
ISPs enabling IPv6 by default

  • 09-06-2018 3:10pm
    #1
    Registered Users, Registered Users 2 Posts: 9,294 ✭✭✭


    I'm sorry if this has been discussed at length before; I didn't search much before posting.


    I haven't played with IPv6 in anger since the earlier days of brokers and tunneling over IPv4 etc.


    I'm wondering how people feel about ISPs such as eir enabling IPv6 by default on home routers. A lot of people have no interest in security and probably shouldn't need to. Opening up IPv6 opens up a whole new attack surface that a lot of users most likely don't even know exists.


    IPv4 natted offers a certain level of security out of the box. Where IPv6 puts a lot of devices that support it in your home directly on to the internet again without even knowing about it. This requires more complex firewalling etc. to stay safe. Opening up SMB shares/local FTP servers etc etc etc.


    Any thoughts on it? Should they be doing it out of the box?
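
Added example, not part of the original post: one way to check which services a Linux host would offer over IPv6 if the router did not filter inbound traffic, by decoding listening sockets from `/proc/net/tcp6`. The sample rows are constructed, the `2001:db8::` addresses are documentation addresses standing in for a global prefix, and the word-swapping decode assumes a little-endian host.

```python
from ipaddress import IPv6Address, ip_network

# Constructed sample in /proc/net/tcp6 layout (trailing columns trimmed).
SAMPLE = """\
  sl  local_address                         remote_address                        st
   0: 00000000000000000000000000000000:01BD 00000000000000000000000000000000:0000 0A
   1: 00000000000000000000000001000000:0277 00000000000000000000000000000000:0000 0A
   2: 000080FE000000000000000001000000:0016 00000000000000000000000000000000:0000 0A
   3: B80D0120000000000000000010000000:0015 00000000000000000000000000000000:0000 0A
   4: B80D0120000000000000000010000000:C350 B80D01200000000000000000FF000000:01BB 01
"""

TCP_LISTEN = "0A"                 # socket state code for LISTEN
ULA = ip_network("fc00::/7")      # unique local addresses, not routed on the internet


def decode_addr(hex32):
    """The kernel prints four 32-bit words in host byte order; swap each back."""
    raw = bytes.fromhex(hex32)
    return IPv6Address(b"".join(raw[i:i + 4][::-1] for i in range(0, 16, 4)))


def scope(addr):
    if addr.is_unspecified:
        return "all-addresses"    # bound to [::], answers on every address the host has
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr in ULA:
        return "unique-local"
    return "global"


def listeners(text):
    """Return (address, port, scope) for every listening TCP/IPv6 socket."""
    found = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 4 or cols[3] != TCP_LISTEN:
            continue              # skip established connections and short lines
        host, port = cols[1].rsplit(":", 1)
        addr = decode_addr(host)
        found.append((str(addr), int(port, 16), scope(addr)))
    return found


def internet_facing(text):
    """Listeners that depend on a firewall to stay unreachable from outside."""
    return [(a, p) for a, p, s in listeners(text) if s in ("all-addresses", "global")]
```

On a live Linux host, pass the contents of `/proc/net/tcp6` instead of `SAMPLE`. Anything the second function returns is only as private as the router's and the host's own IPv6 firewall rules make it.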


Comments

  • Technology & Internet Moderators Posts: 28,831 Mod ✭✭✭✭oscarBravo


    It's vaguely true that NAT offers a veneer of security, but people really need to start taking security a lot more seriously than "I'm behind the barest minimum of a firewall, so I can stop worrying."

    Arguably, IPv6 offers a comparable level of security-through-obscurity by having such a vast address space that it's infeasible to run address scans. Either way, every device should have a proper firewall running on it. Most do - even Windows has a basic stateful firewall running by default.


  • Registered Users, Registered Users 2 Posts: 9,294 ✭✭✭limnam


    oscarBravo wrote: »
    It's vaguely true that NAT offers a veneer of security, but people really need to start taking security a lot more seriously than "I'm behind the barest minimum of a firewall, so I can stop worrying."


    Yeah agreed, I'm certainly not promoting NAT as a level of security. But by its nature it tends to give "joe user" a certain level without even having to really know or think about it.


    I'm also with you on people having to educate themselves but people tend to not care about these things and really they shouldn't have to become Bruce Schneier to browse the internet.


    oscarBravo wrote: »
    Arguably, IPv6 offers a comparable level of security-through-obscurity by having such a vast address space that it's infeasible to run address scans. Either way, every device should have a proper firewall running on it. Most do - even Windows has a basic stateful firewall running by default.


    Granted the address space takes longer to scan than v4 so you're unlikely to be done a few seconds after putting something directly online like we've seen with Windows in the past.


    I'm very much in favor of IPv6; I'm just not overly comfortable with it being on out of the box and people being unaware of it and the risks. Especially as some users tend to lower the firewall settings if it causes them problems rather than learning about what needs to be let in and out.


  • Registered Users, Registered Users 2 Posts: 14,555 ✭✭✭✭Marlow


    First of all... wake up and smell the truth .. IPv6 is unavoidable. The IPv4 pool in the RIPE region (Europe, North Africa and the Middle East) reached the last /8 in September 2012. That's 6 years ago. Providers were supposed to move to IPv6 years before that. No more IPv4 to be got.

    Secondly .. before starting an outcry .. have you looked at how routers implement IPv6 ? NAT does not equal firewalling.

    Let's take the AVM Fritz!Box for example that quite a few providers in Ireland supply their customers with .. while each of your devices has a public IPv6 address, it will not let traffic through to your devices by default. You either need to allow it to do so or you need to initiate the connection to an IPv6 address first before traffic from that destination can flow back.

    That means, it's as secure as the IPv4 (via NAT) connection that you are used to .. or even more.

    Please research first before starting scaremongering.

    And fact is ... we are not far from switching IPv4 off. CGNat (Carrier Grade NAT) is already commonly used to save IPv4 resources and that means very limited port forwarding capabilities to the end user.

    /M
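
The router behaviour described in the post above, as an added example that is not part of the original post and is not AVM's code: a small model of default-deny inbound filtering with connection tracking. The class and field names are hypothetical, the addresses are constructed from the `2001:db8::/32` documentation prefix, and matching replies on the full address-and-port pair is an assumption about how strict the tracking is.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address as IP


@dataclass(frozen=True)
class Packet:
    src: IP
    sport: int
    dst: IP
    dport: int
    proto: str = "tcp"


@dataclass
class EdgeFirewall:
    """Hypothetical model: LAN hosts hold public IPv6 addresses, inbound is default-deny."""
    allowlist: set = field(default_factory=set)  # {(lan_host, proto, port)} opened by the owner
    flows: set = field(default_factory=set)      # flows that were initiated from the LAN

    def outbound(self, p: Packet) -> str:
        # LAN -> WAN is forwarded and remembered so the reply can come back.
        self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return "accept"

    def inbound(self, p: Packet) -> str:
        # A reply is the exact mirror image of a flow the LAN host started.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.flows:
            return "accept-established"
        if (p.dst, p.proto, p.dport) in self.allowlist:
            return "accept-allowlisted"
        return "drop"  # routable address, but nothing unsolicited gets through


def demo():
    """Walk through the cases with constructed addresses and ports."""
    nas, web, stranger = IP("2001:db8:1::10"), IP("2001:db8:ffff::80"), IP("2001:db8:bad::1")
    fw = EdgeFirewall()
    results = {}
    results["unsolicited_smb"] = fw.inbound(Packet(stranger, 40000, nas, 445))
    fw.outbound(Packet(nas, 51000, web, 443))
    results["reply"] = fw.inbound(Packet(web, 443, nas, 51000))
    results["same_peer_other_port"] = fw.inbound(Packet(web, 443, nas, 445))
    fw.allowlist.add((nas, "tcp", 22))
    results["allowlisted_ssh"] = fw.inbound(Packet(stranger, 40001, nas, 22))
    return results
```

The `drop` on `same_peer_other_port` shows that having talked to a remote host does not open the LAN host's other ports to it in this model.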


  • Registered Users, Registered Users 2 Posts: 9,294 ✭✭✭limnam


    Marlow wrote: »
    First of all... wake up and smell the truth .. IPv6 is unavoidable. The IPv4 pool in the RIPE region (Europe, North Africa and the Middle East) reached the last /8 in September 2012. That's 6 years ago. Providers were supposed to move to IPv6 years before that. No more IPv4 to be got.

    Secondly .. before starting an outcry .. have you looked at how routers implement IPv6 ? NAT does not equal firewalling.

    Let's take the AVM Fritz!Box for example that quite a few providers in Ireland supply their customers with .. while each of your devices has a public IPv6 address, it will not let traffic through to your devices by default. You either need to allow it to do so or you need to initiate the connection to an IPv6 address first.

    That means, it's as secure as the IPv4 (via NAT) connection that you are used to .. or even more.

    Please research first before starting scaremongering.

    And fact is ... we are not far from switching IPv4 off. CGNat (Carrier Grade NAT) is already commonly used to save IPv4 resources and that means very limited port forwarding capabilities to the end user.

    /M


    All right, don't get your knickers in a twist.


    Just looking for a discussion on it no need to start ranting and raving.


    IPv6 is the future. I use it, fully support it. No issues.


    No one stated NAT = firewall. But the nature of it being non-routable creates a layer of security.


    No one's trying to scaremonger anyone. Just looking for people's thoughts on it. Not to be spoken at like a child.


  • Registered Users, Registered Users 2 Posts: 14,555 ✭✭✭✭Marlow


    You have to accept that a bystander looks at your post and goes .. oh .. I better switch that off ... And that's the worst that can happen to get anywhere with this migration from an ISP's perspective. So please do proper research first.

    limnam wrote: »
    No one stated NAT = firewall. But the nature of it being non-routable creates a layer of security.

    Well. When it comes to IPv6 you have to rethink what you have learned. NAT was meant to be abolished with IPv6. It breaks so many things. There are IPv6 NAT implementations now, but let's not go there. NAT is evil, it gives a false sense of security and it's not a solution.. It's a workaround.

    Next you have to understand that router manufacturers who took this seriously implemented IPv6 in a secure manner. So AVM routers block traffic until YOU initiate communication or whitelist a host.

    I have not tested Huawei's behaviour (which is what Eir and Vodafone supply), but if they are in any way sensible, it'll be the same.

    So in principle security is at least as good as it was before with NAT on IPv4.. you just have to get used to that you actually have a unique public IPv6 for each of your hosts and be happy that things work a lot better.

    Anonymity is a different problem, but that doesn't come into the picture here.

    /M


  • Registered Users, Registered Users 2 Posts: 36,170 ✭✭✭✭ED E


    IMO Kill v6 on CPE. Yes, v6 is the future but end users are not the issue. It's services that are holding it back.

    What we need is a cliff. A point where v4 just stops. That's the only thing that'll cause any real progress. Chrome in theory could do it, but won't. MS could do it (destroy the v4 stack with 12mo notice). They won't.

    No one MNC having the balls to force the issue has led us down this path and nothing will change by 2025 unless that fact changes.



    PS: F-ckin DSLite is the devil's work.


  • Registered Users, Registered Users 2 Posts: 14,555 ✭✭✭✭Marlow


    The big service providers actually have moved.

    Apple enforced in 2016, that all apps on the play store must be IPv6 capable or use their network API. After the cut off date, the ones that didn't get removed. As a result over 60% of their network traffic is now IPv6.

    Google and all services relating to Google are IPv6 enabled.

    Microsoft has fully IPv6 enabled all their services.

    So, the services are not what's holding it back. It's the ISPs and end-users that need to cop on. It's the old routers and the users that are disabling it .. And those ISPs that still are ignorant.

    /M


  • Registered Users, Registered Users 2 Posts: 1,664 ✭✭✭rogue-entity


    Marlow wrote: »
    So, the services are not what's holding it back. It's the ISPs and end-users that need to cop on. It's the old routers and the users that are disabling it .. And those ISPs that still are ignorant.

    /M

    The ISPs that are doing it right are offering proper dual-stack and not making a fuss about it, which is unfortunately not all of them. On the other hand, I have a much nicer IPv6 experience using a tunnel.


  • Registered Users, Registered Users 2 Posts: 1,467 ✭✭✭Tinder Surprise


    Lads, any web sites that I can type an IP address into to see if it is dslite, or not?

    I'm having some network issues and my WAN IP has changed and I suspect it's dslite

    I need a site that I can type the address into vs one that automatically loads the IP


  • Registered Users, Registered Users 2 Posts: 1,709 ✭✭✭wiz569


    Lads, any web sites that I can type an IP address into to see if it is dslite, or not?

    I'm having some network issues and my WAN IP has changed and I suspect it's dslite

    I need a site that I can type the address into vs one that automatically loads the IP

    The only way I know is using https://test-ipv6.com/


  • Registered Users, Registered Users 2 Posts: 14,012 ✭✭✭✭Cuddlesworth


    ED E wrote: »
    IMO Kill v6 on CPE. Yes, v6 is the future but end users are not the issue. It's services that are holding it back.

    What we need is a cliff. A point where v4 just stops. That's the only thing that'll cause any real progress. Chrome in theory could do it, but won't. MS could do it (destroy the v4 stack with 12mo notice). They won't.

    No one MNC having the balls to force the issue has led us down this path and nothing will change by 2025 unless that fact changes.



    PS: F-ckin DSLite is the devil's work.

    We have reached that point, major network services to home users have seen huge advances in adoption and the majority of western traffic is now IPv6, driven hugely by mobile networks. The enterprise could do with getting the finger out.

    And yes, DSlite is the devil.

    limnam wrote: »
    No one stated NAT = firewall. But the nature of it being non-routable creates a layer of security.

    Not really much difference, the edge firewall will still deny unsolicited traffic regardless. The internal network is still inaccessible.

    The wider issue is why you have to reject that traffic in the first place, why is it home devices have to be protected?

