vancata

join:2012-02-02

IPv6 for residential users

What options are available to connect to the ipv6 Internet, based on the following scenario:

- no ISP and no router support for IPv6

- no ISP but IPv6 capable router

- ISP but no IPv6 capable router

I would like to find out all the possible mechanisms to connect to the internet using IPv6, based on the scenarios above. I currently find myself in the first situation and I managed to connect using tunnel broker and Teredo. What other ways are available to connect for each situation?

Thank you


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
You're going to be stuck using a tunnel no matter how you do it. (unless your ISP decides to provide native)

The first thing I would recommend is moving away from Teredo.

Teredo has to use STUN (nat traversal) with each relay which can lead to less than stable connections. Relays can also be overloaded and really slow. I have seen a lot of breakage with Teredo.

If you have a dedicated (always-on) Mac or *nix machine, I would recommend having it act as an IPv6 router using tunnelbroker.net and broadcasting IPv6 across your LAN.

If you are using Windows, I'd recommend signing up for a tunnel through sixxs.net. They offer AYIYA tunnels, which are UDP-based tunnels that can go through multiple layers of NAT. You won't have to mess with your firewall or worry about your IP address changing. There is also a nice GUI-based Windows client.

If you go that route, I'd recommend just opening a tunnel for each PC (you'll need to wait a couple of weeks until you get the credits to open more tunnels).


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
Reviews:
·Comcast
reply to vancata
Unless your ISP hands out native IPv6 addresses, you're going to be using a tunnel.

If you don't have an IPv6 capable router you can put one together very cheaply.

I run m0n0wall on more than adequate hardware that most people would throw away. I have been using some four port GB-1000 routers that I got on ebay for small change.


timcuth
Braves Fan
Premium
join:2000-09-18
Pelham, AL
Reviews:
·Charter
·AT&T Southeast
reply to vancata
And I am not talking against what graysonf said, but I simply flashed my router with a version of dd-wrt that supports IPv6. Cost=0 beyond what I already had, and I learned a lot in the process. You would also learn a lot doing it with m0n0wall (or with pfsense, or untangled, or many other ways of doing it).

Tim
--
"Life is like this long line, except at the end there ain't no merry-go-round." - Arthur on The King of Queens
~ Project Hope ~


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast

1 recommendation

said by timcuth:

You would also learn a lot doing it with m0n0wall (or with pfsense, or untangled, or many other ways of doing it).

...or just a linux box running radvd. You can also run rtadvd on OS X (it's built in).

You only need a single nic and can announce RAs onto your lan. Remember your IPv4 and IPv6 routers don't have to be the same.


JTC
Always Mount A Scratch Monkey

join:2002-01-09
USA
reply to vancata
I used a virtual machine with m0n0wall to connect to the tunnel broker Hurricane Electric offers. Works a treat
--
All hardware sucks, all software sucks, some just suck more than others

vancata

join:2012-02-02
I spoke with Netgear and they did not really help. They said that there will be no more firmware upgrades for my router and therefore it will not support IPv6. Anyway, I have heard of dd-wrt and looked at their page, but everything seems so complicated and time consuming as it has to be done manually by typing in some commands. Therefore I will not be doing it, as I am not sure whether it will work at all.

Anyway, let's say that my only way to connect is using tunnels, Teredo or a third-party service. What are the implications of those in terms of security? Is there a better option and if there are some security holes, how can they be mitigated?

Thank you

Ivan


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
Reviews:
·Comcast

2 recommendations

You'll want to run a firewall on IPv6 just as you would on IPv4. Since there is no NAT involved with IPv6, you will have routable public IP addresses on your interfaces, hence the need for firewalling.

However, since the IPv6 space is so vast, even your own comparatively minuscule typically assigned /64, it is somewhat impractical to port scan it.

I have yet to see the first attempt to penetrate my IPv6 network, whereas the single IPv4 address I have gets many probes.

vancata

join:2012-02-02

1 recommendation

reply to vancata
Do different transition mechanisms such as:

- 6to4
- Teredo
- Tunnel brokers, or
- Native

require different security to be put in place? I mean, does the transition only require an IPv6 capable firewall and that's it? Shouldn't there be additional security, as each mechanism functions in a different way?

Thank you


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
Google: ipv6 security vulnerabilities

Dive in.


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast

2 recommendations

reply to vancata
said by vancata:

Do different transition mechanisms such as:

- 6to4
- Teredo
- Tunnel brokers, or
- Native

require different security to be put in place.

Yes. Teredo for example is a host based transition mechanism and requires a host firewall.

I should also add that not having IPv6 enabled on your network is also a security risk.

For example, an exploited PC can announce IPv6 on your LAN even if you don't have it running. All other PCs on the subnet will pick up v6 addresses and prefer traffic going over v6. Throw in a NAT64 gateway with DHCPv6 or RADVD and you can do a MITM with their v4 by using v6.

That's why it's important to deploy IPv6 rather than waiting for an exploited PC to deploy it for you.


MrIpv6

@fay-ar.us
reply to vancata
Try latest OpenWrt.

Since 2010-11 it has "just worked" with the Hurricane Electric tunnel AND even if you have a dynamic IPv4 address, OpenWrt will automatically update the Hurricane Electric end-point with your changed IPv4 address.

It is now "easy" to do IPv6 with routers that OpenWrt supports (MOSTLY the same set as DD-WRT, but watch out, there are some differences).

Up until then it was very difficult to get all the settings, now it is plug-and-play.

It even has a great combined IPv4 + IPv6 firewall.

I've set up 12+ sites for friends and family to use it and no problems for over a year of operations.

Give it a shot. Highly recommended.

If you have a static IP address and want to do even more than OpenWrt can do (which it can do quite a lot) then try the free Vyatta software.

Business class router software as free and open-source.

With both OpenWrt and Vyatta you can also do site-to-site and/or client-to-server VPN.

With OpenWrt, Vyatta, OpenVPN + IPv6 I can do everything needed very easily.

When my ISP finally switches to Native IPv6 (if ever, Cox, when will you have native IPv6 for Cable Modems?) all I have to do is set up the connection to the ISP and tear down the tunnel to Hurricane Electric.

Give it a shot. MUCH MUCH easier than it used to be over a year ago.


leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10
Reviews:
·SONIC.NET

1 recommendation

reply to whfsdude
said by whfsdude:

I should also add that not having IPv6 enabled on your network is also a security risk.

Leaving computers and other network equipment at default settings is the biggest security risk (all modern operating systems are IPv6 ready by default).
Explicitly disabling IPv6 on every networked device eliminates the IPv6 specific risks.
Running an IPv6 network eliminates many but not all IPv6 specific problems. It is still possible for an exploited PC to make rogue router announcements (to redirect traffic) and to use neighbor discovery to get valuable information.
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
said by leibold:

Running an IPv6 network eliminates many but not all IPv6 specific problems. It is still possible for an exploited PC to make rogue router announcements (to redirect traffic) and to use neighbor discovery to get valuable information.

Correct. That's why there is RAguard (HP gear has them now). You can even do RAguard like snooping via ndisc6 on Linux.

If your switch doesn't support RAguard (eg. Cisco's older gear), you can toss up an ACL on the access ports that takes care of the problem.

deny icmp any any router-advertisement

But getting back to my point. It's easier to implement IPv6, even if you don't announce it to the customer, than it is to disable IPv6 on every device.

You also take a hit of having to re-enable IPv6 on every device when you actually roll it out.

Then you just have some devices that are hard to disable IPv6 on. Cellphones are usually a decently convoluted process.

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
Two things... a) that requires a switch with some sort of layer-3 capabilities. And b) the command you provide is for IPv4 -- it will do jack all to limit IPv6. (if it doesn't have IPv6 capability, then it won't have "ipv6 access-list" either.)

This, of course, presumes one has a managed switch. Very, very few "residential users" have managed switches. The few that do are "smart" switches -- i.e. managed by a very limited web interface. (Even I don't use Cisco switches in my home network. Gigabit cisco gear is f'ing expensive. I use a cheap Nortel ERS 5510. )


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
said by cramer:

b) the command you provide is for IPv4 -- it will do jack all to limit IPv6.

Wrong. First off note the fact it says "router-advertisement."

Second, here is the Cisco white paper on it:
»www.cisco.com/en/US/prod/collate···135.html

said by cramer:

it will do jack all to limit IPv6. (if it doesn't have IPv6 capability, then it won't have "ipv6 access-list" either.)

That was my point. If you don't have v6 enabled (network gear supported, ACLS up, etc), then your network is vulnerable.

said by cramer:

This, of course, presumes one has a managed switch. Very, very few "residential users" have managed switches.

You're assuming I'm talking about res. users, which I am not.

With rogue RAs we're talking about something similar to ARP spoofing, DHCP attacks, or spanning tree modification. Home users don't protect against those.......

A residential user hardly needs a network based firewall. A host based firewall will do because most exploits are via systems rather than network based ones.


leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10
Reviews:
·SONIC.NET

2 recommendations

reply to cramer
The proper syntax recommended by cisco for filtering router advertisements from all sources except the real router on your network:

ipv6 access-list outsideACL permit icmp6 host xxx any router-advertisement
ipv6 access-list outsideACL deny icmp6 any any router-advertisement
access-group outsideACL in interface yyy

The caveats are many:
- IOS version has to be recent (older versions don't support IPv6 or only contain much more limited IPv6 filter capabilities)
- existing Cisco router and switches cannot always be upgraded to current IOS versions
- requires extended access lists (this usually means a license for Advanced IP Services)
- the IOS images for Advanced IP Services tend to be bigger in size and can not always be installed on routers/switches with limited memory (not always upgradeable)

Despite the small mistake (icmp vs. icmp6), whfsdude raises some valid points. Regardless of which approach to securing the network is taken (disabling IPv6 everywhere or setting up a secure IPv6 LAN), there is significant effort involved. Even in situations where an evaluation shows that disabling IPv6 is the lesser effort, this may turn into more work when IPv6 is deployed later on. In a corporate environment with many network devices and frequent change it may indeed be better to configure and secure IPv6 than to disable it everywhere.

As cramer correctly points out, securing an IPv6 network is next to impossible for the typical residential user (and this was the topic of this thread). For the residential user with a small number of devices, turning off IPv6 until it is actually needed seems to be the easier and safer option. Without the ability to filter IPv6 in the network infrastructure (consumer grade switches), filtering can only take place on the host itself. Care must be taken when attempting to perform host based IPv6 filtering, because if the access controls are on the physical network interface they may not apply to IPv6 tunnel endpoints created on the same host.

OT: is anybody else finding it totally absurd that we are sold the migration to IPv6 with the benefit of automatic configuration only to find out that instead of configuring a static default route we now have to configure the router address in static firewall rules to prevent autoconfiguration from unauthorized sources (which are typically far more effort to configure, never mind the performance impact) ?

--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast

2 edits
said by leibold:

Despite the small mistake (icmp vs. icmp6)

"icmp" is the syntax cisco recommends for IPv6 PACLs on switches.

At my previous job this was used on the production network and it does work.

However the ASA appears that it might use icmp6. So we might actually both be right.

said by leibold:

OT: is anybody else finding it totally absurd that we are sold the migration to IPv6 with the benefit of automatic configuration only to find out that instead of configuring a static default route we now have to configure the router address in static firewall rules to prevent autoconfiguration from unauthorized sources (which are typically far more effort to configure, never mind the performance impact) ?

Well the same can be said for DHCP. That's why we have DHCP snooping.

Edit: To clear this up. »www.cisco.com/en/US/prod/collate···135.html

From Cisco
ipv6 access-list ACCESS_PORT
remark Block all traffic DHCP server -> client
deny udp any eq 547 any eq 546
remark Block Router Advertisements
deny icmp any any router-advertisement
permit any any
!
interface gigabitethernet 1/0/1
switchport
ipv6 traffic-filter ACCESS_PORT in

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9

2 recommendations

reply to whfsdude

That was my point. If you don't have v6 enabled (network gear supported, ACLS up, etc), then your network is vulnerable.

No. We're talking about switches here -- traditionally, layer-2 devices. Your switches are where RAGuard has to be done. If your switch does not have any ipv6 layer-3 capability (which is not something that is generally fixable with a software upgrade), you will have no ability to limit RA. You *may* be able to filter protocol 0x86dd (i.e. ALL ipv6 frames), but that's not exactly what you want here.

You're assuming I'm talking about res. users, which I am not.

THE WHOLE THREAD IS ABOUT RESIDENTIAL USERS.

The lax security in residential networks is a serious problem within IPv6. Once you get a foothold in their network, it is an absolutely trivial matter to completely take over the network. Rogue RA can make you the router for the network -- then you can watch, rewrite, etc. all the traffic. ND will almost instantly tell you about every device in the network -- and then you can target them. Yes, the same sorts of things can be done to IPv4 networks, they're just more work and generally harder to pull off.

[Btw, IPv4 had "icmp router advertisement" as well. It was abandoned as a Very Bad Idea(tm) thousands of years ago. Here we are learning the same mistakes again.]

Runamok81

join:2012-01-09
Clemson, SC

1 recommendation

reply to vancata
To answer one of the OP's original questions. How to approach the following scenario?

- no ISP and router support for IPv6.

Most likely, this is the scenario which applies to the majority of home networks. The easiest way around no ISP support of v6 is a tunnel broker. The easiest way around no router support of v6 is flashing the router. It took a few hours of googling around to figure out how to do this without many clear tutorials to get started. THIS TUTORIAL should be a big help, because it shows everyone how to do both.

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9

2 recommendations

reply to whfsdude

Well the same can be said for DHCP.

Actually, DHCP is a lot more tame.

Rogue RA vs Rogue DHCP:

Rogue RA... hosts on the network will immediately respond to any RAs. That means building an address and routing to whoever is claiming to be the origin of the RA. It doesn't have to be a different prefix. And the RA is trivial to spoof. (Not that many LANs carry enough traffic to "DoS" a single machine, making spoofing a bad idea unless you want to be detected almost immediately.) And as was recently reported, Windows systems have no upper bound on the number of RAs they will obey, which results in a very effective, instant DoS. (The Mac and Linux limit is 15.)

Rogue DHCP... has zero immediate effect on the network. Hosts that already have an address won't notice it at all -- they will continue the normal unicast renewal process. Only new devices will possibly notice it during the broadcast discovery phase. Whichever DHCP server gets an answer to the client first wins. The rogue is not guaranteed to win that race. And history has shown foreign DHCP servers tend to call attention to themselves by making a mess, but even where care is taken to minimize problems, they won't be completely eliminated.

In the end, rogue dhcp is a long term hack that doesn't always work. Rogue RA always works, instantly. Most random hacks aren't done by people willing to wait days for their hacks to be fruitful.
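The thread leaves the host-side detection option (whfsdude's "RAguard like snooping via ndisc6 on Linux") and the RA rate bound cramer mentions as prose only. The following is an added example, not code from the thread or from ndisc6: a small RA-guard-style monitor that parses raw IPv6/ICMPv6 Router Advertisements laid out per RFC 4861, flags RAs that do not come from the one router you trust, that fail the hop-limit-255 validity rule, or that arrive from one source faster than a per-window bound. It assumes the monitor is fed raw IPv6 packets (for example from a capture on the LAN interface), that the trusted router's link-local address is known, and that 15 RAs per 60 seconds is a reasonable bound (an assumption chosen to mirror the host limit cramer cites). The sample packets are constructed in the script itself; the ICMPv6 checksum is left at zero and not verified.

```python
"""RA-guard-style monitor for IPv6 Router Advertisements (added example).

Parses raw IPv6 packets carrying ICMPv6 type 134 (Router Advertisement, RFC 4861)
and raises alerts for rogue sources, invalid RAs and RA floods. Sample packets
below are constructed for the example and are not captures.
"""
import ipaddress
import struct
from collections import defaultdict, deque

ICMPV6 = 58        # IPv6 next-header value for ICMPv6
RA_TYPE = 134      # ICMPv6 Router Advertisement
PREFIX_OPT = 3     # Prefix Information option


def parse_ra(pkt: bytes):
    """Return a dict for the RA carried in an IPv6 packet, or None if not an RA.

    Only the fields the policy checks need are extracted. The ICMPv6 checksum
    is not verified (assumption: link-layer checks already happened on capture).
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", pkt[4:8])
    if next_hdr != ICMPV6:
        return None
    src = ipaddress.IPv6Address(pkt[8:24])
    body = pkt[40:40 + payload_len]
    if len(body) < 16 or body[0] != RA_TYPE:
        return None
    _cur_hl, _flags, router_lifetime, _reach, _retrans = struct.unpack("!BBHII", body[4:16])
    prefixes = []
    off = 16
    while off + 2 <= len(body):  # walk TLV options; length is in 8-byte units
        otype, olen = body[off], body[off + 1] * 8
        if olen == 0 or off + olen > len(body):
            break  # malformed option: stop instead of looping forever
        if otype == PREFIX_OPT and olen == 32:
            plen = body[off + 2]
            prefix = ipaddress.IPv6Address(body[off + 16:off + 32])
            prefixes.append(f"{prefix}/{plen}")
        off += olen
    return {"src": src, "hop_limit": hop_limit,
            "router_lifetime": router_lifetime, "prefixes": prefixes}


class RaMonitor:
    """Stateful checker: one trusted router, per-source RA rate bound."""

    def __init__(self, trusted_routers, max_ras=15, window_s=60.0):
        self.trusted = {ipaddress.IPv6Address(a) for a in trusted_routers}
        self.max_ras, self.window_s = max_ras, window_s
        self.seen = defaultdict(deque)  # src -> timestamps of recent RAs

    def observe(self, pkt: bytes, ts: float):
        """Feed one packet with its capture timestamp; return a list of alerts."""
        ra = parse_ra(pkt)
        if ra is None:
            return []
        src, alerts = ra["src"], []
        if ra["hop_limit"] != 255:  # RFC 4861: RAs must arrive with hop limit 255
            alerts.append(f"invalid-ra hop_limit={ra['hop_limit']} src={src}")
        if not src.is_link_local:   # RFC 4861: RA source must be link-local
            alerts.append(f"invalid-ra non-link-local src={src}")
        if src not in self.trusted:
            alerts.append(f"rogue-ra src={src} prefixes={ra['prefixes']}")
        q = self.seen[src]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        if len(q) > self.max_ras:
            alerts.append(f"ra-flood src={src} count={len(q)} window={self.window_s}s")
        return alerts


def sample_ra(src: str, prefix: str, plen: int = 64, lifetime: int = 1800,
              hop_limit: int = 255) -> bytes:
    """Constructed test frame (not a capture): IPv6 header + RA with one prefix option."""
    opt = struct.pack("!BBBBIII", PREFIX_OPT, 4, plen, 0xC0, 2592000, 604800, 0)
    opt += ipaddress.IPv6Address(prefix).packed
    icmp = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, lifetime, 0, 0) + opt
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, hop_limit)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    return hdr + icmp


def demo():
    """Run the monitor over a constructed sequence and return all alerts raised."""
    mon = RaMonitor(trusted_routers={"fe80::1"})
    stream = [(0.0, sample_ra("fe80::1", "2001:db8:1::")),            # real router
              (1.0, sample_ra("fe80::dead", "2001:db8:ffff::")),      # unknown source
              (2.0, sample_ra("fe80::1", "2001:db8:1::", hop_limit=64))]  # off-link forgery
    alerts = []
    for ts, pkt in stream:
        alerts.extend(mon.observe(pkt, ts))
    return alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Feeding it live traffic means reading IPv6 packets from a capture (any library that hands back raw bytes and a timestamp will do) and calling `observe` per packet; on a home LAN the alert that matters is `rogue-ra`, since a flat consumer switch gives you no RA guard and the host is the only place left to notice a second router appearing.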