Netgate Discussion Forum
    Very Basic IPv6 security question.

    79 Posts 9 Posters 20.8k Views 12 Watching
      guardian Rebel Alliance

      Hi - I have been using pfSense for several years, but just with IPv4 since I have yet to get my head around what I need to do to secure IPv6. At the moment I have IPv6 disabled on all interfaces including the WAN.

      I am being forced into IPv6 by my ISP due to changes in the cable TV system which is moving from a legacy RF system to an IPTV system that uses IPv6. (Rogers in Canada-Ignite TV-I was told it is a similar system to Comcast in the US-I think it is called Xfinity or something like that.)

      IIUC, I should be able to enable IPv6 on the WAN and get an IPv6 address (I think it uses DHCP6, but I'm not sure so I need to experiment), and since none of the other interfaces have IPv6 enabled there should be no traffic flow to/from the network.

      Am I correct, or do I need to take measures to protect my network?

      My initial goal is just to get IP connectivity to the router. Once I have done that, I'll see if I can pipe IPv6 traffic over a VLAN.

      P.S.: Any suggestions as to helpful learning resources would be much appreciated.

      If you find my post useful, please give it a thumbs up!
      pfSense 2.8.0-RELEASE

        SteveITS Galactic Empire @guardian

        @guardian if it’s disabled on the interfaces it won’t have an address.

        If WAN doesn't have allow rules for IPv6, incoming traffic will be blocked.

        Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
        Upvote 👍 helpful posts!

          JKnott @guardian

          @guardian said in Very Basic IPv6 security question.:

          Hi - I have been using pfSense for several years, but just with IPv4 since I have yet to get my head around what I need to do to secure IPv6. At the moment I have IPv6 disabled on all interfaces including the WAN.

          Firewalls, on IPv6, work pretty much the same as on IPv4. You block everything and then add the exceptions that you need. If you don't enable any incoming, you won't have any. On my firewall, all I allow is OpenVPN on both IPv4 and IPv6.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

            johnpoz LAYER 8 Global Moderator @guardian

            @guardian said in Very Basic IPv6 security question.:

            IPTV system that uses IPv6.

            Well just let your tv or dvr etc. get IPv6 and there is zero reason to enable it on your other network if you don't want to.

            While sure IP is IP.. where IPv6 really confuses people is it loves to use just random IPs to make outbound connections.. so if you don't want your box X to get to somewhere, you have to worry about some random IPv6 address it will use.. Unless you disable that on the client - if you can etc..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

              JKnott @johnpoz

              @johnpoz said in Very Basic IPv6 security question.:

              While sure IP is IP.. where IPv6 really confuses people is it loves to use just random IPs to make outbound connections.. so if you don't want your box X to get to somewhere, you have to worry about some random IPv6 address it will use..

              That's not an issue here. I'm also on Rogers and have had IPTV for a couple of years. Also, the OP may be in for a bandwidth increase. Prior to getting IPTV, I had a 150/20 connection, IIRC. After I got IPTV, it was 500/20, then 500/30, but in fact I get about 920/32.

              Also, unlike some ISPs, Rogers does a good job of providing IPv6, with a consistent /56 prefix.

                johnpoz LAYER 8 Global Moderator @JKnott

                @JKnott I think it is at the root of the question. Trying to lock down IPv6 is much harder than just IPv4 because of temp IPv6 address. With IPv4 if a device has address 1.2.3.4 it can't just randomly use 1.2.3.5 to make a connection..

                  SteveITS Galactic Empire @johnpoz

                  @johnpoz I think OP only wanted it on one VLAN for the video.

                  Using it on multiple networks would require multiple /64 blocks, one each but that’s not uncommon.

                  The temp addresses are a bit annoying as the wife wants to prioritize Teams but also bypass ad blocking since she’s in the online ad industry.

                    johnpoz LAYER 8 Global Moderator @SteveITS

                    @SteveITS if it was me - I would put the tv that wants IPv6 on its own vlan, and not give anything else IPv6. I agree the changes of IPv6 bring challenges to security.

                    I think just enabling IPv6 as default was a bad idea, it should be brought online via opt in.. And only enabled once you understand all of the differences.

                    It should have been - hey users you want to use IPv6, click here..

                      JKnott @johnpoz

                      @johnpoz said in Very Basic IPv6 security question.:

                      @JKnott I think it is at the root of the question. Trying to lock down IPv6 is much harder than just IPv4 because of temp IPv6 address. With IPv4 if a device has address 1.2.3.4 it can't just randomly use 1.2.3.5 to make a connection..

                      The solution for that is MAC filtering, which is available in Linux and I believe soon to be in pfSense. Did he mention anything he didn't want to get out?

                        JKnott @SteveITS

                        @SteveITS said in Very Basic IPv6 security question.:

                        @johnpoz I think OP only wanted it on one VLAN for the video.

                        Using it on multiple networks would require multiple /64 blocks, one each but that’s not uncommon.

                        The temp addresses are a bit annoying as the wife wants to prioritize Teams but also bypass ad blocking since she’s in the online ad industry.

                        Blocking a /64 is certainly easy enough and he has 256 to choose from. I use one for my guest WiFi, which will not allow any connections to the rest of my network. It would be simple to change that to not access the Internet.

                          JKnott @johnpoz

                          @johnpoz said in Very Basic IPv6 security question.:

                          and not give anything else IPv6

                          Why are you so negative about IPv6? @guardian is on an ISP that does IPv6 properly. In fact, I got into pfSense because they started offering native IPv6 almost 8 years ago and the Linux firewall I was using wouldn't work with DHCPv6-PD. IPv6 on Rogers just works and works well.

                          BTW, I have my Sharp TV on my guest WiFi/VLAN because it can't handle the 63 character password I use on my main SSID.

                            JKnott @johnpoz

                            @johnpoz said in Very Basic IPv6 security question.:

                            It should have been - hey users you want to use IPv6, click here..

                            BTW, when you get the cable modem from them, it's in gateway mode, with IPv6 enabled. It just works.

                              guardian Rebel Alliance

                              @SteveITS, @JKnott, @johnpoz Thanks for the replies

                              @JKnott said in Very Basic IPv6 security question.:

                              Why are you so negative about IPv6? @guardian is on an ISP that does IPv6 properly. In fact, I got into pfSense because they started offering native IPv6 almost 8 years ago and the Linux firewall I was using wouldn't work with DHCPv6-PD. IPv6 on Rogers just works and works well.

                              This is correct:
                              "@johnpoz I think OP only wanted it on one VLAN for the video."

                              The reason for my negativity regarding IPv6 - In a word - ignorance -- It scares the crap out of me because it is so hard to control. I am getting a ton of IPv6 entries that I don't understand (see below) or how to control.

                              I am running pfBlocker with a ton of ad blocking, and "spyware" blocking which works quite well on IPv4, but it appears that I am getting a bunch of DNS leakage now.

                              The only way to have any control over Microsoft Windows is to keep it tightly firewalled, and Google (and possibly others) have been responsible for serving Malvertising. So far my efforts to keep this nonsense under control have been successful, but now IPv6 is opening that can of worms back up again.

                              @JKnott is correct in saying that in bridge mode, "It just works." - simply changing the WAN IPv6 setting to DHCP6 got me a public IP Address.

                              The DPinger address was set to what I believe is a link local address: fe80:0:0:0:217:---:----:e58f, and it showed 100% packet loss, but when I changed the monitor address to 2607:f8b0:400b:807::2003 (Google.ca), the packet loss dropped to 0% and showed RTT/RTTsd values. So it appears that I have IPv6 connectivity, and the Status / Interfaces tab seems to confirm it. Is there a better monitor target, or a way to make pfSense pick a useful monitor IP automatically?

                              Status / Interfaces
                              WAN Interface (wan, em0)
                              
                              Status: up 
                              DHCP:   up
                              MAC Address: 00:28:--:--:--:04 
                              IPv4 Address: 99.--.--.-- 
                              Subnet mask IPv4: 255.255.254.0 
                              Gateway IPv4: 99.--.--.1 
                              IPv6 Link Local:  fe80::228:----:----:1004%em0 
                              IPv6 Address:     2607:----:----:1dd:fd3d:----:e479:c4c1 
                              Subnet mask IPv6: 128 
                              Gateway IPv6:     fe80::217:----:----:e58f 
                              DNS servers
                              2607:f798:18:10:0:640:7125:5204 
                              2607:f798:18:10:0:640:7125:5198 
                              MTU: 1500
                              

                              The Diagnostics / States / States display tab shows a ton of activity: WTF is going on here?

                              IP                                   # States	Protocol	# States	Source Ports	Dest. Ports
                              2607:f798:804:1dd:fd3d:9735:e479:c4c1   204       udp          203                           1
                              
                              Protocol counts
                              IP	# States	Protocol	# States	Source Ports	Dest. Ports
                              2600:9000:5304:2800::1	1	udp	1		1
                              2600:9000:5305:7800::1	1	udp	1		1
                              2600:9000:5302:6000::1	2	udp	2		1
                              2001:4860:4802:32::a	9	udp	9		1
                              2600:9000:5303:b600::1	3	udp	3		1
                              2600:9000:5304:bd00::1	1	udp	1		1
                              2001:502:1ca1::30	2	udp	2		1
                              2001:4860:4802:32::6b	1	udp	1		1
                              2600:9000:5301:fa00::1	1	udp	1		1
                              2600:9000:5307:c200::1	1	udp	1		1
                              2600:9000:5304:9400::1	1	udp	1		1
                              fe80::228:1aff:fee0:1004	1	ipv6-icmp	1		1
                              2600:9000:5306:d600::1	2	udp	2		1
                              2001:4860:4802:32::6a	1	udp	1		1
                              2600:9000:5305:bf00::1	1	udp	1		1
                              2001:4860:4802:38::6a	1	udp	1		1
                              2607:f8b0:400b:807::2003	1	ipv6-icmp	1		1
                              2001:500:856e::30	3	udp	3		1
                              2600:9000:5303:1000::1	1	udp	1		1
                              2600:9000:5305:4e00::1	1	udp	1		1
                              2600:9000:5307:8600::1	1	udp	1		1
                              2600:9000:5307:8e00::1	1	udp	1		1
                              2001:503:231d::2:30	1	udp	1		1
                              2600:9000:5302:7700::1	1	udp	1		1
                              2600:9000:5304:2000::1	1	udp	1		1
                              2401:fd80:400::1	3	udp	3		1
                              2600:9000:5302:e700::1	1	udp	1		1
                              2a01:618:400::1	1	udp	1		1
                              2600:9000:5307:1700::1	1	udp	1		1
                              2600:9000:5303:8e00::1	1	udp	1		1
                              2001:4860:4802:34::6e	1	udp	1		1
                              2001:500:48::1	3	udp	3		1
                              2001:501:b1f9::30	4	udp	4		1
                              2a00:1b98:1:0:20c:29ff:fe83:d782	4	udp	4		1
                              2001:4860:4802:34::a	16	udp	16		1
                              2600:9000:5303:1600::1	1	udp	1		1
                              2600:1401:2::f0	3	udp	3		1
                              2600:9000:5303:2e00::1	1	udp	1		1
                              2600:9000:5306:4e00::1	2	udp	2		1
                              2600:9000:5300:b700::1	1	udp	1		1
                              2600:9000:5302:d000::1	1	udp	1		1
                              2001:500:40::1	1	udp	1		1
                              2001:503:83eb::30	4	udp	4		1
                              2600:1480:f000::43	1	udp	1		1
                              2600:9000:5305:4c00::1	1	udp	1		1
                              2a06:fb00:1::1:96	1	udp	1		1
                              2001:500:f::1	3	udp	3		1
                              2001:678:20::41	1	udp	1		1
                              2600:1401:1::43	4	udp	4		1
                              2001:4860:4802:36::a	21	udp	21		1
                              2001:502:2eda::3	2	udp	2		1
                              2001:67c:26b4:7:21e:bff:fec7:87a	4	udp	4		1
                              2606:4700:50::adf5:3a7e	1	udp	1		1
                              2600:9000:5303:e00::1	1	udp	1		1
                              fe80::217:10ff:fe9a:e58f	1	ipv6-icmp	1		0
                              ::1	2	udp	2		1
                              2600:9000:5300:3e00::1	1	udp	1		1
                              2001:503:d2d::30	3	udp	3		1
                              2001:502:8cc::30	3	udp	3		1
                              2600:9000:5306:d400::1	1	udp	1		1
                              2600:9000:5307:3d00::1	1	udp	1		1
                              2600:9000:5300:1500::1	1	udp	1		1
                              2600:9000:5307:b500::1	1	udp	1		1
                              2600:9000:5304:2d00::1	1	udp	1		1
                              2a01:4f8:c0c:97af:ca62:cd80:657f:18cc	5	udp	5		1
                              2001:4860:4802:34::6b	1	udp	1		1
                              2001:dcd:1::10	1	udp	1		1
                              2600:9000:5302:6600::1	1	udp	1		1
                              2001:4860:4802:38::a	11	udp	11		1
                              2600:9000:5302:df00::1	2	udp	2		1
                              2001:503:39c1::30	3	udp	3		1
                              2600:9000:5301:7900::1	2	udp	2		1
                              2001:500:e::1	2	udp	2		1
                              2600:9000:5301:200::1	2	udp	2		1
                              2610:a1:1009::3	2	udp	2		1
                              2001:502:7094::30	4	udp	4		1
                              2a06:98c1:50::ac40:2154	1	udp	1		1
                              2600:9000:5304:a000::1	1	udp	1		1
                              2001:500:d937::30	2	udp	2		1
                              2600:1480:4800::43	1	udp	1		1
                              2001:503:a83e::2:30	4	udp	4		1
                              2600:9000:5302:f900::1	1	udp	1		1
                              2600:9000:5302:5400::1	1	udp	1		1
                              2600:9000:5301:7800::1	1	udp	1		1
                              2001:503:eea3::30	3	udp	3		1
                              2600:9000:5303:b900::1	1	udp	1		1
                              2600:9000:5302:c900::1	2	udp	2		1
                              2600:9000:5302:5600::1	1	udp	1		1
                              2600:9000:5303:9300::1	1	udp	1		1
                              2600:9000:5300:b800::1	1	udp	1		1
                              2a01:618:404::1	1	udp	1		1
                              2600:9000:5302:6900::1	1	udp	1		1
                              2600:9000:5301:e500::1	1	udp	1		1
                              2001:4860:4802:32::6c	1	udp	1		1
                              2600:9000:5306:fd00::1	1	udp	1		1
                              2401:fd80:404::1	2	udp	2		1
                              

                              Is this stuff dangerous? Thoughts/suggestions?

                              EDIT: I had a pcap running (IPv6 traffic only) while I was doing this investigation, and it seems like I am getting a ton of DNS (Port 53) activity.

                              I want to shut it down if it is anything more than just resolving stuff for the IPTV box (which I don't have yet). Why am I getting all this IPv6 traffic when I don't have any internal interfaces with IPv6 enabled?

                              Now I need to figure out if I can get IPv6 through my SG300 switch and Ethernet over powerline adapter. I currently have a 3 VLAN IPv4 trunk that connects to my WiFi Access Point (2 private SSIDs and 1 guest).

                              I guess my next step is to create an interface for the IPv6 and send it to an access port on the SG300 to see if I have IPv6 connectivity. If that works, then I move on to the Ethernet over powerline.

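An added example, not from the post above and not pfSense code: a small Python script that reads a pasted Diagnostics / States summary like the one above and groups it by address class and by /32 prefix, so a long list of remote addresses collapses into a few operators. Two things in the pasted data are worth noticing while reading it. The only source row is the firewall's own WAN address from the Status / Interfaces block (same ...1dd:fd3d:...:e479:c4c1 suffix), so none of these states belong to an internal host. And every UDP row has a single destination port, which the pcap mentioned in the edit identifies as 53. That is what a recursive resolver looks like from the outside: as soon as WAN has a global IPv6 address, the DNS Resolver (Unbound) on pfSense starts sending its own upstream queries over IPv6 too; Unbound's `do-ip6: no` option (DNS Resolver custom options) keeps its transport on IPv4 if that is not wanted. The address classes also bear on the monitor question: a link-local (fe80::/10) target is the next hop on the wire, a global one is somewhere past it. The sample rows are a constructed subset of the table above.

```python
"""Summarise a pasted pfSense Diagnostics / States summary for IPv6.

Groups the per-IP rows by address class (loopback, link-local, unique-local,
global) and, for global addresses, by /32 prefix.
"""
import ipaddress
from collections import Counter

# Constructed sample: a subset of the rows pasted in the post, tab-separated as the
# pfSense summary is: IP, # states, protocol, # states, source ports, dest ports.
SAMPLE = (
    "IP\t# States\tProtocol\t# States\tSource Ports\tDest. Ports\n"
    "2600:9000:5304:2800::1\t1\tudp\t1\t\t1\n"
    "2001:4860:4802:32::a\t9\tudp\t9\t\t1\n"
    "2001:502:1ca1::30\t2\tudp\t2\t\t1\n"
    "fe80::228:1aff:fee0:1004\t1\tipv6-icmp\t1\t\t1\n"
    "2607:f8b0:400b:807::2003\t1\tipv6-icmp\t1\t\t1\n"
    "2001:500:856e::30\t3\tudp\t3\t\t1\n"
    "fe80::217:10ff:fe9a:e58f\t1\tipv6-icmp\t1\t\t0\n"
    "::1\t2\tudp\t2\t\t1\n"
    "2001:4860:4802:34::a\t16\tudp\t16\t\t1\n"
)

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")


def classify(addr):
    """Return the address class: loopback, link-local, unique-local, global or other."""
    addr = ipaddress.IPv6Address(addr)
    if addr.is_loopback:
        return "loopback"
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in UNIQUE_LOCAL:
        return "unique-local"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"


def parse_states(text):
    """Return [(IPv6Address, state_count, protocol)] for every data row.

    The header row and anything that is not an IPv6 address are skipped.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 3:
            continue
        try:
            addr = ipaddress.IPv6Address(parts[0].strip())
        except ValueError:
            continue  # header row, blank line or an IPv4 row
        rows.append((addr, int(parts[1]), parts[2].strip()))
    return rows


def summarise(rows):
    """Count states per address class, per protocol and per /32 prefix of global peers."""
    by_class, by_proto, by_prefix = Counter(), Counter(), Counter()
    for addr, states, proto in rows:
        cls = classify(addr)
        by_class[cls] += states
        by_proto[proto] += states
        if cls == "global":
            # /32 is coarse enough to merge one operator's many name servers into one row
            by_prefix[str(ipaddress.ip_network(f"{addr}/32", strict=False))] += states
    return by_class, by_proto, by_prefix


if __name__ == "__main__":
    by_class, by_proto, by_prefix = summarise(parse_states(SAMPLE))
    print("by class :", dict(by_class))
    print("by proto :", dict(by_proto))
    for prefix, n in by_prefix.most_common():
        print(f"{n:4d}  {prefix}")
```

Paste the whole table from the States summary into SAMPLE (or read it from a file) and the per-/32 output shows which operators the resolver is talking to; if the prefixes are all DNS hosting and registry operators and the destination port is 53, the traffic is the firewall's own resolution, not a leak from a client.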
                                JKnott @guardian

                                @guardian said in Very Basic IPv6 security question.:

                                The reason for my negativity regarding IPv6 - In a word - ignorance -- It scares the crap out of me because it is so hard to control. I am getting a ton of IPv6 entries that I don't understand (see below) or how to control.

                                I think that's the case with a lot of people, but they forget it was the same when they started with IPv4. The basic principles of IPv6 are the same as IPv4. However, when it was designed, they took IPv4 and kept what worked and dropped what didn't. For example ICMPv6 is used for a lot to manage things. It gets rid of ARP, which existed before IPv4. Other things were done to improve performance, such as a fixed length header, etc..

                                I've been using IPv6 for over 13 years, initially with a 6in4 tunnel, but for the past 6.5 years with native IPv6 from Rogers.

                                The DPinger address was set to what I believe is a link local address: fe80:0:0:0:217:---:----:e58f, and it showed 100% packet loss, but when I changed the monitor address to 2607:f8b0:400b:807::2003 (Google.ca), the packet loss dropped to 0% and showed RTT/RTTsd values. So it appears that I have IPv6 connectivity, and the Status / Interfaces tab seems to confirm it. Is there a better monitor target, or a way to make pfSense pick a useful monitor IP automatically?

                                You have to use a routeable address for that. Link local won't work. I suspect this is a deficiency with pfSense. I ran traceroute to Google and used the first global address I saw.

                                Now I need to figure out if I can get IPv6 through my SG300 switch and Ethernet over powerline adapter. I currently have a 3 VLAN IPv4 trunk that connects to my WiFi Access Point (2 private SSIDs and 1 guest).

                                For things like switches, power line adapters, WiFi, etc., it makes no difference whether IPv4 or IPv6 is used. They're both valid Ethernet frames.

                                  RobbieTT @JKnott

                                  @guardian said in Very Basic IPv6 security question.:

                                  The DPinger address was set to what I believe is a link local address: fe80:0:0:0:217:---:----:e58f, and it showed 100% packet loss, but when I changed the monitor address to 2607:f8b0:400b:807::2003 (Google.ca), the packet loss dropped to 0% and showed RTT/RTTsd values. So it appears that I have IPv6 connectivity, and the Status / Interfaces tab seems to confirm it. Is there a better monitor target, or a way to make pfSense pick a useful monitor IP automatically?

                                  If you get a dedicated ISP handshake then pfSense will use the first external hop from your gateway (ie to your ISP's connection node) link-local address for IPv6 monitoring. If ICMPv6 is enabled (as it should be but your ISP may be doing something whacky on its first node) Dpinger will get a return ping6 to monitor.

                                  [screenshot: 2023-07-19 at 14.03.39.png]

                                  Once you start to learn IPv6 you never look back. It is refreshing how simple it all is but just like IPv4, if you are new to it it does look daunting. Fear not, many of us have been running IPv6 for well over a decade and now find IPv4 restrictive or painful with kludges like NAT being relied upon.

                                  There are many in the networking world, particularly those in the US, who have had IPv4 address space to spare and have simply taken the step of ignoring IPv6 and disabling it rather than learning about it. Meanwhile IPv6 is the backbone of the cell / mobile phone industry and for dedicated protocols such as those used with Thread, Matter, HomeKit, Zigbee and similar low-power home-meshing technology.

                                  If the US had embraced IPv6 from the outset, would they ever have had to endure horrible things like CGNAT?

                                  So come on in, the IPv6 pool is large, warm and friendly.

                                  ☕️

                                    JKnott @RobbieTT

                                    @RobbieTT said in Very Basic IPv6 security question.:

                                    Meanwhile IPv6 is the backbone of the cell / mobile phone industry

                                    Yep, my phone is IPv6 only and uses 464XLAT to access IPv4 only sites.

                                      SteveITS Galactic Empire @guardian

                                      @guardian IPv6 is independent of the wired or wireless connection. One can run IP, NetBIOS, whatever it was Netware used to use :) or other protocols.

                                      One thing about IPv6 alluded to above, is "they" figured out that if each PC has an IPv6 address then that PC can be tracked by that address. So most browsers and apps ask for a temporary IPv6 address to make connections, and eventually discard it. Windows shows this in ipconfig /all output:

                                      IPv6 Address. . . . . . . . . . . : 2001:470:xxxxxxxxx(Preferred)
                                      Temporary IPv6 Address. . . . . . : 2001:470:xxxxxxxxx(Deprecated)
                                      Temporary IPv6 Address. . . . . . : 2001:470:xxxxxxxxx(Deprecated)
                                      Temporary IPv6 Address. . . . . . : 2001:470:xxxxxxxxx(Deprecated)
                                      Temporary IPv6 Address. . . . . . : 2001:470:xxxxxxxxx(Preferred)
                                      Temporary IPv6 Address. . . . . . : 2001:470:xxxxxxxxx(Deprecated)

                                      This is possible because each /64 (each network) gets several quintillion addresses in the /64 block.

                                      IPv6 is not inherently dangerous, just as IPv4 is not. If there are no firewall rules on WAN allowing unsolicited inbound traffic from the Internet, then there isn't any.

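An added example, in Python and not from the thread or from pfSense, of the mechanism behind the "Temporary IPv6 Address" lines in the ipconfig output above and behind johnpoz's earlier point that a host can open a connection from an address the firewall has never seen. The RFC 4941 scheme derives each new interface identifier from an MD5 chain over the previous value, so the host half of the address is unpredictable, while the /64 prefix the host got from the router does not change. The MAC, prefix and history seed below are constructed; a real host seeds the history with random bytes (and RFC 8981 implementations simply draw a random identifier), so only the structure, not the specific addresses, carries over.

```python
"""RFC 4941 temporary IPv6 addresses: why a per-host /128 rule misses them and a /64 rule does not.

Added illustration, not pfSense code. MAC, prefix and history seed are constructed.
"""
import hashlib
import ipaddress


def eui64_iid(mac):
    """Modified EUI-64 interface identifier from a 48-bit MAC.

    Insert ff:fe between the OUI and the device part and flip the u/l bit (0x02 of
    the first octet). This is the stable, predictable identifier SLAAC started with.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([iid[0] ^ 0x02]) + iid[1:]


def next_temp_iid(history, stable_iid):
    """RFC 4941 section 3.2.1.

    MD5(history || stable IID): the left 64 bits become the temporary IID with the
    u/l bit cleared, the right 64 bits become the history for the next round.
    """
    digest = hashlib.md5(history + stable_iid).digest()
    iid = bytearray(digest[:8])
    iid[0] &= 0xFD  # clear bit 0x02 so a temporary IID can never look like an EUI-64 one
    return bytes(iid), digest[8:]


def make_address(prefix, iid):
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC prefixes are /64")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def stable_address(prefix, mac):
    """The EUI-64 based address a host forms from its MAC (the '(Preferred)' non-temporary one)."""
    return make_address(prefix, eui64_iid(mac))


def temp_addresses(prefix, mac, count, history=bytes(8)):
    """The sequence of temporary addresses a host with `mac` would generate on `prefix`.

    history is zeroed here for a reproducible run; a real host uses random bytes.
    """
    out, stable_iid = [], eui64_iid(mac)
    for _ in range(count):
        temp_iid, history = next_temp_iid(history, stable_iid)
        out.append(make_address(prefix, temp_iid))
    return out


def rule_matches(rule_net, addr):
    """Would a firewall rule written for rule_net match the address the client actually used?"""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(rule_net, strict=False)


if __name__ == "__main__":
    PREFIX, MAC = "2001:db8:1:2::/64", "00:11:22:33:44:55"  # constructed values
    stable = stable_address(PREFIX, MAC)
    print("stable   :", stable)
    for t in temp_addresses(PREFIX, MAC, 3):
        print("temporary:", t,
              "| /128 rule on stable matches:", rule_matches(f"{stable}/128", t),
              "| /64 rule matches:", rule_matches(PREFIX, t))
```

The practical consequence for a pfSense ruleset: a rule keyed on one /128 only ever matches the stable address, a rule on the host's /64 matches every temporary address it will ever pick (and every other host in that /64), and per-host control means either disabling the extensions on the client (netsh interface ipv6 set privacy state=disabled on Windows, net.ipv6.conf.all.use_tempaddr=0 on Linux) or giving the host its own /64, which is what JKnott describes doing with the guest VLAN.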
                                        JKnott @SteveITS

                                        @SteveITS said in Very Basic IPv6 security question.:

                                        whatever it was Netware used to use

                                        IPX

                                          SteveITS Galactic Empire @JKnott

                                          @JKnott Ah yes. We pretty much just removed it. :)

                                          • G Offline
                                            guardian Rebel Alliance @RobbieTT
                                            last edited by guardian

                                            @RobbieTT said in Very Basic IPv6 security question.:

                                            @guardian said in Very Basic IPv6 security question.:

                                            The DPinger address was set to what I believe is a link local address: fe80:0:0:0:217:---:----:e58f, and it showed 100% packet loss, but when I changed the monitor address to 2607:f8b0:400b:807::2003 (Google.ca), the packet loss dropped to 0% and showed RTT/RTTsd values. So it appears that I have IPv6 connectivity, and the Status / Interfaces tab seems to confirm it. Is there a better monitor target, or a way to make pfSense pick a useful monitor IP automatically?

                                            If you get a dedicated ISP handshake then pfSense will use the first external hop from your gateway (ie to your ISP's connection node) link-local address for IPv6 monitoring. If ICMPv6 is enabled (as it should be but your ISP may be doing something whacky on its first node) Dpinger will get a return ping6 to monitor.

                                            Can you please explain how ICMPv6 should be enabled? Are you telling me that I need to add firewall rules to the WAN?

[Screenshot attached: 2023-07-19 at 14.03.39.png]

Once you start to learn IPv6 you never look back. It is refreshing how simple it all is but just like IPv4, if you are new to it, it does look daunting. Fear not, many of us have been running IPv6 for well over a decade and now find IPv4 restrictive or painful with kludges like NAT being relied upon.

In some ways I agree with you - especially if you are creating "general infrastructure" where you are providing connectivity to customers and it is up to the customers to secure their own stuff. When it comes to privacy / blocking all the garbage that wants to constantly phone home, it becomes a nightmare due to the sheer number of IP addresses involved.

I don't know if this is more of a pfSense thing than an IPv6 thing, but why, when I only enabled IPv6 on the WAN and have it disabled on all other interfaces, am I getting so much IPv6 DNS traffic?

Then there is the size of the tables for AD blocking etc. Just the increased size of the address alone causes the tables to balloon, and then there is the sheer number of extra addresses.

Do you run an ad blocker or attempt to control the behavior of Applications or IoT devices?

                                            There are many in the networking world, particularly those in the US, who have had IPv4 address space to spare and have simply taken the step of ignoring IPv6 and disabling it rather than learning about it. Meanwhile IPv6 is the backbone of the cell / mobile phone industry and for dedicated protocols such as those used with Thread, Matter, HomeKit, Zigbee and similar low-power home-meshing technology.

                                            If the US had embraced IPv6 from the outset would they ever had to endure horrible things like CGNAT?

                                            I will agree with that one for sure!

                                            So come on in, the IPv6 pool is large, warm and friendly.

☕️

Maybe so, but I might get Athlete's Foot from the pool deck. (All this #uc3ing DNS leakage???)

                                            @SteveITS said in Very Basic IPv6 security question.:

                                            IPv6 is not inherently dangerous like IPv4 is not. If there are no firewall rules on WAN allowing unsolicited inbound traffic from the Internet, then there isn't any.

If the firewall blocks all uninitiated incoming by default, that solves some of the problem, but with interfaces being able to create their own random addresses with SLAAC, it makes controlling outbound traffic much more difficult.

                                            @JKnott said in Very Basic IPv6 security question.:

                                            For things like switches, power line adapters, WiFi, etc., it makes no difference whether IPv4 or IPv6 is used. They're both valid Ethernet frames.

                                            Thanks for that - I suspected that was the case, but I wasn't sure.

I still need to figure out how to create the necessary IPv6 paths in my managed switch to get the IPv6 into the trunk, and then get it out again in my new Tomato router.

                                            If you find my post useful, please give it a thumbs up!
                                            pfSense 2.8.0-RELEASE

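The outbound-control worry raised above (SLAAC hosts minting random privacy addresses, and per-address block tables ballooning) is usually handled on the defending side by keying policy and log review on the /64 prefix rather than on the full address, since the prefix is what the router hands out and the host cannot change it. Below is an added example of that aggregation, written for this thread and not code from pfSense or any poster. It takes a few constructed outbound-flow lines ("source destination dport"), drops link-local sources, groups the rest by /64, and flags which source addresses carry an EUI-64 interface identifier (the stable, MAC-derived kind) versus a random one. The sample addresses, the 2001:db8::/32 prefixes and the `fe80::217:aaff:fe11:e58f` link-local address are all constructed; only the Google monitor address 2607:f8b0:400b:807::2003 comes from the thread.

```python
"""Group IPv6 flow sources by /64 so policy survives SLAAC address churn.

Added example for the forum thread; not pfSense code. Sample flows below
are constructed, not captured from a real network.
"""
import ipaddress
from collections import defaultdict

# Constructed sample log: one outbound flow per line, "src dst dport".
SAMPLE_FLOWS = """\
2001:db8:1:10:3c1f:9a2e:77b1:1d4a 2607:f8b0:400b:807::2003 443
2001:db8:1:10:e4a2:11ff:fe3b:9c01 2607:f8b0:400b:807::2003 853
2001:db8:1:10:8b2c:f1d:6e3a:2219 2001:db8:ffff::53 53
fe80::217:aaff:fe11:e58f 2001:db8:ffff::53 53
2001:db8:1:20:1:2:3:4 2001:db8:ffff::53 53
"""


def parse_flows(text):
    """Parse 'src dst dport' lines into (IPv6Address, IPv6Address, int)."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, dport = line.split()
        flows.append((ipaddress.IPv6Address(src),
                      ipaddress.IPv6Address(dst), int(dport)))
    return flows


def is_eui64(addr):
    """True if the interface identifier looks EUI-64 derived.

    EUI-64 splices 0xFFFE into the middle of the 48-bit MAC, so bytes 3-4
    of the IID (bytes 11-12 of the address) read ff:fe. Random/privacy
    IIDs (RFC 4941) almost never match, so this separates stable,
    MAC-revealing addresses from churning ones.
    """
    packed = ipaddress.IPv6Address(str(addr)).packed
    return packed[11] == 0xFF and packed[12] == 0xFE


def prefix64(addr):
    """Return the /64 network containing addr (the part the router assigns)."""
    return ipaddress.IPv6Interface(f"{addr}/64").network


def summarize(text):
    """Aggregate flows per source /64.

    Returns (per_prefix, link_local_count) where per_prefix maps the /64
    string to {"addresses": distinct sources, "eui64": how many of those
    are EUI-64 derived, "flows": flow count}. Link-local sources are not
    routable off-link and are counted separately rather than grouped.
    """
    per_prefix = defaultdict(lambda: {"addresses": set(), "eui64": 0, "flows": 0})
    link_local = 0
    for src, _dst, _dport in parse_flows(text):
        if src.is_link_local:
            link_local += 1
            continue
        entry = per_prefix[str(prefix64(src))]
        entry["flows"] += 1
        if src not in entry["addresses"]:
            entry["addresses"].add(src)
            if is_eui64(src):
                entry["eui64"] += 1
    result = {p: {"addresses": len(e["addresses"]),
                  "eui64": e["eui64"],
                  "flows": e["flows"]} for p, e in per_prefix.items()}
    return result, link_local


if __name__ == "__main__":
    per_prefix, ll = summarize(SAMPLE_FLOWS)
    for prefix, stats in sorted(per_prefix.items()):
        print(f"{prefix}: {stats['addresses']} source addrs "
              f"({stats['eui64']} EUI-64), {stats['flows']} flows")
    print(f"link-local sources skipped: {ll}")
```

Three different addresses in 2001:db8:1:10::/64 collapse to one row, which is the unit a block rule or alias can sensibly be written against; the one EUI-64 address in that row is the host whose address will not rotate and therefore also leaks its MAC.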
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.