Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
   Glossary   Glossary
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Pages: [1] 2

Author Topic: IPv6 the selling point everyone missed.  (Read 6021 times)

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
IPv6 the selling point everyone missed.
« on: October 19, 2021, 02:44:08 PM »

Got involved in a security discussion on another forum.  They had a few hacked accounts so enabled 2FA for everyone.

The argument I put forward is I consider forced rotation of passwords and forced expiry of login sessions a lazy approach to security that also causes inconvenience.

There is one security method that has always been very strong and that is IP based ACL's.

IPv6 allows every internet device out there to have its own routable IP, ISP's would have to get used to proper allocations not temporary DHCP one's sorry BT/sky.  The big problem though is the privacy features implemented, these have the side affect that makes this not workable, privacy has in effect been prioritised over security.

If we was in a IPv6 global enabled internet with no privacy randomisation of the address, then every service out there could utilise a automated ACL, that when you login, you dont need to reauthenticate providing you have valid session date on the client device and the IP is in the ACL, if either of these mismatches, you then require 2FA.  This would kill all the database account compromises dead which probably account for 99% of compromised accounts out there.

Some companies already do this, especially datacentres, if I login to linode, soyoustart, hetzner and my ip has changed, I have to redo 2FA.  Some even let you configure static IP whitelists as well.  I think its the way forward and its that killer IPv6 feature, albeit without the privacy randomisation.

Additional note I think AAISP also do this, if they detect an IP change, then its 2FA time.
« Last Edit: October 19, 2021, 02:48:21 PM by Chrysalis »
Logged

meritez

  • Content Team
  • Kitizen
  • *
  • Posts: 1623
Re: IPv6 the selling point everyone missed.
« Reply #1 on: October 19, 2021, 02:57:38 PM »

I still remember MoDaCo being hacked, that killed that community.
Logged

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: IPv6 the selling point everyone missed.
« Reply #2 on: October 19, 2021, 04:25:50 PM »

Chrys makes a good point. My iPad’s IPv4 address is globallly routs or and static, so could use that, but as Chrys mentioned, it’s iPadOS that’s in control of IPv6 addressing, not me. I could have an ACL on the /64 with a wildcard on the rightmost 64 bits, that would work.
Logged

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5260
    • Thinkbroadband Quality Monitors
Re: IPv6 the selling point everyone missed.
« Reply #3 on: October 19, 2021, 06:40:20 PM »

Its quite ironic, considering one of the big reasons I rolled back IPv6 on my network is because I can't monitor how much traffic is going to each client on pfSense for IPv6.

I've recently been rolling it out on its own VLAN (dual-stack with a different IPv4 subnet) and discovered the Xbox STILL insists on re-creating its UUID every time it boots, so you cannot assign it a static IP.

Ultimately my plan is to upgrade my TV cabinet switch to smart-managed Pro (apparently Netgear in their infinite wisdom allow SNMP on their Pro Switches but not on their Plus) and just monitor traffic over the ports instead.
« Last Edit: October 19, 2021, 08:39:37 PM by Alex Atkin UK »
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: IPv6 the selling point everyone missed.
« Reply #4 on: October 19, 2021, 07:38:51 PM »

Yeah I am not a fan of the UUID dynamically create IP nonsense, and as I think you already mentioned Alex, The Xbox you cannot set a static IPv6 at all.  This makes auditing and security more difficult.

What is recreating the UUID, pFSense? there should be an option there to make it only generated once, and then preserve across reboots.
Logged

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5260
    • Thinkbroadband Quality Monitors
Re: IPv6 the selling point everyone missed.
« Reply #5 on: October 19, 2021, 08:40:15 PM »

What is recreating the UUID, pFSense? there should be an option there to make it only generated once, and then preserve across reboots.

I was of course referring to Xbox, not sure how that word got deleted.

Another bizarre issue is I installed Windows to test a used GPU I picked up off eBay (I got a crash on a game I was 99% sure was a Linux issue) on my Linux box that currently has the IPv6 VLAN on its port, and Windows got an IPv6 IP even though Home edition doesn't support VLANs.  What's more confusing, it couldn't actually use it.  So it seems it picked up DHCPv6 and router announcements, but actual normal traffic is not flowing.  How and why is it doing that?

Of course I'd just move that box onto dual-stack but I kinda prefer how it is now, as I can keep IPv6 off on Linux and only turn it on when I want to, by having it on its own virtual NIC.
« Last Edit: October 19, 2021, 08:48:14 PM by Alex Atkin UK »
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: IPv6 the selling point everyone missed.
« Reply #6 on: October 19, 2021, 09:47:22 PM »

In my case my VLAN is assigned on my openwrt switch, I set it on the port, and windows itself has no VLAN tag on its packets.  I dont know your LAN setup though.

In regards to the traffic flow does the IPv6 have a valid gateway configured on the windows home?

On my Series S, I couldnt get multiplayer gaming to work without native IPv6.  For some reason the teredo tunnel just wouldnt work, and as soon as I enabled IPv6 on the VLAN, everything came to life.
« Last Edit: October 19, 2021, 09:49:32 PM by Chrysalis »
Logged

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5260
    • Thinkbroadband Quality Monitors
Re: IPv6 the selling point everyone missed.
« Reply #7 on: October 19, 2021, 11:54:51 PM »

The point is in this scenario I didn't want IPv6, it was a temporary boot into Windows where I expected it to only respond to the untagged LAN.

On that machine in Linux I have the main IPv4 untagged and dual-stack on VLAN 6, with iIPv4 disabled on that adapter so it uses the main LAN for IPv4.  This is so I could test IPv6 functionality, switch it on and off, without impacting IPv4.

The devices that are actually intended to use the IPv6 VLAN have it untagged on their switch ports so work as intended.

Its the fact VLAN 6 was somehow leaking into Windows that bothered me.  I was able to get its IPv6 static IP and DNS server, which it shouldn't have.  As I understand it DNS on IPv6 comes from RA, thus why I surmised its somehow seeing DHCPv6 and RA, but I think you may be right in that it possibly didn't get the gateway.  But frankly, it shouldn't have gotten any of it.

How did it even get to DHCPv6 if Windows isn't tagging the outwards traffic so Windows should have been unable to talk to the router?  I suppose theoretically it could have gotten the IP from RA alone, if pfSense broadcasts DHCPv6 Static Mappings over RA too, I don't really understand how IPv6 works in that respect. I didn't think you could do static IPs using RA and pfSense certainly makes no mention of it.

This is why I hate IPv6, its very poorly documented compared to IPv4.
« Last Edit: October 20, 2021, 12:01:00 AM by Alex Atkin UK »
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: IPv6 the selling point everyone missed.
« Reply #8 on: October 20, 2021, 02:20:57 AM »

About poor docs. There is a good Microsoft Press book about IPv6; of course it’s full of Windows stuff too and Microsoft-specifics, but it’s very well written as far as the protocols go. I will have to dig for the reference.

> even though Home edition doesn't support VLANs

I didn’t understand that bit. I’m sure you’re not sending out tagged PDUs from your switch or from your Windows-box’s NIC.

Could the leakage be a switch config problem? Is there any chance that an o/s is sending out tagged PDUs?

I’m not much help as I’ve never used DHCPv6. Nor VLANs much, apart from my modems which use VLAN mux/demuxing so they will fit into the limited number of ethernet ports on my FB2900 router. (Limited ethernet ports (three free) was an issue when I had four modems, but actually doesn't have to be now I only have three modems. I haven’t changed the topology though, because having my small mux/demux VLAN switch in between router and modems is another line of defence to hopefully protect the router from lightning strike. Together with the modems, the small mux switch would hopefully take a bullet first.)
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: IPv6 the selling point everyone missed.
« Reply #9 on: October 20, 2021, 02:29:32 PM »

I dont know Alex, I havent had any DHCPv6 allocations leaking from different VLAN's.

pfSense can have DHCP talk over RA, depending on how its configured in pfSense.  If your VLAN's are configured in pfSense, you should see two separate VLAN configuration screens for DHCPv6 and RA.  This might be easy to miss, as the second VLAN appears at top of configuration screen, and have to select it to configure for second VLAN.

I dont disagree that its more complicated than it needs to be.  It seems the designers of IPv6 implemented things they felt should of been there from the off, and have used the new protocol as a reason to make these changes.  Especially as we have different vendor's choosing which parts to support.  Some have static UUID, some only dynamic, some can configure the behaviour, plus fragmented support for DHCPv6 or RA.  These things may well be contributing to slow rollout of the technology from ISP's.

I am with Weaver that I think this particular problem you got might be a VLAN configuration issue.  I remember when I first setup VLAN's on my network it was a learning game with mistakes made on the way to where I have got to now.
« Last Edit: October 20, 2021, 02:42:26 PM by Chrysalis »
Logged

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: IPv6 the selling point everyone missed.
« Reply #10 on: October 20, 2021, 03:37:45 PM »

I don’t agree about o/s decisions affecting IPv6 rollout. What goes on within o/s is a lan-internal matter, is it not? Do you agree. All ISPs need to do is provide a (static unless they’re insane) prefix to a site, route stuff, and then walk away, job done. Let RA do its thing in the CPE. AA does it perfectly has for what, 15 years?, and other ISPs even giant ones can just copy AA if they don’t know what to do. They don’t need to go near DHCPv6 - that’s for site admins or corporates. Doing so just complicates matters and brings back the vulnerability (single point of failure) of IPv4 with DHCP, and in any case many o/s won’t obey DHCPv6 for all I know. (Will iOS/MacOSX obey DHCPv6?)
Logged

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5260
    • Thinkbroadband Quality Monitors
Re: IPv6 the selling point everyone missed.
« Reply #11 on: October 20, 2021, 09:01:32 PM »

I am with Weaver that I think this particular problem you got might be a VLAN configuration issue.  I remember when I first setup VLAN's on my network it was a learning game with mistakes made on the way to where I have got to now.

It works in Linux absolutely fine.

The main LAN is untagged across the whole network, its excluded from the ports that are on the VLAN6 except on my Linux machine as like I said, I can enable/disable that when I want it as Linux supports VLAN tagging.  The problem is Windows Home is hobbled not to use VLANs, so somehow its seeing the IP allocation despite not being able to talk to VLAN6 as obviously the NIC isnt tagging the traffic going back out.

Now obviously normally I wont use that configuration with Windows, knowing it doesn't support VLAN tagging.  But as this was temporary on my Linux box, I found the behaviour really odd, as surely if Microsoft insist that Home doesn't support VLANs, it should completely dismiss all tagged traffic rather than get the IP then be unable to talk to it because the traffic going back out is untagged so going out the wrong VLAN on the switch.
« Last Edit: October 20, 2021, 09:05:10 PM by Alex Atkin UK »
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: IPv6 the selling point everyone missed.
« Reply #12 on: October 21, 2021, 01:48:44 AM »

Agree, that seems like a complete bug in Windows Home. But the moral is, don’t ever, ever under any circumstances buy a copy of "Home" as they are crippled beyond all reason. It’s just not worth the enormous hassle.
Logged

tubaman

  • Senior Kitizen
  • ******
  • Posts: 12514
Re: IPv6 the selling point everyone missed.
« Reply #13 on: October 21, 2021, 08:31:41 AM »

... But the moral is, don’t ever, ever under any circumstances buy a copy of "Home" as they are crippled beyond all reason. It’s just not worth the enormous hassle.

I think that's a bit of a over-generalisation as for the vast majority of users, myself included, the Home version does everything required. If you want or need to get into more advanced network configurations etc then you do need the Pro version, but most domestic users will never need the extra features.
 :)
Logged
BT FTTC 55/10 Huawei Cab - Zyxel VMG8924-B10A

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: IPv6 the selling point everyone missed.
« Reply #14 on: October 21, 2021, 11:35:32 AM »

I said this some years back. Win Home cannot be secured properly, that’s why I hate it. But then most people have no possible way to get the help needed to establish a secured configuration so as you say it’s not such a big deal. But the point is, Win Pro is not much more money so it should be the default.
Logged
Pages: [1] 2