Globally unidentifiable intranet users with ipv6 based access restrictions



  • The topic has been changed from "Host specific ipv6 address range for address rotating in pfsense dhcpv6" to better reflect the question this thread has answered.

    Not sure if it's best to ask it here, but here goes!

    I have taken upon myself the configuration of an ipv6 network in an enterprise lan. There is a single VLAN for all the hosts in the LAN. I am using pfsense 2.3.4 software.

    I now have to figure out the address distribution in the LAN. The addresses should not allow identifying any of the hosts from the global network, so there are 2 options. NATv6 with local addresses or global addresses with address rotating, but I've read about NATv6 being a bad choice. I could just set up address rotating with global addresses, but that would keep me from creating IP address based firewall rules, since the addresses would change all the time.

    Is there a way I could assign an IPv6 address range to each of the hosts to rotate their addresses within that range, so I could still write firewall rules for each of these ranges (instead of static addresses) and hide (to some extent) the public addresses of hosts from global viewers? And is this doable in pfsense?

    I could also have just made a VLAN for each different role in the office and rotate global addresses on a per role basis and create firewall rules on a per role basis, but that is not an option.



  • The normal practice is to use "privacy addresses" on IPv6.  These are based on random numbers and combined with the prefix to create the IPv6 address.  These addresses will change every day or so and have no connection to the MAC address.



  • And is there any way I can write static IPv6 address based firewall rules? Or will all of the hosts in the LAN have random addresses with the given prefix and therefore no firewall rules will be able to differentiate them in certain groups?

    Thank You for Your response!



  • You bring up an interesting point.  Essentially, the goal of IPv6 "privacy" addresses is exactly as you specify, that is, "does not allow identifying a particular host".  So, in turn, how would the firewall be able to identify a particular host?
    NATv6 is a really bad idea because IPv6 clients and servers haven't taken this into account.  NPT is one possibility, (NAT for prefixes), but you'd still be doing a 1:1 mapping of hosts within the IPv6 unique local address (ULA) range to IPv6 Global Unique Addresses (GUA), so you'd still be able to identify a particular host.
    See this article: https://community.infoblox.com/t5/IPv6-CoE-Blog/3-Ways-to-Ruin-Your-Future-Network-with-IPv6-Unique-Local/ba-p/5663

    Unfortunately, as far as I know, pfSense doesn't really have a solution to what it is you're trying to do, but I know of several commercial firewalls that when integrated with windows active directory, allow you to write rules based on users and groups, as opposed to address objects.  In that case, it allows you to use IPv6 "privacy" addresses, and their rotation isn't an issue.



  • Thank You for Your response!

    As for NAT: I could have the translation happening between 2 address pools (the ULA and GUA pools). So any of the ULA-LAN addresses could be translated into any of the GUAs. That would allow me to keep up with the privacy.

    Yes, I've read about NAT being bad for IPv6, but if I only use a single VLAN and all of the hosts are in the same LAN, then if I use GUAs I can't apply access restrictions on them using firewall rules. If we assume I need to apply the access restrictions based on IPv6 addresses, then NAT and what I'm looking for are the only options. I've also heard about commercial firewalls providing this (Palo Alto for example has this partially working).

    The only way I could avoid NAT66 in this case would be identifying hosts for firewall rules in a different manner. UUIDs could come to aid on this, since I can have my pfsense box remembering those. But to my knowledge, there is no way to write firewall rules based on anything besides IPs or FQDNs.

    If UUID based firewall rules were possible (maybe through the use of aliases), then this would be doable.

    Without having other ways to identify hosts in pfsense and without per host address ranges for address rotating in ipv6, the only way to do what I want to do is with NAT66. I could also divide the hosts in groups based on access restrictions using VLANs, but this thread is about doing this in a single VLAN.

    Maybe to clarify and write up a summary, someone could confirm that pfsense indeed has no other way to identify hosts in the network, and therefore what I want can't be accomplished with the tools available at the moment?



  • @girtsd:

    And is there any way I can write static IPv6 address based firewall rules? Or will all of the hosts in the LAN have random addresses with the given prefix and therefore no firewall rules will be able to differentiate them in certain groups?

    You can configure the computers to use either random or MAC based addresses or both.  Normally, both are used with the random address used for outgoing connections.  DNS would point to the MAC based address for incoming.  Also, Windows has another option where a consistent random number is used, which does not change regularly.  The only way I know to do what you want is to filter on MAC address, but pfSense doesn't do that easily.  The only other thing I can think of is to use DHCP6, with the allowed computers getting addresses within a limited range and others outside of that range.

    Also, please forget about using NAT.  It's a hack to get around the IPv4 address shortage and also causes other problems.  It has no place on IPv6, so please forget about using it.



  • You mentioned a single VLAN.  Any chance of having another one?  If so, you could put some computers on that VLAN, with a different address block and filter/route accordingly.  However, this will require getting something bigger than a /64 from your ISP.  I get a /56 from mine and I can choose whichever of the 256 /64s I want to use on any interface.



  • Using multiple VLANs is a good hack for home use, but it definitely doesn't scale well in the enterprise.
    Keep in mind that in an IPv6 deployment, even if using privacy addresses, you would also have a preferred address assigned to the interface.
    In fact in an IPv6 deployment, an interface will typically have 2 addresses if not more, plus if you are using privacy possibly one of those too.
    The upshot of that is that there is a selection mechanism (not always to everyone's liking) that controls when each address is used for communicating with other hosts.
    It is possible, for instance to have the preferred addresses used when communicating with other hosts in the enterprise, but the privacy (temporary) address used when communicating with the Internet.

    Here's what's on my windows PC LAN adapter, the 1st IPv6 address is the host's static IPv6, the second was self-generated because the router advertisements on the network tell it to, the 3rd is a self-generated address out of the adapter's MAC address, the 4th is the temporary "privacy" address, and the 5th the link-local address, which would be used for communicating with any other hosts on the same subnet.  Imagine the difficulty any NAT state engine would have keeping track of all that!  Conceptually, there are elements of IPv6 for which you cannot use IPv4 thinking.

    Ethernet adapter LAN:
    
       Connection-specific DNS Suffix  . : example.com
       IPv6 Address. . . . . . . . . . . : 2001:db8:1234:5678:0:c1:a551:f1ed
       IPv6 Address. . . . . . . . . . . : 2001:db8:1234:5678:1b7:201b:eebe:ed71
       IPv6 Address. . . . . . . . . . . : 2001:db8:1234:5678:7089:212d:2210:1425
       Temporary IPv6 Address. . . . . . : 2001:db8:1234:5678:51ff:407d:18e9:d990
       Link-local IPv6 Address . . . . . : fe80::7089:212d:2210:1425%14
       IPv4 Address. . . . . . . . . . . : 10.125.200.16
       Subnet Mask . . . . . . . . . . . : 255.255.248.0
       Default Gateway . . . . . . . . . : 2001:db8:1234:5678::1
                                           fe80::5eb9:1ff:fe27:9b80%14
                                           10.125.200.1
    


  • @awebster:

    Using multiple VLANs is a good hack for home use, but it definitely doesn't scale well in the enterprise.
    Keep in mind that in an IPv6 deployment, even if using privacy addresses, you would also have a preferred address assigned to the interface.
    In fact in an IPv6 deployment, an interface will typically have 2 addresses if not more, plus if you are using privacy possibly one of those too.
    The upshot of that is that there is a selection mechanism (not always to everyone's liking) that controls when each address is used for communicating with other hosts.
    It is possible, for instance to have the preferred addresses used when communicating with other hosts in the enterprise, but the privacy (temporary) address used when communicating with the Internet.

    Here's what's on my windows PC LAN adapter, the 1st IPv6 address is the host's static IPv6, the second was self-generated because the router advertisements on the network tell it to, the 3rd is a self-generated address out of the adapter's MAC address, the 4th is the temporary "privacy" address, and the 5th the link-local address, which would be used for communicating with any other hosts on the same subnet.  Imagine the difficulty any NAT state engine would have keeping track of all that!  Conceptually, there are elements of IPv6 for which you cannot use IPv4 thinking.

    Actually, VLANs work very well.  I've used them several times, even with 3 or 4 of them on a network.

    Your problem is you want a magic solution, where none exists.  I have given you a few suggestions, but VLANs would certainly be the easiest.  That way any device attached to the VLAN will have a different address range than the native LAN.  You can then do whatever filtering you want based on IP address or VLAN.  It's that simple.

    Also, I am quite familiar with multiple IP addresses on IPv6.  It's even possible, though not common, to have multiple IPv4 addresses.

    And please, once again forget about NAT.  It's crap that has no business on IPv6.  You're only making things more difficult for yourself.

    As I said, your easiest solution is to put the preferred devices on their own prefix, using VLANs.  Then route & filter accordingly.

    Here's an example of what I've done with VLANs, though not pfSense.  The network was in a retirement home. There was the native LAN for office use, a VLAN for office VoIP phone, a 2nd VLAN for the residents to get Internet access and a 3rd VLAN for network management.  The phones were configured to be on their VLAN.  Computers could be plugged into the back of the phones for native LAN access.  The residents access used a switch port, configured on the appropriate VLAN, connected to ADSL shelves to connect to the suites over existing phone lines.  The WiFi also used VLANs and multiple SSID for employee/guest access.  Using VLANs kept things nice and simple and separate, as required.

    Compared to the above, what you want to do is simple.

    With IPv6, you should have multiple /64s available.  Make use of them.  Even if you only have a single /64 available, you can put the others on a unique local address network and do pretty much the same.



  • As an experiment, I just created a Unique Local /48 prefix on my network.  This gives me 64K /64 prefixes to assign on any interface, including VLAN.  You can do this too, with some computers getting real world addresses and others UL, depending on which LAN/VLAN they're on.  This should solve your problem, if I understand it correctly.



  • Thank You all for Your responses and ideas!

    I figured out another way to possibly achieve this.

    I could have the same network (LAN), have both ULAs and GUAs. Going to the global network would cause the hosts to use the global addresses, that can be temporary, rotating addresses and going to the inside infrastructure with local addressing would cause the host to use its local address as a source. That way the hosts are protected from identification from the global network and at the same time I can keep writing firewall rules based on local addresses. The only problem is that I would need static local addressing which could be done by a DHCPv6 server.

    So the RA would handle global addressing and DHCP would handle local addressing, but can this be set up in pfsense that way? Also wouldn't I require 2 addresses on my LAN interface on the pfsense box?

    Thanks again!



  • @girtsd:

    Thank You all for Your responses and ideas!

    I figured out another way to possibly achieve this.

    I could have the same network (LAN), have both ULAs and GUAs. Going to the global network would cause the hosts to use the global addresses, that can be temporary, rotating addresses and going to the inside infrastructure with local addressing would cause the host to use its local address as a source. That way the hosts are protected from identification from the global network and at the same time I can keep writing firewall rules based on local addresses. The only problem is that I would need static local addressing which could be done by a DHCPv6 server.

    So the RA would handle global addressing and DHCP would handle local addressing, but can this be set up in pfsense that way? Also wouldn't I require 2 addresses on my LAN interface on the pfsense box?

    Thanks again!

    I think you have things backward.  As I recall you only wanted some devices to be able to access the Internet.  Use DHCPv6 to provide a global unique address only to those devices that are permitted to use the DHCPv6 server.  RAs & SLAAC can be used to give every device on the network a ULA address.  RAs on ULAs work exactly the same as with GUA, in that you get both a MAC based and random privacy address.



  • Ok, I'll try to clarify this!

    I want all hosts to be able to access the internet. With the mentioned firewall rules I want to limit accessibility on other interfaces of the firewall.
    I want all hosts to communicate with internet using temporary GUAs, so that they are unidentifiable from the global network and I want all hosts to communicate with other parts of the enterprise network using a different network (ULA network as mentioned before, but can also be global addresses, that will have all communication with the global network disallowed). This other network should have static addresses so that firewall rules can be written based on them. So each host as well as the firewall need to have addresses in 2 networks. One network could be taken care of with DHCPv6 and the other with RAs.

    Can this be achieved, and if yes, then where do I set the other address of the LAN interface?



  • @girtsd:

    Ok, I'll try to clarify this!

    I want all hosts to be able to access the internet. With the mentioned firewall rules I want to limit accessibility on other interfaces of the firewall.
    I want all hosts to communicate with internet using temporary GUAs, so that they are unidentifiable from the global network and I want all hosts to communicate with other parts of the enterprise network using a different network (ULA network as mentioned before, but can also be global addresses, that will have all communication with the global network disallowed). This other network should have static addresses so that firewall rules can be written based on them. So each host as well as the firewall need to have addresses in 2 networks. One network could be taken care of with DHCPv6 and the other with RAs.

    Can this be achieved, and if yes, then where do I set the other address of the LAN interface?

    Well, if that's all you want, it's easy.  Just create a ULA prefix as discussed in my other thread.  PfSense will then advertise both the ULA and GUA networks.  No need for DHCPv6 on the client side.  As I mentioned before, privacy addresses are normally used and this also applies to ULAs.  The ULA network is not available to the Internet, as ULA addresses are supposed to be blocked.

    https://forum.pfsense.org/index.php?topic=133054.0



  • Ok, I've gotten so far.

    It all seems appropriate to what I'm trying to achieve, but the last detail is that I want to create firewall rules based on the ULAs. If I advertise both global and local addresses, then the hosts will use temporary private addresses for the local network, which means the addresses will change and I will not be able to create firewall rules based on them. Using DHCPv6 for local addresses was my guess, because of static addresses, which couldn't change.

    Is using DHCPv6 for the local addresses bad/impossible or is it just advised to use RA for that, because of some incompatibilities with DHCPv6 in some host OSs?



  • I would suggest before you go ahead and set it, have a look at how Windows (I'm assuming, but each OS has their own rule set), chooses which IPv6 address to use when communicating with another host.

    Officially it is defined in RFC 6724 here: https://tools.ietf.org/html/rfc6724
    However, older OSes (Windows 7 for example) are based instead on RFC 3484 (the precursor to 6724) here: https://tools.ietf.org/html/rfc3484

    This article is also helpful: http://biplane.com.au/blog/?p=22



  • I've done some more tweaking and tinkering and have gotten to a good spot in the last couple of days.

    So I will write up a summary of what I got to work and my last question in the end.

    To refresh the topic: I wanted to create a network behind a single (LAN) interface of my pfsense box. The requirements for the network were to provide workstations in the network with working ipv6 addresses.
    The network shouldn't allow the global network to identify devices on this network, but should provide an option to write firewall rules based on addresses in this network. I want all hosts in this network to be able to "anonymously" browse the web and stay unidentified, and I want all hosts in this network to have access restrictions for other networks that are directly attached to my pfsense box. So I need to identify each of the hosts and write per host (or per employee role) firewall rules that restrict some access to inside resources.

    To my knowledge there were 3 ways to achieve this.

    1. Use ULAs (Unique Local Addresses) for inside communications and have access restrictions on the static ULAs, but use NAT66 for global communications, protecting the identity of hosts.
      This is agreed to be bad.

    2. Have multiple per employee role (access level) VLANs in the network. That way the firewall rules can be written based on VLANs ignoring the addresses and every host could have GUAs (Global Unique Addresses) for both global and local communications. There could be temporary privacy addresses to help protecting the identities from the global network.
      This was not an option, since I want to do this with a single VLAN.

    3. Still keep having a single VLAN with GUAs, but assign a specific address range for each host in which it can rotate its addresses. This way I can write firewall rules based on these ranges and protect identities with the rotating addresses.
      This is what I wanted to achieve, but found it is impossible in pfsense (opposed to some commercial solutions).

    Now I have found a fourth way to achieve this.

    1. Each host in the LAN has 2 different network addresses: one ULA and one GUA. There can actually be multiple GUAs, since GUAs are autogenerated. I could have the Router Advertisements taking care of GUAs by advertising the global prefix to hosts in the network. These GUAs would then be used for reaching the global network and hosts could use privacy (rotating) addresses so that they stay unidentifiable from the global network.
      As for the ULAs: the DHCPv6 server would take care of these addresses providing a static per-DUID ULA for each host. These addresses could be used for the mentioned inside communications and have firewall rules written based on them. To make this work I need each host to only have a single address in this local network, so I have to disable RAs (Router Advertisements) for this prefix. By default pfsense generates the /var/etc/radvd.conf configuration file with all the RA listed prefixes and always adds the DHCPv6 prefix to RA as well. This way all the hosts get multiple addresses which would cause them to use privacy addresses as source and my firewall rules would be of no use, so I commented out the part that generates the DHCPv6 prefix clause for the radvd.conf file from the /etc/inc/services.inc file, and the DHCP network no longer gets advertised with Router Advertisements. This way each host only has a single address within this local prefix. In addition to that I have to make sure that hosts will always use the ULA to reach inside resources and GUA for global resources, which happens thanks to the 2nd rule in source address selection protocol per RFC6724 (https://tools.ietf.org/html/rfc6724), which says that a source address with the same scope (global, local, link local) as the destination will be preferred. Thanks to this and inside resources having local addresses as well I have everything working the way I want it to. The only hack is to change the /etc/inc/services.inc file to comment out that one part.
      Furthermore I also have to set up an IP Alias type Virtual IP for the LAN interface with an address from the second prefix of the network. So one address gets set to the interface (in my case the local one) and the other (global address) gets set to the virtual IP.

    So this fourth way is working as expected and hasn't required more VLANs or NAT66 or a feature pfsense does not offer. There is only one thing left for me to ask: Is there a chance I could replace the DHCP static addresses with manually configured static addresses on the hosts, but keep the RA prefixes going? This way I wouldn't have to implement changes in the /etc/inc/services.inc file. It would be best to set static IPv6 addresses for the hosts but keep both DHCP and RA running. This could also be a question for the forums of the host operating systems, since this is to be implemented in the host systems.

    As the very last thing I'd like to thank all of You guys for helping me through this IPv6 labyrinth and apologize for my bad explanatory skills.



  • Got my own answer. This is not the place for this question, but since I asked it here I'll answer it too, so the network has fewer places with questions and no answers.

    Yes, one can have both static and automatic IPV6 addresses.
    I tried this on Windows 7 and Ubuntu 16.04 and had a solution for both of these OSs.

    On windows you just go to the connection properties and set static address of IPv6 and thanks to Windows not turning off the daemon that listens to RAs you will be able to have both static and automatic addressing.

    On Ubuntu linux one has to have a manually configured interfaces file which has IPv6 addressing set to automatic, but has another line that says to add an address to a specific interface. Example below:

    # /etc/network/interfaces: automatic IPv6 stays enabled on enp0s3, and a
    # static address is added on top when the interface comes up
    # ("myaddress" is the author's placeholder for the host part)
    auto enp0s3
    iface enp0s3 inet6 dhcp
    up ip -6 addr add dead:beef:cafe:1234:myaddress:feed/64 dev enp0s3

    Or one can just issue the IP command in command line for a temporary solution.


  • LAYER 8 Global Moderator

    "Using multiple VLANs is a good hack for home use, but it definitely doesn't scale well in the enterprise."

    What??  Did you mean that the other way around?  Doesn't scale well.. So I have 10k hosts on my network, I should just put them all on the same broadcast domain?

    "I could have the same network (LAN), have both ULAs and GUAs"

    So you want to run multiple Layer 3s on the same layer 2?  What?  That is also just plain Borked!!

    What is actually your concern here, why can a client not talk to the internet via its address?  Normally this would be temporary address it would use for that, it will change it in a bit and when it talks to somewhere else it will use a different one, etc.  For you to talk to it you would use its assigned ipv6 address.  Which you would assign via dhcpv6, this is the perm address.



  • Yes, one can have both static and automatic IPV6 addresses.

    Yep, that's normal.  All my devices get both static and privacy addresses, though that's configurable.  Also, Windows by default gets a static random address, but that's also configurable.



  • @johnpoz:

    "I could have the same network (LAN), have both ULAs and GUAs"

    So you want to run multiple Layer 3s on the same layer 2?  What?  That is also just plain Borked!!

    What is actually your concern here, why can a client not talk to the internet via its address?  Normally this would be temporary address it would use for that, it will change it in a bit and when it talks to somewhere else it will use a different one, etc.  For you to talk to it you would use its assigned ipv6 address.  Which you would assign via dhcpv6, this is the perm address.

    Ok, so: I want to have addresses from 2 different networks on the same interface for all my hosts. I need to control what resources the hosts access and I do it via IP based firewall rules. If I write up rules based on the host addresses and they just change their address (hosts will almost always use privacy addresses as source) the rules are lost in vain.
    If I want the hosts to access inside resources (let's say a Time Capsule for macOS backups) I want to control who can access them. Let's say writing a firewall rule that allows all Macs to that server, but deny access to all Windows and Linux hosts. If they change their addresses, then this rule is useless. The only way to force this rule is to only let the hosts have one static address for the network which is used for inside communications since otherwise the hosts will just use privacy addresses and bypass all my rules.
    The GUA prefix on the other hand is for global communications. For that the hosts will generate their privacy addresses and rotate them protecting themselves from identification from the global network.



  • So you want to run multiple Layer 3s on the same layer 2?  What?  That is also just plain Borked!!

    I'm unsure why you think this is not a good idea?  RFC6724 specifically addresses the case where an IPv6 host is multi-homed, with multiple prefixes on an interface.  Whether the prefixes are ULA or GUA doesn't really matter, just the fact that there is more than one address, and semantically it is no different than the link-local address fe80::.
    Admittedly multiple L3s, on the surface, sounds confusing, but the specs deal with this. 
    Don't forget that one of the main reasons why we think multiple L3s is a "bad idea" is that in an IPv4 network there is no source address selection mechanism, making it a shot in the dark at best.
    After 25 years, our brains are so hard-wired with IPv4 techniques and "best-practices", it is hard to adapt to some of the radically different underpinnings of IPv6, but this is the challenge we face.

    Ultimately the host has to decide which address to use when speaking to a client, and if RFC6724 is TL;DR, then if nothing else, just look at section 10.
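    A worked model of the source address selection that both the summary post above and this reply lean on, added here as an example (not code from the thread, the poster or pfSense): a simplified RFC 6724 comparison run over a host holding a static ULA, a stable GUA, a temporary GUA and a link-local address. The GUA and link-local values are the ones from the ipconfig listing earlier in the thread; the fd12:3456:789a::/48 ULA prefix and the destinations are constructed. It also reproduces the failure mode from the summary post: once the ULA prefix is advertised in RAs as well, the host gains a temporary ULA and rule 7 makes that, not the static one, the source for inside traffic.

```python
"""Simplified RFC 6724 source address selection for a single-homed LAN host.

Added example, not code from the thread or pfSense. Rules 1, 2, 3, 6, 7 and 8
are modelled; the interface/next-hop rules do not apply to one interface.
RFC 6724 gives ULAs *global* scope, so ULA-to-ULA pairing comes from the
policy-table label (rule 6) and temporary-over-stable from rule 7.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

# Default policy table, RFC 6724 section 2.1: (prefix, precedence, label).
POLICY_TABLE = [
    (IPv6Network("::1/128"), 50, 0),
    (IPv6Network("::/0"), 40, 1),
    (IPv6Network("::ffff:0:0/96"), 35, 4),
    (IPv6Network("2002::/16"), 30, 2),
    (IPv6Network("2001::/32"), 5, 5),
    (IPv6Network("fc00::/7"), 3, 13),
    (IPv6Network("::/96"), 1, 3),
    (IPv6Network("fec0::/10"), 1, 11),
    (IPv6Network("3ffe::/16"), 1, 12),
]
SCOPE_LINK, SCOPE_GLOBAL = 0x2, 0xE


@dataclass(frozen=True)
class Candidate:
    """One address configured on the interface."""
    addr: IPv6Address
    temporary: bool = False   # RFC 4941 privacy address
    deprecated: bool = False  # preferred lifetime expired


def label(addr):
    """Policy-table label of an address via longest-prefix match."""
    addr = IPv6Address(str(addr))
    return max((n.prefixlen, lab) for n, _, lab in POLICY_TABLE if addr in n)[1]


def scope(addr):
    """Address scope; ULAs count as global scope per RFC 6724 section 3.1."""
    addr = IPv6Address(str(addr))
    if addr.is_multicast:
        return addr.packed[1] & 0x0F
    return SCOPE_LINK if addr.is_link_local else SCOPE_GLOBAL


def common_prefix_len(a, b):
    return 128 - (int(a) ^ int(b)).bit_length()


def compare(sa, sb, dst):
    """1 if source SA beats SB for destination dst, -1 if SB wins, 0 if tied."""
    if sa.addr == dst or sb.addr == dst:       # rule 1: prefer same address
        return 1 if sa.addr == dst else -1
    sca, scb, scd = scope(sa.addr), scope(sb.addr), scope(dst)
    if sca < scb:                              # rule 2: prefer appropriate scope
        return -1 if sca < scd else 1
    if scb < sca:
        return 1 if scb < scd else -1
    if sa.deprecated != sb.deprecated:         # rule 3: avoid deprecated addresses
        return -1 if sa.deprecated else 1
    la, lb = label(sa.addr) == label(dst), label(sb.addr) == label(dst)
    if la != lb:                               # rule 6: prefer matching label
        return 1 if la else -1
    if sa.temporary != sb.temporary:           # rule 7: prefer temporary addresses
        return 1 if sa.temporary else -1
    ca, cb = common_prefix_len(sa.addr, dst), common_prefix_len(sb.addr, dst)
    return (ca > cb) - (ca < cb)               # rule 8: longest matching prefix


def select_source(candidates, dst):
    """Return the Candidate the host would use as source address for dst."""
    dst = IPv6Address(dst)
    best = candidates[0]
    for cand in candidates[1:]:
        if compare(cand, best, dst) > 0:
            best = cand
    return best


# Constructed host: a static ULA from DHCPv6 plus the GUA and link-local values
# from the ipconfig listing in the thread; fd12:3456:789a::/48 is a made-up ULA.
HOST = [
    Candidate(IPv6Address("fe80::7089:212d:2210:1425")),
    Candidate(IPv6Address("fd12:3456:789a:1::10")),                    # static ULA
    Candidate(IPv6Address("2001:db8:1234:5678:7089:212d:2210:1425")),  # stable GUA
    Candidate(IPv6Address("2001:db8:1234:5678:51ff:407d:18e9:d990"), temporary=True),
]
# The same host once the ULA prefix is also advertised in RAs: it gains a temporary ULA.
HOST_WITH_ULA_RA = HOST + [
    Candidate(IPv6Address("fd12:3456:789a:1:51ff:407d:18e9:d990"), temporary=True),
]

if __name__ == "__main__":
    for dst in ("fd12:3456:789a:2::5", "2001:db8:cafe::1", "fe80::5eb9:1ff:fe27:9b80"):
        print(dst, "->", select_source(HOST, dst).addr)
    print("ULA in RA too ->", select_source(HOST_WITH_ULA_RA, "fd12:3456:789a:2::5").addr)
```

    With only the static ULA present, inside destinations get the static ULA and Internet destinations get the temporary GUA; add the RA-generated temporary ULA and the inside source flips to it, which is exactly why the static-address firewall rules stop matching.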



  • So you want to run multiple Layer 3s on the same layer 2?  What?  That is also just plain Borked!!

    Actually, no.  A couple of weeks back I enabled a Unique Local Address prefix on my network, so I now have 2 prefixes on my devices, in addition to link local.  Even with IPv4, it was possible to have an alias address on an interface.  IPv6 is designed to support this properly.  You could even have multiple routers advertising different prefixes and it will all work.


  • LAYER 8 Global Moderator

    While I will be first to admit to the point of having to forget ipv4 when thinking about ipv6.. It really is a whole new ball game.  But to me a ULA is not the same as link local, link local does not route across L2 boundaries, while a ULA can.. ULA is more like ipv4 rfc1918 address.  You can route it across your local private network all you want - but the addresses do not route across the global network.

    And I will also admit I have not spent much time working/playing or even investigating ULA.. Will for sure take a look at the rfc linked too.  How does the device determine that it should use its global vs its ULA address.  I assume it could think well the dest address is global so use a global address, oh the address is ula so use my ula address would be my guess at it.  But again will admit I have not investigated that sort of scenario.  This points directly to your good statement of

    "IPv4 network there is no source address selection mechanism"

    I had not run into a scenario where you could just not use your global IPv6 address across the board..  Both for internal local networks and global access..



  • @johnpoz:

    While I will be first to admit to the point of having to forget ipv4 when thinking about ipv6.. It really is a whole new ball game.  But to me a ULA is not the same as link local, link local does not route across L2 boundaries, while a ULA can.. ULA is more like ipv4 rfc1918 address.  You can route it across your local private network all you want - but the addresses do not route across the global network.

    And I will also admit I have not spent much time working/playing or even investigating ULA.. Will for sure take a look at the rfc linked too.  How does the device determine that it should use its global vs its ULA address.  I assume it could think well the dest address is global so use a global address, oh the address is ula so use my ula address would be my guess at it.  But again will admit I have not investigated that sort of scenario.  This points directly to your good statement of

    "IPv4 network there is no source address selection mechanism"

    I had not run into a scenario where you could just not use your global IPv6 address across the board..  Both for internal local networks and global access..

    ULAs are used pretty much the same as RFC1918 addresses and, as you say, they're routable but not to the Internet.  One thing I spend a lot of time doing is using Wireshark to see exactly what's happening on the wire.  When choosing between GUA and ULA, if you provide a ULA address, then that's what will be used.  Basic routing rules etc.  IPv4 and IPv6 link local addresses are similar in that they are confined to the local link (I guess that's why they're called "link local".  ;) )

    While I have experimented with IPv4 link local, the only use I've ever had for it is with my TP Link switch I mentioned in the other thread.  I configured it with a static link local address (yeah, I know that violates the RFC) so that when I use the switch to monitor a circuit, it won't send out frames that might interfere with the network.  The computer runs duplicate address detection when first connected to the switch and keeps quiet after that.  So, I connect to the switch first and then connect the switch into the circuit. I also have TP Link's version of spanning tree turned off, for the same reason.

