
Ipv6 Locally


G-Stress


I'm watching a webinar now on IPv6 so I can learn it. It mentions there isn't really a pre-defined set of IPs for local LAN routing. It says that a local address would start with "FEC0" and that will work the same as our 192, 172, 10 LANs. My question is, if this is the case, for any consumer grade router that supports IPv6 on the LAN side, will there still need to be port forwarding to hosts running web servers, FTP, etc.?

Also I haven't done really any research yet, but what about DynDNS, services like that? IPv6 I'm sure will be better with the amount of internet enabled devices, but what about troubleshooting? Setting static addresses? Doesn't seem like it will be too user friendly.


So far, from what I've been reading a host that has an IPv6 protocol enabled will have a direct connection to the internet. Unless an IPv6 Firewall is in between the host and the internet, then you will most likely need to do some port forwarding. I may be wrong, but that's how I understand it.


This is going to be interesting. That's the same understanding I got. I just wonder, say most of the consumer grade routers out there now, or even some, switch to using IPv6 addresses for the local LAN (for the ones that support it); will that then expose those hosts directly to the internet? IPv6 has its advantages, but I wonder what the disadvantages are.


I haven't finished reading this documentation yet, but it should give some ideas of the disadvantages of using IPv6:

http://www.infosecwriters.com/text_resources/pdf/IPv6_SSotillo.pdf


I'm watching a webinar now on IPv6 so I can learn it. It mentions there isn't really a pre-defined set of IPs for local LAN routing. It says that a local address would start with "FEC0" and that will work the same as our 192, 172, 10 LANs. My question is, if this is the case, for any consumer grade router that supports IPv6 on the LAN side, will there still need to be port forwarding to hosts running web servers, FTP, etc.?

Also I haven't done really any research yet, but what about DynDNS, services like that? IPv6 I'm sure will be better with the amount of internet enabled devices, but what about troubleshooting? Setting static addresses? Doesn't seem like it will be too user friendly.

IPv6 has what is called a link-local address range (fe80::/10) that will only work on the local LAN and won't be routable over the internet.

If you have IPv6 access to your network from the internet then you should also have an IPv6 network range for your network, so every device will also have an internet routable IPv6 address. Because everything that can connect to the Internet via IPv6 should have an internet routable address, it will also be visible from the internet, without the need to forward any ports. This does mean that you will have to make sure that you have a firewall in there blocking access to those IPs that you don't want reachable and allowing access to those that you do.

For the most part you won't need to set static IP addresses, except for those machines that you wish to remain static. DynDNS will potentially get easier, as it is unlikely that your ISP will keep changing the IPv6 range assigned to you, since it will be easier for them to keep it static. This means that the IPv6 addresses of your servers should remain static and any DNS records pointing to them will not need updating regularly.


The following is based on what I have come to understand about Ipv6 so far, but might not be entirely accurate, so take it with a grain of salt. I would say lookup any of this yourself to be 100% sure, but here is what I have gathered so far.

All IPv6 devices will have two addresses. One link-local address, for LAN only routing, and the other, the full internet routable IPv6 address which is unique to all devices, kind of like your MAC address. The only way you would need to port forward on a router is if you run dual stack on the workstation's OS and are encapsulating/tunneling IPv6 through 4, or 6-to-4 routing if the router itself doesn't natively support IPv6. If you run Windows XP, you have the Microsoft implementation of the Teredo IPv6 protocol, which uses Microsoft as a sort of proxy to route through. (Mubix touched on this briefly in a segment, but I don't remember a lot of it).

If the router supports IPv6 natively, and your OS as well, you are essentially online at all times via IPv6, and NAT does not come protect you any longer. It also means anyone who discovers your IPv6 address as online, can send you whatever probes and attacks they want, and the router will forward it over to you.

The current problem with IPv6 only networks is they can only speak to IPv6 only end devices and computers, unless they run dual stack or encapsulate through IPv4, which means they still use up the same number of addresses as their IPv4 counterparts, thus defeating the purpose of IPv6 altogether. That is why they came up with NAT-PT, which is a form of NAT for IPv6 that sits between IPv6 and IPv4 in a manner similar to NAT on a router, allowing you to speak to both sides of the network.

If your router supports IPv6 and you are running both IPv4 and Ipv6 side by side, know that your machine could possibly be at risk simply because the IPv6 side is always visible from the internet, and as far as I know, will always be seen at the same IPv6 address from the internet side.

Again, I could be way off base on some of these things, so do your own research, but this is what has stuck in my head after reading a few things (some of which might not be accurate itself) and seeing talks in video from various places.

https://twitter.com/sambowne has some excellent videos on YouTube talking about the Microsoft IPv6 DoS for router announcements - http://www.youtube.com/user/sambowne

edit: By the way, I wanted to add something I had saved in notepad a while back that might come in handy for Windows users running IPv6. This apparently stops the DoS attack for router announcements, but I believe you then have to add new devices manually:

netsh interface ipv6 set interface "Local Area Connection" routerdiscovery=disabled

Edited by digip
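The two posts above make the same point from different angles: a link-local address never leaves the segment, a global address is reachable from the Internet without any port forwarding, and it is a firewall rule (not NAT) that decides what is exposed. The following is an added example, not code from the thread; it classifies addresses by scope with explicit prefixes and runs a constructed LAN through a default-deny inbound allow-list. The hosts, the 2001:db8::/32 documentation prefix standing in for an ISP-assigned range, and the ALLOW_RULES list are all made up for the example.

```python
"""Added example, not code from the thread: classify IPv6 addresses by scope and
show that reachability from the Internet is decided by a firewall rule, not by NAT."""
import ipaddress
from typing import Dict, List, Tuple

# Address ranges discussed in the thread. 2001:db8::/32 is the RFC 3849
# documentation prefix and stands in here for an ISP-delegated global range.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")   # never routed; one LAN segment only
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")   # private, the rough analogue of 10/8
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")    # the "FEC0" range from the webinar; deprecated by RFC 3879

# Constructed sample LAN: every host has a link-local address plus one more.
HOSTS: Dict[str, List[str]] = {
    "workstation": ["fe80::1", "2001:db8:1::10"],
    "webserver": ["fe80::2", "2001:db8:1::80"],
    "printer": ["fe80::3", "fd12:3456:789a::1"],
}

# Constructed inbound allow-list: (destination network, permitted TCP ports).
# Anything not listed is dropped, i.e. default-deny inbound at the edge.
ALLOW_RULES: List[Tuple[ipaddress.IPv6Network, set]] = [
    (ipaddress.IPv6Network("2001:db8:1::80/128"), {80, 443}),
]


def scope(addr: str) -> str:
    """Name the scope of an address using explicit prefixes. ipaddress.is_global
    is avoided on purpose: it also reports 2001:db8::/32 as non-global."""
    a = ipaddress.IPv6Address(addr)
    if a in LINK_LOCAL:
        return "link-local"
    if a in UNIQUE_LOCAL:
        return "unique-local"
    if a in SITE_LOCAL:
        return "site-local"
    if a.is_multicast or a.is_loopback or a.is_unspecified:
        return "special"
    return "global"


def routable_from_internet(addr: str) -> bool:
    """Only global-scope addresses can be reached from outside at all."""
    return scope(addr) == "global"


def inbound_allowed(addr: str, port: int, rules=ALLOW_RULES) -> bool:
    """Default-deny: True only if some rule names this address and port."""
    a = ipaddress.IPv6Address(addr)
    return any(a in net and port in ports for net, ports in rules)


def reachability(port: int, hosts=HOSTS, rules=ALLOW_RULES) -> Dict[str, Dict[str, str]]:
    """Per address: 'unroutable' (never reaches the edge), 'blocked' (routable
    but dropped by the default-deny firewall) or 'allowed'."""
    report: Dict[str, Dict[str, str]] = {}
    for host, addrs in hosts.items():
        report[host] = {}
        for addr in addrs:
            if not routable_from_internet(addr):
                verdict = "unroutable"
            elif inbound_allowed(addr, port, rules):
                verdict = "allowed"
            else:
                verdict = "blocked"
            report[host][addr] = verdict
    return report


if __name__ == "__main__":
    for host, verdicts in reachability(80).items():
        for addr, verdict in verdicts.items():
            print(f"{host:12} {addr:22} {scope(addr):13} -> {verdict}")
```

Running it for port 80 shows the workstation's global address as blocked and the web server's as allowed, while every fe80:: and fd:: address is unroutable regardless of the rules; changing the port to 22 turns the web server's verdict to blocked too, which is the property a default-deny rule set is meant to give you once NAT is no longer in the path.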

Thanks guys for all the info. I would like to find a consumer grade router that supports IPv6 natively and set up a few workstations on a separate network at home to play with it. The webinar I've been watching did mention the link-local address that's equivalent to the APIPA (169.254.x.x) address scheme in XP. I guess the only other thing that is of ? to me is our ISPs providing these cable modems, DSL modems, etc. I wonder if configurations will be such as cable modem --> 24-port switch and that modem capable of providing 24 IPv6 addresses.

1 weird thing I've noticed a few months ago, I believe, and I did post it here somewhere (can't remember what the topic was called), but when I ping one of my hosts on my LAN it always replies back with the IPv6 address.


Thanks guys for all the info. I would like to find a consumer grade router that supports IPv6 natively and set up a few workstations on a separate network at home to play with it. The webinar I've been watching did mention the link-local address that's equivalent to the APIPA (169.254.x.x) address scheme in XP. I guess the only other thing that is of ? to me is our ISPs providing these cable modems, DSL modems, etc. I wonder if configurations will be such as cable modem --> 24-port switch and that modem capable of providing 24 IPv6 addresses.

1 weird thing I've noticed a few months ago, I believe, and I did post it here somewhere (can't remember what the topic was called), but when I ping one of my hosts on my LAN it always replies back with the IPv6 address.

Depends on the OS I guess, but Windows has a ping and a switch for IPv6 pings. In Windows 7, IPv6 takes priority over IPv4 and is always checked first, unless changed in the registry, or IPv6 is disabled altogether. If you want to disable IPv6 in 7, you need to go into the device manager, show hidden devices and look for anything with Teredo and IPv6 listed next to it under network adapters, as well as "non-plug and play drivers", which are system drivers and not physical devices.


Internet Protocol version 6 (IPv6) is a networking protocol that allows Windows users to communicate with other users over the Internet. It interacts with Windows naming services such as Domain Name System (DNS) and uses security technologies such as Internet Protocol security (IPSec), because they help facilitate the successful and secure transfer of IP packets between computers.

Ideally, IPv6 is used in a pure environment, that is, an environment where IPv6 is the exclusive Internet protocol used between computers. Currently, however, pure IPv6 transmissions are attainable only with routers that support IPv6 and computers that are running Windows and that support IPv6. As IPv6 supplants IPv4, pure IPv6 across the Internet will become more prevalent and will eventually replace IPv4. Until that occurs, the transition technologies described in this reference can be used to bridge the technological gap between IPv4 and IPv6.

In addition to describing the transition technologies between IPv4 and IPv6, this subject describes how IPv6 relates to other networking protocols, which functions IPv6 performs, how IPv6 addresses are structured and assigned, and how IPv6 packets are structured and routed.

IPv6 Architecture

The IPv6 protocol component that is installed in Windows operating systems is a series of interconnected protocols that include Internet Control Message Protocol version 6 (ICMPv6), Multicast Listener Discovery (MLD), and Neighbor Discovery. These core protocols replace the Internet layer protocols in the Defense Advanced Research Projects Agency (DARPA) model. All protocols above the Internet layer rely on the basic services that IPv6 provides. Protocols at the Host-to-Host Transport and Application layers are largely unchanged, except when addresses are part of the payload or part of the data structures that the protocol maintains. For example, both Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) must be updated to perform new checksum calculations that include IPv6 addresses. TCP must be updated to store IPv6 addresses in its internal Transmission Control Block (TCB). Routing Information Protocol (RIP) must be updated to send and receive IPv6 route prefixes.

The following figure shows the architecture of the IPv6 core protocols in relation to the Open Systems Interconnection (OSI) model, the TCP/IP protocol architecture, and the other protocols in the TCP/IP suite.


Host-to-Router and Router-to-Host

In the host-to-router tunneling configuration, an IPv6/IPv4 node that resides within an IPv4 infrastructure creates an IPv6 over IPv4 tunnel to reach an IPv6/IPv4 router. The tunnel spans the first segment of the path between the source and destination nodes. The IPv6 over IPv4 tunnel between the IPv6/IPv4 node and the IPv6/IPv4 router acts as a single hop.

On the IPv6/IPv4 node, a tunnel interface representing the IPv6 over IPv4 tunnel is created, and a route (typically a default route) is added using the tunnel interface. The IPv6/IPv4 node tunnels the IPv6 packet based on the matching route, the tunnel interface, and the next-hop address of the IPv6/IPv4 router.

In the router-to-host tunneling configuration, an IPv6/IPv4 router creates an IPv6 over IPv4 tunnel across an IPv4 infrastructure to reach an IPv6/IPv4 node. The tunnel endpoints span the last segment of the path between the source node and destination node. The IPv6 over IPv4 tunnel between the IPv6/IPv4 router and the IPv6/IPv4 node acts as a single hop.

On the IPv6/IPv4 router, a tunnel interface representing the IPv6 over IPv4 tunnel is created, and a route (typically a subnet route) is added using the tunnel interface. The IPv6/IPv4 router tunnels the IPv6 packet based on the matching subnet route, the tunnel interface, and the destination address of the IPv6/IPv4 node.

The following figure shows host-to-router (for traffic traveling from Node A to Node B) and router-to-host (for traffic traveling from Node B to Node A) tunneling.


Host-to-Host

In the tunneling configuration between hosts, an IPv6/IPv4 node that resides within an IPv4 infrastructure creates an IPv6 over IPv4 tunnel to reach another IPv6/IPv4 node that resides within the same IPv4 infrastructure. The tunnel spans the entire path between the source and destination nodes. The IPv6 over IPv4 tunnel between the IPv6/IPv4 nodes acts as a single hop.

On each IPv6/IPv4 node, an interface representing the IPv6 over IPv4 tunnel is created. Routes might indicate that the destination node is on the same logical subnet defined by the IPv4 infrastructure. Based on the sending interface, the optional route, and the destination address, the sending host tunnels the IPv6 traffic to the destination.

The following figure shows tunneling between hosts.


I would recommend reading this article from Microsoft; it covers everything about IPv6.

Microsoft How IPv6 works article.

Edited by Infiltrator
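The three tunneling configurations quoted above all rest on the same mechanism: the IPv6 packet is carried as the payload of an IPv4 packet with protocol number 41, and the whole IPv4 path counts as one IPv6 hop. The following is an added example, not code from the thread or from the Microsoft article; it builds such a packet, decapsulates it the way a tunnel endpoint (or a firewall that inspects protocol 41) would, and charges the inner packet the single hop the text describes. The addresses (192.0.2.10, 198.51.100.1, 2001:db8:1::10, 2001:db8:2::1) are documentation ranges chosen for the example, and the ICMPv6 payload is a constructed stub.

```python
"""Added example, not code from the thread or the Microsoft article: build and
decapsulate an IPv6-over-IPv4 (IP protocol 41) tunnel packet."""
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv6 carried directly inside IPv4 (RFC 4213 configured tunnels, 6to4)


def ipv4_checksum(header: bytes) -> int:
    """Standard ones'-complement checksum over an IPv4 header (even length)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6_header(src: str, dst: str, next_header: int, payload_len: int,
                      hop_limit: int = 64) -> bytes:
    """40-byte IPv6 header: version 6, zero traffic class and flow label."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def encapsulate(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """Wrap an IPv6 packet in a 20-byte IPv4 header with protocol 41."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64, IPPROTO_IPV6, 0,
                      ipaddress.IPv4Address(outer_src).packed, ipaddress.IPv4Address(outer_dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + inner


def decapsulate(packet: bytes):
    """Return outer and inner addresses of a well-formed protocol-41 packet,
    or None. An IPv4-only rule set that does not open protocol 41 never sees
    the inner IPv6 addresses, which is why tunnels deserve their own rules."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != IPPROTO_IPV6 or len(packet) < ihl + 40:
        return None
    if ipv4_checksum(packet[:ihl]) != 0:   # a header with a valid checksum sums to zero
        return None
    inner = packet[ihl:]
    if inner[0] >> 4 != 6:
        return None
    _, payload_len, next_header, hop_limit, src, dst = struct.unpack("!IHBB16s16s", inner[:40])
    return {
        "outer_src": str(ipaddress.IPv4Address(packet[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "inner_src": str(ipaddress.IPv6Address(src)),
        "inner_dst": str(ipaddress.IPv6Address(dst)),
        "next_header": next_header,
        "hop_limit": hop_limit,
        "payload_len": payload_len,
    }


def tunnel_hop(packet: bytes) -> bytes:
    """Model the far tunnel endpoint: strip the IPv4 header and charge the
    inner packet exactly one hop, since the whole tunnel is a single IPv6 hop."""
    if decapsulate(packet) is None:
        raise ValueError("not an IPv6-over-IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    inner = bytearray(packet[ihl:])
    if inner[7] == 0:                     # hop limit is byte 7 of the IPv6 header
        raise ValueError("hop limit exhausted")
    inner[7] -= 1
    return bytes(inner)


# Constructed sample: node A (IPv4 192.0.2.10, IPv6 2001:db8:1::10) tunnels an
# ICMPv6 packet (next header 58) to the IPv6/IPv4 router at 198.51.100.1.
SAMPLE_PAYLOAD = b"\x80\x00\x00\x00\x00\x01\x00\x01"   # ICMPv6 echo request stub
SAMPLE_INNER = build_ipv6_header("2001:db8:1::10", "2001:db8:2::1", 58, len(SAMPLE_PAYLOAD)) + SAMPLE_PAYLOAD
SAMPLE_PACKET = encapsulate("192.0.2.10", "198.51.100.1", SAMPLE_INNER)

if __name__ == "__main__":
    print(decapsulate(SAMPLE_PACKET))
    print("inner hop limit after the tunnel:", tunnel_hop(SAMPLE_PACKET)[7])
```

The decapsulation check is the part a defender cares about: a capture of protocol-41 traffic reveals the inner IPv6 endpoints, so a firewall sitting on the IPv4 infrastructure can either drop protocol 41 where no tunnel is expected or inspect the inner header before applying its IPv6 rules.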

I would recommend reading this article from Microsoft; it covers everything about IPv6.

http://technet.microsoft.com/en-us/library/cc781672(WS.10).aspx

You mean it covers specifics regarding Microsoft and IPv6. Not every OS or even hardware device treats IPv6 in the same manner. By the way, that link you posted was broken, I guess because of how the forums parsed the ( ), so I changed it to a bitly link instead - http://bit.ly/aYlcUe

IPv6 is still in the infancy stages, and I imagine a lot of what is out now will mature over the next couple of years, if not change from what it is now by adding new rules and standards. As much as IPv4 is dead, it's not going away any time soon, and could be around forever. Even when shops start to convert their systems to IPv6 only, I imagine there will be some that just do not make the switch.

This isn't just some communication protocol that works over the existing IP landscape. It's something that crosses all layers of the OSI model, and can throw a wrench into any setup from the application layer all the way down to layer 2. Taking unsolicited router announcements from the internet, for example, has the potential to shut down any Windows IPv6 network today, as well as peg their CPU to 100%, forcing the need for a reboot, or disconnection from the ethernet cable, which pretty much kills all traffic anyway. This is something that has been addressed to Microsoft, and apparently, they have no plans to fix any time soon.

Edited by digip

I just fixed the URL, and that video you posted on mitigating DDoS attacks was very informative. By the way, do you know what tool he used in BackTrack to simulate that SYN flood attack?


@ digip, nice find on that video, I just finished watching. This is all far too interesting. I can see so many advantages as well as disadvantages for everyone.

@ Infiltrator, this might be the tool: http://www.backtrack-linux.org/forums/tool-requests/34754-ddosim-layer-7-ddos-simulator.html

Another thing I thought of earlier is this could be an advantage for ISPs, as I can see customers leasing a pool of IPs, at least once IPv6 is standard.


Thank you G-Stress, much appreciated.


He sent IPv6 router announcements, up to 100 random announcements. Probably wrote his own tool for this, but it might be something included in BT already.
