Kitz Forum

Internet => General Internet => Topic started by: Chrysalis on October 19, 2021, 02:44:08 PM

Title: IPv6 the selling point everyone missed.
Post by: Chrysalis on October 19, 2021, 02:44:08 PM
Got involved in a security discussion on another forum.  They had a few hacked accounts, so they enabled 2FA for everyone.

The argument I put forward is that I consider forced rotation of passwords and forced expiry of login sessions a lazy approach to security that also causes inconvenience.

There is one security method that has always been very strong, and that is IP-based ACLs.

IPv6 allows every internet device out there to have its own routable IP; ISPs would have to get used to proper allocations, not temporary DHCP ones (sorry BT/Sky).  The big problem, though, is the privacy features implemented; these have the side effect of making this unworkable: privacy has in effect been prioritised over security.

If we were in a globally IPv6-enabled internet with no privacy randomisation of the address, then every service out there could utilise an automated ACL: when you log in, you don't need to reauthenticate provided you have valid session data on the client device and the IP is in the ACL; if either of these mismatches, you then require 2FA.  This would kill all the database account compromises dead, which probably account for 99% of compromised accounts out there.

Some companies already do this, especially datacentres: if I log in to Linode, SoYouStart or Hetzner and my IP has changed, I have to redo 2FA.  Some even let you configure static IP whitelists as well.  I think it's the way forward and it's that killer IPv6 feature, albeit without the privacy randomisation.

Additional note: I think AAISP also do this; if they detect an IP change, then it's 2FA time.
Title: Re: IPv6 the selling point everyone missed.
Post by: meritez on October 19, 2021, 02:57:38 PM
I still remember MoDaCo being hacked, that killed that community.
Title: Re: IPv6 the selling point everyone missed.
Post by: Weaver on October 19, 2021, 04:25:50 PM
Chrys makes a good point. My iPad’s IPv4 address is globally routable and static, so I could use that, but as Chrys mentioned, it’s iPadOS that’s in control of IPv6 addressing, not me. I could have an ACL on the /64 with a wildcard on the rightmost 64 bits; that would work.
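Chrysalis's scheme (a live session plus a source IP inside the account's ACL skips re-authentication; anything else steps up to 2FA) combined with Weaver's /64 wildcard, worked through as an added Python example that is not from this thread. The Account class, the function names and the sample addresses are constructed for illustration.

```python
"""Step-up authentication keyed on a per-account IP ACL (constructed example)."""
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Set, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

@dataclass
class Account:
    user: str
    acl: List[Network] = field(default_factory=list)   # prefixes this account has proven from
    sessions: Set[str] = field(default_factory=set)    # live session tokens

def acl_entry_for(addr: str) -> Network:
    """Widen an observed address into the prefix stored in the ACL.

    IPv6 is kept at /64 (Weaver's wildcard on the rightmost 64 bits) so a privacy
    interface identifier rotating inside the same subnet still matches; IPv4 is a /32.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return ipaddress.IPv6Network((ip, 64), strict=False)
    return ipaddress.IPv4Network((ip, 32))

def ip_in_acl(account: Account, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in account.acl if net.version == ip.version)

def login_decision(account: Account, session_token: Optional[str], addr: str) -> str:
    """'allow' only when BOTH a live session and an ACL-listed source IP are present.

    A token replayed from an unlisted network, or a password-only login made with
    credentials from a leaked database, falls through to the second factor.
    """
    if session_token in account.sessions and ip_in_acl(account, addr):
        return "allow"
    return "require_2fa"

def complete_2fa(account: Account, addr: str) -> str:
    """After the second factor succeeds, trust this prefix and mint a session token."""
    entry = acl_entry_for(addr)
    if entry not in account.acl:
        account.acl.append(entry)
    token = secrets.token_urlsafe(32)
    account.sessions.add(token)
    return token

if __name__ == "__main__":
    alice = Account("alice")
    print(login_decision(alice, None, "2001:db8:1:2::10"))                # require_2fa
    tok = complete_2fa(alice, "2001:db8:1:2::10")
    print(login_decision(alice, tok, "2001:db8:1:2:a1b2:c3d4:e5f6:789"))  # allow (same /64)
    print(login_decision(alice, tok, "2001:db8:1:3::10"))                 # require_2fa (new /64)
```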
Title: Re: IPv6 the selling point everyone missed.
Post by: Alex Atkin UK on October 19, 2021, 06:40:20 PM
It's quite ironic, considering one of the big reasons I rolled back IPv6 on my network is that I can't monitor how much traffic is going to each client on pfSense for IPv6.

I've recently been rolling it out on its own VLAN (dual-stack with a different IPv4 subnet) and discovered the Xbox STILL insists on re-creating its UUID every time it boots, so you cannot assign it a static IP.

Ultimately my plan is to upgrade my TV cabinet switch to smart-managed Pro (apparently Netgear in their infinite wisdom allow SNMP on their Pro Switches but not on their Plus) and just monitor traffic over the ports instead.
Title: Re: IPv6 the selling point everyone missed.
Post by: Chrysalis on October 19, 2021, 07:38:51 PM
Yeah, I am not a fan of the UUID dynamically created IP nonsense, and as I think you already mentioned Alex, on the Xbox you cannot set a static IPv6 at all.  This makes auditing and security more difficult.

What is recreating the UUID, pfSense? There should be an option there to make it only generated once, and then preserved across reboots.
Title: Re: IPv6 the selling point everyone missed.
Post by: Alex Atkin UK on October 19, 2021, 08:40:15 PM
> What is recreating the UUID, pfSense? There should be an option there to make it only generated once, and then preserved across reboots.

I was of course referring to Xbox, not sure how that word got deleted.

Another bizarre issue is I installed Windows to test a used GPU I picked up off eBay (I got a crash on a game I was 99% sure was a Linux issue) on my Linux box that currently has the IPv6 VLAN on its port, and Windows got an IPv6 IP even though Home edition doesn't support VLANs.  What's more confusing, it couldn't actually use it.  So it seems it picked up DHCPv6 and router announcements, but actual normal traffic is not flowing.  How and why is it doing that?

Of course I'd just move that box onto dual-stack but I kinda prefer how it is now, as I can keep IPv6 off on Linux and only turn it on when I want to, by having it on its own virtual NIC.
Title: Re: IPv6 the selling point everyone missed.
Post by: Chrysalis on October 19, 2021, 09:47:22 PM
In my case my VLAN is assigned on my OpenWrt switch; I set it on the port, and Windows itself has no VLAN tag on its packets.  I don't know your LAN setup though.

In regards to the traffic flow, does the IPv6 have a valid gateway configured on the Windows Home box?

On my Series S, I couldn't get multiplayer gaming to work without native IPv6.  For some reason the Teredo tunnel just wouldn't work, and as soon as I enabled IPv6 on the VLAN, everything came to life.
Title: Re: IPv6 the selling point everyone missed.
Post by: Alex Atkin UK on October 19, 2021, 11:54:51 PM
The point is in this scenario I didn't want IPv6, it was a temporary boot into Windows where I expected it to only respond to the untagged LAN.

On that machine in Linux I have the main IPv4 untagged and dual-stack on VLAN 6, with IPv4 disabled on that adapter so it uses the main LAN for IPv4.  This is so I could test IPv6 functionality, switch it on and off, without impacting IPv4.

The devices that are actually intended to use the IPv6 VLAN have it untagged on their switch ports so work as intended.

It's the fact VLAN 6 was somehow leaking into Windows that bothered me.  I was able to get its IPv6 static IP and DNS server, which it shouldn't have.  As I understand it DNS on IPv6 comes from RA, thus why I surmised it's somehow seeing DHCPv6 and RA, but I think you may be right in that it possibly didn't get the gateway.  But frankly, it shouldn't have gotten any of it.

How did it even get to DHCPv6 if Windows isn't tagging the outbound traffic, so Windows should have been unable to talk to the router?  I suppose theoretically it could have gotten the IP from RA alone, if pfSense broadcasts DHCPv6 Static Mappings over RA too; I don't really understand how IPv6 works in that respect. I didn't think you could do static IPs using RA and pfSense certainly makes no mention of it.

This is why I hate IPv6, it's very poorly documented compared to IPv4.
Title: Re: IPv6 the selling point everyone missed.
Post by: Weaver on October 20, 2021, 02:20:57 AM
About poor docs. There is a good Microsoft Press book about IPv6; of course it’s full of Windows stuff too and Microsoft-specifics, but it’s very well written as far as the protocols go. I will have to dig for the reference.

> even though Home edition doesn't support VLANs

I didn’t understand that bit. I’m sure you’re not sending out tagged PDUs from your switch or from your Windows-box’s NIC.

Could the leakage be a switch config problem? Is there any chance that an o/s is sending out tagged PDUs?

I’m not much help as I’ve never used DHCPv6. Nor VLANs much, apart from my modems which use VLAN mux/demuxing so they will fit into the limited number of ethernet ports on my FB2900 router. (Limited ethernet ports (three free) was an issue when I had four modems, but actually doesn't have to be now I only have three modems. I haven’t changed the topology though, because having my small mux/demux VLAN switch in between router and modems is another line of defence to hopefully protect the router from lightning strike. Together with the modems, the small mux switch would hopefully take a bullet first.)
Title: Re: IPv6 the selling point everyone missed.
Post by: Chrysalis on October 20, 2021, 02:29:32 PM
I don't know Alex, I haven't had any DHCPv6 allocations leaking from different VLANs.

pfSense can have DHCP talk over RA, depending on how it's configured in pfSense.  If your VLANs are configured in pfSense, you should see two separate VLAN configuration screens for DHCPv6 and RA.  This might be easy to miss, as the second VLAN appears at the top of the configuration screen, and you have to select it to configure the second VLAN.

I don't disagree that it's more complicated than it needs to be.  It seems the designers of IPv6 implemented things they felt should have been there from the off, and have used the new protocol as a reason to make these changes.  Especially as we have different vendors choosing which parts to support.  Some have static UUID, some only dynamic, some can configure the behaviour, plus fragmented support for DHCPv6 or RA.  These things may well be contributing to slow rollout of the technology from ISPs.

I am with Weaver in that I think this particular problem you've got might be a VLAN configuration issue.  I remember when I first set up VLANs on my network it was a learning game, with mistakes made on the way to where I have got to now.
Title: Re: IPv6 the selling point everyone missed.
Post by: Weaver on October 20, 2021, 03:37:45 PM
I don’t agree about o/s decisions affecting IPv6 rollout. What goes on within the o/s is a LAN-internal matter, is it not? Do you agree? All ISPs need to do is provide a (static unless they’re insane) prefix to a site, route stuff, and then walk away, job done. Let RA do its thing in the CPE. AA does it perfectly, and has for what, 15 years?, and other ISPs, even giant ones, can just copy AA if they don’t know what to do. They don’t need to go near DHCPv6 - that’s for site admins or corporates. Doing so just complicates matters and brings back the vulnerability (single point of failure) of IPv4 with DHCP, and in any case many o/s won’t obey DHCPv6 for all I know. (Will iOS/MacOSX obey DHCPv6?)
Title: Re: IPv6 the selling point everyone missed.
Post by: Alex Atkin UK on October 20, 2021, 09:01:32 PM
> I am with Weaver in that I think this particular problem you've got might be a VLAN configuration issue.  I remember when I first set up VLANs on my network it was a learning game, with mistakes made on the way to where I have got to now.

It works in Linux absolutely fine.

The main LAN is untagged across the whole network; it's excluded from the ports that are on VLAN 6 except on my Linux machine as, like I said, I can enable/disable that when I want it as Linux supports VLAN tagging.  The problem is Windows Home is hobbled not to use VLANs, so somehow it's seeing the IP allocation despite not being able to talk to VLAN 6, as obviously the NIC isn't tagging the traffic going back out.

Now obviously normally I won't use that configuration with Windows, knowing it doesn't support VLAN tagging.  But as this was temporary on my Linux box, I found the behaviour really odd, as surely if Microsoft insist that Home doesn't support VLANs, it should completely dismiss all tagged traffic rather than get the IP then be unable to talk to it because the traffic going back out is untagged, so going out on the wrong VLAN on the switch.
Title: Re: IPv6 the selling point everyone missed.
Post by: Weaver on October 21, 2021, 01:48:44 AM
Agree, that seems like a complete bug in Windows Home. But the moral is, don’t ever, ever under any circumstances buy a copy of "Home" as they are crippled beyond all reason. It’s just not worth the enormous hassle.
Title: Re: IPv6 the selling point everyone missed.
Post by: tubaman on October 21, 2021, 08:31:41 AM
> ... But the moral is, don’t ever, ever under any circumstances buy a copy of "Home" as they are crippled beyond all reason. It’s just not worth the enormous hassle.

I think that's a bit of an over-generalisation, as for the vast majority of users, myself included, the Home version does everything required. If you want or need to get into more advanced network configurations etc. then you do need the Pro version, but most domestic users will never need the extra features.
 :)
Title: Re: IPv6 the selling point everyone missed.
Post by: Weaver on October 21, 2021, 11:35:32 AM
I said this some years back. Win Home cannot be secured properly, that’s why I hate it. But then most people have no possible way to get the help needed to establish a secured configuration so as you say it’s not such a big deal. But the point is, Win Pro is not much more money so it should be the default.
Title: Re: IPv6 the selling point everyone missed.
Post by: Reformed on October 21, 2021, 12:21:29 PM
Ethernet driver is stripping VLAN tag inbound. No tag being applied outbound so one-way traffic only as the v6 traffic is ending up on native VLAN.
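Reformed's diagnosis, turned into an added Python model that is not from this thread: a constructed 802.1Q-tagged frame from a router on VLAN 6 is handled first by a VLAN-aware host (delivered only to a configured sub-interface, otherwise dropped) and then by a tag-stripping host, and the reply is classified by the switch port the way a hybrid port treats untagged ingress. The MAC addresses, payload bytes and VLAN numbers are constructed.

```python
"""Why a tag-stripping host sees one-way traffic on a trunk port (constructed model)."""
import struct
from typing import Callable, Optional, Set, Tuple

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag follows
ETHERTYPE_IPV6 = 0x86DD

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None) -> bytes:
    """Ethernet II frame; an 802.1Q tag (PCP 0, DEI 0) is inserted when vid is given."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame: bytes) -> dict:
    """Split a frame into dst, src, vid (None when untagged), ethertype and payload."""
    dst, src = frame[:6], frame[6:12]
    (first,) = struct.unpack("!H", frame[12:14])
    if first == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return {"dst": dst, "src": src, "vid": tci & 0x0FFF, "ethertype": ethertype, "payload": frame[18:]}
    return {"dst": dst, "src": src, "vid": None, "ethertype": first, "payload": frame[14:]}

Delivery = Optional[Tuple[str, bytes]]   # (interface the payload lands on, payload), or None if dropped

def vlan_aware_host(frame: bytes, subscribed_vids: Set[int]) -> Delivery:
    """Linux-like: a tagged frame reaches only a configured VLAN sub-interface, else it is dropped."""
    f = parse_frame(frame)
    if f["vid"] is None:
        return ("native", f["payload"])
    return (f"vlan{f['vid']}", f["payload"]) if f["vid"] in subscribed_vids else None

def tag_stripping_host(frame: bytes) -> Delivery:
    """The behaviour Reformed describes: the driver strips the tag on ingress and hands
    the payload to the native interface whatever the VID was."""
    return ("native", parse_frame(frame)["payload"])

def switch_classify(frame: bytes, port_native_vid: int) -> int:
    """A hybrid switch port assigns untagged ingress frames to its native VLAN."""
    vid = parse_frame(frame)["vid"]
    return port_native_vid if vid is None else vid

def round_trip(host: Callable[[bytes], Delivery], router_vid: int, port_native_vid: int) -> dict:
    """A router advertisement arrives tagged with router_vid; the host replies from whichever
    interface received it, so a native-interface reply leaves untagged."""
    router_mac, host_mac = bytes.fromhex("02000000000a"), bytes.fromhex("020000000001")  # constructed
    ra = build_frame(host_mac, router_mac, ETHERTYPE_IPV6, b"ICMPv6 RA prefix 2001:db8:6::/64", vid=router_vid)
    delivered = host(ra)
    if delivered is None:
        return {"host_received": False, "reaches_router": False}
    iface, _ = delivered
    reply_vid = int(iface[4:]) if iface.startswith("vlan") else None
    reply = build_frame(router_mac, host_mac, ETHERTYPE_IPV6, b"ICMPv6 RS / DHCPv6 Solicit", vid=reply_vid)
    return {"host_received": True, "reaches_router": switch_classify(reply, port_native_vid) == router_vid}
```

The tag-stripping host "receives" the RA and its static assignment but its reply is classified into the port's native VLAN, which is exactly the half-working state described above.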
Title: Re: IPv6 the selling point everyone missed.
Post by: Chrysalis on October 21, 2021, 12:39:16 PM
Windows Home shouldn't really exist.  Microsoft trying to over-segment as usual.

But I am not convinced that's Alex's problem unless he is trying to do the tagging from in Windows itself.

If it's done on the switch then the traffic for the other VLAN shouldn't even hit Windows?  I am not using Windows Home, but at the same time I don't even have VLAN tagging enabled on the network card, which means Windows has no knowledge of what VLAN it is using and as such wouldn't be filtering out other VLAN traffic.

When I tried to do a poor man's guest network setup (without proper VLAN configuration) I had a FreeBSD VM with the same symptoms as Alex described.

Alex, I attached some screenshots: my PC is on Port 2 untagged VLAN 3 (switch managed, Windows has no VLAN knowledge), the WAN port (repurposed as a LAN port) is where pfSense is connected.  My other switch is also VLAN managed.  All my client devices have no VLAN configuration, all untagged. VLAN 3 normal private LAN, VLAN 9 guest network with restrictions, VLAN 1 no longer used, as advised by pfSense devs to not use it.

On the RA vs DHCPv6 thing, I think it should have been just DHCP or static configuration the same as IPv4; people who have never used IPv6 before have to learn RA and how it works, which isn't a good thing, it adds a barrier and complexity to take-up.

We seem to have gone from me trying to raise a point on the potential security benefits of having sticky IPv6 on every device, to why IPv6 isn't perfect. :)  What do you guys think of it?
Title: Re: IPv6 the selling point everyone missed.
Post by: Alex Atkin UK on October 21, 2021, 03:19:55 PM
Yes the traffic coming into the NIC IS TAGGED, because this works perfectly on Linux, allowing me a one-click solution to enable/disable IPv6 on that box for testing as I just disconnect the virtual NIC assigned to that VLAN, without impacting the untagged traffic whatsoever or interrupting my network shares to the NAS.

My point wasn't to troubleshoot the issue, rather to highlight how idiotic Windows' default behaviour is if it's untagging the traffic rather than ignoring it, particularly as the NIC driver is VLAN aware and I can manually select which VLAN to use, so you'd expect the default of "none" would ignore ALL tagged traffic?  I guess it's possible this is a driver issue.

The intent wasn't to fix the issue but to understand HOW its getting its fixed IP address from pfSense when surely DHCPv6 can't function if its unable to receive a response from the client?  So presumably its using RA which pfSense makes no mention of this being tied to the DHCPv6 static IP list.
Title: Re: IPv6 the selling point everyone missed.
Post by: Alex Atkin UK on October 21, 2021, 03:39:29 PM
> I said this some years back. Win Home cannot be secured properly, that’s why I hate it. But then most people have no possible way to get the help needed to establish a secured configuration so as you say it’s not such a big deal. But the point is, Win Pro is not much more money so it should be the default.

Considering my copies of Windows come from sales, upgrades, etc., they were a LOT cheaper than Pro.  When I bought them the missing functionality was much less of an issue than it is today, and if you try to use Windows' standard way of upgrading, the Pro upgrade is a huge rip-off.  The only way it's cheap that I'm aware of is buying keys from sources that might not be trusted.

With all the claimed focus on security in 11 I thought they were finally going to ditch Home and make Pro the base version.  Needing TPM but disabling BitLocker support is a whole new level of moronic, particularly as every other OS supports encrypted drives as standard.  (Although macOS is clear as mud on whether it's actually working or not, as it's an instant toggle with no indication of WHEN it's actually finished encrypting your data.)
Title: Re: IPv6 the selling point everyone missed.
Post by: Weaver on October 21, 2021, 11:55:20 PM
I can understand why they make Home so useless, it’s to prevent businesses from buying it.
Title: Re: IPv6 the selling point everyone missed.
Post by: Chrysalis on October 22, 2021, 01:34:06 PM
> Yes the traffic coming into the NIC IS TAGGED, because this works perfectly on Linux, allowing me a one-click solution to enable/disable IPv6 on that box for testing as I just disconnect the virtual NIC assigned to that VLAN, without impacting the untagged traffic whatsoever or interrupting my network shares to the NAS.
>
> My point wasn't to troubleshoot the issue, rather to highlight how idiotic Windows' default behaviour is if it's untagging the traffic rather than ignoring it, particularly as the NIC driver is VLAN aware and I can manually select which VLAN to use, so you'd expect the default of "none" would ignore ALL tagged traffic?  I guess it's possible this is a driver issue.
>
> The intent wasn't to fix the issue but to understand HOW its getting its fixed IP address from pfSense when surely DHCPv6 can't function if its unable to receive a response from the client?  So presumably its using RA which pfSense makes no mention of this being tied to the DHCPv6 static IP list.

I would expect Windows, if not configured to use VLANs, to ignore the tags rather than ignore the traffic; thanks for confirming your setup.  This to me explains why you had the problem you had.
Title: Re: IPv6 the selling point everyone missed.
Post by: Alex Atkin UK on October 22, 2021, 03:19:52 PM
> I would expect Windows, if not configured to use VLANs, to ignore the tags rather than ignore the traffic; thanks for confirming your setup.  This to me explains why you had the problem you had.

I could understand that if the NIC driver didn't support VLANs, but on Linux if the NIC isn't opted into a VLAN it ignores the traffic, which is obviously necessary if you are using tagged and untagged on the same port.  A prime example of that being OpenWRT.
Title: Re: IPv6 the selling point everyone missed.
Post by: Chrysalis on October 22, 2021, 04:07:49 PM
Yeah, that would indicate Linux is always VLAN aware, whilst Windows when it's disabled just acts dumb and accepts everything regardless of tagging.
Title: Re: IPv6 the selling point everyone missed.
Post by: Alex Atkin UK on October 22, 2021, 04:48:34 PM
> Yeah, that would indicate Linux is always VLAN aware, whilst Windows when it's disabled just acts dumb and accepts everything regardless of tagging.

Just another thing about the Windows networking stack to hate I guess.