Tech Clinic: IPv6

Old Oct 16, 2015, 12:21 pm
  #1  
FlyerTalk Evangelist
Original Poster
 
Join Date: Nov 2002
Location: ORD
Posts: 14,231
Tech Clinic: IPv6

I've recently discovered that Time Warner supports IPv6 here. My router gets an IPv6 prefix and most of the devices on my network get IPv6 addresses with those prefixes.

I understand that this means all the devices on my network now have public IP addresses. Do I need to ensure that everything on my network has a good firewall in place? How does security on IPv6 work? I've tried searching the interwebs, but there's a lot of info out there, much of which conflicts. I bet there are a bunch of IT gurus here...

Thanks!
gfunkdave is offline  
Old Oct 16, 2015, 1:15 pm
  #2  
 
Join Date: Dec 2009
Location: RDU
Programs: DL DM+(segs)/MM, UA Ag, Hilton DM, Marriott Ti (life Pt), TSA Opt-out Platinum
Posts: 3,227
Originally Posted by gfunkdave
I've recently discovered that Time Warner supports IPv6 here. My router gets an IPv6 prefix and most of the devices on my network get IPv6 addresses with those prefixes.

I understand that this means all the devices on my network now have public IP addresses. Do I need to ensure that everything on my network has a good firewall in place? How does security on IPv6 work? I've tried searching the interwebs, but there's a lot of info out there, much of which conflicts. I bet there are a bunch of IT gurus here...

Thanks!
If you have your firewall wide open this may be true. Otherwise your router is likely providing DHCP addresses to your devices. On internal networks I prefer IPv4 because the addresses are easier to remember. Outside my internal network, I could care less.

For a firewall test, go to canyouseeme.org (on a device behind your router) and then test using your external IP. If you need to know your external IP, go to whatismyip.com
HDQDD is offline  
Old Oct 16, 2015, 2:59 pm
  #3  
FlyerTalk Evangelist
Original Poster
 
Join Date: Nov 2002
Location: ORD
Posts: 14,231
Interesting, thanks, but I think this is not quite accurate. I found an online IPv6 port scanner and it couldn't connect to any of my devices. For example, my home Linux server has an IPv6 address. On my laptop in Chrome I can go to [ipv6 of server] and it works. If I ssh to the router at my parents' house and try to telnet to port 80 of that IP, the connection times out. But I can ping the server's IPv6 address from my parents' router.

So there must be some routing going on in my home router that allows pings from the internet but doesn't allow incoming connections.
gfunkdave is offline  
Old Oct 16, 2015, 4:04 pm
  #4  
 
Join Date: Dec 2009
Location: RDU
Programs: DL DM+(segs)/MM, UA Ag, Hilton DM, Marriott Ti (life Pt), TSA Opt-out Platinum
Posts: 3,227
Originally Posted by gfunkdave
Interesting, thanks, but I think this is not quite accurate. I found an online IPv6 port scanner and it couldn't connect to any of my devices. For example, my home Linux server has an IPv6 address. On my laptop in Chrome I can go to [ipv6 of server] and it works. If I ssh to the router at my parents' house and try to telnet to port 80 of that IP, the connection times out. But I can ping the server's IPv6 address from my parents' router.
Perhaps your parents' router/device/ISP doesn't support IPv6 yet? There are lots of devices out there that don't yet support (or have enabled) IPv6.

Originally Posted by gfunkdave
So there must be some routing going on in my home router that allows pings from the internet but doesn't allow incoming connections.
I would assume that's the default behavior and generally what people would want...

So it sounds like your devices are firewalled. That's good. Are you using DHCP? Is it being provided by your router? There may be a setting on there to turn off IPv6.
HDQDD is offline  
Old Oct 16, 2015, 4:43 pm
  #5  
FlyerTalk Evangelist
Original Poster
 
Join Date: Nov 2002
Location: ORD
Posts: 14,231
Originally Posted by HDQDD
Perhaps your parents' router/device/ISP doesn't support IPv6 yet? There are lots of devices out there that don't yet support (or have enabled) IPv6.

I would assume that's the default behavior and generally what people would want...

So it sounds like your devices are firewalled. That's good. Are you using DHCP? Is it being provided by your router? There may be a setting on there to turn off IPv6.
My parents' house has an IPv6 address from Comcast. IPv6 works fine there. I can ping the IPv6 address of the server from their house.

Everything is using DHCPv6 with prefix delegation from the ISP.

I guess I'd just thought that, if everything attached to the internet has a publicly addressable IP in IPv6 then I thought everything would be reachable but it seems not to be the case. So that's good. It's not how I thought it worked. So I'm still curious how exactly it works, since I just haven't found it documented anywhere.
gfunkdave is offline  
Old Oct 17, 2015, 9:09 am
  #6  
 
Join Date: Jul 2007
Location: San Francisco/Sydney
Programs: UA 1K/MM, Hilton Diamond, Marriott Something, IHG Gold, Hertz PC, Avis PC
Posts: 8,156
At the moment most "consumer" routers that support IPv6 simply firewall all inbound connections. Some of them allow you to configure this firewall in that you can allow specific IPs/ports (much the same as port forwarding with IPv4/NAT), but I've yet to find one that allows you to turn the firewall off completely - which is probably a good thing.

I beta test some products for one of the major consumer router vendors, and I've been having discussions with a few of their engineers around the best way to handle IPv6 when it comes to security - unfortunately it's one of those things where basically every decision has a side effect, if only because of the average clue level of the type of people that are using many of these products...
docbert is offline  
Old Oct 17, 2015, 1:35 pm
  #7  
FlyerTalk Evangelist
 
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,507
Originally Posted by HDQDD
If you have your firewall wide open this may be true. Otherwise your router is likely providing DHCP addresses to your devices. On internal networks I prefer IPv4 because the addresses are easier to remember. Outside my internal network, I could care less.
Actually it's more likely that SLAAC's used to assign IPv6 addresses on the internal network. You can usually tell by the number of addresses the device receives (2 if it's a PC) and the last half of the assigned address (containing a slightly modified form of your MAC address). DHCPv6 is used to get the IPv6 block from your ISP as well as to obtain additional configuration information such as DNS servers that SLAAC isn't capable of broadcasting.
tmiw is offline  
Old Oct 17, 2015, 10:30 pm
  #8  
 
 
Join Date: Nov 2000
Location: Upcountry Maui, HI
Posts: 13,311
by any chance are your devices behind your firewall assigned addresses starting with fc00?

Those are local addresses for ipv6

-David
LIH Prem is online now  
Old Oct 17, 2015, 10:32 pm
  #9  
FlyerTalk Evangelist
 
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,507
Originally Posted by LIH Prem
by any chance are your devices behind your firewall assigned addresses starting with fc00?

Those are local addresses for ipv6

-David
My local addresses start with fdad. Those aren't really relevant for Internet use though because IPv6 doesn't have NAT.
tmiw is offline  
Old Oct 17, 2015, 11:53 pm
  #10  
 
 
Join Date: Nov 2000
Location: Upcountry Maui, HI
Posts: 13,311
so how does that work? if you get a local address it's not visible publicly, right?

The packets have to get routed back to you somehow.

I guess I'll do some searching/reading on ipv6.

-David

Last edited by LIH Prem; Oct 17, 2015 at 11:59 pm
LIH Prem is online now  
Old Oct 18, 2015, 12:03 am
  #11  
FlyerTalk Evangelist
 
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,507
Originally Posted by LIH Prem
so how does that work? if you get a local address it's not visible publicly, right?

The packets have to get routed back to you somehow.

I guess I'll do some searching/reading on ipv6.

-David
Correct. Your router gives you an IPv6 address or a few that are visible to the rest of the Internet (starting with 2xxx); IPv6 addresses beginning with fxxx are solely for internal LAN use.
tmiw is offline  
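To make the address categories from posts #7 and #11 concrete, here is a small Python helper (added to this thread as an illustration, not code from any poster or vendor) that classifies an IPv6 address as global unicast (2000::/3), unique local (fc00::/7), link-local or loopback, and detects the EUI-64 interface identifier that SLAAC builds from a MAC address (the ff:fe marker in the middle, with the universal/local bit flipped). The sample addresses and the MAC 00:1a:2b:3c:4d:5e are constructed for the example; the documentation prefix 2001:db8::/32 stands in for a real ISP prefix.

```python
import ipaddress
from typing import Optional

# Constructed sample addresses (not taken from the thread). The first one carries an
# EUI-64 interface ID derived from the made-up MAC 00:1a:2b:3c:4d:5e.
SAMPLE_ADDRESSES = [
    "2001:db8:1:2:21a:2bff:fe3c:4d5e",   # global unicast, MAC-derived interface ID
    "2001:db8:1:2:9c3e:7f0a:1b2c:3d4e",  # global unicast, randomised interface ID
    "fdad:1234:5678:1::4",               # unique local (fc00::/7), LAN-only
    "fe80::21a:2bff:fe3c:4d5e",          # link-local, never leaves the segment
    "::1",                               # loopback
]


def classify(addr: str) -> str:
    """Name the scope of an IPv6 address using the well-known prefixes."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:                                  # fe80::/10
        return "link-local"
    if ip in ipaddress.IPv6Network("fc00::/7"):           # ULA, the "fxxx" addresses in the thread
        return "unique-local"
    if ip in ipaddress.IPv6Network("2000::/3"):           # the "2xxx" addresses in the thread
        return "global-unicast"
    return "other"


def mac_from_eui64(addr: str) -> Optional[str]:
    """Return the MAC a modified-EUI-64 interface ID was derived from, or None.

    The check is a heuristic: a randomised interface ID can contain ff:fe at the
    same offset by chance (about 1 in 65536)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]          # low 64 bits = interface ID
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]    # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in mac)


def audit(addresses):
    """Flag globally routable addresses whose interface ID leaks the hardware address."""
    report = []
    for a in addresses:
        kind = classify(a)
        mac = mac_from_eui64(a)
        report.append({
            "address": a,
            "kind": kind,
            "mac": mac,
            "mac_exposed_globally": kind == "global-unicast" and mac is not None,
        })
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_ADDRESSES):
        print(row)
```

Only the first sample address is both reachable from the Internet and built from a MAC; that combination is what the privacy/temporary-address settings discussed later in the thread are meant to avoid.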
Old Oct 18, 2015, 12:51 am
  #12  
 
Join Date: Oct 2015
Location: next to HAM
Programs: LH M+M
Posts: 960
Originally Posted by tmiw
My local addresses start with fdad. Those aren't really relevant for Internet use though because IPv6 doesn't have NAT.
There is a similar thing: prefix translation as per RFC 6296. With that a translation like from fd01:203:405::/48 to 2001:db8:1::/48 is possible.
PAX_fips is offline  
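Worked example for the prefix translation PAX_fips mentions, added here as an illustration rather than code from the thread or from any NPTv6 implementation. RFC 6296 translation is checksum-neutral: after the inside prefix is swapped for the outside prefix, the subnet word (bits 48-63) is adjusted so that the 16-bit one's complement sum of the whole address is unchanged, which keeps TCP/UDP checksums valid without the translator touching the transport header. This example handles prefixes of /48 or shorter only (the RFC also covers longer prefixes), and its choice to emit 0x0000 when the adjusted word would be 0xFFFF (the two are the same checksum value) is the example's own handling of that case; consult the RFC for the normative rule. The host address fd01:203:405:1::a is constructed from the prefixes quoted above.

```python
import ipaddress


def ones_complement_sum(words):
    """Fold 16-bit words into a one's complement sum, as the TCP/UDP checksum does."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)
    return total


def address_words(ip: ipaddress.IPv6Address):
    packed = ip.packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def words_to_address(words) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def nptv6_translate(addr: str, from_prefix: str, to_prefix: str) -> ipaddress.IPv6Address:
    """Rewrite addr from from_prefix to to_prefix, choosing the subnet word (bits 48-63)
    so that the one's complement sum of the address is unchanged. /48 or shorter only."""
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 48:
        raise ValueError("prefixes must have equal length, at most /48")
    ip = ipaddress.IPv6Address(addr)
    if ip not in src:
        raise ValueError(f"{addr} is not inside {from_prefix}")

    old = address_words(ip)
    host_mask = (1 << (128 - src.prefixlen)) - 1
    new = address_words(ipaddress.IPv6Address((int(ip) & host_mask) | int(dst.network_address)))

    # Solve for word 3: sum(new with word 3) must equal sum(old) in one's complement arithmetic.
    target = ones_complement_sum(old)
    partial = ones_complement_sum(new[:3] + new[4:])
    adjusted = ones_complement_sum([target, (~partial) & 0xFFFF])
    if adjusted == 0xFFFF:
        # 0xFFFF and 0x0000 are the same checksum value; this example emits 0x0000 (assumption).
        adjusted = 0x0000
    new[3] = adjusted
    return words_to_address(new)


def checksum_neutral(a: str, b: str) -> bool:
    """True if the two addresses contribute the same value to a transport checksum."""
    sa = ones_complement_sum(address_words(ipaddress.IPv6Address(a)))
    sb = ones_complement_sum(address_words(ipaddress.IPv6Address(b)))
    return (sa % 0xFFFF) == (sb % 0xFFFF)       # treat 0xFFFF and 0x0000 as equal


if __name__ == "__main__":
    inside, outside = "fd01:203:405::/48", "2001:db8:1::/48"
    out = nptv6_translate("fd01:203:405:1::a", inside, outside)
    back = nptv6_translate(str(out), outside, inside)
    print(out, back, checksum_neutral("fd01:203:405:1::a", str(out)))
```

Note that the subnet number changes on the outside (subnet 1 becomes d550 here): that is expected, the mapping is still one-to-one, and running the same function with the prefixes swapped restores the original address. Because nothing above layer 3 is rewritten, this is stateless, unlike IPv4 NAPT, and it does not give the stateful inbound filtering discussed elsewhere in the thread.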
Old Oct 25, 2015, 6:35 am
  #13  
 
Join Date: Jul 2001
Location: Lower Merion Township, PA, (an inner-ring suburb to the Socialist Workers City/State of Philadelphia, PA)
Posts: 596
A few comments based on the original questions and the subsequent back and forth.

How does security on IPv6 work? Effectively the same as IPv4, with the one difference being IPv4 routers (home or otherwise) do NAT and IPv6 addresses are almost always globally routable. What does that mean? In IPv6, every device behind a router has an IPv6 address that is unique across the entire internet. That is not necessarily a bad thing, because that is how IPv4 was intended to work, but the addresses ran out too quickly.

A good home router does SPI, an acronym for Stateful Packet Inspection. The quick description of SPI is it will not let a packet of data, any packet in any format (TCP or UDP or any other), come into your LAN unless the incoming packet is a "result" of an outgoing packet originating from your LAN. For example, you type flyertalk.com in a browser window, and all the data packets in response to that request are allowed in. But separately and at any other time of the day or night, data packets to, say, establish an FTP connection that did not originate on your LAN are not allowed. Timeouts of ports and protocols are involved for the FlyerTalk.com request, and this all works inside the router with little to no tuning or configuration needed on your part for home or SOHO class routers (but a different story for business class routers).

Not all home routers do this, for example the $39 model may not do it at all or not as well as the $200 SOHO model. Words used in these descriptions are "full cone NAT" and "restricted cone NAT" routing, and you might find some useful descriptions if you search for those terms.

I disagree with one of the statements above: SLAAC, not DHCPv6, is in all likelihood used to give your LAN clients IPv6 addresses. I don't use Time Warner and am not 100% certain on this, but a design feature of IPv6 was to not have to rely on NAT and to be self configurable. SLAAC (Stateless Address Auto Configuration) is the acronym for the self-configurable feature in IPv6. And if you are not doing this on the LAN side (it's up to you not TM, and TM doesn't control this unless they give you a locked down router), then you're over complicating things.

Another statement above is somewhat misleading. If you are using SLAAC, you want to "randomize" the part of the IPv6 address that is not delegated to your router; don't rely on the algorithm that uses the device's MAC address to derive the value. To check this on Windows (not sure it will work on XP), from a CMD prompt:

netsh interface ipv6 show global -> check if "Randomize Identifiers" is enabled.

netsh interface ipv6 show privacy -> see if "Use Temporary Addresses" is enabled; it should be, for some number of days or hours.

The critics, (reference: people on dslreports.com) seem to think Microsoft got all the defaults right and the above two settings should be as listed.

For a quick check of your router's IPv6 Firewall, do this test http://ipv6.chappell-family.com/ipv6tcptest/. The results should be all green, like in the image in the third message here.
JadedTraveler is offline  
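The stateful packet inspection JadedTraveler describes, reduced to a toy model in Python so the behaviour gfunkdave observed (pings answered, unsolicited TCP connections dropped, replies to LAN-initiated traffic allowed) can be traced packet by packet. This is an added illustration, not code from the thread or from any router firmware; the addresses, ports, packet list, 60-second idle timeout and the policy of admitting inbound ICMPv6 echo requests are all constructed for the example. A real router also tracks TCP state flags and per-protocol timeouts; this model keys state on the 5-tuple and an idle timer only.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

ICMPV6_ECHO_REQUEST, ICMPV6_ECHO_REPLY = 128, 129


@dataclass(frozen=True)
class Packet:
    ts: float          # seconds since start (constructed)
    direction: str     # "out" = LAN -> Internet, "in" = Internet -> LAN
    proto: str         # "tcp", "udp" or "icmpv6"
    src: str
    sport: int         # for icmpv6: the echo identifier
    dst: str
    dport: int         # for icmpv6: the echo identifier again
    icmp_type: int = 0


class StatefulFilter:
    """Outbound packets create flow state; inbound packets are admitted only if they
    match live state, or are echo requests and the policy allows them."""

    def __init__(self, idle_timeout: float = 60.0, allow_inbound_echo: bool = True):
        self.idle_timeout = idle_timeout
        self.allow_inbound_echo = allow_inbound_echo
        self.state: Dict[Tuple, float] = {}       # LAN-side 5-tuple -> last seen

    @staticmethod
    def _key(pkt: Packet) -> Tuple:
        # Normalise to (proto, lan_addr, lan_port, remote_addr, remote_port) so a reply
        # coming in matches the request that went out.
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt: Packet) -> str:
        key = self._key(pkt)
        if pkt.direction == "out":
            self.state[key] = pkt.ts               # create or refresh the flow
            return "allow"
        if pkt.proto == "icmpv6" and pkt.icmp_type == ICMPV6_ECHO_REQUEST:
            return "allow" if self.allow_inbound_echo else "drop"
        last = self.state.get(key)
        if last is not None and pkt.ts - last <= self.idle_timeout:
            self.state[key] = pkt.ts               # reply to something we started
            return "allow"
        return "drop"                              # unsolicited, or the flow has timed out


# Constructed hosts (documentation prefix, not real addresses).
LAN, WEB, SCANNER = "2001:db8:1:2::10", "2001:db8:ffff::80", "2001:db8:dead::1"

SAMPLE_TRAFFIC: List[Packet] = [
    Packet(0.0, "out", "tcp", LAN, 51000, WEB, 443),                      # browser opens a site
    Packet(0.1, "in", "tcp", WEB, 443, LAN, 51000),                       # reply matches state
    Packet(1.0, "in", "tcp", SCANNER, 40000, LAN, 21),                    # unsolicited FTP attempt
    Packet(2.0, "in", "icmpv6", SCANNER, 0, LAN, 0, ICMPV6_ECHO_REQUEST),  # ping from outside
    Packet(3.0, "out", "icmpv6", LAN, 7, WEB, 7, ICMPV6_ECHO_REQUEST),     # LAN host pings out
    Packet(3.1, "in", "icmpv6", WEB, 7, LAN, 7, ICMPV6_ECHO_REPLY),        # its reply
    Packet(100.0, "in", "tcp", WEB, 443, LAN, 51000),                     # same tuple, flow idle > 60 s
]


def run(packets: List[Packet], **policy) -> List[str]:
    fw = StatefulFilter(**policy)
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRAFFIC, run(SAMPLE_TRAFFIC)):
        print(f"{pkt.ts:6.1f} {pkt.direction:3} {pkt.proto:7} {pkt.src} -> {pkt.dst}: {verdict}")
```

Packets 2 and 7 are the interesting ones: the FTP attempt has no matching state and is dropped even though the LAN host has a globally routable address, and the late packet on an otherwise valid tuple is dropped because the flow timed out, which is the "timeouts of ports and protocols" part of the post. Setting allow_inbound_echo=False turns the outside ping into a drop, the Win7-style behaviour gfunkdave remembers.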
Old Oct 25, 2015, 8:27 am
  #14  
FlyerTalk Evangelist
Original Poster
 
Join Date: Nov 2002
Location: ORD
Posts: 14,231
Thanks, JadedTraveler! My router is indeed doing its SPI job.

Although I was surprised to find that Windows 10 allows ping responses by default - I remember Win7 doing the opposite.
gfunkdave is offline  
Old Oct 25, 2015, 8:42 am
  #15  
FlyerTalk Evangelist
 
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,507
Originally Posted by JadedTraveler
I disagree with one of the statements above: SLAAC, not DHCPv6, is in all likelihood used to give your LAN clients IPv6 addresses. I don't use Time Warner and am not 100% certain on this, but a design feature of IPv6 was to not have to rely on NAT and to be self configurable. SLAAC (Stateless Address Auto Configuration) is the acronym for the self-configurable feature in IPv6. And if you are not doing this on the LAN side (it's up to you not TM, and TM doesn't control this unless they give you a locked down router), then you're over complicating things.
With TWC, DHCPv6 is used on the router end to assign the router itself an IPv6 address as well as grab the /64 prefix that should be given out to devices behind the router. SLAAC is likely used to give the individual computers IPs, yes, but it's also possible to run DHCPv6 in tandem (with DHCPv6 assigning network properties that can't be assigned with SLAAC).
tmiw is offline  