submitting my last colonoscopy and the opinions of 3 or more fortune tellers, but it's just not a great option if nobody can reach it.

    60. Re:give me a break. by sjames · · Score: 1

      Consider, XP itself is hopelessly out of date and unsupported. Since XP was for workstations (not servers) SLAAC made plenty of sense (and it still does).

      Notably, if v6 was enabled and it didn't get a router announcement, it would auto-configure Teredo.

      Basically, it worked well enough to meaningfully operate in a dual stack environment. It would not work in a v6 only environment.

      So no excuses there, the capability existed.

  3. First thing I change on Win devices I use by phayes · · Score: 4, Informative

    netsh interface teredo set state disabled
    netsh interface isatap set state disabled
    netsh interface 6to4 set state disabled

    These IPV6 tunnels are use than useless in my experience.

    Windows Homegroup depends on IPV6 being present & some other users of the machines I use find it useful so it can't be disabled as well all the time but at least it's not trying to tunnel out. When (though it's still rare), the network has IPV6 connectivity it also has IPV6 firewalls so it's less of an issue as well.

    --
    Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    1. Re: First thing I change on Win devices I use by Anonymous Coward · · Score: 1

      When ipv6 on my router is set to disabled, is it blocked?

    2. Re: First thing I change on Win devices I use by Anonymous Coward · · Score: 0

      As long as your router is the default gateway for all devices on your LAN, sure. (More specifically: that you don't have any other network configuration setups on your LAN systems that have alternate ways of shoving packets out the network. An example would be a VPN client on a LAN machine, through some VPN provider)

    3. Re: First thing I change on Win devices I use by Anonymous Coward · · Score: 0

      Depends on the router. If it just switches off IPv6 routing, then no.

    4. Re: First thing I change on Win devices I use by phayes · · Score: 4, Informative

      Turning off IPV6 in your router will turn off native IPV6 routing but that's not the issue here. The problem is that Windows in particular sets up three different means of tunnelling IPV6 in IPV4. Turning off IPV6 in your router will do nothing for these and you need to turn off Teredo, 6to4 and Isatap on every windows machine.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    5. Re:First thing I change on Win devices I use by myowntrueself · · Score: 1

      netsh interface teredo set state disabled
      netsh interface isatap set state disabled
      netsh interface 6to4 set state disabled

      These IPV6 tunnels are use than useless in my experience.

      Windows Homegroup depends on IPV6 being present & some other users of the machines I use find it useful so it can't be disabled as well all the time but at least it's not trying to tunnel out. When (though it's still rare), the network has IPV6 connectivity it also has IPV6 firewalls so it's less of an issue as well.

      At least you didn't advise disabling IPv6 completely, which isn't even a supported configuration any more (in Microsoft products).

      --
      In the free world the media isn't government run; the government is media run.
    6. Re:First thing I change on Win devices I use by phayes · · Score: 2

      When IPV6 is configured on a Windows machine and it is getting & attempting to use AAAA DNS records, resulting in 30 second timeouts, that's when I disable IPV6: http://blogs.cisco.com/enterpr...

      Yeah, it's the client's network that "should" be fixed, but I've given up at tilting at windmills. I'll just tell them that their IPV6 is messed up, disable IPV6 on the server with the issues getting rid of the timeouts and move on.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    7. Re:First thing I change on Win devices I use by Anonymous Coward · · Score: 0

      Funny on my W7-64 pro sp1 (fully updated) I don't have the 6to4 at all, there's nothing. Teredo and isatap I've disabled. Any idea why I wouldn't have 6to4?

    8. Re:First thing I change on Win devices I use by myowntrueself · · Score: 1

      When IPV6 is configured on a Windows machine and it is getting & attempting to use AAAA DNS records, resulting in 30 second timeouts, that's when I disable IPV6: http://blogs.cisco.com/enterpr...

      Yeah, it's the client's network that "should" be fixed, but I've given up at tilting at windmills. I'll just tell them that their IPV6 is messed up, disable IPV6 on the server with the issues getting rid of the timeouts and move on.

      That's using a sledgehammer to crack a nut. You don't need to disable IPv6 to do that.

      --
      In the free world the media isn't government run; the government is media run.
    9. Re:First thing I change on Win devices I use by Cramer · · Score: 1

      Until you reboot. Or install virtually anything from Microsoft. (read: they won't STAY turned off.)

    10. Re: First thing I change on Win devices I use by Cramer · · Score: 1

      In a word, NO! In fact, it will cause windows to fall back to using teredo, etc. to fake IPv6 connectivity. One must take active measures to block that shit from the network. Turning off those interfaces within windows will *NOT* keep them turned off.

    11. Re:First thing I change on Win devices I use by phayes · · Score: 1

      I don't know what's wrong with your installations but around here, interfaces disabled using netsh do not get enabled through a mere reboot.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    12. Re:First thing I change on Win devices I use by phayes · · Score: 1

      Given that I couldn't care less about homegroup and it's the only thing that I see that breaks when IPV6 is disabled & "netsh interface ipv6 set state disabled" takes 5 seconds, it's an itty bitty teeny tiny sledgehammer. MS can state that it's an unsupported config but why should I care (presently)? If IPV6 becomes necessary in the future for things I need, I'll change my habits but so far? Meh...

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    13. Re:First thing I change on Win devices I use by phayes · · Score: 1

      You'd have to ask someone who pretends to understand why MS adds multiple IPV6 tunneling adapters without ever asking if they might be useful. That certainly isn't me.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    14. Re:First thing I change on Win devices I use by myowntrueself · · Score: 1

      Given that I couldn't care less about homegroup and it's the only thing that I see that breaks when IPV6 is disabled & "netsh interface ipv6 set state disabled" takes 5 seconds, it's an itty bitty teeny tiny sledgehammer. MS can state that it's an unsupported config but why should I care (presently)? If IPV6 becomes necessary in the future for things I need, I'll change my habits but so far? Meh...

      It isn't a supported configuration. Microsoft do not test with IPv6 disabled. If you disable it you are on your own, in uncharted territory, with pretty much only blogs to guide you.

      Good luck.

      --
      In the free world the media isn't government run; the government is media run.
    15. Re:First thing I change on Win devices I use by phayes · · Score: 1

      Oh gee, no IPV6, only IPV4, what _ever_ will we do? IPV4 only hosts are _such_ a mystery!!!

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    16. Re:First thing I change on Win devices I use by myowntrueself · · Score: 1

      Oh gee, no IPV6, only IPV4, what _ever_ will we do? IPV4 only hosts are _such_ a mystery!!!

      In this case it is a mystery because the configuration has not been tested by the vendor. It's not that the system needs IPv6 connectivity to the Internet, that's completely different. It's that some applications expect to find a functional IPv6 stack and may react unpredictably if it isn't present. That's what testing would be for. If the applications and OS were tested in the presence of a disabled IPv6 stack you'd be dead right. But it isn't. So you don't really know how it's going to fuck up until YOU test it yourself.

      Like I said, good luck. But don't be surprised if things break.

      --
      In the free world the media isn't government run; the government is media run.
    17. Re:First thing I change on Win devices I use by phayes · · Score: 1

      I've never seen an app (other than homegroup) that _needs_ IPV6 so like I said earlier, not having it is no loss and can quickly clear up some problems.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
  4. somebody discovered 6in4? by Anonymous Coward · · Score: 0

    Er, my ISP provides a 6RD tunnel. Wasn't Hurricane Electric one of the first to do this???

    I mean, WTF. What kind of complete idiot would think that tunneling IPv6 in IPv4 is unpossible or that it's much different from an IPv4 over IPv4 tunnel?

    Oh I know, the kind of complete idiot who develops Apping Apps! (Apps!) and thinks that a reverse HTTP proxy to prove that its web service isn't working correctly is unpossible.

    How can we throw these idiots out of the profession?

    1. Re: somebody discovered 6in4? by Anonymous Coward · · Score: 0

      The apping app appers apps! crowd is probably there because of the market of idiots who blindly continue to purchase said apps. This Charlie Sheen coke snorting insanity seems more of a systemic issue than the folks exploiting developing/selling the snakeoil software to mindless buffoons that think it provides a solution to a problem they don't even understand in the first place, -ones that might actually be fixed by, and wait for it, an actual Luddite (but not in the literal sense). Ah, the forbidden word around here.

  5. But where is the rush? by Midnight+Thunder · · Score: 1

    I wonder how much of this is from win to denying that IPv6 is coming and not doing the homework and proper security analysis?

    --
    Jumpstart the tartan drive.
    1. Re: But where is the rush? by Anonymous Coward · · Score: 0

      Please proofread. I don't know what the fuck you meant to say.

    2. Re:But where is the rush? by rtb61 · · Score: 1

      None of this makes sense, every indication is that NATO (North American Territorial Occupation farce), along with the CIA and NSA (to be fair the entire global spy vs spy apparatus), will hide any hacks they find so that they can use them even when organised crime already has them. Is this a subtle attack on IPV6 to keep people on IPV4 for as long as possible because they have completely hacked IPV4? Also IPV6 represents a nearly figurative infinite number of disposable IP addresses, allowing people to use each address only once, basically changing it every time they turn their computer on and rotating MAC addresses.

      NATO and crew are more into getting a IP and MAC address permanently implanted into your skull, that you can never get rid of and that they can read where ever and when ever they want. For them a figurative near infinite number IPV6 addresses along with rotating MAC addresses pretty much sucks. Now honestly, really truly honestly, if they could get away with skull implanted remote identifiers, do you think they would say no or yes and in fact given the opportunity do you think they would demand and enforce it, say at birth for the safety of the children and of course good enough for children good enough for adults.

      --
      Chaos - everything, everywhere, everywhen
    3. Re: But where is the rush? by Midnight+Thunder · · Score: 1

      Uh, heck. Typing on a phone with auto-corrupt :(

      Corrected English:

      I wonder how much of this is from tech teams denying that IPv6 is coming and not doing the homework and proper security analysis? For example, I have observed tech teams who didn't want anything to do with IPv6 and then ended up having systems that were kinda talking IPv6, but under the radar. No IPv6 firewalls and not even specifically deactivating IPv6 link-local on devices.

      --
      Jumpstart the tartan drive.
    4. Re:But where is the rush? by Anonymous Coward · · Score: 0

      You should stop using "figurative" that way. It makes you look like you were home-schooled by somebody who didn't understand an English textbook.

  6. Re:Boomer's created IPv6 by Anonymous Coward · · Score: 0

    nobody can understand everything

    "Understand" is a relative term. Most people who "understand" a problem really just have many years of experience making mistakes and have associated certain actions to get something seemingly working, aka cargo-cult. In nearly every situation where I got to meet a domain specialist, a quick 5 minute reading on the domain from wiki and talking to the specialist for a day or two allowed me to understand the domain better than the specialist. Logical problems can be solved 100% by logic, no knowledge or experience required.

    Fluid intelligence is the general ability to think abstractly, reason, identify patterns, solve problems, and discern relationships

    Fluid intelligence or fluid reasoning is the capacity to reason and solve novel problems, independent of any knowledge from the past

    Once you understand the problem, the answer is obvious. Find someone with decent abstract reasoning and "understanding everything" becomes a reality.

  7. Microsoft must stop by WaffleMonster · · Score: 2

    Automatic transition mechanisms are beyond useless in today's dual stack world. They are not now nor will they ever be sufficiently reliable for production use and therefore universally ignored for purposes other than owning end users. Microsoft themselves shut down their own teredo servers for the stated reason of non-existent demand.

    The only thing continuing to have teredo, isatap and 6to4 enabled by default on billions of machines does is help end users get owned.

  8. New internet? by CaptainDork · · Score: 1

    Can I put this to use to clone a mesh network for private communications?

    --
    It little behooves the best of us to comment on the rest of us.
  9. It affects IPV4-only machines too by knorthern+knight · · Score: 2

    > I just deactivate IPv6 at all dual stack machines, that should fix this...

    Wrong. If your ISP doesn't support IPV6, you can still get IPV6 via a "tunnel broker". Packets get tunnelled over an encrypted connection to IPV6-land. I know this is Slashdot, but please RTFA https://www.itnews.com.au/news...

    > The researchers developed proofs of concept with tunnel-based IPv6 transition tools over
    > IPv4-only, or IPv4/IPv6 dual-stack networks, that were able to pass traffic undetected by
    > common network intrusion detection systems (NIDS) such as Snort, Suricata, Bro and Moloch.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user
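The quoted article says the tunnelled traffic slipped past Snort, Suricata, Bro and Moloch, and grimr's comment above (#58 in the "give me a break" thread) lists what a firewall should be blocking: 6to4, IPv4-compatible and IPv4-mapped addresses. The following is an added example, not code from the researchers or from any poster here, showing the checks a defender would put in a capture-inspection script: flag IPv4 packets carrying protocol 41 (6in4, which is what 6to4 and ISATAP use), IPv6 inside UDP/3544 (Teredo), and any IPv6 address, native or tunnelled, that falls in a transition range. The sample packets are constructed inline from documentation addresses (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32), and the Teredo parser only handles the plain case with no origin or authentication indicator in front of the inner IPv6 header.

```python
"""Flag IPv6 transition-mechanism traffic in raw IPv4/IPv6 packets (added example).

Detects protocol-41 encapsulation (6in4/6to4/ISATAP), Teredo (IPv6 over UDP/3544),
and addresses from transition ranges: 6to4 2002::/16, Teredo 2001::/32,
IPv4-mapped ::ffff:0:0/96, deprecated IPv4-compatible ::/96, and ISATAP
interface identifiers (::0:5efe:w.x.y.z / ::200:5efe:w.x.y.z).
"""
import ipaddress
import struct

IPPROTO_UDP = 17
IPPROTO_IPV6 = 41   # IPv6-in-IPv4 ("6in4"): used by 6to4, ISATAP and manual tunnels
TEREDO_PORT = 3544  # Teredo server/client UDP port

ADDRESS_RANGES = {
    "6to4": ipaddress.IPv6Network("2002::/16"),
    "teredo": ipaddress.IPv6Network("2001::/32"),
    "ipv4-mapped": ipaddress.IPv6Network("::ffff:0:0/96"),
    "ipv4-compatible": ipaddress.IPv6Network("::/96"),
}


def parse_ipv4(pkt: bytes):
    """Return (proto, src, dst, payload) for an IPv4 packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    return (pkt[9], ipaddress.IPv4Address(pkt[12:16]),
            ipaddress.IPv4Address(pkt[16:20]), pkt[ihl:])


def parse_ipv6(pkt: bytes):
    """Return (next_header, src, dst, payload) for an IPv6 packet, else None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    return (pkt[6], ipaddress.IPv6Address(pkt[8:24]),
            ipaddress.IPv6Address(pkt[24:40]), pkt[40:])


def is_isatap(addr: ipaddress.IPv6Address) -> bool:
    """ISATAP interface ID is 0000:5EFE:w.x.y.z (or 0200:5EFE with the u/l bit set)."""
    words = struct.unpack("!8H", addr.packed)
    return words[5] == 0x5EFE and words[4] in (0x0000, 0x0200)


def tag_addresses(*addrs) -> set:
    """Tags for every address that falls in a transition range or looks like ISATAP."""
    tags = set()
    for a in addrs:
        tags.update(name for name, net in ADDRESS_RANGES.items() if a in net)
        if is_isatap(a):
            tags.add("isatap")
    return tags


def inspect(pkt: bytes) -> list:
    """Return sorted tags describing transition-mechanism traffic in one packet."""
    tags = set()
    v4 = parse_ipv4(pkt)
    if v4 is None:
        v6 = parse_ipv6(pkt)  # native IPv6 on the wire: only the addresses matter
        if v6 is not None:
            tags |= tag_addresses(v6[1], v6[2])
        return sorted(tags)
    proto, _src, _dst, payload = v4
    inner = None
    if proto == IPPROTO_IPV6:
        tags.add("proto41")
        inner = parse_ipv6(payload)
    elif proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        # Plain Teredo only: indicator headers before the IPv6 packet are not handled.
        if TEREDO_PORT in (sport, dport):
            inner = parse_ipv6(payload[8:])
            if inner is not None:
                tags.add("teredo")
    if inner is not None:
        tags |= tag_addresses(inner[1], inner[2])
    return sorted(tags)


# --- constructed sample packets (documentation addresses, zero checksums) ---
def ipv4_packet(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def ipv6_packet(src, dst, next_header=59, payload=b""):  # 59 = No Next Header
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def udp_packet(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


SAMPLES = {
    "6to4": ipv4_packet("192.0.2.10", "192.88.99.1", IPPROTO_IPV6,
                        ipv6_packet("2002:c000:20a::1", "2001:db8::1")),
    "teredo": ipv4_packet("192.0.2.10", "198.51.100.1", IPPROTO_UDP,
                          udp_packet(40000, TEREDO_PORT,
                                     ipv6_packet("2001:0:c633:6401::1", "2001:db8::1"))),
    "isatap": ipv4_packet("10.0.0.5", "10.0.0.1", IPPROTO_IPV6,
                          ipv6_packet("fe80::5efe:a00:5", "fe80::5efe:a00:1")),
    "mapped": ipv6_packet("2001:db8::1", "::ffff:c000:205"),
    "plain_tcp": ipv4_packet("192.0.2.10", "198.51.100.9", 6, b"\x00" * 20),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10s} -> {inspect(pkt) or 'no transition mechanism'}")
```

Run it against real traffic by feeding each frame's IP payload to `inspect()`; anything tagged `proto41` or `teredo` on a network that is supposed to be IPv4-only, or any native IPv6 with a `6to4`/`teredo` source, is exactly the traffic the thread is arguing should be dropped at the border and alerted on by the IDS.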
    1. Re:It affects IPV4-only machines too by grimr · · Score: 1

      My IPV6 tunnel is not encrypted. It doesn't have to be as there's no point and all it would accomplish is add more CPU load to my router and the tunnel broker's router.

      Any unencrypted traffic like HTTP attackers could mess with after it leaves the tunnel broker to the rest of the internet so waste of effort there. Encrypted traffic like HTTPS would get encrypted twice which is also a waste of effort.

  10. IPv6 by TheOuterLinux · · Score: 1

    It's one of those protocols hardly anyone uses in relation towards IPv4. You can turn it off on your system and everything runs just fine. It doesn't matter how old it is, but the "neck massager" was never really meant for your neck. Know what I mean ;) ? It was new and was supposed to be able to handle more web addresses. Cloud computing is getting worse, so maybe it'll get its use when we all have servers in our houses or maybe in our phones. You never know anymore. I still say cloud computing will destroy open source.

    1. Re:IPv6 by unixisc · · Score: 1

      One thing hardly has anything to do w/ the other - and that's w/o touching your mixed metaphors regarding the neck massager

      IPv6 was designed from ground up to be a replacement for, not an enhancement to, IPv4. Bottom line was that there was no way to extend IPv4 addresses b'cos any fix would have to monkey around w/ the definition of the lengths of the source and destination address headers, and the moment one touched that, every router on the internet would have to be upgraded. Given the effort involved, the IETF decided that rather than do piecemeal solutions, they'd do one cleanroom implementation of the internet protocol using everything that had been learned over the decades of IPv4 usage.

      Your reference to cloud computing is neither here nor there: cloud computing can happen w/ either IPv4 or IPv6: it's just that instead of happening on disparate clients that can have any platform - be it Wintel, Mac, Lintel, BSD, Amiga, OS/2, Haiku, et al, where the solution would have to be tested on all, the computing is done on a central server that is controlled by the entity providing the computing service. Maybe it's a good thing for maintenance reasons, or a bad thing due to privacy implications, but either way, it has nothing to do w/ the IPv4 vs IPv6 debate. And cloud computing can be open source or closed source: the fact that it sits on Linux or BSD servers as opposed to Windows servers has nothing to do w/ it.

      IPv6 is already on our phones: if you use Verizon, chances are that that's what your phone uses to get on the internet. In fact, for the networks, which have millions of subscribers, but there ain't millions of IPv4 addresses, and NAT is a kludge when it comes to handling mobile IP traffic, IPv6 IS the norm. The ISPs are getting there, although they still don't look like they have their roadmap clear. I have Xfinity both at home & Comcast business at work. At work, IPv6 is what's used to get on the internet: at home, it's IPv4. Go figure!

    2. Re:IPv6 by marka63 · · Score: 2

      The only reason people can "turn it off and everything runs just fine" is that you have been paying extra to your ISP to pay for the CGN boxes to keep IPv4 limping along well past the time when everyone should have been off it.

      Sane ISP's know that they don't want to run CGN boxes. They are expensive and increase the amount of logging that needs to be kept for law enforcement purposes. They also break functionality on which some of the customers depend.

      Sane ISP's enable IPv6 as it takes load off the CGN boxes. A typical household with IPv6 enabled sees around 60% of the traffic happening over IPv6 with the percentage increasing every day as CDN's turn on IPv6 support.

    3. Re:IPv6 by Cramer · · Score: 1

      IETF decided that rather than do piecemeal solutions, they'd do one cleanroom implementation of the internet protocol using everything that had been learned over the decades of IPv4 usage.

      HAH! They actively ignored much of what had been learned, and further, ignored what enterprises actually used. They put zero effort into how to get there -- backwards compatibility, migration paths, ... And they gave zero consideration to any aspect of security. IPv6 is the horribly broken, constantly changing ball of shit that it is because of the design-by-committee pile of personal projects and agendas that were nailed together and called a protocol. There were many proposed methods of extending IPv4 address space, but it was agreed to create a new protocol to fix more than just addressing. In the end, we still have to build a new internet -- after decades, we still haven't.

  11. IPv6 has NAT as well by dbIII · · Score: 1

    NAT is not security, it's a placebo, and it's still subject to NAT traversal attacks.
    Also IPv6 can do NAT (eg. you can use it for a transparent proxy) and there are routers that let you define your own firewall rules so that cheap ADSL router with NAT is already available - so you can do it, just don't assume that NAT is going to keep anyone other than the honest out.

    1. Re: IPv6 has NAT as well by Anonymous Coward · · Score: 0

      I don't think you know what placebo means.

      Compare a wireshark capture of a PC sitting on an IPv4 and one with NAT router between.

      If you don't see a significant difference in random port scans and hacking attempts, you fucked up.

    2. Re: IPv6 has NAT as well by Dagger2 · · Score: 1

      I've done this, and I saw no difference. If you did then you fucked up the test. Specifically, you most likely changed the PC from a public v4 address to an RFC1918 one at the same time as introducing the NAT. Making two changes at once means you can't tell which change caused the different behavior.

      Try comparing a traffic capture of a machine with an RFC1918 address with vs without NAT on the router, and then separately compare a capture of a machine with a public address with vs without NAT on the router. This will make it clear that it's not the NAT that makes any difference to inbound connections.

  12. windows 10 enables the tunnel mechanisms by defaul by gl4ss · · Score: 1

    windows 10 enables the tunnel mechanisms by default.
    and has no easy way to turn them off.

    yeah, you can remove ipv6 from the network card - but are you so daft that you think it actually removes this threat? hahahahha. of course no. you have to go into registry to disable ipv6. and of course they will reset it on update, because fuck you, that's why. and disabling any ipv6 support entirely wouldn't help either if the offending sw gets to write its own ethernet packets (though that's more complicated than some powershell script. oh yeah don't try disabling powershell either, it will break half the system, because again, fuck you).

    of course, if you can't turn off the iot mesh shit either then why worry about this.

    --
    world was created 5 seconds before this post as it is.
  13. Re:windows 10 enables the tunnel mechanisms by def by Cramer · · Score: 1

    Hell, Windows XP enables them by default. (once IPv6 is installed)

  14. network/host divisions by Anonymous Coward · · Score: 0

    Just like in IPv4 classful addressing was the first to go out the window once the address limitation hit, I predict this 64:64 split will be the first to go in IPv6. People love doing a numbers analysis, but that flies in the face of what IPv6 authors have recommended in terms of addressing structures. They recommend people to go out and get anything from /48 to /32 allocations from their RIR, making the allocations rather ridiculous. It also assumes a one size fits all for all networks, and gives the networks a ridiculous size that will never be remotely reached by any subnet, but are just there for autoconfiguration.

    Instead, having a fixed 64-bit global prefix, and then a variable option of 32:32 or 16:48 for a subnet:host split would have made more sense. A clean hierarchical routing would have been possible with IPv6, but still allowed generous allocations to ISPs and downstream organizations, including Provider independent addresses. Instead, once these limits show up, the IETF/IANA will have to come out with an IPv7 that will be IPv6, but with a change in the network/host divide. People can argue that one can do this now, but as you point out, those splits have been hard coded into silicon, so that any change would probably be cleanly implemented in a newer version of the IP - say IPv7 (I know all the versions have been pre-emptively defined, but that may need another look).