IPv6: Oops, it's on by default

Do you know whether your computers are actively using IPv6 or not? Better check, as the bad guys probably already know. Michael Kassner explains how that might be exploited.

Microsoft began enabling the IPv6 protocol by default with the release of Vista. That policy continued with Windows Server 2008 and will continue with Windows 7. Apple, Linux, and Solaris are also shipping their latest releases with IPv6 enabled.

Before continuing, I need to explain something. We all understand that IPv6 is important. I even mustered enough courage, with the gracious help of Joe Klein (director of IPv6 security at Command Information), to write several articles about it. So that's no longer on my radar.

What's on my radar

I'm not sure why, but computers are now shipping with IPv6 enabled. My guess would be that most OS developers figured IPv6 networks would be more predominant by now, or that there's no downside to enabling IPv6, so why wait?

I do know of one Microsoft service that requires IPv6. It's called Windows Meeting Space. It uses the peer-to-peer framework and IPv6 to set up ad hoc networks automatically.

What numbers are we talking about

The number of computers running IPv6 is staggering. Carolyn Duffy Marsan in a NetworkWorld article quoted Joe Klein as saying:

"We're probably talking about 300 million systems that have IPv6 enabled by default. We see this as a big risk."

What I'm wondering is how many of the people using those 300 million computers realize IPv6 is enabled, or know what that means.

What's being exploited

In a concurrent article, Marsan asked experts what they considered the most serious issues of running a dual stack of IPv6 and IPv4. Here's what they said:

  • Rogue IPv6 traffic: Attackers realize that most network administrators aren't monitoring IPv6 traffic, or can't, because existing firewalls, IDS, and network management tools aren't IPv6-aware. Therefore, an attacker can send malicious traffic to any computer running IPv6 and it will get through.
  • IPv6 tunneling: Protocols such as Teredo and Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) encapsulate IPv6 packets inside IPv4 packets. The encapsulated packets can easily pass through IPv4 firewalls and network address translation (NAT) equipment, defeating perimeter defenses intended to detect and drop IPv6 packets.
  • Rogue IPv6 equipment: Because IPv6 uses auto-configuration, an attacker can gain considerable control over computers running IPv6 simply by placing a rogue device capable of issuing IPv6 addresses on the network under attack. To make matters worse, the device could advertise itself as a router, forcing all traffic to transit through it and allowing attackers to snoop on, modify, or drop traffic at will.
  • Built-in ICMP and multicast: Unlike IPv4, IPv6 requires ICMP and multicast traffic. That fact will significantly change how administrators approach network security. Right now, blocking ICMP and multicast traffic on IPv4 networks is accepted practice. That will no longer work, and complicated filtering of ICMP and multicast packets will be required to maintain some semblance of security.
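The first two items above (IPv6 traffic nobody is watching, and IPv6 hidden inside IPv4) are things a defender can check for. The following Python is an added example, not code from the article or from the experts it quotes. It classifies an IPv6 address as Teredo, 6to4, ISATAP, link-local, unique-local, loopback or global, recovering the IPv4 endpoint embedded in the three tunnel formats (using the standard library's `IPv6Address.teredo` and `IPv6Address.sixtofour` properties plus a hand-written check for the ISATAP `0:5efe` interface-identifier prefix), and it flags IPv4 flow records that an IPv4-only firewall would see as plain UDP or protocol-41 traffic. The `Flow` record type, `SAMPLE_FLOWS` and the test addresses are constructed for the example; the flow checks are heuristics, as noted in the comments.

```python
"""Spot IPv6 transition-tunnel addresses and traffic (added example).

Two defender-side checks for the dual-stack issues listed above:
  * classify() names an IPv6 address's class and, for Teredo, 6to4 and
    ISATAP addresses, extracts the IPv4 endpoint embedded in it;
  * flag_tunnel_flows() marks IPv4 flow records that carry encapsulated
    IPv6 (UDP to the Teredo port, or IPv4 protocol 41).
All sample data below is constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TEREDO_UDP_PORT = 3544        # Teredo server/relay port (RFC 4380)
PROTO_UDP = 17
PROTO_IPV6_ENCAP = 41         # IPv6-in-IPv4, used by 6to4, ISATAP and 6in4
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")


def isatap_embedded_ipv4(addr: ipaddress.IPv6Address) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address carried in an ISATAP interface identifier (RFC 5214).

    The identifier is 0000:5efe:w.x.y.z (0200:5efe:... when the u/l bit is
    set); the IPv4 address occupies the last four bytes. This is a
    heuristic: an unrelated address could match by coincidence.
    """
    iid = addr.packed[8:]
    if iid[:4] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        return ipaddress.IPv4Address(iid[4:])
    return None


def classify(text: str) -> Dict[str, str]:
    """Return the address class plus any embedded IPv4 endpoint."""
    addr = ipaddress.IPv6Address(text)
    if addr.teredo:                       # 2001:0::/32, server and client embedded
        server, client = addr.teredo
        return {"kind": "teredo", "ipv4": str(client), "server": str(server)}
    if addr.sixtofour:                    # 2002:WWXX:YYZZ::/48
        return {"kind": "6to4", "ipv4": str(addr.sixtofour)}
    isatap = isatap_embedded_ipv4(addr)
    if isatap:                            # before link-local: ISATAP is usually fe80::
        return {"kind": "isatap", "ipv4": str(isatap)}
    if addr.is_loopback:
        return {"kind": "loopback"}
    if addr.is_link_local:
        return {"kind": "link-local"}
    if addr in UNIQUE_LOCAL:
        return {"kind": "unique-local"}
    return {"kind": "global"}


@dataclass(frozen=True)
class Flow:
    """Constructed IPv4 flow record (what a NetFlow collector would hand you)."""
    proto: int          # IPv4 protocol number
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def flag_tunnel_flows(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Mark IPv4 flows that are really IPv6 in disguise.

    Protocol 41 is always encapsulated IPv6. For Teredo only the client to
    server leg is guaranteed to use UDP 3544; data to relays uses the port
    the client learned during qualification, so this catches setup traffic
    rather than every Teredo packet.
    """
    findings = []
    for f in flows:
        if f.proto == PROTO_IPV6_ENCAP:
            findings.append((f, "ipv6-in-ipv4 encapsulation (6to4/ISATAP/6in4)"))
        elif f.proto == PROTO_UDP and TEREDO_UDP_PORT in (f.sport, f.dport):
            findings.append((f, "teredo client/server exchange"))
    return findings


# Constructed flows: one Teredo setup, one 6to4 packet to the anycast relay,
# one ordinary HTTPS connection that should not be flagged.
SAMPLE_FLOWS = [
    Flow(PROTO_UDP, "192.0.2.45", "65.54.227.120", sport=40000, dport=3544),
    Flow(PROTO_IPV6_ENCAP, "192.0.2.4", "192.88.99.1"),
    Flow(6, "192.0.2.45", "198.51.100.10", sport=51000, dport=443),
]

if __name__ == "__main__":
    for a in ("2001:0:4136:e378:8000:63bf:3fff:fdd2", "2002:c000:204::1",
              "fe80::5efe:c000:207", "fe80::1", "fd00::1", "2001:db8::1"):
        print(a, classify(a))
    for flow, why in flag_tunnel_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}: {why}")
```

The embedded IPv4 endpoints are what make these addresses worth logging: a Teredo address on an internal host tells you which external server it qualified through and which NAT-mapped IPv4 address it is reachable at, and a 6to4 address tells you which IPv4 host terminates the tunnel, which is exactly the information a perimeter that only inspects IPv4 headers never sees.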

Leave IPv6 enabled or not

Whether to leave IPv6 enabled or not is about as clear as mud. There's the yes camp and there's the no camp, with the whole gray area in between littered with other opinions. I thought I'd let the experts introduced in Marsan's article present their views.

Tim LeMaster, director of systems engineering for Juniper's federal group, says:

"If you're not prepared for IPv6, then the prudent thing to do is not to allow it into your network," LeMaster says. "But you shouldn't be blocking all IPv6 traffic for the next five years. You should only block it until you have a policy and understand the threats."

Lisa Donnan, vice president of advanced technology solutions at Command Information, has a different viewpoint:

"We don't recommend that you block IPv6 traffic. We are recommending that you do an audit and find out how many IPv6 devices and applications are on your network. If you have IPv6 traffic on your network, then you've got to plan, train, and implement IPv6."

Sheila Frankel, computer scientist in the Computer Security Division of the National Institute of Standards and Technology (NIST), expresses a middle-ground viewpoint:

"Companies need to acquire a minimal level of expertise in IPv6, which will help protect them against threats. The other thing they should do is to take their outward-facing servers, those that are external to the corporation's firewalls, and enable IPv6 on them. That way, customers from Asia with IPv6 addresses will be able to reach these servers and their own people will acquire expertise in IPv6. This will be a first step in the process."

Frankel continues:

"IPv6 is coming. The best way is to face it head on and to decide you're going to do it in the most secure manner possible."

As soon as I started receiving computers with IPv6 enabled, I turned the protocol off. My rationale was: why take a chance when it's not necessary? Apparently, my choice is paying off, as my clients' computers aren't vulnerable to these new exploit vectors.

That works for me, for the time being at least. I don't pretend my choice will work for everyone. From the above opinions, the only thing I know for sure is that getting up to speed on IPv6 is important, as that knowledge will help you determine what's in the best interest of your network and computer systems.

How to disable IPv6

Thankfully, disabling IPv6 is quite easy. I've provided links to Web sites that explain the process for several operating systems, if you're so inclined:

Disable IPv6 in Linux

Disable IPv6 in Windows Vista

Disable IPv6 in Mac OS X
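Before disabling anything, the question the article opens with (is this machine actively using IPv6?) is worth answering from the host's own state. What follows is an added example, not code from the article or from the pages it links to. It parses the text that `sysctl net.ipv6.conf.all.disable_ipv6` and `ip -6 addr show` print on a Linux host (the sample output below is constructed), reports which interfaces carry globally scoped addresses, which are link-local only, and which are tunnel devices, and renders the sysctl lines that switch the stack off. The `disable_ipv6` sysctl is the kernel's own switch and is a different mechanism from the modprobe approach discussed in the comments; the tunnel-interface name prefixes are an assumption about common Linux device names.

```python
"""Audit a Linux host's IPv6 exposure from command output (added example).

Feed audit() the output of:
    sysctl net.ipv6.conf.all.disable_ipv6
    ip -6 addr show
The samples below are constructed so the script runs offline.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample output, in the format the two commands print.
SAMPLE_SYSCTL = "net.ipv6.conf.all.disable_ipv6 = 0\n"

SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:21c:42ff:fe00:1234/64 scope global dynamic mngtmpaddr
       valid_lft 86390sec preferred_lft 14390sec
    inet6 fe80::21c:42ff:fe00:1234/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::21c:42ff:fe00:5678/64 scope link
       valid_lft forever preferred_lft forever
4: sit0@NONE: <NOARP,UP,LOWER_UP> mtu 1480 state UNKNOWN qlen 1000
    inet6 2002:c000:20a::1/16 scope global
       valid_lft forever preferred_lft forever
"""

# Assumption: device names that usually mean an IPv6-over-IPv4 tunnel on Linux.
TUNNEL_NAME_PREFIXES = ("sit", "tun6", "ip6tnl", "6to4", "isatap", "teredo")

IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+)")          # "2: eth0: <...>" / "4: sit0@NONE: <...>"
ADDR_RE = re.compile(r"^\s+inet6\s+(\S+)\s+scope\s+(\w+)")


@dataclass
class Interface:
    name: str
    addrs: List[Tuple[str, str]] = field(default_factory=list)   # (address/prefix, scope)


def parse_ip6_addr(text: str) -> Dict[str, Interface]:
    """Group the inet6 lines of `ip -6 addr show` under their interface."""
    ifaces: Dict[str, Interface] = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = Interface(m.group(1))
            ifaces[current.name] = current
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            current.addrs.append((m.group(1), m.group(2)))
    return ifaces


def parse_sysctl(text: str) -> Dict[str, str]:
    """Turn 'key = value' lines into a dict."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit(sysctl_text: str, ip_addr_text: str) -> List[str]:
    """Return human-readable findings; an empty list means IPv6 is off and unused."""
    findings = []
    if parse_sysctl(sysctl_text).get("net.ipv6.conf.all.disable_ipv6") == "0":
        findings.append("ipv6 stack enabled (disable_ipv6=0)")
    for iface in parse_ip6_addr(ip_addr_text).values():
        if iface.name == "lo":
            continue                        # ::1 is expected and not reachable off-host
        scopes = {scope for _, scope in iface.addrs}
        if iface.name.startswith(TUNNEL_NAME_PREFIXES):
            findings.append(f"{iface.name}: tunnel interface configured")
        if "global" in scopes:
            findings.append(f"{iface.name}: globally scoped address present")
        elif scopes == {"link"}:            # auto-configured fe80:: only, no router seen
            findings.append(f"{iface.name}: link-local only")
    return findings


def disable_sysctl_lines() -> List[str]:
    """Lines for a /etc/sysctl.d drop-in that turn IPv6 off on all interfaces."""
    return ["net.ipv6.conf.all.disable_ipv6 = 1",
            "net.ipv6.conf.default.disable_ipv6 = 1"]


if __name__ == "__main__":
    for finding in audit(SAMPLE_SYSCTL, SAMPLE_IP_ADDR):
        print(finding)
    print("to disable:", *disable_sysctl_lines(), sep="\n  ")
```

On a live host, replace the two sample strings with `subprocess.check_output(["sysctl", "net.ipv6.conf.all.disable_ipv6"], text=True)` and `subprocess.check_output(["ip", "-6", "addr", "show"], text=True)`. A "link-local only" finding is the common home case described in the comments (the machine has an fe80:: address but no router advertised a prefix); a "globally scoped address" or "tunnel interface" finding means the host is reachable over IPv6 by some path and the firewall question in the article applies.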

Final thoughts

This is definitely a thorny subject and full of surprises, just like every new and untested technological change. I can accept that. What's hard to accept is that security once again appears not to be a main consideration. I hope it's just a temporary oversight.


182 comments
Jimbo Jones

traffic they don't recognize. I do understand the concern about encapsulation - as someone said, that is a concern with any kind of tunneling, GRE or whatever. But the article makes it seem that if your edge firewalls aren't IPv6 aware they will pass it by default, and I don't see how that could be. Can you explain this?

Michael Kassner

I was worried when some members commented that I was spewing FUD in this article. I'm sorry. I don't see that. I presented the opinions of experts. I did mention what my approach was, but I also added a qualification: "That works for me for the time being at least. I don't pretend to think my choice will work for everyone. From the above opinions, the only thing I do know for sure is that getting up-to-speed on IPv6 is important. As that knowledge will help you determine what's in your network and computer systems best interest." I am curious as to what you as member feel about the article. I absolutely do not want to promote anything but the truth.

lastchip

Another excellent article Michael, which prompted me to look at my Debian server. Interestingly, it seems the default is "turned off", as the line mentioned in your link was hashed (#) out. It is my understanding, that all lines marked with a hash, are ignored in Linux. But, far from being an expert in server configuration, I decided to research a little more and the excellent Debian Administration web pages, suggest exactly the same action as your link, except that, the lines should be place in a file *prior* to /etc/modprobe.d/aliases. The suggestion was: 00local. (for clarification: /etc/modprobe.d/00local) It seems it's important this file is read *before* the aliases file and the "00" makes sure this happens. I considered the options and decided "belt and braces" was probably a good idea, therefore, I created the said file on the assumption that it being there won't cause any harm and at worse, can only do good! If anyone of you server gurus out there thinks I've got this fundamentally wrong, I'll be very pleased to hear from you. On testing the server after its makeover, it all seems to function perfectly normally. Whether I've actually achieved anything worthwhile, remains to be seen - or hopefully, not to be seen!!!

PhilippeV

Yes we know that IPv6 is on by default in OSes, however it does not mean that this is a risk, for good reasons:
- either your ISP does not provide full IPv6 connectivity: the only way for IPv6 traffic to pass through your Internet connection will then be through tunneling (Teredo and 6to4), which most firewalls will not parse and block; it's simple: block Teredo and 6to4 tunneling in your IPv4 firewall.
- when your ISP will provide you IPv6 connectivity, it will not activate it by default on your Internet connection. Before you activate it, first make sure that you have the necessary firewalls updated to support this protocol. Note that your ISP will probably offer you IPv6 through a firmware upgrade in the router that it provides for you. This router most often already provides a basic firewall (most often through NAT, that IPv6 will probably not offer as NAT was made for IPv4): this router should immediately be made and preconfigured so that all sensitive ports will be blocked by default. When you'll have this IPv6 connectivity, you won't need the Teredo and 6to4 tunneling support, so you can leave them blocked.
Anyway, it's unbelievable that most firewalls (external appliances or local softwares) are still built and sold without IPv6 support when this support is built in the OS. Really, the OEM manufacturers of these devices and softwares are severely guilty when they have still not prepared their software/firmware to build full support for IPv6. Most probably this support will come when there will be a market explosion for it (but unfortunately, there's still no demand for it in America, Europe and Russia: this support will come from Asia, most probably from China or India, possibly also from Brasil, because of the explosion of the mobile Internet accesses which will be the only option for most users that can't have broadband access except within some restricted areas of large metropolitan areas).
I can't understand why hardware appliances can't support IPv6 for now, when most of them are embedding OSes for which this support is ready since many years (Cisco has it in its firmware modules for its routers, but most appliances for the SOHO market are using embedded OSes like Linux or *BSD kernels for which IPv6 is ready since long, as well as the support in the routing and firewalls). Most ISPs are just lame: they don't want to add it and won't add it as long as they will be able to give an IPv4 address to each of their clients: this is the case in Europe and North America, just because they have reserved TOO BIG address blocks for fitting all their customers in their network; the ICANN is pressing these North American and European ISPs to release the very large unused IPv4 address blocks they already have (but these ISPs don't want to do that, they are falsifying their usage rates, notably by rotating and randomizing the addresses assigned in these large address blocks, notably on DSL accesses for which they provide temporary IPv4 addresses that must be renewed or changed every (few) day(s). Not only this is a nightmare for customers, but they can also sell additional services like renting a permanent IP address within these blocks: you can easily explain the success of services like DynDNS just because of these temporary addresses). If ISPs really wanted to promote IPv6 (and let newcoming competitors to enter the Internet access market), they would have offered a permanent IPv4 address to all their customers, and the existing address blocks would have been allocated in a much more compact way. Why do we need IPv6 in fact? It's NOT because there is a lack of IPv4 resources (the exhaustion of this address space is artificial), but because it is now highly fragmented. The main problem is the maintenance of the IPv4 routing tables in internet gateways.
IPv6 has been created to allow routing tables to be managed more logically in a hierarchic way, with much less administration costs (and less security risks due to the maintenance of very large routing tables in inter-network gateways). The other problem is the explosion of the number of AS numbers: most of them are really too small and don't allow easy collaborations. AS administrators are really stupid and they want an AS just to maintain two alternate routes. If they went to IPv6, they would just have peerings with two alternate networks and addresses within the addressing spaces of each peer AS. IPv6 offers easy configuration (and zero administration) to allow mapping all addresses from one IPv6 address block to another and offer equivalent connectivity within the inner network, without even using network address translation: with IPv6, a host can have multiple IPv6 addresses, one for each logical network to which it is connected, and each one is perceived as if it was another logical network interface on the same host; most applications in fact do not care about which interface they need to listen or connect to, as this is taken in charge within the underlying OS that can select locally which one to use within its own local routing tables. But the main brake for the adoption of IPv6 is to explain to customers how to configure their firewalls: most people do not want to have to type (and remember) very long IPv6 addresses; for them they want it to be as easy as in IPv4. There are good solutions for that: let OS vendors offer a way to ignore the high part of the IPv6 address, managed by the interface and ISP configuration, and let them manage themselves the last 4 bytes of IPv6 addresses independently of the IPv6 address prefix which could be used. People don't care in fact about all the 128 bits. They just want a simple way to identify which addresses are external to their network, and which one is internal.
There's a simple solution for that: continue to use the "local" IPv4 address blocks like 10.x.x.x, 172.16.x.x to 172.31.x.x, and 192.168.x.x on the IPv6 address blocks for all your local configurations for IPv6. Unfortunately, the IPv6 protocol has forgotten to declare all the following IPv6 addresses with the following formats as being UNROUTABLE by default on the Internet (except for private LAN configuration within VLANs):
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:0.x.x.x
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:10.x.x.x
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:172.(16 to 31).x.x
xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:192.168.x.x
(this should be the case even within IPv6, because all these addresses can still be mapped within the same IPv6 /48 block allocated for each ISP customer, and even if several /48 blocks are used because a final customer has several internet connections from distinct ISPs or peers). These address sub-blocks should still use local NAT as if they were IPv4, when they are communicating between a private LAN and the rest of the world (or if an external IPv6 address, using a non recognized /96 prefix, is using an address with this formats, that should not be used for general purpose Internet services like web servers). Note that the address blocks above are all sharing the same /96 prefix, which largely fits within the same /48 block given by the ISP to each customer. This type of configuration would allow easy configuration for most customers. ISPs should explain the benefit of making the transition to IPv6 to their customers, and they should really provide the necessary tools with easy administration: managing IPv6 addresses (and which ones should be NAT'ed if they conflict with the easy administration) should be part of their assistance services. They must work better to provide immediate connectivity within a secured subblock of the given /48 block.
OS vendors should also work better to offer this assistance as well (it's not enough to support the IPv6 protocol, you also need tools to manage the larger addressing space and assign security zones within them: this is still not the case of Windows). But the main problem for IPv6 adoption is that too many applications are not prepared at all to accept IPv6 addresses and manage them easily: this also includes server softwares (web servers, RDBMS/ODBMS databases, media servers...) that do not provide this by default (or with an easy ON/OFF option). Most communication programs for the home and small office users do not have the minimum IPv6 support (even though this is extremely easy to add, even if this support can be OFF by default). We desperately need that common firewalls be preconfigured with a secure profile that supports IPv6 natively and which can be left ON by default. For now IPv6 support in applications is only added as a paid option and this is not reasonable. Really the problem is then NOT the fact that IPv6 is ON by default within the OSes but the fact that the rest of the environment is not prepared to support it. Don't blame Microsoft for that: blame ISPs that do not do their homework. IPv6 is not complicated, it just appears to be so, only because there are too many applications that have still not been updated to support it, at least basically, despite IPv6 being ready since many years. So where is the risk today: only within the "transition" services that have been adopted and activated since the beginning. Teredo and 6to4 tunneling should have been OFF by default (and blocked by default within IPv4 firewalls), even if IPv6 is left ON by default. It's quite easy to add this blocking within existing IPv4 firewalls (but it should be even easier, just like the default configuration that blocks the IPv4 traffic of Windows/SMB/CIFS/Active Directory ports through the internet connection).
Users still want a secure default configuration where they can easily identify which traffic is between hosts within their local LAN. This is possible, but this common profile (that should become a recommendation before massive deployment) is still not defined. Let's hope that Microsoft, Apple, and major Linux/Unix distributors will cooperate to define this common profile. And that they finally accept to cooperate to define this minimum SAFE profile which will be as easy to understand as in IPv4 for most users (including at home), and force the ISPs to do their homework so that they will support this profile without any additional configuration by their customers, or without forcing them (like they do now) to buy additional "PRO" support services. Supporting this minimum profile will then very rapidly be added within most applications. People want IPv6 because they are fed up of using NAT (even through UPnP). Let's just drop the tunneling options (Teredo and 6to4 are not scalable anyway and are definitely not the right solution for fast adoption and migration). If you want to secure your network just block these tunnels by default (and disable this unneeded tunneling support by default within OSes.)

uli.fuerst

IPv6 on Linux was on by default long before it was turned on by default on Vista. (On WinXP you needed to install the IPv6 protocol first). However Linux has ip6tables to configure a firewall in the same manner as iptables does for IPv4. IPv6 is coming and in countries like China a huge part of the internet traffic is IPv6 - some IPv6 only. With IPv4 address shortages looming it is time that IP professionals get used to the new protocol and secure their network. Turning IPv6 off - from my point of view at least - can only be a short term option until companies have familiarised themselves with this protocol. Now IPv6 is nothing new in computer terms (around for more than 10 years) so I regard it as negligence if the protocol is turned on and not secured. After all a simple ifconfig/ipconfig command shows the IPv6 address if IPv6 is turned on.

LarryD4

Well it seems that some of the HPLJ 4350s have IPX/SPX, Appletalk, and DLC/LLC network support. But they suddenly stopped supporting those protocols and suddenly IPv6 is there, on and fully operational. My newest 4350 does not have those protocols as options anymore and neither do the new 3005s. So as not to confuse people we are turning off IPv6 on the printers.

Craig_B

We are running out of IPv4 addresses, here are the current projections from today (July 21, 2009). Projected IANA Unallocated Address Pool Exhaustion: 22-Jun-2011. Projected RIR Unallocated Address Pool Exhaustion: 02-Apr-2012. We need to start using IPv6 now so that we can come up to speed over the next few years and answer some of the questions people have. I don't think we can learn by turning everything off. IPv4 was designed to be end to end and NAT was put in place as a band-aid to the quick expansion of the internet. IPv6 is end to end, that does not mean that controls and safeguards don't exist. The migration process should be: Dual Stack Routers, upgrade DNS, verify applications and Dual Stack Clients. I believe it is only a matter of time before everything is IPv6, now that might be another few years or another 10+ years. Just like x86 is giving way to x64, IPv4 will give way to IPv6. So the real question is; When are you going to learn how to use this? Depending on your environment that answer may change however as a technical person, I believe it's good to at least have an understanding on how things work so that we can make informed decisions. Based on this knowledge we can decide to disable IPv6 or not.

Neon Samurai

I prefer Bastille supported distributions so my build scripts always include a /etc/Bastille/firewall.d/post-rule-setup.sh: ip6tables -I INPUT -j DROP. Put that at the bottom of your post-rule-setup.sh or equivalent firewall customization file. I'll have to add in the modprobe disable config also. I that will be a nice clean "sed" call.

Michael Kassner

That everyone has an edge firewall. I submit that there are millions of computers sitting right on the gateway.

seanferd

I'm just not seeing it, either. Of all the places I can read about security issues, your articles (the general tone of all your writing here, comments or articles) strike me as particularly "laid back". The difference between your articles, and say, Fox 8 News reports regarding e.g., Conficker, (aside from the actual information content differential) is a calm and reasonable tone. I just don't see the "fear-mongering". Meh. I thought it was informative.

Neon Samurai

Looks good to me also though I'm a more recent Debian admin than others here. # is normally a commented out line:
# command # code notation
command # code notation
The first would not be read, the second would read the command but not the "code notation" part after the # midway through. I think it does depend a little on the language reading the file but anything Bash and 99% of config files I've seen use # for commenting out parts. The init.d, modprobe.d and similar directories usually run their contents in alphanumeric order so the 00local sorts the file to run before the later files. That's my understanding also. I can't see why having the modprobe line in place would be an issue. I'd do that and still drop an ip6tables line in my firewall exception rules. If one doesn't do it then the other is your backup. This should be the same as using iptables rules along with hosts.allow/hosts.deny.. if one gets compromised, the other may remain in place. Like shooting; if the two sighting rings don't line up, the packet does not hit the target.

derekmorr

Software firewalls in Windows XP, Vista, 7, Mac OS X, and RedHat support IPv6 and are enabled by default. I don't routinely use other Linux distros, so I can't comment on them. Solaris 10 Update 4 includes IPv6 support in its firewall, but it's not enabled by default (it's not for IPv4 either). ESET Personal Firewall and F-Secure do as well. Norton Personal Firewall and the one in Symantec Endpoint Protection Suite do not support IPv6. As for hardware firewalls, Cisco PIX and ASA firewalls (as well as the FWSM module for the Cat 6500) support IPv6, as does Juniper ScreenOS 6.0, Checkpoint Firewall-1, and Fortinet Fortigate 3.0. Cisco IOS's built-in firewall also supports IPv6. Now, this is support for native IPv6, not 6to4 or Teredo tunnels. Blocking or disabling both of those is fairly easy (Windows Vista machines will disable Teredo if bound to AD, and blocking 6to4 is easy on firewalls). In Windows 7 and Win 2008 R2, there are new GPOs for disabling 6to4, Teredo and IP-in-HTTP tunnels. Some documents your readers might find useful: RFC 4890: Recommendations for Filtering ICMPv6 Messages in Firewalls - http://tools.ietf.org/html/rfc4890 NSA Router Security Configuration Guide Supplement - Security for IPv6 - http://www.nsa.gov/ia/_files/routers/I33-002R-06.pdf NSA Firewall Design Considerations for IPv6 - http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/ipv6/I733-041R-2007.pdf CERT has provided sample ip6tables (Linux) and Windows Vista firewall configurations, based on RFC 4890 at https://www.cert.org/blogs/vuls/2008/11/icmpv6_types_and_hostbased_fir.html Cymru provides templates for IPv6 bogon filtering - http://www.cymru.com/Bogons/v6top.html I also highly recommend the book _IPv6 Security_ published by Cisco Press in 2008. There was also an excellent presentation on IPv6 security at Winter 2009 Internet2 Joint Techs meeting.
Slides are available at http://www.uoregon.edu/~joe/ipv6-security/ipv6-security.pdf and the video is at http://events.internet2.edu/2009/jt-texas/netcast-streamtypes.cfm?session=10000367&streamtype=23&live=0.

Michael Kassner

I always appreciate it when you comment on my articles. I have two things. First, I feel that you are looking at this from the standpoint of an IT expert. In many cases that's what the vendors do as well. I suggest that's why we are in so much trouble with malware right now. Look at it from a different perspective, that of the millions of people that just use their computer. Then read all of your comments. I assure you it will look very different. Secondly, I feel that those millions of people aren't prepared to get out from behind NAT right now. I realize it's a form of security by obscurity, but it's something. I suspect that every form of malware infestation would jump monumentally if those millions of computers were connected directly to the Internet, regardless of whether there is a viable IPv6 software firewall on each and every one of those millions of computers.

Michael Kassner

But, what about the millions of computers that are sitting in homes right behind a cable or DSL gateway?

LarryD4

Yep. Posted to the wrong thread.

Michael Kassner

The point of the article. As I understand it, users having IPv6 enabled is self-defeating if the backbone isn't fully IPv6 enabled. It's actually a vulnerability, especially if it's dual stacked.

Michael Kassner

Have you noticed if all distros are now coming with IPv6 enabled?

derekmorr

I've found that assumptions like this aren't helpful. Even if a home machine is directly connected to its SOHO router, the majority of home OSes (XP, Vista, Mac OS X) have IPv6-capable firewalls enabled by default.

JCitizen

they could call that the FUD network and it wouldn't bother me at all. No sir! I guess my eye doctor ripped me off too, 'cause I just don't see it here either! Nope! Not here! ?:|

reubenhwk

Why are you so worried about this? IPv6 doesn't make a computer vulnerable. My home network has been 6to4 for over a year and I've had no problems while friends of mine who are IPv4 only install viruses themselves by clicking on links in emails and/or opening attachments. Telling people that they're safe if they turn off IPv6 is no good. It gives a false sense of security. Leave IPv6 on and learn how to use a computer!

uli.fuerst

My D-link ADSL router at home is not capable of IPv6 - I have to tunnel through (6to4) from my computer if I want to use IPv6. I know that the Cisco ADSL router can be configured for IPv6 but it is about 8 times the price. Would be interesting to know which ADSL routers are IPv6 capable and IPv6 enabled. Behind the router the computers which are IPv6 enabled only have a link local address (fe80::).

pgit

To answer your question, yes. It appears all the distros I follow are enabling it. Mandriva does. BTW the method on your Linux link above is not the preferred method in Mandriva anymore. Not sure about others. But you put this in modprobe rather than the lines suggested on the link: install ipv6 /bin/true. /bin/true is a null process. Like telling ipv6 (or anything pointed at it) to sit in the corner of the round house. I think the "running out of addresses" argument is disingenuous. There's whole blocks they've "reserved" that could be used, and of course the vast majority of machines are behind a NAT device. Three locations I can think of off the top of my head: total of 34 (minimum) computers with internet access, 3 world routable IPv4 addresses. If I had to guess I'd say there's probably less than 5,000 total public IP addresses in this county of 60,000 people.

Neon Samurai

I can see what Backtrack which may hint towards Slax as it's the parent of that particular fork. As a security distro, I expect it's enabled so you can use the tools going out though. I believe Mandriva has it but my last familiar version is 2008.1. At least it has a good firewall off by default so I expect it'd be ipv6 off by default. Debian for server use has some basis for assuming the admin has the skills to harden the system. IPv4 is on by default and no default rules for the firewall are provided. Bastille does firewall rules after install as do some other iptables front ends. - drop the iptables rule in my post-rule-setup.sh - set mail to only listen on ipv4 interface disabling the module directly will be another step to disable it until I have reason to have it on. I'll have to poke through my installed distros and see. If I'm motivated, I may go through my liveCD iso directory and see how much of that makes noise. I'm back into the DeICE and Hackerdemia disks though so that's been sucking my brain out of my head outside of work.

JCitizen

I appreciate your input to this discussion, even if a few felt like you were too dismissive :)

makkh

To be honest, as IT literate ppl, I believe we all fall under either 1 of the group: Explorer or Observer (rare cases if occupied both characteristics). From what I see here, seems like these 2 groups of ppl are arguing on 1 plain topic. Since these 2 groups have total diff behavior & approach thus conflicts occurred. I myself can be considered more like Observer as I prefer to stay cool until more info are ready to support the new technology. Also it relies on dependency where I find it useful or interesting to know more. I am not siding any party here, but I do have high respect upon all the efforts shown on both parties. All I can say is there is no harm to stay cautious with something we're not sure about. My reason is I noticed some approach provided by major IT player (you know who I mean) doesn't deliver as they promised / might not even be requested by users. From the posts I read here, it seems there is an internal loop for V6 when it is not properly routed thus affecting networking (internet) performance. Proofs shown it helps by disabling V6 feature (thanks for info sharing by others as I encountered the same issue previously on Vista machines). I have no objection upon V6 trial as I understand sooner or later it will succeed V4, however until that day is near the corner, I'd rather wait for the fine-tuned environment to be ready.

derekmorr

The only way to exploit a link-local address is to first gain access to the machine or the network. Neither is directly an IPv6 issue. Assuming an attacker meets the above criteria, s/he can learn details about your internal topology. However, the same information can be gleaned with IPv4 and ARP. There are pre-canned attacks against NDP (the Neighbor Discovery Protocol), but each of these has a direct analogue in IPv4+ARP. So I don't really see how this increases your exposure.

JCitizen

Can a crime cracker find any use for this? Like discovering the topology of your interior network for a later attack? I once discovered a vendor-supplied driver CD (made by another vendor of course) that had an SNMP client installed with it, simply to see how many open ports I had on the LAN. I spent a LOT of money to find out it was not malware from any other source and not the onboard SNMP service or spooler. Somebody at the CD printing service had hacked it into the factory CD. Downloading a fresh copy off the original vendor's driver site solved the problem. I find what is fortunately malware lying dead in temp folders afterward, but I find a lot of installed suspect things in the libraries that I never have any idea where they came from for sure. This is the threat landscape that my clients deal with every day, and they don't have a clue how to deal with it. They can only afford to have me come look at the problems so often. When it comes to clients I default to disabling unnecessary services and verify later. Now with me, I run a lab honey pot, so I WANT to see malware behaviour. I'll be leaving it on, just because I want to verify ALL network activity/behavior.

derekmorr

Why is Windows XP relevant here? XP does not enable IPv6 by default. XP does, however, support IPv6 in its firewall. But speaking of Windows, the Vista and 7 firewalls do support outbound filtering, for IPv4 and IPv6.

derekmorr

The argument has been about default configuration - that IPv6 being enabled by default poses a security risk. Well, if we're speaking about defaults, the OSes in question all run IPv6-aware firewalls by default. I never claimed that every single third-party firewall supports IPv6. I have said that several do. Specifically, ESET Personal Firewall, F-Secure, and Little Snitch do. Norton Personal Firewall, Symantec Client Firewall, DoorStop X, and NetBarrier X5 do not. However, merely having IPv6 enabled does not open your machine up to the public Internet. Having IPv6 enabled will only cause your machine to configure a non-routable link-local address. Unless your OS or SOHO router automatically creates IPv6 tunnels, there is no way for a malicious third party to connect to your machine.

Michael Kassner

I didn't even think about that. Sure thing, the MS firewall doesn't help with outbound traffic. Thanks Alan for pointing that out.

alan

You assume that the use of OSes (XP, Vista, Mac OS X) is relevant to firewall protection. Why? I am one of many home users that has disabled the XP Firewall because its incoming protection is inferior to alternative software firewalls, its outgoing protection does not exist, and the XP Firewall conflicts with the superior products and has to be disabled. How do you know that every available software firewall automatically provides full protection against IPv6? That seems to be a most dangerous assumption. I learnt about IPv6 many years ago, but had not realised until this important, valuable topic was posted that IPv6 was now activated and unleashed on the unsuspecting public. I am very thankful to Michael Kassner for this topic. Alan

derekmorr

Which statements are you referring to (I've made several posts here)? If it's the statements about IPv6 support in firewalls, IDS, etc., I can provide ample documentation. If it's statements about network configuration, I can provide references to RFCs, OS and router manuals, and ample packet captures. What citations can you provide that IPv6 is actually a threat?

Michael Kassner

Your statements are considered evidence? If that's your logic then the statements of the other experts are as qualified.

derekmorr

When those opinions aren't based on empirical evidence or operational experience. I have repeatedly asked in several posts for concrete evidence of actual attacks taking place via IPv6, or actual data breaches that used IPv6. So far, no evidence has been presented. Further, most of the allegedly "insecure" configurations have been shown to be hype. I stand by my original claim. IPv6 does not pose a serious security threat at the moment. This article has been baseless, unsupported fear mongering and FUD.

Michael Kassner

Of the experts, if they differ from you, apparently.

JCitizen

I was never going to get the time during business hours to fix that problem. That worked! That Brian Krebs is something, isn't he!!?? Now if FF gets the Java fix, I can breathe easier! P.S. - I'm going to set my clients to disable v. 6 until I can see if Comodo is capable of blocking it. Am I to understand that a stateful software firewall can't see end-to-end traffic like this?

Michael Kassner

But, I have yet to see a software firewall do anywhere near as good a job as a hardware one. True you can have a hardware firewall if you want. But how many mom and pops are going to do that? I'd love for someone to correct me as I see this whole thing as rather scary for the consumer-style of users.

CG IT

While some claim that they haven't had problems, it's the fact that the traffic is hidden and can go undetected that's the point. Not going to go into all the details about IPv6 and how it works. Anyone can find out with a little digging on Google. But I will say this: IPv6 is all about directly connected hosts. Proponents say because IPsec is built in, that IPv6 is secure from end to end by encryption, so firewalls and NAT aren't needed. But IPv6 traffic can be hidden, either by appearing as IPv4 traffic or simply because it's an end-to-end connection. While many say hey, no problemos, unless you're actually looking for the encrypted traffic and have a device that filters all traffic, you won't see it, because the host is directly connected to the other end.
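
The "appearing as IPv4 traffic" case above is concrete enough to detect at a capture point that only understands IPv4. The following is an added example, not code from CG IT or from the article: it builds a few packets inline (constructed with struct, not captured) and shows what an IPv4-only monitor should look for. IPv6-in-IPv4 tunnels (6in4, 6to4, ISATAP, 6rd) all use IPv4 protocol number 41, and Teredo carries IPv6 inside UDP on port 3544, so either pattern on a network that is not supposed to run IPv6 is worth an alert. Whether or not the inner traffic is then protected by IPsec, the encapsulation and the inner IPv6 addresses are readable at this layer. The 6to4 relay address 192.88.99.1 is the RFC 3068 anycast address and the Teredo server/client pair is the RFC 4380 example; the other addresses are from the documentation ranges. Teredo authentication headers are not parsed here; packets carrying one fall through the inner version check and return None.

```python
import ipaddress
import struct
from typing import Dict, Optional

PROTO_UDP = 17
PROTO_IPV6 = 41      # IPv6 carried directly in IPv4: 6in4, 6to4, ISATAP, 6rd (RFC 4213)
TEREDO_PORT = 3544   # Teredo: IPv6 carried in UDP (RFC 4380)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header. Checksum is left 0: these packets are parsed, never sent."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def ipv6_header(src: str, dst: str, next_header: int, payload_len: int) -> bytes:
    """Fixed 40-byte IPv6 header (version 6, zero traffic class and flow label)."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def udp_header(sport: int, dport: int, payload_len: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def inspect_ipv4_packet(pkt: bytes) -> Optional[Dict[str, str]]:
    """Return tunnel details if this IPv4 packet carries an IPv6 packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    outer_src = str(ipaddress.IPv4Address(pkt[12:16]))
    outer_dst = str(ipaddress.IPv4Address(pkt[16:20]))
    payload = pkt[ihl:]
    if proto == PROTO_IPV6:
        kind, inner = "proto-41", payload
    elif proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT not in (sport, dport):
            return None
        kind, inner = "teredo", payload[8:]
        # A Teredo origin indication (starts 0x0000, 8 bytes) may precede the IPv6
        # header; skip it. Authentication headers (0x0001) are variable length and are
        # not handled here, so such packets fail the IPv6 version check below.
        if inner[:2] == b"\x00\x00":
            inner = inner[8:]
    else:
        return None
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None  # tunnel-shaped on the outside, but no IPv6 header inside
    return {
        "tunnel": kind,
        "outer_src": outer_src,
        "outer_dst": outer_dst,
        "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
        "inner_next_header": str(inner[6]),
    }


def sixto4_source_matches_outer(result: Dict[str, str]) -> Optional[bool]:
    """For a 6to4 inner source, check that its embedded IPv4 equals the outer IPv4 source.

    A mismatch is the classic 6to4 relay spoofing pattern. None means the inner
    source is not a 6to4 address, so the check does not apply.
    """
    embedded = ipaddress.IPv6Address(result["inner_src"]).sixtofour
    if embedded is None:
        return None
    return str(embedded) == result["outer_src"]


def build_samples() -> Dict[str, bytes]:
    """Constructed packets for the example (not captures from a real network)."""
    plain = ipv4_header("192.0.2.10", "198.51.100.20", 6, 0)              # ordinary TCP
    inner = ipv6_header("2002:c000:20a::1", "2001:db8::1", 58, 0)         # ICMPv6 inside
    sixto4 = ipv4_header("192.0.2.10", "192.88.99.1", PROTO_IPV6, len(inner)) + inner
    spoofed = ipv4_header("203.0.113.7", "192.88.99.1", PROTO_IPV6, len(inner)) + inner
    inner_t = ipv6_header("2001:0:4136:e378:8000:63bf:3fff:fdd2", "2001:db8::2", 6, 0)
    teredo = (ipv4_header("192.0.2.45", "65.54.227.120", PROTO_UDP, 8 + len(inner_t))
              + udp_header(40000, TEREDO_PORT, len(inner_t)) + inner_t)
    return {"plain": plain, "sixto4": sixto4, "spoofed_6to4": spoofed, "teredo": teredo}


if __name__ == "__main__":
    for name, pkt in build_samples().items():
        found = inspect_ipv4_packet(pkt)
        print(name, found, sixto4_source_matches_outer(found) if found else "")
```

On a real sensor the same two tests (protocol 41, UDP port 3544) can be expressed as a capture filter, which is the quickest way to confirm whether a "v4-only" network is already carrying IPv6.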

JCitizen

He is not trying to be alarmist; you can see that he is trying to elicit discussion, not spread Fear, Uncertainty and Doubt. I felt all were adding to this discussion very well. I'm probably not going to do the fix, as my gateway firewall handles things like this very well, v.6 capable or not.

reubenhwk

You need anti-virus for Windows!

JCitizen

Nobody says this fix is the end-all of security! I'm sure you have your computer secured, so the next thing you're going to say is we don't need any anti-virus - right?

Michael Kassner

To your opinion and I appreciate you voicing it. I also think you should respect other expert opinion as well. I'm not talking about me either. I'm referring to the good people that commented in the articles. They do have some street-cred regardless of what you say.

derekmorr

I have spoken with folks from CI, at the Google IPv6 Implementors Conference a few months ago. I have read the article in question. I thought it was the same old scare tactics repeated all over again. I have been running IPv6 in production for several years, without security incident. I have blogged about IPv6 and security. See this post - http://www.personal.psu.edu/dvm105/blogs/ipv6/2008/11/ipv6-is-not-a-security-issue.html - and this one - http://www.personal.psu.edu/dvm105/blogs/ipv6/2009/05/thoughts-on-ipv6-security-take.html.

JCitizen

Whether you turn it off or not. At least the article gives you choices, while allowing that it may not be exactly an emergency. The title of the article is just an attention grabber; if folks get scared, that is their fault. I liked the article, but I'm not going to turn it off.

reubenhwk

Instead of scaring folks and encouraging them to bury their heads in the sand (by turning off IPv6) why not encourage them to understand and embrace it?

derekmorr

Right. So a client machine with IPv6 enabled behind a v4-only SOHO router is most likely not reachable over IPv6, unless it's running an OS that automatically creates an IPv6 tunnel and isn't running an IPv6-capable firewall. I'm not aware of such an OS off the top of my head. So as far as a "typical" home user is concerned, I'm still thinking this is FUD.

reubenhwk

dlink DIR-615C1
dlink DIR-825B1
dlink DI-524 D
dlink DI-624 D
dlink DI-784
I think the Linksys 610n does 6to4 automatically, but can't be configured (or disabled). The Apple routers all have IPv6 support (very nice support too). I'm waiting for D-Link to release a firmware for the DGL 4500 with IPv6. Until then, Linux is my 6to4 router with proto-41 forwarding in the DGL.
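
The reachability question running through this thread (link-local only, unless the OS or a router such as the ones listed above has quietly built a 6to4 or Teredo tunnel) can be settled per host rather than argued. The following is an added example, not code from any commenter or from the article: it parses `ip -6 addr show` output in the Linux format (the sample lines are constructed for the example, not taken from a real host) and classifies each address by where it is reachable from. On Windows the equivalent raw data comes from `netsh interface ipv6 show address`, which this parser does not handle. The Teredo address used in the assertions is the RFC 4380 example; the 6to4 address embeds 192.0.2.4 from the documentation range.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample of `ip -6 addr show` output (Linux). These lines are made up
# for the example; they are not a capture from a real host.
SAMPLE_IP6_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::21c:42ff:fe00:1234/64 scope link
3: tun6to4: <NOARP,UP,LOWER_UP> mtu 1480 state UNKNOWN qlen 1000
    inet6 2002:c000:204::1/16 scope global
"""

SIXTO4 = ipaddress.IPv6Network("2002::/16")  # RFC 3056: embeds the host's public IPv4
TEREDO = ipaddress.IPv6Network("2001::/32")  # RFC 4380: embeds server and client IPv4
ULA = ipaddress.IPv6Network("fc00::/7")      # RFC 4193: site scope, not routed on the Internet

_IFACE_RE = re.compile(r"^(\d+): ([^:@\s]+)[@:]")
_INET6_RE = re.compile(r"^\s+inet6 (\S+)/(\d+) scope (\S+)")

Finding = Tuple[str, str, str, Optional[str]]  # (interface, address, class, embedded IPv4)


def classify(address) -> str:
    """Map one IPv6 address to a reachability class.

    6to4 and Teredo are tested before is_global: ipaddress treats 2001::/32 as
    non-global, and a tunnel-derived address is the case worth flagging on its own.
    """
    addr = ipaddress.IPv6Address(address)
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr in SIXTO4:
        return "6to4"
    if addr in TEREDO:
        return "teredo"
    if addr in ULA:
        return "unique-local"
    if addr.is_global:
        return "global"
    return "other"


def embedded_ipv4(address) -> Optional[str]:
    """The IPv4 address a tunnel address encodes, or None for native addresses."""
    addr = ipaddress.IPv6Address(address)
    if addr.sixtofour is not None:
        return str(addr.sixtofour)
    if addr.teredo is not None:
        server, client = addr.teredo  # ipaddress already undoes the client obfuscation
        return str(client)
    return None


def audit(ip6_addr_output: str) -> List[Finding]:
    """Walk `ip -6 addr show` text and classify every inet6 address on every interface."""
    findings: List[Finding] = []
    iface = "?"
    for line in ip6_addr_output.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            iface = m.group(2)
            continue
        m = _INET6_RE.match(line)
        if m:
            addr = m.group(1)
            findings.append((iface, addr, classify(addr), embedded_ipv4(addr)))
    return findings


def internet_reachable(findings: List[Finding]) -> List[Finding]:
    """Addresses a remote IPv6 host could in principle send packets to.

    Link-local and unique-local addresses are excluded: they never leave the link or
    site, which is the situation of a dual-stack host behind a v4-only router.
    """
    return [f for f in findings if f[2] in ("global", "6to4", "teredo")]


if __name__ == "__main__":
    findings = audit(SAMPLE_IP6_ADDR)
    for iface, addr, kind, v4 in findings:
        note = f" (embeds IPv4 {v4})" if v4 else ""
        print(f"{iface:10} {addr:40} {kind}{note}")
    print(f"{len(internet_reachable(findings))} address(es) reachable from the IPv6 Internet")
```

Run against real output, an empty result from internet_reachable is the "link-local only" case; a 6to4 or Teredo entry means a tunnel exists, and the embedded IPv4 tells you which public address it was built on.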