IPv6 Network details from ISP

NogBadTheBad

However, I still think the whole IPv6 thing is more complicated than Pv4. Even I could handle everything in IPv4 well, the change to IPv6 makes me nervous.

I am still not 100% sure about how the security will change. Where is the best to secure by lockdown ports and how to build up a security tree, There are still not many useful examples which describes a bigger scenario with several networks & services.

Dual stack, I don't even notice if my hosts are using IPv4 or IPv6 now it just works.

Just think no more NAT its routable and just needs firewall rules.

Lin4Fun

2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 4a:1d:53:c2:ba:c5 brd ff:ff:ff:ff:ff:ff
inet 192.168.200.203/24 brd 192.168.200.255 scope global ens18
valid_lft forever preferred_lft forever
inet6 2a02:fe0:c900:601::ffff/128 scope global dynamic noprefixroute
valid_lft 7173sec preferred_lft 4473sec
inet6 fd2e:8850:8d4c:0:481d:53ff:fec2:bac5/64 scope global mngtmpaddr noprefixroute
valid_lft forever preferred_lft forever
inet6 2a02:fe0:c900:600:0:ffff:c0a8:c8cb/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::481d:53ff:fec2:bac5/64 scope link
valid_lft forever preferred_lft forever

What in .... where do all these addresses come from and what are they? This is IP output of one server I configured through netplan with single ipv6 & ipv4 address. ( inet6 2a02:fe0:c900:600:0:ffff:c0a8:c8cb/64 scope global )
DHCP4 & DHCP6 is set to "no". It is an Ubuntu 18.04 server.

NogBadTheBad

Think you need to read up on IPv6 :)

https://en.wikipedia.org/wiki/IPv6_address

Gertjan

Also : Sign up here : https://ipv6.he.net/certification/

It's worth every penny ... no ... whait, they will pay you ! In the past, they even send you a free T-Shirt https://blog.he.net/2011/04/22/hurricane-electric-ipv6-gear/ I don't know if they still do so ...

Lin4Fun

@NogBadTheBad
funny... Of course I have read this article, already long time ago!
Like I wrote:
"I have looked to many tutorials and also saw at the IPv& hangout but I just can not identify al the settings."

Thats why I ask. I am aware of link local and the manual configured.

@Gertjan
That looks interesting! First I thought this is education, but this is to verify the IPv6 connectivity, right?

Gertjan

@lin4fun said in IPv6 Network details from ISP:

Have you done this, how long did you used if? I can`t find any prices. That looks interesting!

The image I posted is "mine", and not a static one, but generated by their web site - check out the URL ^^
Took me :
Several hours, if not days, because I wanted MY tShirt ....
The beginning is easy, like IPv4, even my grand mother could answer them.
Then it becomes more complex.
I remember that moment when I recalled myself that some said to me : IPv6 is easier as IPv4 .... they have lied.
Final advantage : no more NATting ...and no more "hop to the box with 192.168.1.1" ... (mine uses "2001:470:1f13:5c0:2::1", never typed that one by hand)

Lin4Fun

@gertjan

typing v6 addresses or even have them all in mind like it is with v4 is impossible i guess as "normal" human. So DNS naming becomes even more important i think. Even if I work now with the details from my isp now about 2 weeks, i do not get them in my mind and i do not want to.

I started with the thing from he.net. Like you said, in the beginning, everything looks easy. I got the server also online with v6 now and the clients are all the way through also talking in v6 now. So great so far, until it comes to security...

I just began to understand the concept behind the whole v6 thing and I must say even the nat-ing was a bit tricky due to all the things you need to take care, it is also somehow a kind if security advantage as the public site is never talking directly to the services.
V6 NAT do exist as well and sometimes, like i have read, it makes sense as well but basically not at all.

So setting up the firewall is kind of tricky if you are not full into v6 yet. In my example, I didn`t get any ping responses through even opened ICMPv6 request & echo from the public to the internal service. If I open up completely, means "from WAN any to DMZ any Allow", I could ping and so on. Of course, this is not the way it can be even not for a couple of minutes.

So here I came to the question "what is initially needed for IPv6 communication?" So I added a lot of rules, opened a lot of ICMP package types and it went fine at the end.
An hour later I deleted the whole thing again because I felt completely uncomfortable since I didn´t actually know what I have opened up there.

To go from IPv4 to IPv6 is not done in a couple of days that´s for sure and it takes a lot of learning and going into the detail to be and feel also save with IPv6 security & firewall!

Derelict

@lin4fun said in IPv6 Network details from ISP:

it is also somehow a kind if security advantage as the public site is never talking directly to the services.

Yes, they are directly connecting. NAT is not a proxy. It just translates the addresses and ports.

There is zero security advantage to having a firewall pass traffic to a publicly-routable address without NAT vs a NAT port forward to a private address for the same service/port.

Gertjan

@lin4fun said in IPv6 Network details from ISP:

, I didn`t get any ping responses through even opened ICMPv6 request & echo from the public to the internal service.

See my rules :

0_1536331155198_ecfe1974-38a9-4720-9dc5-6b05c1eaa6a9-image.png

Rule 1 : ... dono - but it looks nice ;)
Rule 2 : A dedicated server somewhere on the net that saves to my Syno NAS, using IPv6 only.
Rule 3 : Munin collector running on the same dedicated server chechking the Munin process on pfSense to make this.
Rule 4 : The Ipv6 ICMP hassle - I was told that was needed.
Rule 5 : Block all rule

The catch : there is no corresponding NAT rule for all this. IPv6 needs no NAT.

Btw : when I visit http://http://ipv6-test.com/ I obtain this :

0_1536331110093_ba7c875e-a9a6-41e3-b86d-bec71c7f9e91-image.png

The "Hostname shows" up because I have this ""IPv6 Reverse DNS zone" on my DNS server (runs on the dedicated server on the net) so "people" can find the reverse name of an IPv6 (a device on my LAN ... dono if that is good, but I like it)

Also : my Mega big ISP (France : Orange ) doesn't support IPv6 yet where I live§work (middle of nowhere) - so I use the pretty perfect IPv6 from he.net : a static /48 for live !

JKnott

@lin4fun said in IPv6 Network details from ISP:

I just began to understand the concept behind the whole v6 thing and I must say even the nat-ing was a bit tricky due to all the things you need to take care, it is also somehow a kind if security advantage as the public site is never talking directly to the services.

NAT does nothing for security that a properly configured firewall can't do. Most firewalls start off with deny all to which you add exceptions to allow what you want.

So here I came to the question "what is initially needed for IPv6 communication?" So I added a lot of rules, opened a lot of ICMP package types and it went fine at the

I suspect you started off by making things more complicated than needed. Once you have IPv6 up and running with your ISP, then you worry about what you want.

To go from IPv4 to IPv6 is not done in a couple of days that´s for sure and it takes a lot of learning and going into the detail to be and feel also save with IPv6 security & firewall!

For the most part, working with IPv6 is very similar to IPv4, with the advantage that you don't have to worry about NAT.

Lin4Fun

@jknott
If you use private v4 addresses on the inside of nat then you have a security advantage.
I do not want to make things more complicated but not all ICMP is necessary and good to have if not necessary.

The network I am working on is not a home network even it is at my home. I have service running here for other companies and several web servers so it is well important to think a bit more about what to open.

Even though that a so small company I am running should not be interesting to anybody to hack I had intensive attacks in the past. They weren't lucky to come through but they showed up points of attack where I before never thought about.

Not needed ICMPv6 packages should be blocked and filtered about reachable, package size, parameter problems, header 2 / 3 and so on, antispoofing, no tunnel traffic...

Derelict

@lin4fun said in IPv6 Network details from ISP:

If you use private v4 addresses on the inside of nat then you have a security advantage.

Please enumerate said advantage.

Lin4Fun

@derelict
like you may know are private networks not routed in wan. So the only reachable point is the public address the nat is configured to. That is the advantage.
If the server has a public IP then it is much easier to reach it somehow even with a firewall in front because do the attacker find a way through this firewall the server will answer due to the public address. Private will may answer inside the lan but will not be routed outside of the lan.

Derelict

If an attacker can find a way through the firewall they will be going through NAT too. No advantage gained.

You either block the traffic or you don't.

You either have another way into the network or you don't.

Lin4Fun

@derelict
That is so far correct, but you ignore the fact that private networks will not be routed in wan. That is the point with NAT. That private networks can be used internally over and over again and so we save public addresses.

I could almost securely connect a server with 192.168.0.10 direct to the wan switch without the need to be scared that somebody from WAN will access it, because they can´t since the package from that network will be dropped immediately it comes to the next public addressed router.

And that is definitely a "somehow" security advantage.

Otherwise please define for me the point of NAT else the point that we are able to use private addresses reachable from WAN? All this of course because there are to less IPv4 networks available.

JKnott

@lin4fun said in IPv6 Network details from ISP:

That is so far correct, but you ignore the fact that private networks will not be routed in wan.

Once you've compromised NAT, you have access to everything behind it. While the packets from those private addresses might not be routed over the network, that's not the only way to attack systems behind the firewall. Again, tell me why a firewall that blocks all isn't as good as NAT.

BTW, I just started reading the book "The Cuckoo's Egg" again. I first read it almost 30 years ago. It's a good read that indicates how attackers can work their way around systems. Incidentally, at the time this story happened, I was a computer tech working on VAX 11/780 computers and others. I had an insider's view of the tech involved. Even my wife (a very non tech person) had some insight when reading that book, due to me showing her stuff at work.

Lin4Fun

@jknott said in IPv6 Network details from ISP:

Again, tell me why a firewall that blocks all isn't as good as NAT.

Who in hell said here that a blocking firewall isn´t as good as NAT?
In addition to a firewall which is blocking all unwanted traffic, NAT can be an advantage for security reason! For sure that´s not why NAT does exist but it is an advantage.

Of course, if a hacker wants to come into a system he will get in if he is a good one. Everything is hackable somehow!
BUT, another step in addition like NAT makes it harder and it will take may longer time where you could be warned and take action like in 1989 for example, just pull the plug!

Another funny thing, I am from Hannover Germany. The book sounds interesting and remembers me about a movie I saw a long time ago. But I have no idea what this has to do with this case or what your wife is understanding or not.
Regarding the VAX11/780, I hope you learned a lot since. ;-) In that time, where I was a boy around 10 years old, I started with an Amstrad CPC-Series Schneider CPC464 which is a universe ahead of the VAX I guess. Since I am born in the 70th, nobody can expect that I was playing around with transistors like the VAX is made of.

JKnott

@lin4fun said in IPv6 Network details from ISP:

Who in hell said here that a blocking firewall isn´t as good as NAT

A lot of people seem to think that NAT is a firewall. It isn't. It is the stateful nature of NAT that provides the protection, just like a stateful firewall.

Since I am born in the 70th, nobody can expect that I was playing around with transistors like the VAX is made of.

Perhaps you should update your knowledge of mini-computers. Every computer I ever worked on was built around integrated circuits, though there were still some transistor based systems around. However, I didn't work on them. The VAX and Data General Eclipse generation of computers had a CPU built around bit slice processors and used microcode to create the instruction set. I would occasionally work at the microcode level on the Eclipses. The Eclipse used the AMD2900 series and I believe the VAX did too. On the VAX, the microcode was loaded from floppy at boot up.

Lin4Fun

@jknott
I am sure that you do not need to tell me something about electronics or special transistors or "mini-computers", whatever you mean by that since one of my favorite jobs over years was working at Texas Instruments and another Chip producer I am not allowed to mention here. My favorite tool in these days is the Cortex M4F which I am playing with (teensy).

Have a nice day, I need to keep on with more important things.

Derelict

@lin4fun said in IPv6 Network details from ISP:

Otherwise please define for me the point of NAT else the point that we are able to use private addresses reachable from WAN? All this of course because there are to less IPv4 networks available.

That is a practical advantage - which IPv6 renders moot - not a security advantage. NAT also breaks some protocols which is a practical disadvantage.