undefined | Better HN

0 pointssgtnoodle3y ago0 comments

I still don't think you're really providing any examples or arguments that make your point, though. You're just coming across as really salty about IPv6. I'm not downvoting you.

IPv6 has link-local addresses that aren't routable, so you can't really get more local than that. Unlike a typical IPv4 setup, typical IPv6 hosts have multiple addresses, and you can make your own for local traffic and only rely on ISP prefixes for internet access if you want to.

Sure, the internal host's internet routable IP address is visible rather than being masked behind the router's IP address. Pretty much all operating systems periodically randomize the bottom 64 bits, making it effectively as opaque as NAT. You could call that a hack, but people call NAT a hack. There's tradeoffs.

The CVE links you provided are just lists of vulnerabilities with "firewall" in the name. Skimming through them, I don't see how they're specific to IPv6? Most of the vulnerability descriptions I read seem equally problematic for NAT setups. The one IPv6 specific one I saw had to do with a bad firewall rule allowing access to LAN facing services running on the router; it could have just as easily been a bad IPv4 rule.

I agree, consumer network gear all sucks. IPv6 is bolted on as an afterthought, and is probably buggy in a lot of them. More features means more opportunity for bugs, but that's true of anything. IPv6 isn't being deployed for no reason; there's limited IPv4 addresses to go around. I still don't follow why IPv6 is fundamentally riskier than IPv4 when traversing a router. Sure, with NAT an incoming packet needs to have a port number that's been dynamically mapped back to an internal host and port, or have a static port forward. In IPv6, an incoming packet needs to have a destination address and port that's been dynamically mapped back to an internal host and port, or have a static firewall rule. It's basically the same, but also less complicated for the router because there's no translation involved. In time, less complexity is good for software hardness.

I also get anxiety from trying to wrap my head around IPv6 address assignment. It is nuts. It's very comforting to work in the effectively 8-bit address space of a /24 IPv4. I suppose it's true that you can't control internet routable IPv6 addresses in that they are dynamic and ephemeral in their nature. Coming from IPv4, it feels messy. I've experimented in detail with configuring my own ULA, DHCPv6 configuration, and SLAAC. I've tried to embrace the benefits of IPv6, and having used a few of the features I can appreciate them for what they are.

0 comments

drtgh3y ago

One of my main concerns is when the firewall stops working (due a poisoned packet what shutting it down, what would be the first logic kind of attack I guess) currently the access to the "local" network would be granted with IPv6; the network becomes the same as the attacker's one.

I put the CVE links with the generic word "firewall" because it is the point where the "local" vs "internet" resides with blind faith within IPv6 (without indicating an specific exploit, just vulnerabilities exist). For this case, the DDOS and buffer overflows that force the firewall to shut down, or code execution, what are periodically discovered, is what I wanted to show for being considered as a serious problem. Not everyone reports firewall bugs, and others I guess even wickedly insert them.

With NAT setups, the local and internet networks are different between them, what requires the packets to be filtered and rewritten by NAT for the address what solicited it, while unsolicited packages are discarded. The NAT in consumer gear is run mainly by software, but a poisoned packet will not aim to shut it down for network penetration because it would be the end. If the NAT stops working, the doors close for everyone.

It is about the double checking,

-IPv6 without NAT: If the firewall stop working, opened doors. Feast.

-IPv6 with NAT: If the firewall stop working, many rules get unfiltered, wild. But NAT keeps the local/internet separation besides filtering unsolicited packages. Not absolutely secure, nevertheless keeps being a complex target.

Like all of we, I suffered some problems that NAT can bring losing countless hours trying to make work some specific services, but when I first read IPv6 didn't implemented NAT nor something similar in the protocol (for whom whish to use it at least...) and what the supposed local IPs are merely part of internet (link-local addresses that aren't routable as first target, devices with internet connection are), each device with its own public address, I doubted seriously about what was going on.

Given that even Mikrotik RouterOs periodically have security vulnerabilities related with the firewall, I can't conceive the idea of people relying on firewalls rules to do the home/internet separation within IPv6 (plus the public address of each device gives me also anxiety), as it is a matter of time before such separation ceases to exist; it is like the crossing of fingers.

I mean, it is not a matter of misfit, it is more like the users will not even notice the router's firewall was shut down.

j / k navigate · click thread line to collapse