Very Basic IPv6 security question.
-
@JKnott said in Very Basic IPv6 security question.:
You also don't need a WAN GUA, something you couldn't get away with on IPv4.
Says who? You can for sure do the same thing with IPv4. You can use 169.254 as a transit, you can use any RFC1918 range as transit; the transit network doesn't have to be routed to be used as a transit network. I see it all the time, actually.
Where it makes less sense to do this is IPv6, where you have a bajillion, pretty much unlimited, IP space, unlike with IPv4. Not putting a GUA on the transit in IPv6 is pretty stupid, to be honest. Why should you not make it routable when you don't have to worry about running out of IP space to use ;)
-
@johnpoz said in Very Basic IPv6 security question.:
You can use 169.254 as a transit, you can use any RFC1918 range as transit; the transit network doesn't have to be routed to be used as a transit network. I see it all the time, actually.
I was referring to WAN addresses. My ISP used to use some RFC1918 addresses internally. I saw them when I did a traceroute.
@johnpoz said in Very Basic IPv6 security question.:
Not putting a GUA on the transit in IPv6 is pretty stupid, to be honest.
Maybe the ISP doesn't want to "waste" a whole /65 to support it.
I don't have a problem with using the link local addresses for routing. In fact, you don't even need any address, with a point to point link. All you need is the interface.
-
Hi, sorry for opening this topic after 1 year :/
I have disabled all IPv6 on my system, and also added
It has been running like this for a long time. Until I noticed, when I do a "DNS Lookup",
it takes almost 20 seconds before you get any answer. And why?
As you can see, the name server that does not respond is ::1 (IPv6 localhost). So when I change this to YES
and do another DNS Lookup, it answers right away.
And now ::1 responds also.
I don't know if this is a bug or not. But it is quite annoying when you have to wait almost 20 seconds for every DNS lookup. :) -
If you have anything, including DNS, that points to an IPv6 address (such as a name server) and you disable bits of IPv6 then yes, you will have a problem. To stop using IPv6 you have to be meticulous in removing all uses of it.
I've no idea why anyone wants to remove the more modern IP system that is IPv6 from their network; it is clearly beyond my brain. I guess there must be a reason somewhere, but the future that is IPv6 will get you at some point.
Almost all my traffic is IPv6 these days, what little IPv4 there is seems to be confined to some servers and services in the US. Weird.
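The failure mode in the two posts above (a resolver list that still contains ::1 after IPv6 has been switched off, so every lookup waits on a dead server first) is easy to find if you look at the resolver configuration directly. The script below is an added example, not code from this thread or from pfSense: it parses a resolv.conf-style text, flags name servers that can only work with a live IPv6 stack, builds a minimal DNS query with the standard library, and probes each server with a short timeout so a dead ::1 entry shows up as "timeout" or "error" with a measured delay instead of a mystery pause. The RESOLV_CONF text, the query name example.com and the 192.0.2.53 server are constructed sample data.

```python
"""Audit resolv.conf for IPv6 name servers and probe each one.

Added example (not from the forum thread or from pfSense). Standard library only.
The RESOLV_CONF sample below is constructed for illustration.
"""
import ipaddress
import socket
import struct
import time

RESOLV_CONF = """\
# constructed sample of what a host "with IPv6 disabled" can still carry
nameserver ::1
nameserver 127.0.0.1
nameserver 192.0.2.53
search lan
options timeout:5 attempts:2
"""


def parse_nameservers(text: str):
    """Return nameserver addresses in the order the resolver will try them."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def ipv6_servers(servers):
    """The subset that can only answer if the host's IPv6 stack is alive."""
    return [s for s in servers if ipaddress.ip_address(s).version == 6]


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A query in RFC 1035 wire format, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def response_matches(query: bytes, resp: bytes) -> bool:
    """Accept only a reply whose transaction id matches and whose QR bit is set."""
    if len(resp) < 12:
        return False
    return resp[:2] == query[:2] and bool(resp[2] & 0x80)


def probe(server: str, name: str = "example.com", timeout: float = 2.0):
    """Send one query to server:53 and return (status, seconds).

    status is 'ok', 'timeout' or 'error'. On a host where IPv6 is disabled,
    sending to ::1 typically raises OSError immediately, which is reported
    as 'error'; a server that silently drops the packet shows as 'timeout'.
    """
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    q = build_query(name)
    start = time.monotonic()
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(q, (server, 53))
            resp, _ = s.recvfrom(512)
            status = "ok" if response_matches(q, resp) else "error"
        except socket.timeout:
            status = "timeout"
        except OSError:
            status = "error"
    return status, round(time.monotonic() - start, 3)


if __name__ == "__main__":
    servers = parse_nameservers(RESOLV_CONF)
    print("IPv6 entries still present:", ipv6_servers(servers))
    for srv in servers:
        print(f"{srv:20} {probe(srv)}")
```

Run it against the real file with `parse_nameservers(open("/etc/resolv.conf").read())`; any server listed under "IPv6 entries still present" is a candidate for the delay described above, and the probe output tells you whether it is silently dropping queries or failing outright.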
-
@RobbieTT
Hi, yeah, I know IPv6 is the future, but right now my system has been using only IPv4 for many years. And after upgrading to 24.03 or something, something new appeared,
and I don't know how to get rid of it :) even though I'm sure I have disabled all IPv6 settings. -
@MoonKnight
no sweat!
Just ignore that... it's just IPv6's way of saying: Home is where 127.0.0.1 AND ::1 are...
:) -
hehe :) I know, but I believe this is a bug. Not that ::1 is there, but that DNS Lookup is so slow if you disable all IPv6, and because of that, DNS Lookup still uses IPv6 for the lookup. :/
I was hoping maybe some others have found the same "issue" :) -
@johnpoz said in Very Basic IPv6 security question.:
@JKnott I think it is at the root of the question. Trying to lock down IPv6 is much harder than just IPv4 because of temporary IPv6 addresses. With IPv4, if a device has address 1.2.3.4 it can't just randomly use 1.2.3.5 to make a connection..
You could still do static IPv6 assignments. I did that and there were no longer temps showing up.
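The point made in the exchange above, that a host with privacy extensions enabled keeps changing its source address, is why an IPv4-style per-host rule does not hold up on IPv6 and why a rule scoped to the host's /64 does. The script below is an added example, not code from this thread or from pfSense: it classifies addresses by scope, tells a stable EUI-64 interface identifier apart from a random or manually assigned one, and shows which of two candidate rules would match each address a single LAN host has been seen using. The addresses come from the 2001:db8::/32 documentation prefix and the rule names are made up for the illustration.

```python
"""Why per-host IPv6 rules miss traffic from hosts using temporary addresses.

Added example, not code from the forum thread or from pfSense. Standard library
only. All addresses below are constructed sample data.
"""
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")
GUA = ipaddress.IPv6Network("2000::/3")


def classify(addr: str) -> str:
    """Name the scope of an address the way a firewall admin thinks about it."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip in ULA:
        return "ULA"
    if ip in GUA:
        return "GUA"
    return "other"


def looks_eui64(addr: str) -> bool:
    """True when the low 64 bits have the modified-EUI-64 shape: 0xfffe in the
    middle of a MAC address and the U/L bit flipped. Such an address is stable
    (derived from the MAC); anything else is either manually assigned or an
    RFC 4941 temporary address that the host will rotate."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    return iid[3:5] == b"\xff\xfe" and bool(iid[0] & 0x02)


def matching_rules(rules, src):
    """Return the names of the rules whose source network contains src."""
    ip = ipaddress.IPv6Address(src)
    return [name for name, net in rules.items()
            if ip in ipaddress.IPv6Network(net, strict=False)]


# Constructed: one LAN host observed with three different addresses on its /64.
OBSERVED = [
    "2001:db8:1:2:211:22ff:fe33:4455",   # stable, EUI-64 from MAC 00:11:22:33:44:55
    "2001:db8:1:2:8c3a:9f1e:7b2d:4c61",  # temporary address, random IID, rotates
    "2001:db8:1:2::10",                  # static assignment set by hand
]

RULES = {
    "allow_host_by_address": "2001:db8:1:2:211:22ff:fe33:4455/128",  # IPv4 habit
    "allow_lan_prefix": "2001:db8:1:2::/64",                          # prefix scope
}


def coverage(rules=RULES, observed=OBSERVED):
    """Map each observed address to the rule names that would match it."""
    return {a: matching_rules(rules, a) for a in observed}


if __name__ == "__main__":
    for a in OBSERVED:
        print(f"{a:36} {classify(a):10} eui64={looks_eui64(a)!s:5} "
              f"rules={matching_rules(RULES, a)}")
```

The /128 rule matches only the EUI-64 address; the moment the host sends from its temporary address, only the /64 rule still applies. Static assignment, as mentioned above, removes the rotating address but still leaves the /64 rule as the one that keeps working if the host ever regenerates its identifier.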
-
@MoonKnight that is just a loopback
-
@guardian said in Very Basic IPv6 security question.:
Hi - I have been using pfSense for several years, but just with IPv4 since I have yet to get my head around what I need to do to secure IPv6. At the moment I have IPv6 disabled on all interfaces including the WAN.
I am being forced into IPv6 by my ISP due to changes in the cable TV system which is moving from a legacy RF system to an IPTV system that uses IPv6. (Rogers in Canada-Ignite TV-I was told it is a similar system to Comcast in the US-I think it is called Xfinity or something like that.)
IIUC, I should be able to enable IPv6 on the WAN and get an IPv6 address (I think it uses DHCP6, but I'm not sure so I need to experiment), and since none of the other interfaces have IPv6 enabled there should be no traffic flow to/from the network.
Am I correct, or do I need to take measures to protect my network?
My initial goal is just to get IP connectivity to the router. Once I have done that to see if I can pipe IPv6 traffic over a VLAN.
P.S.: Any suggestions as to helpful learning resources would be much appreciated.
You can access the web GUI over IPv6. So make sure you secure that, FYI.
Example every interface can access the firewall gui unless you block it...
Test it and see..