
Author Topic: UK ISPs shameful lack of IPv6  (Read 13874 times)

niemand

  • Kitizen
  • ****
  • Posts: 1836
Re: UK ISPs shameful lack of IPv6
« Reply #30 on: August 25, 2019, 11:11:44 PM »

I hear your point about the difficulty of firewalling in IPv6 due to the unpredictability of IPv6 addresses.

I would hope this isn't a problem for anyone. If anyone is firewalling based on IP addresses and requires any manual programming they're doing it wrong.

Zone-based firewalls have been the cool thing for a long while now. No need to micromanage anything apart from any exceptions that may be needed.

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: UK ISPs shameful lack of IPv6
« Reply #31 on: August 26, 2019, 03:43:55 AM »

What CarlT said. Watch the presentation from a Microsoft employee about their efforts to get rid of IPv4 completely in their internal corporate network and now also the guest wireless LAN they offer to visitors. This presentation concerning security and IPv6 might be of interest.

niemand

  • Kitizen
  • ****
  • Posts: 1836
Re: UK ISPs shameful lack of IPv6
« Reply #32 on: August 26, 2019, 11:29:41 AM »

Some of our enterprise customers are likewise moving away from v4. It's being used as much as possible on public-facing edge infrastructure only. Some v4 is needed for internal infrastructure, but it's a massive saving.

Saves headaches with NAT and public IPs for offering cloud services in the case of Microsoft, Amazon, Google, etc.

Provides a source of extra cash for some institutions that have absurdly large allocations way in excess of their needs, too.

EDIT: Before the obvious question is asked as to why enterprises are able to do this, it's simple: they control everything end to end until it leaves their network, and the end users aren't paying customers but paid employees. ISP customers may demand dual-stack or equivalent; employees and users of guest networks can be pushed through gateways and address translated so v4 may be retired.

Someone like Weaver with his /26 would be quite stuck if told no more IPv4 full stop. Same for ISPs: CG-NAT.
« Last Edit: August 26, 2019, 11:41:32 AM by CarlT »

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5260
    • Thinkbroadband Quality Monitors
Re: UK ISPs shameful lack of IPv6
« Reply #33 on: August 27, 2019, 07:06:43 AM »

Quote
I would hope this isn't a problem for anyone. If anyone is firewalling based on IP addresses and requires any manual programming they're doing it wrong.

Zone-based firewalls have been the cool thing for a long while now. No need to micromanage anything apart from any exceptions that may be needed.

The point is people are USED TO firewalling based on IP address, as this was necessary due to NAT and it simply works.  Also how is that much different to IP based routing, which is hardly an unusual thing to be doing?

So how exactly do I allow ALL incoming connections to the games consoles on v6 without allowing it for the entire LAN?
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: UK ISPs shameful lack of IPv6
« Reply #34 on: August 27, 2019, 11:18:05 AM »

Clearly we have a lot of IPv6 expertise on here.   I probably don’t have enough spare brain capacity to become expert myself, so I’m hoping somebody might be able to comment on a couple of concerns I have.

Iirc, one big win for NAT is that it (accidentally) provides a layer of privacy, as it is hard to associate the public IPv4 addresses with individual devices behind the NAT.   IPv6 compensates for that, and even improves upon it, by using IPv6 addresses that change regularly, and are unpredictable.   Correct?

Now to my concerns...

1.   Is there a point of failure at whatever server assigns these addresses?   I’m thinking of my favourite mantra “All software has bugs”.   Assuming the IPv6 servers are also buggy, might vulnerabilities emerge that compromise the privacy of address allocation?

2.   Will it be possible for future government interference (think RIPA)  to mandate that ISPs disclose details that compromise the privacy of IPv6 address allocation?

Genuinely grateful for guidance on these questions.   :)

I’d also be interested in an answer to Alex’s last question so to avoid burying it, I’ll repeat it.

So how exactly do I allow ALL incoming connections to the games consoles on v6 without allowing it for the entire LAN?

niemand

  • Kitizen
  • ****
  • Posts: 1836
Re: UK ISPs shameful lack of IPv6
« Reply #35 on: August 27, 2019, 07:20:08 PM »

Quote
The point is people are USED TO firewalling based on IP address, as this was necessary due to NAT and it simply works.  Also how is that much different to IP based routing, which is hardly an unusual thing to be doing?

So how exactly do I allow ALL incoming connections to the games consoles on v6 without allowing it for the entire LAN?

Quote
I would hope this isn't a problem for anyone. If anyone is firewalling based on IP addresses and requires any manual programming they're doing it wrong.

Zone-based firewalls have been the cool thing for a long while now. No need to micromanage anything apart from any exceptions that may be needed.

https://docs.oracle.com/cd/E18752_01/html/816-4554/ipv6-overview-10.html

Quote
The rightmost four fields (64 bits) contain the interface ID, also referred to as a token. The interface ID is either automatically configured from the interface's MAC address or manually configured in EUI-64 format.

Can also be set statically or via DHCPv6. SLAAC, the stateless allocation scheme, is more interesting as above but there are ways and means.

Whichever it is, it works the same way, but with no NAT: just a destination IP and an 'allow' statement. Same level of security - a badly done port forward will bone you every bit as much as a badly done IPv6 firewall allow statement.

Regarding IP based routing I'd hope that's not being done by individual IP. Replace 'zone' with 'subnet' and you're about there, especially with directly connected networks. These are implicitly 'zoned' to the interface they're connected to.
« Last Edit: August 27, 2019, 07:35:06 PM by CarlT »

niemand

  • Kitizen
  • ****
  • Posts: 1836
Re: UK ISPs shameful lack of IPv6
« Reply #36 on: August 27, 2019, 07:32:10 PM »

Quote
1.   Is there a point of failure at whatever server assigns these addresses?   I’m thinking of my favourite mantra “All software has bugs”.   Assuming the IPv6 servers are also buggy, might vulnerabilities emerge that compromise the privacy of address allocation?

2.   Will it be possible for future government interference (think RIPA) to mandate that ISPs disclose details that compromise the privacy of IPv6 address allocation?

I don't really understand the premise of the questions. As far as 1 goes it doesn't matter and with that in mind 2 doesn't matter either. The devices behind the router / NAT gateway are just IP addresses. To identify them it's necessary to either exchange traffic with them or obtain access to the LAN so that you can read MAC addresses.

If it makes you feel any better the router you connect to the ISP gets a prefix and it's that router that hands out IP addresses to your LAN clients, not the ISP, much as happens with DHCPv4 and NATed networks now.

It's not impossible to unmask IPv4 NATed devices anyway. All even static IPv6 addressing will tell people is how many devices may have been online at any particular time.

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: UK ISPs shameful lack of IPv6
« Reply #37 on: August 27, 2019, 08:21:51 PM »

Thanks Carl, that helps. :)

However, the home router that hands out IP addresses will probably be running open source software.   The ’heartbleed’ bug  of some years ago is an example of the whopping vulnerabilities that open source software (and all other software) typically contains.   Fortunately, heartbleed was able to be fixed with server updates, rather than updating everybody’s home router.

My reservation then would be that if IPv6 places responsibility for address allocation in the home router, then the inevitable open source vulnerability that compromises privacy of address allocation will be quite a biggie, leaving us without either IPv6 privacy or NAT privacy?   Bearing in mind that home routers may never receive software fixes...

I don’t agree that an IPv4 router doing DHCP is quite the same hazard, even if the DHCP allocations were compromised.   The NAT forms a natural firewall that means the NAT’d IPv4 addresses give little away in terms of privacy or attack.   I rarely use DHCP anyway, much prefer static address allocation, for IPv4.

I do of course agree, IPV4 NAT routers also have bugs, and probably contain spectacular vulnerabilities yet to be disclosed.   But I can’t think of an IPv4 home router point of failure that’s quite as devastating as my IPv6 scenario, above? :-\

dee.jay

  • ISP Rep
  • Reg Member
  • *
  • Posts: 952
Re: UK ISPs shameful lack of IPv6
« Reply #38 on: August 27, 2019, 09:24:33 PM »

Not sure why you mention open source vulnerabilities so much.

Closed source is not immune to vulnerabilities.
Starlink and AAISP L2TP combo routed by opnSense on proxmox

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: UK ISPs shameful lack of IPv6
« Reply #39 on: August 27, 2019, 09:39:26 PM »

Quote
Not sure why you mention open source vulnerabilities so much.

Closed source is not immune to vulnerabilities.

I referred to..
Quote
the whopping vulnerabilities that open source software (and all other software) typically contains

However, one difference in the modern world of Open Source software is, when vulnerabilities surface, they affect a large number of devices, across a large number of manufacturers, because all are using the same source code.

Forty years ago, when each manufacturer wrote his own source, there were at least as many bugs.   Probably more in fact, as fewer critical eyes were cast on the source code.   But when a vulnerability surfaced it affected only that manufacturer, as other manufacturers had different source, and hence different vulnerabilities. :)

niemand

  • Kitizen
  • ****
  • Posts: 1836
Re: UK ISPs shameful lack of IPv6
« Reply #40 on: August 27, 2019, 10:57:38 PM »

My point was that such privacy really doesn't matter in the grand scheme. There are far more alarming issues that have impacted home routers recently.

On the whole, being able to play with how the router is allocating IP addresses suggests remote command execution, as you're either feeding the router code to execute or messing with parameters that existing code is executing, so you can likely find some way to spawn a shell. A sense of privacy about which devices are using which IP addresses is likely the least of a user's concerns under those circumstances.

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: UK ISPs shameful lack of IPv6
« Reply #41 on: August 27, 2019, 11:11:07 PM »

Granted, I probably attach too much significance to NAT privacy which in any case, might be largely a myth. :)

PhilipD

  • Reg Member
  • ***
  • Posts: 591
Re: UK ISPs shameful lack of IPv6
« Reply #42 on: August 28, 2019, 07:52:27 AM »

Hi

IPv6 can expose an actual device's MAC address, as the addressing scheme often uses the device's MAC address to create a unique IPv6 address.

To overcome this, operating systems can have private or temporary IPv6 addresses (Windows does this, for example) to help overcome privacy concerns and to stop the leaking of MAC addresses.  The host has a normal IPv6 address that typically doesn't change, then one or more temporary addresses that change randomly.  When we go on the Internet, traffic is sent from, and returns to, the temporary IPv6 address.  This is possible due to the large number of IPv6 addresses available, and it helps stop the tracking of a single IPv6 address and the exposing of a MAC address.

https://www.internetsociety.org/resources/deploy360/2014/privacy-extensions-for-ipv6-slaac/

Regards

Phil
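The EUI-64 scheme in the Oracle quote in reply #35 and the MAC-address leak Phil describes are easy to see in code. The following is an added example written for this page, not code from the thread or from the Oracle documentation: the MAC address, the 2001:db8:: prefix and the "temporary" address are constructed test values, and the ff:fe check is a heuristic, since a randomly generated interface ID can contain those two bytes by chance.

```python
"""Added example: how SLAAC builds a modified EUI-64 interface ID from a MAC
address, and an audit helper that reports which of a host's addresses still
reveal its MAC. All addresses used here are constructed test data."""
import ipaddress
import re
from typing import Dict, List, Optional


def mac_to_eui64_iid(mac: str) -> int:
    """64-bit modified EUI-64 interface ID for a 48-bit MAC (RFC 4291, Appendix A)."""
    octets = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", mac))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # ff:fe is inserted between the OUI and the device part, and the
    # universal/local bit (0x02 of the first octet) is inverted.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address a SLAAC host without privacy extensions forms on a /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_eui64_iid(mac))


def embedded_mac(addr: str) -> Optional[str]:
    """MAC revealed by an EUI-64 interface ID, or None if the ID looks random
    (a temporary / privacy address). Heuristic: a random 64-bit ID carries
    ff:fe in this position with probability 1 in 65536."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{x:02x}" for x in mac)


def audit(addresses: List[str]) -> Dict[str, Optional[str]]:
    """Map each address to the MAC it leaks, or None for privacy-style IDs."""
    return {a: embedded_mac(a) for a in addresses}


if __name__ == "__main__":
    mac = "00:1b:21:ab:cd:ef"                    # constructed MAC
    stable = str(slaac_address("2001:db8:1::/64", mac))
    temporary = "2001:db8:1:0:8d1c:3f2a:7b91:c4e5"  # constructed privacy-style address
    for addr, leak in audit([stable, temporary]).items():
        print(addr, "->", leak or "no MAC embedded")
```

Running the audit over the addresses a host actually holds (the output of `ip -6 addr` on Linux or `ipconfig` on Windows) tells you whether privacy extensions are in effect for the address that outbound traffic uses; the stable EUI-64 address will still exist on the interface, which is what Phil's "normal" versus "temporary" distinction describes.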

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5260
    • Thinkbroadband Quality Monitors
Re: UK ISPs shameful lack of IPv6
« Reply #43 on: August 28, 2019, 08:45:20 AM »

Quote
https://docs.oracle.com/cd/E18752_01/html/816-4554/ipv6-overview-10.html

Can also be set statically or via DHCPv6. SLAAC, the stateless allocation scheme, is more interesting as above but there are ways and means.

Whichever it is, it works the same way, but with no NAT: just a destination IP and an 'allow' statement. Same level of security - a badly done port forward will bone you every bit as much as a badly done IPv6 firewall allow statement.

Regarding IP based routing I'd hope that's not being done by individual IP. Replace 'zone' with 'subnet' and you're about there, especially with directly connected networks. These are implicitly 'zoned' to the interface they're connected to.

Right, but as I pointed out the Xbox One changes its UUID every reboot and that is what DHCPv6 uses to determine which client it is.  So every reboot it stops getting the IP address I assigned to it, so incoming traffic is no longer allowed to the Xbox One.  Not sure if I can set it statically in the Xbox One UI; I don't think you could when I tried, as it only exposed IPv4.

I did try to look into SLAAC but honestly most of the IPv6 documentation is clear as mud to me.  I know just enough about IPv4 to do what I require so the IPv6 documentation could just as well be another language.

I'd actually still use IPv6 on the network on specific clients only, but it seems you either have RA enabled and everything gets the IPv6 routing, or you don't.  I can see the logic in announcing the gateway like this, but it makes testing without a VLAN seem impossible. (don't even get me started on trying to get VLANs working)

Another reason I didn't try further is all my outgoing server traffic is routed over a VPN via pfSense.  Some ports are forwarded from the VPN (bittorrent) and others are forwarded from the WAN.  So it kinda makes it complicated as all those ports would be exposed over IPv6 and even if I firewalled them on the server, I'm not sure if I can force torrents to only use IPv4.
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors
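Alex's problem above (the console's DHCPv6 identifier changes on reboot, so the per-host allow rule stops matching) and niemand's point in reply #35 that an IPv6 "allow" to a destination address replaces the IPv4 port forward can both be seen in a small policy model. The code below is an added example written for this page, not the thread's code and not pfSense's; the zone layout, the 2001:db8:: documentation addresses and the UDP port 3074 assumed for the console are all constructed values.

```python
"""Added example: a toy zone-based firewall. The default verdict is decided per
(source zone, destination zone), where a zone is simply the set of prefixes
directly connected to an interface; individual addresses appear only in
exceptions. Constructed model, not the code of any real firewall."""
from dataclasses import dataclass
import ipaddress
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # source address
    dst: str      # destination address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


class ZoneFirewall:
    def __init__(self, zones: Dict[str, List[str]], policy: Dict[Tuple[str, str], str]):
        self.zones = {name: [ipaddress.ip_network(p) for p in prefixes]
                      for name, prefixes in zones.items()}
        self.policy = policy
        self.exceptions: List[Tuple[ipaddress.IPv6Network, str, int]] = []

    def zone_of(self, addr: str) -> str:
        ip = ipaddress.ip_address(addr)
        for name, nets in self.zones.items():
            if any(ip in net for net in nets):
                return name
        return "wan"   # not on any connected prefix: treat as the internet

    def allow_to_host(self, host: str, proto: str, dport: int) -> None:
        # The IPv6 counterpart of an IPv4 port forward: destination address plus
        # an allow verdict, no address translation involved.
        self.exceptions.append((ipaddress.ip_network(host + "/128"), proto, dport))

    def decide(self, pkt: Packet) -> str:
        dst = ipaddress.ip_address(pkt.dst)
        for net, proto, dport in self.exceptions:
            if dst in net and proto == pkt.proto and dport == pkt.dport:
                return "allow"
        # No exception matched: fall back to the zone-pair policy, default deny.
        return self.policy.get((self.zone_of(pkt.src), self.zone_of(pkt.dst)), "deny")


# Constructed addresses (documentation prefix, RFC 3849).
LAN_PREFIX = "2001:db8:1::/64"
CONSOLE_V1 = "2001:db8:1::10"    # lease the console held when the rule was written
CONSOLE_V2 = "2001:db8:1::20"    # new lease after a reboot changed its DHCPv6 identifier
PC = "2001:db8:1::50"            # another host on the same LAN
PEER = "2001:db8:ffff::1"        # some host on the internet
CONSOLE_PORT = 3074              # assumed UDP port the console listens on


def build_firewall() -> ZoneFirewall:
    fw = ZoneFirewall({"lan": [LAN_PREFIX]},
                      {("lan", "wan"): "allow", ("wan", "lan"): "deny"})
    fw.allow_to_host(CONSOLE_V1, "udp", CONSOLE_PORT)   # the one per-host exception
    return fw


def verdicts() -> Dict[str, str]:
    fw = build_firewall()
    return {
        "console_before_reboot": fw.decide(Packet(PEER, CONSOLE_V1, "udp", CONSOLE_PORT)),
        "pc_same_port":          fw.decide(Packet(PEER, PC, "udp", CONSOLE_PORT)),
        "console_other_port":    fw.decide(Packet(PEER, CONSOLE_V1, "tcp", 22)),
        "console_after_reboot":  fw.decide(Packet(PEER, CONSOLE_V2, "udp", CONSOLE_PORT)),
        "lan_outbound":          fw.decide(Packet(PC, PEER, "tcp", 443)),
    }


if __name__ == "__main__":
    for case, verdict in verdicts().items():
        print(f"{case:24s} {verdict}")
```

The only rule that names an address is the exception, and the rest of the LAN stays closed, which answers the "without allowing it for the entire LAN" question; the `console_after_reboot` case is the failure Alex reports, and it shows that a per-host exception is only as good as the stability of the address it names, so the console needs an address that survives a reboot (a static one, or one derived from an identifier that does not change) before such a rule is useful.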

aesmith

  • Kitizen
  • ****
  • Posts: 1216
Re: UK ISPs shameful lack of IPv6
« Reply #44 on: August 29, 2019, 03:29:24 PM »

Quote
I'd actually still use IPv6 on the network on specific clients only, but it seems you either have RA enabled and everything gets the IPv6 routing, or you don't.  I can see the logic in announcing the gateway like this, but it makes testing without a VLAN seem impossible. (don't even get me started on trying to get VLANs working)

Unless it is a limitation of your particular router, there's no reason why enabling IPv6 in any form should impact your IPv4 home network other than a few more broadcasts floating around. You might have to disable IPv6 on certain hosts if you want to keep them on IPv4.