Forum Discussion
Having all your IPv6 addresses public with no router is a really bad idea.
You would be forced to put all your devices online if you wanted them to have an IP address.
No router means no IPv6 address unless it's passed from the ISP.
Think of all the devices you might have on your network that can't or don't have good security.
Every games console, phone, IP cam, smart TV and every iPod/iPhone that's jailbroken with the same root password for SSH. That's gonna be fun.
Anonymous wrote: Having all your IPv6 addresses public with no router is a really bad idea.
The most logical IPv6 configuration would be to assign a single address to your router, and then a /64 block routed behind it...
It would be very messy and difficult to manage connecting multiple devices directly to a cable modem, each with their own IPv6 address, and this would also require an IPv4 address for each device unless you wanted to go pure v6.
In the case of a router, it would hand out addresses within the /64 to all the devices you have behind it... You would assume that the default configuration of such a router, especially one provided by default by a mainstream ISP, would be to block inbound connections to any of the devices while allowing unrestricted outbound connections. Having spoken to someone who has native IPv6 on AT&T DSL in the US, this is indeed the default configuration of the device he has.
Although saying that, hiding a device behind a filter is a very poor kludge... What happens if someone gets behind your filtering device and finds a bunch of easy targets? What happens if you take your misconfigured iPhone out with you and connect it to a public Wi-Fi network?
There really is no excuse for not configuring your devices properly, especially if you took the trouble to jailbreak your iPhone *and* install SSH on it!
- VMCopperUser, 14 years ago, Wise owl
bert64 wrote: Although saying that, hiding a device behind a filter is a very poor kludge... What happens if someone gets behind your filtering device and finds a bunch of easy targets? What happens if you take your misconfigured iPhone out with you and connect it to a public Wi-Fi network?
My solar inverter doesn't allow me to change the password!!... It has both Telnet and HTTP menus, and, sadly, you can change critical data through those menus. If you manage to get a secure connection inside someone's LAN then they are done for. I am sure that you don't have your computer set to block all LAN traffic? I am sure with a bit of work you could flash custom firmware on the SuperHubs too. So if someone breaks into your LAN then they could flash the SH with firmware, and chances are that all traffic coming from there does have permission to talk to your PC...
As we said earlier though, the "firewall" features of home routers are what give the huge protection; we will still need a device like that when we move to IPv6 (I will not trust VM's hardware to do it).
All Netgear routers (with original firmware) can easily be tampered with from the LAN side. I know the SH firmware will not deviate much, but until I find a cheap SH to tamper with I'll not try anything.... A lot of other equipment can (from the LAN) be exposed with little or no way to protect it without physically disconnecting the unit. Devices on my network that have limited settings are a Roku box, solar inverter, two TVs and one Freeview box. I could even include my two Netgear routers in there. The key is in the gateway (router) and it will be even after the move to IPv6.
I think a /120 or /116 block would be more than enough to hand out to users.
- bert64, 14 years ago, Joining in
VMCopperUser wrote: My solar inverter doesn't allow me to change the password!!... It has both Telnet and HTTP menus, and, sadly, you can change critical data through those menus.
An IPv6 block smaller than /64 would break stateless autoconfig. I agree a /64 block is wasteful, but this is just how IPv6 has been designed, and with 2^128 addresses there really is no realistic chance of them running out. It also means that even if you do leave systems on unfiltered routable addresses, the likelihood of someone finding them within 2^64 possible addresses is fairly slim.
As for blocking LAN traffic, I don't block any traffic to my main workstation at all. No software firewall, and I also use a VPN connection to a colocated server to give myself fully routable IPv4 and IPv6 connectivity.
I don't block any traffic because, aside from SSH, there are no other services open to answer any such traffic. If you were to attack this service, you would either need to find a vulnerability in the particular version of SSH that's in use, or brute force my private key.
The SuperHub is designed to be updated from the ISP end; I don't believe it is designed to be updated from the customer end, although vulnerabilities could exist. That said, vulnerabilities could also exist on such devices which are accessible from the outside, thus giving an attacker access to your internal network.
There are various ways attackers could get into your internal network...
Misconfigured Wi-Fi? (Google for aircrack-ng or reaver-wps.)
Reflection attacks against outbound applications such as browsers... Within an HTML page on a website it is possible to instruct a browser to fetch other resources. If you know the default internal IP of certain types of router, combined with the default password, it may be possible to bounce requests off a user's browser simply by that user visiting a site over which you have some level of control. The same could probably be done with your solar inverter too; although it would be necessary to guess the internal IP, you can narrow down the possibilities by process of elimination (e.g. the default DHCP scope, default internal ranges), and some browsers can even leak their internal IP address under certain circumstances.
Guest users may introduce trojans to your network...
You may take a device elsewhere, e.g. a public Wi-Fi network, where it can be easily attacked and backdoored, and then take it home again.
The "protection" offered by filtering is not really protection at all, it is just hiding... If you are ever found, then it's game over. Like you said, if you get a connection to someone's LAN then they are done for.
However, if you configure your devices properly then a hostile connection to the LAN would not be game over at all.
If you have devices which cannot be configured in a secure way, then you need to chase the vendor of that device for an update, or switch to a more responsible competitor.
I also have various devices here which have non-routable IPv4 addresses, not out of choice but because I don't have enough addresses to go round. Some of them have fully routable v6 with no filtering.
An HP printer - both the admin interface (HTTPS) and the actual print service require authentication.
An HP networked scanner - the HTTPS admin interface requires authentication; otherwise this device only makes outbound connections and has no other services listening.
Two wireless access points operating in bridging mode - they only offer HTTPS/SSH services for administration, again authenticated.
One TV - this is purely a media consumption device; it does not offer any services which accept inbound connections.
Two Freesat receivers - these have an authenticated web interface from which you can schedule recording of shows; otherwise they too are consumption devices.
A NAS - this offers authenticated file shares which are accessed by the TV and Freesat receivers, and an authenticated HTTPS page for management.
A VoIP telephone adapter - this offers an authenticated SIP service, through which phone calls can be made.
Two VoIP telephones - these connect to the telephone adapter; it also connects back when inbound calls are received.
I'm sure there's some other stuff I've forgotten, but I would be perfectly happy to put all this stuff on the internet, safe in the knowledge that you're very unlikely to guess my authentication details, and even if you compromised the devices via an exploit, access to one device would not give you any elevated access to any other.
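The browser-reflection scenario bert64 describes above (a page the user happens to visit makes their browser send requests to a router or inverter at its default internal address, carrying the default password) is cross-site request forgery against a LAN admin interface. The following is an added example, not code from any poster or from any device vendor, showing the three checks such an interface needs in order to refuse those bounced requests: the Host header must name the device itself (so a DNS-rebinding page cannot reach it under the attacker's hostname), a state-changing request must carry an Origin or Referer from the device's own hostname, and the supplied credentials must exist and must not be the factory defaults. DEVICE_HOSTS, DEFAULT_CREDENTIALS and the sample request headers are all assumed or constructed for this example.

```python
import base64
from typing import Optional
from urllib.parse import urlsplit

# Hostnames and addresses on which this hypothetical device's admin
# interface is meant to be reached. Assumed values for the example.
DEVICE_HOSTS = {"192.168.0.1", "fd00::1", "router.lan"}

# Factory credentials the example device is assumed to ship with.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "")}


def hostname_of(value: Optional[str]) -> Optional[str]:
    """Host part of a Host header ('192.168.0.1:8080', '[fd00::1]:8443')
    or of an Origin/Referer URL ('http://attacker.example/p')."""
    if not value:
        return None
    if "://" not in value:
        value = "//" + value              # let urlsplit treat it as an authority
    try:
        return urlsplit(value).hostname   # lower-cased, port and [] stripped
    except ValueError:
        return None


def basic_auth_credentials(header: Optional[str]) -> Optional[tuple]:
    """Decode an HTTP Basic Authorization header to (user, password)."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header.split(None, 1)[1], validate=True).decode()
    except (IndexError, ValueError, UnicodeDecodeError):
        return None
    user, _, password = raw.partition(":")
    return (user, password)


def rejection_reasons(method: str, headers: dict) -> list:
    """Reasons an admin request should be refused; an empty list means accept.
    Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    reasons = []

    # 1. The Host header must be one of the device's own names. A DNS
    #    rebinding page points its own hostname at the device's LAN address,
    #    so the browser sends the attacker's hostname here.
    if hostname_of(h.get("host")) not in DEVICE_HOSTS:
        reasons.append("host-mismatch")

    # 2. State-changing requests must originate from a page served by the
    #    device itself. A request bounced off the user's browser by a
    #    third-party site carries that site's Origin (or Referer).
    if method.upper() not in ("GET", "HEAD", "OPTIONS"):
        source = h.get("origin") or h.get("referer")
        if not source:
            reasons.append("no-origin")
        elif hostname_of(source) not in DEVICE_HOSTS:
            reasons.append("cross-origin")

    # 3. Credentials must be present and must not be the factory defaults;
    #    otherwise the bounced request can simply include them.
    creds = basic_auth_credentials(h.get("authorization"))
    if creds is None:
        reasons.append("no-credentials")
    elif creds in DEFAULT_CREDENTIALS:
        reasons.append("default-credentials")
    return reasons


def _basic(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample requests (not captured traffic).
LEGITIMATE = {"Host": "192.168.0.1", "Origin": "http://192.168.0.1",
              "Authorization": _basic("admin", "s3cret-passphrase")}
# A page on attacker.example submits a form to the router's default address
# with the default password: the "bounce" described above.
REFLECTED = {"Host": "192.168.0.1", "Origin": "http://attacker.example",
             "Authorization": _basic("admin", "admin")}
# Same, but via DNS rebinding: the browser believes it is talking to
# attacker.example, whose name has been repointed at 192.168.0.1.
REBOUND = {"Host": "attacker.example", "Origin": "http://attacker.example",
           "Authorization": _basic("admin", "admin")}

if __name__ == "__main__":
    for name, req in (("legitimate", LEGITIMATE), ("reflected", REFLECTED),
                      ("rebound", REBOUND)):
        print(f"{name:11s} POST -> {rejection_reasons('POST', req) or 'accept'}")
```

The Host check is what defeats the "guess the internal IP" step: even when the attacker narrows the address down correctly, a rebinding page cannot make the browser send the device's own name in the Host header. The Origin check is what stops the direct bounce against a known default address, and a non-default password is what makes the third check meaningful; a device that fails any of them (the inverter with an unchangeable password being the worst case) is exactly the kind of target the thread is worried about.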
- Dagger, 14 years ago, Tuning in
VMCopperUser wrote: Responding to ARP requests for the NAT mapped global addresses with its own MAC address is a must ..... with Basic NAT setup.
That quote is from RFC 3022 Section 6.2, which, if you read the full paragraph, you'll see is actually talking about the need to use proxy ARP in the case where your WAN IPs haven't been routed to you, i.e. the case I've been busy saying is a bad idea; it also highlights the fact that NAT doesn't touch MAC addresses, since if it did there wouldn't be a need to additionally use proxy ARP in that situation. (Also note that "Basic NAT" isn't the type of NAT we use; Basic NAT is when you have a public block of addresses big enough to do 1:1 address mapping with your private addresses.)
VMCopperUser wrote: I think a /120 or /116 block would be more than enough to hand out to users.
I did go over this earlier in the thread; while a /120 has enough addresses for most people, it's not about the number of addresses. SLAAC is only specified for /64s (and the subnet size is expected to be /64 on all subnets anyway); I have multiple VLANs here, each of which needs its own /64, so I need a bigger block than just a single /64 routed to me.
And there is absolutely no problem with allocating /48s to every customer. It's no more difficult than allocating /64s to every customer, and Virgin have enough IPv6 space to do it.
Claustrophiles can simply ignore any extra space they get, while those of us that do need the extra space can't just pretend it into existence. Since there's no problem with allocating /48s from an exhaustion -- or any other -- perspective, we should do that, since it permits all use cases.
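Two strands of the thread come down to prefix arithmetic: bert64's point that stateless autoconfiguration only works on a /64 and that 2^64 addresses are far too many to sweep, and Dagger's point that a customer with several VLANs needs a block of /64s rather than one. The following added example, not code from any poster, works both through with Python's standard ipaddress module: it forms the modified EUI-64 interface identifier a host derives from its MAC address (RFC 4291, Appendix A), builds the SLAAC address for a /64 and refuses any other prefix length (RFC 4862 requires prefix length plus interface-identifier length to be 128), counts the /64s in a /48, and estimates how long a brute-force sweep of a prefix would take. The MAC address, prefixes and probe rate are made up for the example.

```python
import ipaddress

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC address:
    insert ff:fe between the OUI and the device part, then flip the
    universal/local bit (bit 0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms by stateless autoconfiguration for the prefix
    announced in a Router Advertisement. The interface identifier is 64
    bits, so the prefix must be exactly /64: a /120 or /116, as suggested
    above, leaves no room for it and cannot be used with SLAAC."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError(f"SLAAC needs a /64 prefix, got /{net.prefixlen}")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def subnet_count(prefix: str, new_prefixlen: int = 64) -> int:
    """How many /new_prefixlen subnets fit inside prefix (e.g. /64s in a /48)."""
    net = ipaddress.IPv6Network(prefix)
    if new_prefixlen < net.prefixlen:
        raise ValueError("subnets cannot be larger than the block they come from")
    return 1 << (new_prefixlen - net.prefixlen)


def years_to_sweep(prefix: str, probes_per_second: float) -> float:
    """Time to probe every address in prefix once at the given rate. For a
    /64 this is astronomically long, which is why an unfiltered host on one
    is unlikely to be found by exhaustive scanning; real scanners rely on
    DNS, logs and predictable address patterns instead of brute force."""
    net = ipaddress.IPv6Network(prefix)
    return net.num_addresses / probes_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"                       # made-up MAC address
    print("SLAAC address:", slaac_address("2001:db8:1::/64", mac))
    print("/64s in a /48:", subnet_count("2001:db8::/48"))
    print("/64s in a /56:", subnet_count("2001:db8::/56"))
    print("years to sweep a /64 at 1M probes/s: %.0f" %
          years_to_sweep("2001:db8:1::/64", 1e6))
    print("years to sweep a /120 at 1M probes/s: %.2e" %
          years_to_sweep("2001:db8:1::/120", 1e6))
    try:
        slaac_address("2001:db8:1::/120", mac)
    except ValueError as exc:
        print("SLAAC on a /120:", exc)
```

The numbers make both points concrete: a /48 holds 65,536 /64 subnets (a /56, the other common residential size, holds 256), so the extra space Dagger asks for costs nothing in address terms, while a /120 holds only 256 addresses and, besides breaking SLAAC, could be swept in well under a second at a million probes per second.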