Tech Clinic: IPv6
#1
FlyerTalk Evangelist
Original Poster
Join Date: Nov 2002
Location: ORD
Posts: 14,231
Tech Clinic: IPv6
I've recently discovered that Time Warner supports IPv6 here. My router gets an IPv6 prefix and most of the devices on my network get IPv6 addresses with those prefixes.
I understand that this means all the devices on my network now have public IP addresses. Do I need to ensure that everything on my network has a good firewall in place? How does security on IPv6 work? I've tried searching the interwebs, but there's a lot of info out there, much of which conflicts. I bet there are a bunch of IT gurus here...
Thanks!
#2
Join Date: Dec 2009
Location: RDU
Programs: DL DM+(segs)/MM, UA Ag, Hilton DM, Marriott Ti (life Pt), TSA Opt-out Platinum
Posts: 3,227
I've recently discovered that Time Warner supports IPv6 here. My router gets an IPv6 prefix and most of the devices on my network get IPv6 addresses with those prefixes.
I understand that this means all the devices on my network now have public IP addresses. Do I need to ensure that everything on my network has a good firewall in place? How does security on IPv6 work? I've tried searching the interwebs, but there's a lot of info out there, much of which conflicts. I bet there are a bunch of IT gurus here...
Thanks!
For a firewall test, go to canyouseeme.org (on a device behind your router) and then test using your external IP. If you need to know your external IP, go to whatismyip.com
#3
FlyerTalk Evangelist
Original Poster
Join Date: Nov 2002
Location: ORD
Posts: 14,231
Interesting, thanks, but I think this is not quite accurate. I found an online IPv6 port scanner and it couldn't connect to any of my devices. For example, my home Linux server has an IPv6 address. On my laptop in Chrome I can go to [ipv6 of server] and it works. If I ssh to the router at my parents' house and try to telnet to port 80 of that IP, the connection times out. But I can ping the server's IPv6 address from my parents' router.
So there must be some routing going on in my home router that allows pings from the internet but doesn't allow incoming connections.
#4
Join Date: Dec 2009
Location: RDU
Programs: DL DM+(segs)/MM, UA Ag, Hilton DM, Marriott Ti (life Pt), TSA Opt-out Platinum
Posts: 3,227
Interesting, thanks, but I think this is not quite accurate. I found an online IPv6 port scanner and it couldn't connect to any of my devices. For example, my home Linux server has an IPv6 address. On my laptop in Chrome I can go to [ipv6 of server] and it works. If I ssh to the router at my parents' house and try to telnet to port 80 of that IP, the connection times out. But I can ping the server's IPv6 address from my parents' router.
So it sounds like your devices are firewalled. That's good. Are you using DHCP? Is it being provided by your router? There may be a setting on there to turn off IPv6.
#5
FlyerTalk Evangelist
Original Poster
Join Date: Nov 2002
Location: ORD
Posts: 14,231
Perhaps your parents' router/device/ISP doesn't support IPv6 yet? There are lots of devices out there that don't yet support (or have enabled) IPv6.
I would assume that's the default behavior and generally what people would want...
So it sounds like your devices are firewalled. That's good. Are you using DHCP? Is it being provided by your router? There may be a setting on there to turn off IPv6.
Everything is using DHCPv6 with prefix delegation from the ISP.
I guess I'd just thought that, if everything attached to the internet has a publicly addressable IP in IPv6, then everything would be reachable, but it seems not to be the case. So that's good. It's not how I thought it worked. So I'm still curious how exactly it works, since I just haven't found it documented anywhere.
#6
Join Date: Jul 2007
Location: San Francisco/Sydney
Programs: UA 1K/MM, Hilton Diamond, Marriott Something, IHG Gold, Hertz PC, Avis PC
Posts: 8,156
At the moment most "consumer" routers that support IPv6 simply firewall all inbound connections. Some of them allow you to configure this firewall in that you can allow specific IPs/ports (much the same as port forwarding with IPv4/NAT), but I've yet to find one that allows you to turn the firewall off completely - which is probably a good thing.
I beta test some products for one of the major consumer router vendors, and I've been having discussions with a few of their engineers around the best way to handle IPv6 when it comes to security - unfortunately it's one of those things where basically every decision has a side effect, if only because of the average clue level of the type of people that are using many of these products...
#7
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,507
Actually it's more likely that SLAAC's used to assign IPv6 addresses on the internal network. You can usually tell by the number of addresses the device receives (2 if it's a PC) and the last half of the assigned address (containing a slightly modified form of your MAC address). DHCPv6 is used to get the IPv6 block from your ISP as well as to obtain additional configuration information such as DNS servers that SLAAC isn't capable of broadcasting.
#10
Join Date: Nov 2000
Location: Upcountry Maui, HI
Posts: 13,311
So how does that work? If you get a local address it's not visible publicly, right?
The packets have to get routed back to you somehow.
I guess I'll do some searching/reading on ipv6.
-David
Last edited by LIH Prem; Oct 17, 2015 at 11:59 pm
#11
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,507
Correct. Your router gives you an IPv6 address or a few that are visible to the rest of the Internet (starting with 2xxx); IPv6 addresses beginning with fxxx are solely for internal LAN use.
#13
Join Date: Jul 2001
Location: Lower Merion Township, PA, (an inner-ring suburb to the Socialist Workers City/State of Philadelphia, PA)
Posts: 596
A few comments based on the original questions and the subsequent back and forth.
How does security on IPv6 work? Effectively the same as IPv4, with the one difference being that IPv4 routers (home or otherwise) do NAT and IPv6 addresses are almost always globally routable. What does that mean? In IPv6, every device behind a router has an IPv6 address that is unique across the entire internet. That is not necessarily a bad thing, because that is how IPv4 was intended to work, but the addresses ran out too quickly.
A good home router does SPI, an acronym for Stateful Packet Inspection. The quick description of SPI is that it will not let a packet of data, any packet in any format (TCP or UDP or any other), come into your LAN unless the incoming packet is a "result" of an outgoing packet originating from your LAN. For example, you type flyertalk.com in a browser window, and all the data packets in response to that request are allowed in. But separately, and at any other time of the day or night, data packets to, say, establish an FTP connection that did not originate on your LAN are not allowed. Timeouts of ports and protocols are involved for the FlyerTalk.com request, and this all works inside the router with little to no tuning or configuration needed on your part for home or SOHO class routers (but a different story for business class routers).
Not all home routers do this, for example the $39 model may not do it at all or not as well as the $200 SOHO model. Words used in these descriptions are "full cone NAT" and "restricted cone NAT" routing, and you might find some useful descriptions if you search for those terms.
I disagree with one of the statements above: SLAAC, not DHCPv6, is in all likelihood used to give your LAN clients IPv6 addresses. I don't use Time Warner and am not 100% certain on this, but a design feature of IPv6 was to not have to rely on NAT and to be self-configurable. SLAAC (Stateless Address Auto Configuration) is the acronym for the self-configurable feature in IPv6. And if you are not doing this on the LAN side (it's up to you, not TM, and TM doesn't control this unless they give you a locked-down router), then you're overcomplicating things.
Another statement above is somewhat misleading. If you are using SLAAC, you want to "randomize" the part of the IPv6 address that is not delegated to your router; don't rely on the algorithm that uses the device's MAC address to derive the value. To check this on Windows (not sure it will work on XP), from a CMD prompt:
netsh interface ipv6 show global > check if "Randomize Identifiers" is enabled.
netsh interface ipv6 show privacy > See if Use Temporary Addresses is enabled, it should be for some number of days or hours.
The critics (reference: people on dslreports.com) seem to think Microsoft got all the defaults right and the above two settings should be as listed.
For a quick check of your router's IPv6 Firewall, do this test http://ipv6.chappell-family.com/ipv6tcptest/. The results should be all green, like in the image in the third message here.
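As an added example (not written by anyone in this thread), here is the check behind posts #7 and #13 in Python: it classifies an address's scope the way post #11 describes (2xxx global, fxxx LAN-only) and reports whether the interface identifier is the modified EUI-64 form that embeds the device's MAC, which is exactly what the netsh "Randomize Identifiers" and temporary-address settings exist to avoid. The MAC 00:1a:2b:3c:4d:5e and the 2001:db8::/32 documentation-prefix addresses are constructed sample values.

```python
import ipaddress

# Ranges behind the thread's "starts with 2xxx" / "starts with fxxx" rule of thumb.
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")   # 2xxx and 3xxx: routable on the Internet
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")      # never leaves the local link
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")     # fcxx/fdxx: LAN-only, like RFC 1918 in IPv4


def classify(addr: str) -> str:
    """Name the scope of an IPv6 address in the terms the thread uses."""
    a = ipaddress.IPv6Address(addr)
    if a in GLOBAL_UNICAST:
        return "global"
    if a in LINK_LOCAL:
        return "link-local"
    if a in UNIQUE_LOCAL:
        return "unique-local"
    return "other"


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier SLAAC derives from a 48-bit MAC (RFC 4291, App. A):
    flip the universal/local bit of the first octet and insert ff:fe in the middle."""
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(m) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]


def embedded_mac(addr: str):
    """Return the MAC a modified-EUI-64 interface identifier exposes, or None when the low
    64 bits lack the ff:fe marker (a randomized or temporary address). A random identifier
    can contain ff:fe by chance, so a hit is a strong hint rather than proof."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in m)


def audit(addr: str) -> dict:
    """What a LAN owner wants per address: its scope and whether it leaks the MAC."""
    mac = embedded_mac(addr)
    return {"address": addr, "scope": classify(addr), "leaks_mac": mac is not None, "mac": mac}


if __name__ == "__main__":
    # Constructed samples: the 2001:db8::/32 documentation prefix and a made-up MAC.
    prefix = int(ipaddress.IPv6Address("2001:db8:1234:5678::"))
    slaac_addr = str(ipaddress.IPv6Address(prefix | int.from_bytes(eui64_iid("00:1a:2b:3c:4d:5e"), "big")))
    for a in (slaac_addr, "2001:db8:1234:5678:9f3e:7a21:c0de:4b1d", "fe80::1", "fd12:3456:789a:1::10"):
        print(audit(a))
```

Run it against the addresses `ipconfig` or `ip -6 addr` shows on your own machines; a global address with leaks_mac True means the privacy settings post #13 describes are not in effect on that host.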
#15
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,507
I disagree with one of the statements above: SLAAC, not DHCPv6, is in all likelihood used to give your LAN clients IPv6 addresses. I don't use Time Warner and am not 100% certain on this, but a design feature of IPv6 was to not have to rely on NAT and to be self-configurable. SLAAC (Stateless Address Auto Configuration) is the acronym for the self-configurable feature in IPv6. And if you are not doing this on the LAN side (it's up to you, not TM, and TM doesn't control this unless they give you a locked-down router), then you're overcomplicating things.