IPv6: are you ready?
 

Most Linux admins have become accustomed to dealing with the security problems created by flaws in IPv4. Most home Linux users at least know how to create a firewall which can block certain ports to ipv4 traffic. Intermediate users can implement NAT under ipv4, and more.

But IPv6 is completely different. The problem with phasing in IPv6 is not just that even if your router was sold to you with the claim that it is IPv6 compatible, this might not really be true. The biggest problem, some security experts say, is that IPv6 breaks many of the basic defenses which have proven reliable in controlling IPv4 traffic. And will almost certainly give rise to many completely unforeseen and unprecedented security vulnerabilities as the bad guys start to learn how to exploit IPv6 for evil purposes. See the three part series recently published in thetechherald.com for an overview.

Which prompts me to ask:

• How are you preparing for IPv6 traffic?
• How do you know that your router is truly IPv6 compatible?
• How do you know that the personal firewall on your Linux PC/laptop will block malicious IPv6 traffic? (Some sources say that this is impossible by design in some cases, which is not very encouraging.)
• For admins of home or larger LANS, how do you know that your configuration and routing will be effective in ipv6 environment?

Note: I am posting this in the General forum rather than the Security forum on advice of a moderator. The reason is that any wide-ranging discussion of potential future security issues will surely involve some discussion of the sources, motivations, and nature of potential (plausible?) future threats facing the average user, which involves political issues which cannot be discussed in other parts of LQ.

I think you are going to out a lot of ipv6 ostriches, with their heads in the sand.

The distro may be ipv6 capable in theory, the isp may be ipv6 capable in theory, the router may be ipv6 in theory, but it's going to be a major nightmare. You may, like me, avoid loading the ipv6 module because it throws up crap I don't want to have to think about. And who knows about the switches & routers we never know about out in the ether somewhere, routing traffic? How will we debug that?

It isn't until they switch ipv4 off wholesale that we will _actually_ find out.

I know that we are not ready for IPV6 at work, and at home it's no better.

Because of the router issues (ie almost none have the ability to use v6) I haven't even bothered to look at anything else. I do know after yesterday (IPV5 test day) that speedtest.net did not want to run on my computers.

I would disagree that a flaw exists in IPv4 which has as a "solution" the action of blocking certain ports. If you can't trust incoming traffic because you have open ports on some machines, or even if you just want to block everything and open specific ports, that's not a design flaw of IPv4 any more than it is of IPv6. If you need to pinpoint it as a flaw, point at UDP, TCP, and SCTP. Or look in a mirror.

NAT just happened to be a convenient way to deploy the "block all ports then open some ports" model. I was doing that model before there was NAT. NAT wasn't necessary for it (we didn't need it where I worked at that time since we had a /16 allocation).

The security problems "inherint" in IPv6 come from issues in network design and deployment, and to some extent from implementations. IMHO, IPv6 itself is not any less secure than IPv4. I'd even argue it is already more secure. The real problem isn't IPv4 vs. IPv6. Instead, the real problem is education.

• We're waiting for the ISP to implement IPv6 in their provisioning system, allocate us an IPv6 subnet, and deploy the routing.
• It's Cisco.
• N/A. This is a data center LAN. (Those sources are all wrong)
• I applied a few simple access tests.

If the router/firewall implementation cannot be configured to "block all ports then open some ports" then it is defective. Sequential rule based filtering can simply do this by ending the rule list with a deny that matches all addresses. The rule search ends at the first match, and if the first match is a permit, it allows that traffic in.

NAT isn't needed for IPv6, so it's usually not implemented. The problem is too many people are accustomed to leaning on NAT in IPv4 as a security mechanism, when the correct way to do it would have been to use the firewall the way it was designed. If you turn off NAT entirely, and use your public IP address(es) directly configured on your machine(s), you would face the same issues with IPv4. Now you are tasked with securing your (currently just IPv4) network WITHOUT USING NAT. At this point it doesn't matter whether it is IPv4 or IPv6, except that with IPv6 you will have enough addresses to reach every machine you connect to the network, except ...

BTW, if you have machines you don't want to reach, or be reached by, the public IPv6, there is a block of 2,658,455,991,569,831,745,807,614,120,560,689,152 addresses in IPv6 that can be used effectively the same as private IPs (fc00::/7). For those that do reach the public IPv6, either lock the machine itself down tight, or use the "block all ports then open some ports" configuration model on your firewall.

The only political issues I see that differentiate IPv6 from IPv4 are just getting people educated about, and committed to, IPv6. In particular, be sure all firewall implementations have the ability to be fully secure in a NAT-free world (whether IPv6 or IPv4), and be sure people are educated about it.

Development might still need to be done for many products to create the proper GUI management tools to work with IPv6 addresses. GUI tools seem to always be behind the curve on technical things like this. I've heard of at least one network equipment maker that fully supported IPv6 in its router stack and its filtering engine, but required administrators to revert to command line facilities to configure it, while IPv4 could be done in the GUI tools. People that think such a router is insecure for IPv6 need to either find another product, learn something new, or hire a competent network administrator.

BTW ... when I said above (#3 in the list) that the sources are wrong, it was in reference to design possibilities. Actual products may very well be badly designed.

Looks like sand to me.

Not sure if we will try to implement it at work. It would be a massive change and not support much.

@Skaperen:

I am worried about real world implementations of IPv6 more than the design of IPv6 itself. Particularly for the humble home user.

Poor choice of words on my part.

I culled a few quotes from the cited articles:

Sounds like business as usual. How nice.


So how is the humble home user to deal with that?

Does anyone know what he is talking about? Throw me a crumb!

Aaron Barr, I mean LulzSec, will have a field day.

Politics enters: I believe that large numbers of ordinary citizens are already being targeted by sophisticated attackers more often than most people realize. If so, we can expect IPv6 vulnerabilities in home LANs to be exploited more rapidly than most IT pros expect. This is a critically important phenomenon which the designers of IPv6 could not have anticipated. But which, I fear, we home users must now try to defend against.

And how is the humble home user to do that?

The typical home Linux user probably depends upon badly designed commercial hardware and the possibly very bad decisions made by harried ISP admins who may not have been given enough opportunity by their cash-strapped employer to learn about IPv6 in a safe testing environment.

So if the IT pros employed by his ISP and the developers who write the software he uses have probably not yet taken the time to go back to school, how can the home user learn what he needs to know to stay semi-safe?


Oh good, no VPN has ever been found to have security flaw so no VPN need ever be monitored by the LAN admin (myself). What a relief!

Politics again: it is said that many governments which have not outlawed crypto completely are quietly but insistently demanding that ISPs insert "back doors" into the crypto used by their customers. Does this mean that we will all have mandated secret tunnels into our LANs?

I have that sick feeling...

But what is the humble home user to do? For all I know, my ISP buys cheap Cisco knockoffs, and doesn't care a hoot about IPv6 certification.

So how to disable IPv6 until such time as (hah!) I can take it on faith that developers and IT pros know all about the sea changes in the threat environment entailed by the adoption of IPv6?

Right now, many of the ISPs including the major ones, do not have native IPv6 support available to their customers. There are a few organizations, such as Hurricane Electric in the US sphere, that are offering IPv6 tunneling services for free. They will act as a registrar and get you assigned a block of /64 IPv6 address space(*). Then they provide a tunneling service where you can configure your network to work on IPv6. What happens is that you configure your router to point the IPv6 traffic at the tunnel IP and your IPv6 will pass to their routers which will launch it onto the global IPv6 backbone. In essence it allow you to logically connect via IPv6 while your ISP still only routes via IPv4. The benefit to Hurricane Electric is that they have invested heavily in IPv6 technologies and as it becomes adopted and hardware is upgraded and replaced to support IPv6, they stand to profit measurably. You can currently get router software like dd_wrt and tomato that support IPv6 and run them on residential grade hardware. Early adopters, who believe that IPv6 is a good thing can take advantage of this and run IPv6 on their own networks. It isn't necessary for the "big corporate brothers" to play. (More on this in the next paragraph) In fact you can even register to get your own Autonomous System (AS) Number, register with ARIN, APIC (or whoever your global agency is) and have your own IPv6 network tied in at the network level.

The internet was designed with the intention of being a free, open, level playing field. It has instead been broken up into spheres of influence and regions. It has become controlled and dominated by a few major players, such as the Time Warner, Comcast, Level 3, and so forth. The providers hold the cards and can decide what traffic can flow through their networks. The traffic all flows through centralized servers. It has given rise to places like Facebook. When you send an email, for example, for most people it goes to a centralized email server run by your ISP. It does not go to your friend, whom it was addressed. When you sent a "twit" it goes to a centralized server, not to the people whom you addressed it or subscribe to it. IPv6 is designed to break this as this was not how the Internet was meant to work. It has the capability of restoring the peer-to-peer communication which is how it was meant to work. [politics]Obviously this would make it much more difficult for the surveillance state. It would also reduce the power and money leverage held by these big corporations. Neither of which is likely to "go quietly into the night". Again, the power resides with the people and the numbers. If *WE* adopt IPv6 and start pushing the peer-peer model and reject their centralized control, sooner rather than later, the better off we will be.[/politics]

(*)I put the note on the address space. With IPv4, public addresses are a scarce commodity and ISPs charge good money to be assigned a static IP or block of IP addresses. With IPv6, this shouldn't be the case as there are enough addresses to give every person on the planet their own personal addresses space equivalent to the entire (IPv4) address space. When you are allocated a /64 (IPv6 is 128 bits long) you have allocated to your personal use a range equivalent to the entire IPv4 internet SQUARED!

One of the effects, which I believe was intentional, is that NAT is no longer required. Many, including many in my local LUG (Linux Users Group) most of whom are very network knowledgeable, will tell you that overall NAT has been a bad thing for security. They will also tell you that NAT was not originally intended to be use as a security feature and that it has allowed people to become lazy and complacent. How many machines are sitting behind NAT yet otherwise unprotected with the administrators convinced that because they are behind a NAT that they can't be accessed and are impervious to intrusion? I used to, naively, think this too. The exploit tools available today work just as well on a vulnerable router as they do on a PC or server. In fact once, they are behind the NAT, they are more likely to have free reign without being discovered.

As far as the user goes, the above threads have talked a lot about GUI tools, configuration, etc. One thing that IPv6 is going to all but necessitate is the the use of DNS. IPv4 addresses are fairly memorable by humans and IPv6 is much less so. I have been told that you begin to recognize patterns in IPv6 and and learn parts of it, so to some degree it is a learning curve. Firewalls will also become more important and likely at a lower level. According to the discussions on IPv6 that I have attended, instead of placing a machine behind a NAT and port forwarding, you will place the machine behind a firewall (or even firewall it on the machine, such as IP6Tables in Linux).

So far, the consensus amongst the people I have discussed this topic with is that IPv6 will go a long way toward eliminating a lot of the vulnerabilities, mostly caused by NAT and the false sense of security that goes along with it. Personally, looking over a lot of the statements in the above posts, I see two things: FUD and the deliberate spread of FUD on the part of "security" companies whose vested interest is in selling you a product to make you feel secure. One of the biggest technical challenges my local LUG has identified is load balancing where you have several servers all facing one common IP. Since IPv6 was designed without NAT, this becomes more difficult - yet this was one of the few legitimate uses of NAT.

Hmmmm - I wonder if that'll do me for the machines in the house ... :p

Yeah, I think there will have to be a transition period in which all these bugs will be worked out. Currently my ISP is not compatible, so I'm not switching until then for sure. My router is supposedly compatible, and the rest I will fix when the time comes.

@Noway2:

Thank you for providing such an informative and thought-provoking post!

I'd like to respond with some further thoughts of my own, but first, if you are in touch with Quantumstate, I'd also like his input.

Excellent post!

Aside from using a tunnel, you have no choice if your ISP doesn't provide IPv6. But once they do, security is not their concern unless you are using ISP provided equipment, software, configurations, or management services for security. But just the delivery of IPv6 packets isn't the security concern. If you want to find someone to blame for security, keep a mirror (glass, silver on back) handy.

OTOH, things like DoS attacks that impact your connection capacity from your ISP, that's is their concern. But IPv6 is no different than IPv4 for that.

---------- Post added 2011-06-13 at 09:04 ----------

I expect exploitation of weaknesses in bad implementations of IPv6, and the tools to manage IPv6 space, to grow very rapid once IPv6 takes off. In the mean time, those of us that can get it can enjoy a temporarily less noisy network.

Hopefully, there will be better solutions in the Linux community. Use a Linux box as the firewall.

Sadly, much of the problem in commercial products is more about companies trying to pay as little as possible for the development of these products.

Crypto is end-to-end. Nothing in the middle can deal with it beyond forwarding or blocking or trashing (effectively the same as blocking) the encrypted packets ... if the crypto is done correctly. Don't worry about the ISP unless the ISP provides the equipment doing the VPN. Do worry about the equipment makers. Or use an open source firewall.

If you depend on your ISP to provide your firewall and VPN equipment, you already have problems. FYI, you don't need to do VPN in the firewall. A separate box can do that. You just route your remote LAN subnets into that box. Then that box can access the internet and thus its peers via an enabled path through the firewall, or via a second NIC port around the firewall if the internet connectivity can do 2 or more ethernet connections. You can also add a VPN gateway outside between the firewall and the internet, though I don't recommend that because it is trickier to configure.

Don't route it in or out. If you can get your router or firewall to block it or not route it, that should be enough. If not, get/build a small router box based on Linux or BSD that can.

@Peufelon, no I don't have direct contact with Quantumstate, who has chosen to leave is contact information blank. One suggestion I would have in this regard is to use a free mail service like Hushmail that provides anonymous service up to the point of requiring a legal warrant in British Columbia.