NSA CSI IPv6 Security Guidance (2023) [pdf] (opens in new tab)

> They go on to recommend disabling SLAAC and using only DHCPv6. Does NSA know something exploitable about common DHCPv6 implementations that we don't? ;)

This is what they say

> NSA recommends assigning addresses to hosts via a Dynamic Host Configuration Protocol version 6 (DHCPv6) server to mitigate the SLAAC privacy issue. Alternatively, this issue can also be mitigated by using a randomly generated interface ID (RFC 4941 – Privacy Extensions for Stateless Address Auto-configuration in IPv6) [1] that changes over time, making it difficult to correlate activity while still allowing network defenders requisite visibility

Debian 11 VMs that I was setting up last week were getting non-privacy SLAAC addresses. So I am skeptical of how common it is to default to privacy addresses.

What would be the advantages of running 6to4 on your network edge?

That is the exact opposite off what it says. The US government has actually mandated IPV6 only networks in the next few years.

>At least 20% of IP-enabled assets on Federal networks are IPv6-only by the end of FY 2023;9 >b. At least 50% of IP-enabled assets on Federal networks are IPv6-only by the end of FY 2024; >c. At least 80% of IP-enabled assets on Federal networks are IPv6-only by the end of FY 2025

https://www.cio.gov/assets/resources/internet-protocol-versi...

Aren't these comments getting a bit old at this point? Running dual-stack should not be any more difficult than just running IPv4. There is a plethora of automated deployment tools and I'd hardly think people are DHCP'ng addresses to their servers. You don't have to use SLAAC and can statically assign addresses just like IPv4. Even for your dual stacked devices getting IPv6 addresses via RA can be tracked back to their IPv4 DHCP bootp requests.

I'm making the assumption here that anyone concerned about their network attack surface is actively capturing network or netflow data in which tools like openargus[1] or Arkime[2] make all of this collectable/searchable. Additionally most network devices support mirror/monitoring to offload data if you aren't working on the scale of needed dedicated taps/aggregators.

[1] https://openargus.org/ [2] https://arkime.com/

That's not at all what I got from this.

Ipv4 security guidelines do not look much different.

TLdr: be aware of the differences and prefer ipv6-only instead of dual stack if you can, to reduce complexity.

You are getting downvoted but ipv6 was ratified in 1998. The sunken cost fallacy is real here. At what point or threshold should there be a proposal for a simple address length extension of IPv4. Even in cloud providers who have an army of sysadmins and netadmins they don't support v6 in private networks.

Let's be very honest here, does anyone have a good reasom to believe another 25 years would mean ipv6 would displace ipv4 or even solve the address shortage when cgnat and other workarounds are profitable to network vendors?

https://en.m.wikipedia.org/wiki/Sunk_cost_fallacy -----

My controversial solution is to stop using numbers for addressing on layer3. A new IP protocol should have hierarchial domain name addressimg. So google.com would have .com as the top domain you would have routes for each TLD with non-ISPs default routing tlds like .com, ISP networks would resolve the route for .google under the .com routing table and so on. Upper layers would be oblivious except that you have less code now. On LANs you can create whatever domain hierachy works for you so long as the TLD is part of a predefined list. TLDs will have a fixed maximum length of 128bits for routing performance amd such. PKI/TLS would work just fine except now you have an extra layer of security in that ISP routing tables would have to also route to the wrong AS and can implement source route (customer1244.telecast.isp) validation to make mitm only slightly harder and address spoofing ddos impossible. So forget about numbers, ascii is also numbers. You are already doing this with v6 and 2600:: and other prefixes. As for layer3 translation, I have an even more controversial idea that will also solve wifi security and lan based mitms for good but for another comment.

> I was shocked to see that as soon as your ISP switched to IPV6, your host is now directly addressed. As a by product of skipping NAT you are now relying on every machine having proper firewall settings.

When my ISP started handing out IPv6 addresses, my Asus RT-AC68U by default blocked incoming IPv6 connections unless they were replies to previous outgoing connections.

That is to say: stateful firewalls exist in the IPv6 world just like they do in the IPv4 work.

Just because your laptop or desktop gets a globally routable address does not mean that anyone can hit it.

I'm not so concerned.

For one thing, a /64 issued to a house is a pretty daunting search space for the scanning worms of yesterday.

Another, computers today do come with firewalls that are enabled by default and tricky to disable.

Third, the industry really had to start taking memory safety and attack surface seriously after the Blaster/Sasser/MyDoom days. We see another article here on HN every week about another company categorically solving memory problems by adopting Rust.

Finally, having remote desktop shouldn't be a problem if people don't know your password, no? It's not like there is a firewall stopping baddies from guessing your Gmail password.

I realize that a NAT/PAT device does incidentally serve as a stateful firewall for many homes, but I think it is less important with modern OS's than one might think.

Now for the hospitals still using Windows XP...yeah you're right about that. I'd like to see regulators start fining companies for using obsolete hardware and software.

IPv6 not having NAT doesn’t make it incompatible with stateful firewalls. You can still have routers doing drop inbound by default.

It should be possible for every device on the internet to easily communicate with ever other device. A silver lining of the poor designs of the past is that it is practically very difficult to attack services listening on private network addresses. This difficulty also makes it hard to do useful things.

IPv6 is a step in the right direction, but the resolution to security issues can't be more firewalls or more network equipment. It has to start with operating systems. It is completely ridiculous that applications have access to the network and most of the filesystem by default. Operating systems need to give limited access to the filesystem and other services so that a compromised service isn't a big deal. A successful attacker doesn't own the whole system. They owned a poorly written application and the small sandbox that it's in. This is an obvious idea to most engineers, but neither windows nor macOS get this right out of the box. The iPhone's sandboxing model and fine-grained permissions are way ahead here, but there is still more improvement to be had.

And then there's the issue of most applications not requiring network access in the first place. There is no reason for Word, Photoshop, Blender, etc. to ever need access to the network. A firewall that only administrators can manipulate is also not a solution, that has to be in the users hands as well. Reasoning about a global table of rules is the wrong UX.

Here are two rules for the openbsd packet filter. one for ip4/nat one for ip6/direct. they do the same thing.

    match out on em2 inet from ! em2 to any nat-to em2
    block in on em2 inet6 from any to any

Not many people run a openbsd firewall but the point is that with a statefull firewall preventing people from opening an ip6 connection to internal machines is just as hard as allowing ip4 internal machines a connection out.

I'm not really sure its anymore of a security hole than any other device an end user would plug into their network. You can go on Shodan and look at hundreds of peoples devices exposed on the internet over IPv4. The same block in/all could be deployed for IPv6. I don't think most residential ISP's are concerned with protecting end users networks as they are trying to be mostly net neutral.

On the side of hospitals I would think most IPv6 allowances would at a minimum be managed on the edge firewalls which would be a separate device than the ISP's hand-off, host based firewalls aren't a requirement. An assumption on my part but I would doubt for those transit connections the upstream is just "turning" IPv6 on without some co-ordination. Admittedly, I don't know a lot about how hospital networks are run but i'd imagine some MSP involvement for smaller locations, possibly.

Having a globally unique address does not imply having no firewalls.

This paragraph from RFC7934 really sums it up much better than I can:

> Indeed, it could be argued that the main reason for deploying IPv6, instead of continuing to scale the Internet using only IPv4 and large-scale NAT44, is because doing so can provide all the hosts on the planet with end-to-end connectivity that is constrained not by accidental technical limitations, but only by intentional security policies.

Or you could just configure firewall rules on the router and only allow outgoing connections.

thats EXTREMELY naive. depending on ISP provided cheap router for security.

most of those routers are very, very dumb.

do the following excercise. add your routers external address as a gateway for your net internal IP, now from the outside reach your computer. easy. fully standards compliant. pierce your NAT like it wasn't even there.