IPv6: are you ready?
Most Linux admins have become accustomed to dealing with the security problems created by flaws in IPv4. Most home Linux users at least know how to create a firewall which can block certain ports to ipv4 traffic. Intermediate users can implement NAT under ipv4, and more.
But IPv6 is completely different. The problem with phasing in IPv6 is not just that even if your router was sold to you with the claim that it is IPv6 compatible, this might not really be true. The biggest problem, some security experts say, is that IPv6 breaks many of the basic defenses which have proven reliable in controlling IPv4 traffic, and will almost certainly give rise to many completely unforeseen and unprecedented security vulnerabilities as the bad guys start to learn how to exploit IPv6 for evil purposes. See the three-part series recently published in thetechherald.com for an overview. Which prompts me to ask:
Note: I am posting this in the General forum rather than the Security forum on advice of a moderator. The reason is that any wide-ranging discussion of potential future security issues will surely involve some discussion of the sources, motivations, and nature of potential (plausible?) future threats facing the average user, which involves political issues which cannot be discussed in other parts of LQ. |
I think you are going to out a lot of ipv6 ostriches, with their heads in the sand.
The distro may be ipv6 capable in theory, the isp may be ipv6 capable in theory, the router may be ipv6 in theory, but it's going to be a major nightmare. You may, like me, avoid loading the ipv6 module because it throws up crap I don't want to have to think about. And who knows about the switches & routers we never know about out in the ether somewhere, routing traffic? How will we debug that? It isn't until they switch ipv4 off wholesale that we will _actually_ find out. |
I know that we are not ready for IPV6 at work, and at home it's no better.
Because of the router issues (ie almost none have the ability to use v6) I haven't even bothered to look at anything else. I do know after yesterday (IPV5 test day) that speedtest.net did not want to run on my computers. |
NAT just happened to be a convenient way to deploy the "block all ports then open some ports" model. I was doing that model before there was NAT. NAT wasn't necessary for it (we didn't need it where I worked at that time since we had a /16 allocation).
If the router/firewall implementation cannot be configured to "block all ports then open some ports" then it is defective. Sequential rule based filtering can simply do this by ending the rule list with a deny that matches all addresses. The rule search ends at the first match, and if the first match is a permit, it allows that traffic in. NAT isn't needed for IPv6, so it's usually not implemented. The problem is too many people are accustomed to leaning on NAT in IPv4 as a security mechanism, when the correct way to do it would have been to use the firewall the way it was designed. If you turn off NAT entirely, and use your public IP address(es) directly configured on your machine(s), you would face the same issues with IPv4. Now you are tasked with securing your (currently just IPv4) network WITHOUT USING NAT. At this point it doesn't matter whether it is IPv4 or IPv6, except that with IPv6 you will have enough addresses to reach every machine you connect to the network, except ... BTW, if you have machines you don't want to reach, or be reached by, the public IPv6, there is a block of 2,658,455,991,569,831,745,807,614,120,560,689,152 addresses in IPv6 that can be used effectively the same as private IPs (fc00::/7). For those that do reach the public IPv6, either lock the machine itself down tight, or use the "block all ports then open some ports" configuration model on your firewall.
Development might still need to be done for many products to create the proper GUI management tools to work with IPv6 addresses. GUI tools seem to always be behind the curve on technical things like this. I've heard of at least one network equipment maker that fully supported IPv6 in its router stack and its filtering engine, but required administrators to revert to command line facilities to configure it, while IPv4 could be done in the GUI tools. People that think such a router is insecure for IPv6 need to either find another product, learn something new, or hire a competent network administrator. BTW ... when I said above (#3 in the list) that the sources are wrong, it was in reference to design possibilities. Actual products may very well be badly designed. |
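A worked illustration of the "block all ports then open some ports" model described in the post above (first-match rule evaluation ending in a catch-all deny, plus the fc00::/7 check), added here as example code and not part of any post in this thread. The 2001:db8:1::/64 prefix and host addresses are constructed sample values, and the ip6tables rendering assumes a Linux host filtering on the FORWARD (or INPUT) chain.

```python
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_address, ip_network
from typing import List, Optional

ULA = ip_network("fc00::/7")  # unique local addresses, the block named in the post


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmpv6" or "any"
    dst: IPv6Network             # destination prefix the rule covers
    dport: Optional[int] = None  # None matches any destination port


def matches(rule: Rule, proto: str, dst: str, dport: Optional[int]) -> bool:
    return (rule.proto in ("any", proto)
            and ip_address(dst) in rule.dst
            and (rule.dport is None or rule.dport == dport))


def decide(rules: List[Rule], proto: str, dst: str, dport: Optional[int] = None) -> str:
    """Sequential first-match filtering: the first rule that matches decides.
    The trailing deny on ::/0 is what turns the list into 'block all ports,
    then open some'; the fallback covers a list that forgot the catch-all."""
    for rule in rules:
        if matches(rule, proto, dst, dport):
            return rule.action
    return "deny"


def is_unique_local(addr: str) -> bool:
    """True for fc00::/7 hosts, which are not routed on the public Internet."""
    return ip_address(addr) in ULA


def to_ip6tables(rule: Rule, chain: str = "FORWARD") -> str:
    """Render one rule as the equivalent ip6tables command."""
    cmd = ["ip6tables", "-A", chain]
    if rule.proto != "any":
        cmd += ["-p", rule.proto]
    if rule.dst != ip_network("::/0"):
        cmd += ["-d", str(rule.dst)]
    if rule.dport is not None:
        cmd += ["--dport", str(rule.dport)]
    return " ".join(cmd + ["-j", "ACCEPT" if rule.action == "permit" else "DROP"])


# Constructed sample policy for a home /64 (2001:db8::/32 is the documentation prefix).
HOME_RULES = [
    Rule("permit", "icmpv6", ip_network("::/0")),                  # ND, RA and PMTUD need ICMPv6
    Rule("permit", "tcp", ip_network("2001:db8:1::10/128"), 443),  # one web server
    Rule("permit", "tcp", ip_network("2001:db8:1::/64"), 22),      # SSH to any host on the LAN
    Rule("deny", "any", ip_network("::/0")),                       # the catch-all deny
]
```

Note the first rule: unlike IPv4, a blanket deny that also drops ICMPv6 breaks neighbor discovery and path MTU discovery, so "block all" for IPv6 still has to let ICMPv6 through.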
Looks like sand to me.
Not sure if we will try to implement it at work. It would be a massive change and not support much. |
@Skaperen:
I am worried about real-world implementations of IPv6 more than the design of IPv6 itself. Particularly for the humble home user.
I culled a few quotes from the cited articles:
So how is the humble home user to deal with that? Does anyone know what he is talking about? Throw me a crumb!
Politics enters: I believe that large numbers of ordinary citizens are already being targeted by sophisticated attackers more often than most people realize. If so, we can expect IPv6 vulnerabilities in home LANs to be exploited more rapidly than most IT pros expect. This is a critically important phenomenon which the designers of IPv6 could not have anticipated, but one which, I fear, we home users must now try to defend against.
The typical home Linux user probably depends upon badly designed commercial hardware and the possibly very bad decisions made by harried ISP admins who may not have been given enough opportunity by their cash-strapped employer to learn about IPv6 in a safe testing environment. So if the IT pros employed by his ISP and the developers who write the software he uses have probably not yet taken the time to go back to school, how can the home user learn what he needs to know to stay semi-safe?
Politics again: it is said that many governments which have not outlawed crypto completely are quietly but insistently demanding that ISPs insert "back doors" into the crypto used by their customers. Does this mean that we will all have mandated secret tunnels into our LANs?
|
The internet was designed with the intention of being a free, open, level playing field. It has instead been broken up into spheres of influence and regions. It has become controlled and dominated by a few major players, such as Time Warner, Comcast, Level 3, and so forth. The providers hold the cards and can decide what traffic can flow through their networks. The traffic all flows through centralized servers. It has given rise to places like Facebook. When you send an email, for example, for most people it goes to a centralized email server run by your ISP. It does not go to your friend to whom it was addressed. When you send a "twit" it goes to a centralized server, not to the people to whom you addressed it or who subscribe to it. IPv6 is designed to break this, as this was not how the Internet was meant to work. It has the capability of restoring the peer-to-peer communication which is how it was meant to work.

[politics]Obviously this would make it much more difficult for the surveillance state. It would also reduce the power and money leverage held by these big corporations. Neither of which is likely to "go quietly into the night". Again, the power resides with the people and the numbers. If *WE* adopt IPv6 and start pushing the peer-peer model and reject their centralized control, sooner rather than later, the better off we will be.[/politics]

(*) I put the note on the address space. With IPv4, public addresses are a scarce commodity and ISPs charge good money to be assigned a static IP or block of IP addresses. With IPv6, this shouldn't be the case as there are enough addresses to give every person on the planet their own personal address space equivalent to the entire (IPv4) address space. When you are allocated a /64 (IPv6 is 128 bits long) you have allocated to your personal use a range equivalent to the entire IPv4 internet SQUARED! One of the effects, which I believe was intentional, is that NAT is no longer required.

Many, including many in my local LUG (Linux Users Group), most of whom are very network knowledgeable, will tell you that overall NAT has been a bad thing for security. They will also tell you that NAT was not originally intended to be used as a security feature and that it has allowed people to become lazy and complacent. How many machines are sitting behind NAT yet otherwise unprotected, with the administrators convinced that because they are behind a NAT they can't be accessed and are impervious to intrusion? I used to, naively, think this too. The exploit tools available today work just as well on a vulnerable router as they do on a PC or server. In fact, once they are behind the NAT, they are more likely to have free rein without being discovered.

As far as the user goes, the above threads have talked a lot about GUI tools, configuration, etc. One thing that IPv6 is going to all but necessitate is the use of DNS. IPv4 addresses are fairly memorable by humans and IPv6 is much less so. I have been told that you begin to recognize patterns in IPv6 and learn parts of it, so to some degree it is a learning curve. Firewalls will also become more important and likely at a lower level. According to the discussions on IPv6 that I have attended, instead of placing a machine behind a NAT and port forwarding, you will place the machine behind a firewall (or even firewall it on the machine, such as IP6Tables in Linux). So far, the consensus amongst the people I have discussed this topic with is that IPv6 will go a long way toward eliminating a lot of the vulnerabilities, mostly caused by NAT and the false sense of security that goes along with it.

Personally, looking over a lot of the statements in the above posts, I see two things: FUD and the deliberate spread of FUD on the part of "security" companies whose vested interest is in selling you a product to make you feel secure.
One of the biggest technical challenges my local LUG has identified is load balancing where you have several servers all facing one common IP. Since IPv6 was designed without NAT, this becomes more difficult - yet this was one of the few legitimate uses of NAT. |
@Noway2:
Thank you for providing such an informative and thought-provoking post! I'd like to respond with some further thoughts of my own, but first, if you are in touch with Quantumstate, I'd also like his input. |
OTOH, things like DoS attacks that impact your connection capacity from your ISP, that is their concern. But IPv6 is no different than IPv4 for that. ---------- Post added 2011-06-13 at 09:04 ----------
|
@Peufelon, no, I don't have direct contact with Quantumstate, who has chosen to leave his contact information blank. One suggestion I would have in this regard is to use a free mail service like Hushmail that provides anonymous service up to the point of requiring a legal warrant in British Columbia.
|