IPv6 Security



  • I am running pfSense 2.2; my ISP is Comcast and I have an IPv6 address on my WAN, LAN set to track interface; all LAN hosts have IPv6 addresses.

    What I am trying to find out is whether there are any best practices for my firewall. With IPv4 and NAT it was easy to lock down access to my network and only allow through what I wanted; with IPv6 it seems to be much more complicated, especially with the addressing not coming from my local server.

    I have Snort running on my LAN interface, so I would think this would help keep it somewhat more secure.

    Google has not revealed a clear answer to me as of yet. I will keep looking but wanted to post the question here as well.



  • Well - Incoming unsolicited packets to your IPv6-enabled interfaces are dropped silently by default (just like IPv4), and you can also set up pass rules on the interface firewall (just like IPv4) if you wish to allow traffic…

    So, not really sure what's harder about it?



  • @kejianshi:

    Well - Incoming unsolicited packets to your IPv6-enabled interfaces are dropped silently by default (just like IPv4), and you can also set up pass rules on the interface firewall (just like IPv4) if you wish to allow traffic…

    So, not really sure what's harder about it?

    That's kind of what I figured but still wanted to ask the question. Would rather ask a dumb question than leave something possibly insecure.



  • I'm pretty new to IPv6, so there is every chance that someone will correct me, but so far to me it seems very straightforward and lacking the NAT BS.



  • I personally love NAT, even though it can be a pain sometimes, but isn't that what we want? I don't see the need for my grandma's toaster to have a public IP address. It is true that pfSense is a stateful firewall, so unsolicited packets will be dropped. But I just don't trust it. Seems to me things are getting crazy with IPv6 and HTTP 2.0, where servers can push information to your computer before you ask for it; it just seems like a recipe for disaster. Didn't I mention the fact that your MAC address is encoded in your IP address with IPv6? I know it can be obscured, but that is not the default (in non-Windows OSes), so how many people will change it?



  • Me neither - I put in a block rule for my refrigerator and toaster…

    I will say this - Handing out dynamic IPv6 that changes all the time, which is what Comcast and the rest will be doing, is pointless.

    I'd go so far as to say they put in extra effort to make sure that running a server on a static IPv6 IP would be as painful as possible.

    No doubt, for a mere pittance they will gladly un-break IPv6 for you (-;

    An HE tunnel is far more useful.


  • Rebel Alliance Global Moderator

    "Didn't I mention the fact that your MAC address is encoded in your IP address with IPv6"

    How is this an issue, to be honest? Who really gives a shit if a MAC address is given? What does it tell someone? They can look up who the maker of your NIC is. If you're concerned, it is quite easy to change it so it's not used, or just change the MAC of your device. This is very simple on every OS I have ever used: Windows, Linux, BSD, etc.



  • @kejianshi:

    Me neither - I put in a block rule for my refrigerator and toaster…

    I will say this - Handing out dynamic IPv6 that changes all the time, which is what Comcast and the rest will be doing, is pointless.

    I'd go so far as to say they put in extra effort to make sure that running a server on a static IPv6 IP would be as painful as possible.

    No doubt, for a mere pittance they will gladly un-break IPv6 for you (-;

    An HE tunnel is far more useful.

    This is an issue for me as well, but I have been thinking about setting up a script on my servers to dynamically update Google DNS. I have to do some more tuning on my firewall tonight to try and get everything working 100%.

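An added example for the dynamic-DNS idea in the post above (this is my code, not something posted in the thread or shipped with pfSense). On a host with privacy extensions on, `ip -6 addr` lists several global addresses: the stable one (flagged `mngtmpaddr` here), a preferred `temporary` one that outbound connections use, and older `deprecated` temporaries still running out their lifetime. A DNS record for an inbound service should carry only the stable address, so the script filters on those flags before building the update. The `ip -6 addr show` output is constructed, the `eth0` name and the `ddns.example.net` endpoint are placeholders, and the request shape is the common dyndns2 `hostname`/`myip` query; the real provider's URL and credentials would replace them.

```python
"""Pick the address a DDNS updater should publish on a host that has both a
stable SLAAC address and RFC 4941 temporary addresses.
Added example; the `ip -6 addr` text below is constructed, not captured."""
import ipaddress
import re
import subprocess
from urllib.parse import urlencode

# Constructed sample of `ip -6 addr show dev eth0` on a Linux host with
# use_tempaddr=2: one stable address, one preferred temporary, one deprecated
# temporary, and the link-local address.
SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:3cc7:7b6a:9a3e:1f4d/64 scope global temporary dynamic
       valid_lft 86145sec preferred_lft 14145sec
    inet6 2001:db8:1:2:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr
       valid_lft 86145sec preferred_lft 86145sec
    inet6 2001:db8:1:2:5e1c:b1a:22ef:77aa/64 scope global temporary deprecated dynamic
       valid_lft 80000sec preferred_lft 0sec
    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever
"""

# One `inet6` line: address/prefixlen, the scope word, then free-form flags.
INET6_LINE = re.compile(r"^\s*inet6\s+([0-9a-f:]+)/(\d+)\s+scope\s+(\w+)(.*)$", re.I)


def parse_ip_addr(text):
    """Yield (address, prefixlen, scope, flags) for every inet6 line."""
    for line in text.splitlines():
        m = INET6_LINE.match(line)
        if m:
            addr, plen, scope, rest = m.groups()
            yield addr, int(plen), scope.lower(), set(rest.split())


def stable_global_addresses(text):
    """Global-scope addresses that are neither temporary nor deprecated.
    Temporary ones rotate (and get deprecated) on their own schedule, so a
    record pointing at them would break; the stable address is the one to
    publish for inbound connections."""
    return [addr for addr, _plen, scope, flags in parse_ip_addr(text)
            if scope == "global" and not ({"temporary", "deprecated"} & flags)]


def current_stable_address(iface="eth0"):
    """Live variant: read the real interface state from the host.
    `eth0` is an assumed interface name."""
    out = subprocess.run(["ip", "-6", "addr", "show", "dev", iface],
                         capture_output=True, text=True, check=True).stdout
    addrs = stable_global_addresses(out)
    return addrs[0] if addrs else None


def build_update_url(hostname, address, endpoint="https://ddns.example.net/nic/update"):
    """dyndns2-style update request: GET <endpoint>?hostname=...&myip=...
    The endpoint is a placeholder; real providers also want HTTP basic auth,
    which the caller adds to the request."""
    ipaddress.IPv6Address(address)  # refuse to publish anything that is not a v6 address
    return endpoint + "?" + urlencode({"hostname": hostname, "myip": address})


if __name__ == "__main__":
    stable = stable_global_addresses(SAMPLE_IP_ADDR)
    print("stable global address(es):", stable)
    print(build_update_url("host.example.net", stable[0]))
```

Run it unchanged and it works on the embedded sample; swap `stable_global_addresses(SAMPLE_IP_ADDR)` for `current_stable_address()` to use the host's real interface. If the ISP rotates the delegated prefix, the stable address changes with it, which is exactly the case the updater exists for; comparing against the last published value before sending avoids hammering the provider on every run.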


  • @johnpoz:

    "Didn't I mention the fact that your MAC address is encoded in your IP address with IPv6"

    How is this an issue, to be honest? Who really gives a shit if a MAC address is given? What does it tell someone? They can look up who the maker of your NIC is. If you're concerned, it is quite easy to change it so it's not used, or just change the MAC of your device. This is very simple on every OS I have ever used: Windows, Linux, BSD, etc.

    Your MAC identifies who you are; that is why I give a shit. Am I doing anything wrong? No, but people are all happy about the increased address space and don't look at the other things that are going on with the protocol. In today's world of high-profile attacks it is just one more thing for a would-be attacker to attack (I know the argument about the needle in the haystack). Not to mention it is possible to ban a machine from the Internet if you know the MAC, regardless of the ISP. (I know you can change the last 64 bits.)

    I don't want to get into a religious war on IPv6, but it seems like an over-engineered solution to a problem that NAT / BGP had already solved. All we needed was a renumbering of the Internet so companies like GM aren't taking up a whole /8 network of which they are maybe using 30 IPs. Just seems like people aren't asking questions anymore. I will only go to IPv6 dragging and screaming, but then again I hope I'm not just being stuck in the past. I don't think so, but let me know.


  • Rebel Alliance Global Moderator

    "Your MAC identifies who you are"

    How is that?? A MAC address sure is specific to a NIC; how does it identify who I am?

    So I go to the store and buy a PC, with cash. How is it that it could in any way be tracked to "me", even if the NSA, for example, had a database of who bought what PC with the MAC address, etc.? And I take that PC home, and then I take that PC over to my friend's house and set it up for him. How does that MAC identify me or him?

    I think your tinfoil hat is on a bit tight ;) And if you don't like it, change your MAC; change it every hour if you want. Make sure privacy addressing is enabled. I do believe in Windows it's been on by default since like XP SP2. In the other OSes, if not on by default, it's quite easy to turn on:

    Linux
    sysctl net.ipv6.conf.all.use_tempaddr=2
    sysctl net.ipv6.conf.default.use_tempaddr=2

    Mac I believe has it enabled by default since 10.7
    But this should turn it on:
    sysctl -w net.inet6.ip6.use_tempaddr=1

    FreeBSD I believe is:
    sysctl net.inet6.ip6.use_tempaddr=1
    sysctl net.inet6.ip6.prefer_tempaddr=1

    As to
    "Not to mention it is possible to ban a machine from the internet if you know the MAC regardless of the ISP"

    Huh.. Since I can change that whenever I want, how is that any different from blocking by IP, which again I can change just as easily?

    So Windows and Mac have privacy addressing enabled for IPv6; I would think the other OSes will join that bandwagon as it becomes more in use. But to be honest I am quite sure, unless you're very young, that you will be able to get along without using IPv6 if you don't want to for many, many years.

    One of my issues with IPv6 is the use of /64 as the smallest prefix. Talk about wasteful ;) And why does a machine need to grab multiple addresses? I can see the use of link-local, but out of the box Windows, for example, will start using multiple global IPv6 addresses if you let it.

    Another option, btw, if you don't like the use of the MAC address in your global address is to assign whatever address you want, either static or DHCP, etc. There is nothing saying you have to use autoconfiguration for your global IPv6.


  • Netgate

    @johnpoz:

    "Didn't I mention the fact that your MAC address is encoded in your IP address with IPv6"

    How is this an issue, to be honest? Who really gives a shit if a MAC address is given? What does it tell someone? They can look up who the maker of your NIC is. If you're concerned, it is quite easy to change it so it's not used, or just change the MAC of your device. This is very simple on every OS I have ever used: Windows, Linux, BSD, etc.

    Without address randomization "they" can track you by MAC address wherever you go.  IPv6 has this covered with random, changing MAC addresses.



  • "How is that?? A MAC address sure is specific to a NIC; how does it identify who I am?"

    Most inventory systems keep track of inventory by:

    serial number, model number, MAC address. So, to take your point, purchasing an item with cash doesn't ensure your anonymity anymore, because they can just see which register rang up the item and get you that way via video camera. While I agree with you that the last 64 bits can be obscured, the fact that it can even be done is a little scary, and I'm sure they have ways to derive the MAC if they wanted to.

    Think about it: if you wanted to put controls on an open system like the Internet, what is the first protocol that you would change? I don't think that we are in disagreement here about ways to keep yourself safe; it's just the fact that it is possible that has me a little jumpy. Or am I crazy?


  • Netgate

    @johnpoz:

    "How is that?? A MAC address sure is specific to a NIC; how does it identify who I am?"

    If your MAC address can be gleaned from your IPv6 address then every site you visit has what amounts to a persistent cookie: a UUID that identifies your computer everywhere you go. Join a hotel wireless that has IPv6? Same cookie. All you have to do is, say, sign on to Amazon, and now they can associate all your account information with that cookie. Maybe you trust Amazon, but this is true for every site you visit. Eventually your MAC will be associated with your ID and everything everyone knows about you, until you change it.

    You might be fly enough to change your MAC address periodically but most users are not.

    IP address randomization works fine.  You have a persistent MAC-address IP (or statically set IP address) if you need to accept inbound connections.  Outbound connections can use the random address that changes periodically.  There are 18 billion billion to choose from on every /64.

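An added example (mine, not code from the thread or from pfSense) that ties the sysctl knobs johnpoz lists to the "persistent cookie" point in the post above. It builds the address a host autoconfigures from its MAC (modified EUI-64, RFC 4291 Appendix A), recovers the MAC again from such an address (the `ff:fe` pair in the middle of the interface ID is the tell), and then generates a temporary interface ID of the kind the `use_tempaddr` settings switch on (RFC 4941), which carries no MAC at all. The prefix `2001:db8:0:1::/64` and MAC `00:11:22:33:44:55` are constructed values, and the random source is injectable so the output can be checked.

```python
"""How a MAC ends up inside a SLAAC address, how to read it back out, and what
a temporary (privacy) interface ID looks like instead.
Added example; prefix and MAC below are constructed, not from any real host."""
import ipaddress
import secrets


def iid_from_mac(mac: str) -> bytes:
    """Modified EUI-64 interface identifier for a 48-bit MAC: flip the
    universal/local bit (0x02) in the first octet and splice ff:fe between
    the OUI and the NIC-specific half."""
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(m) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]


def slaac_address(prefix: str, mac: str) -> str:
    """Address a host without privacy extensions autoconfigures in a /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface IDs are 64 bits; prefix must be a /64")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid_from_mac(mac)))


def mac_from_address(addr: str):
    """Recover the MAC from an EUI-64 derived address. Returns None when the
    ff:fe marker is absent, i.e. a temporary or manually assigned address,
    which is exactly why the marker acts as a persistent identifier."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in raw)


def reserved_iid(iid: bytes) -> bool:
    """Interface IDs a host must not pick (RFC 5453): the subnet-router
    anycast ID (all zeros) and the reserved anycast block
    fdff:ffff:ffff:ff80 through fdff:ffff:ffff:ffff."""
    return iid == bytes(8) or (iid[:7] == b"\xfd\xff\xff\xff\xff\xff\xff" and iid[7] >= 0x80)


def temporary_address(prefix: str, rng=secrets.token_bytes) -> str:
    """Temporary address in the RFC 4941 style: 64 random bits with the
    universal/local bit cleared (locally administered), re-drawn if the
    result lands on a reserved ID. `rng(n)` must return n random bytes;
    it is a parameter only so tests can make the output deterministic."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("temporary addresses are generated within a /64")
    while True:
        iid = bytearray(rng(8))
        iid[0] &= 0xFD  # clear the u/l bit: this ID is not derived from a unique hardware address
        if not reserved_iid(bytes(iid)):
            return str(ipaddress.IPv6Address(net.network_address.packed[:8] + bytes(iid)))


if __name__ == "__main__":
    prefix, mac = "2001:db8:0:1::/64", "00:11:22:33:44:55"  # constructed
    eui64 = slaac_address(prefix, mac)
    print("SLAAC (EUI-64) address:", eui64, "-> MAC", mac_from_address(eui64))
    temp = temporary_address(prefix)
    print("temporary address:     ", temp, "-> MAC", mac_from_address(temp))
```

The stable address above changes only when the delegated prefix does, so `mac_from_address` works on it from any network the laptop joins; the temporary one yields nothing and is re-drawn on the OS's own schedule, which is what the `use_tempaddr=2` (Linux) and `use_tempaddr=1` (macOS, FreeBSD) settings buy you.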

  • Rebel Alliance Global Moderator

    " All you have to do is, say, sign on to amazon now they can associate all your account information with that cookie."

    And how is that any different from MY IP address, which is always the same when I use my home connection? So now "they": who are you referring to, by the way? Amazon? The NSA? Chinese hackers?

    If I am on some wifi network, that IP would now be different, and as stated, Windows and Mac already enable privacy addressing for IPv6. So there is no part of your MAC used, and if you're worried about it with some other OS, then do some simple research and enable it. Which I would guess, as IPv6 becomes more used, the OSes will enable out of the box as well.

    I sure as hell do not see it as such a security concern as to not use IPv6. It is more likely "they" have multiple persistent cookies on your machine anyway and couldn't care less what IP, be it v4 or v6, you're coming from ;)

    edit: I just checked my Ubuntu box, 14.04.1, and it has it on by default

    johnpoz@ubuntu:~$ sysctl net.ipv6.conf.all.use_tempaddr
    net.ipv6.conf.all.use_tempaddr = 2
    johnpoz@ubuntu:~$ sysctl net.ipv6.conf.default.use_tempaddr
    net.ipv6.conf.default.use_tempaddr = 2


  • Netgate

    @johnpoz:

    " All you have to do is, say, sign on to amazon now they can associate all your account information with that cookie."

    And how is that any different from MY IP address, which is always the same when I use my home connection? So now "they": who are you referring to, by the way? Amazon? The NSA? Chinese hackers?

    But it doesn't follow you around the world everywhere you take your laptop.

    Who am I talking about? Without address randomization, anyone. That's the point.

    If I am on some wifi network, that IP would now be different, and as stated, Windows and Mac already enable privacy addressing for IPv6. So there is no part of your MAC used, and if you're worried about it with some other OS, then do some simple research and enable it. Which I would guess, as IPv6 becomes more used, the OSes will enable out of the box as well.

    You are making the case that address randomization enhances privacy. I fail to see what issue you have with it.

    Apple has it on by default as well.

    I sure as hell do not see it as such a security concern as to not use IPv6. It is more likely "they" have multiple persistent cookies on your machine anyway and couldn't care less what IP, be it v4 or v6, you're coming from ;)

    Yeah, probably not.


  • Netgate

    @johnpoz:

    One of my issues with IPv6 is the use of /64 as the smallest prefix. Talk about wasteful ;)

    There are enough IPv6 addresses to give every person on earth 39,478 /48 assignments, not accounting for the chunks that are reserved.  Don't sweat the /64.

    http://www.wolframalpha.com/input/?i=2^48+%2F+people+on+earth


  • Rebel Alliance Global Moderator

    Yeah, I got over my /64. But it still seems wasteful ;) When IPv4 first started, they were handing out /8s like they were candy, and /16s, etc. Now look what happens ;)

    "You are making the case that address randomization enhances privacy."

    Exactly: you get rid of your MAC address out of your IPv6. This is my point. If you have a problem with your MAC being in your global IPv6, then make sure privacy addressing is enabled. Windows has had it on by default since like forever, Mac has it on, and now I checked and Ubuntu has it on by default as well. So this whole discussion of the MAC being in your IP is kind of pointless as more and more OSes turn on privacy by default. And if the user is worried they can always turn it on if not on by default.

    "But it doesn't follow you around the world everywhere you take your laptop."
    A persistent cookie sure would follow you around. My point is, if the MAC being in your IPv6 is like a cookie that can be used to track you and find out who you are, why are you not worried about those? I would think those would be a bigger issue than whether your MAC address is in your IPv6.

    So we are clear: privacy addressing in IPv6 seems to be a common default in major OSes used today; Windows, OS X, and at least 1 Linux distro have it on by default. So it seems to be becoming the norm. And it can be turned on very easily by anyone who feels the MAC in your IPv6 is bad and can Google.

    I don't use auto IPv6 anyway, so not an issue for me if it was on or off. I don't use IPv6 on my tablets or my laptops. It's not enabled on my phone, so to me it doesn't matter. My point is I don't see how the fact that some OSes don't enable privacy addressing by default would be an issue for not using IPv6??



  • NAT breaks A LOT!

    IPv6 is wonderful…



  • I think I agree with a lot of what people are saying here, but it just seems like an engineering nightmare. To my point earlier, who knows what hashing algorithm they are using to randomize the MAC address? Is it even a hash? I'm just glad that I am not the only one that thinks everything about IPv6 is NOT all good. NAT just seemed like an elegant solution to a problem, and now we have IPv6 and it just doesn't seem right to me, but we will see.

    If IP addresses were all we were worried about they could have just added an extra octet and called it a day. Hell, you could even make that octet hex, which would have given you 48 bits in the address space, which is a ridiculous amount of IPs, but I guess we couldn't call it an octet, maybe a hextet. Older devices would just read the lower 32 bits; newer devices would read all 48 bits.

    I read this book about how every open system becomes closed; let me check the name real fast. The book is called "Who Controls the Internet"; it is on Audible if you don't have time to actually read a physical book. I definitely recommend checking it out.

    I do appreciate everyone's opinion though; it is good to hear different perspectives.