[ipv6hackers] my IPv6 insecurity slides

Fabian Wenk fabian at wenks.ch
Thu Dec 1 01:00:19 CET 2011 

Hello Michael

On 30.11.2011 19:49, Michael Hartwick wrote:
> There are people who play online games (not all are HTTP based), use
> peer to peer sharing for music/video/whatever transfer, VoIP type
> traffic, offsite backup (rsync over ssh comes to mind), VPN's, remote
> access (VNC, Remote Desktop, SSH) and those are just some of the
> things that I have seen my customers use this week alone. So again,
> the user does not want NAT, the user wants the protection the stateful

But all of the above protocols / services also work from behind 
NAT (eg. for a normal home user) to any other outside 
destination. Not many normal home user tries to connect from the 
outside to his home computer, which most often is turned of 
during the day when he is out for work. More experienced user who 
need this functionality, either know how they can add port 
forwarding to their NAT device, or will use a real internet 
connection with public IP addresses.


> Agreed. We are also the customer base who rarely calls the support
> line and when we do we have usually diagnosed the problem for them. We

Sounds familiar.

> Clearly my cancellation did not put that provider out of business, but
> speaking with my wallet is the only option that they could understand.
> I even tried to work with their support people to no avail. According
> to them, blocking ICMP was for my protection. They could not explain
> how exactly that was true of course.

Hm, sounds awful. But I still see web servers which are behind 
ICMP filtering firewalls. With the ADSL (and now again with VDSL) 
there still is the problem with the lower then usual MTU of 1500. 
This has strange behavior in combination with web servers which 
block ICMP. Back in March 2005 we did some research and 
experimenting, as a friends expensive manage ADSL connection had 
an MTU of 1500 and almost all other ADSL connections (mine 
including) had only an MTU of 1492. After we figured it out, I 
have documented it in "Swiss ADSL with PPPoA (and MTU 1500)" [1] 
and added some background information over time. But I guess such 
documents are probably to long to read for ignorant ICMP 
filtering ISPs.

   [1] http://www.wenks.ch/fabian/ADSL-PPPoA.html

> I know of a large number of people who are using VoIP service for
> their telephone. That runs over SIP/RTSP as I recall and not HTTP. P2P
> file sharing, online games are a few more examples of things that are
> not HTTP or SMTP. Parents with teenagers comes to mind as being a
> largish portion of the internet users. So again I must say that All of
> the internet is not HTTP or SMTP.

But all of this should also work on the eyeball side from behind 
NAT. Do not understand me wrong, NAT has its problems and 
limitations and I would avoid it where possible. I am used to 
have my servers and even workstations connected directly with 
public IP addresses to the internet. So in IRC even '/dcc send 
<nick> <file>' does work without problems.

>>  I know, Google pushed it already on some places, eg. some content
>>  of Youtube is also available with IPv6. But I do not get IPv6
>>  addresses for the main site names like www.google.com or
>>  www.youtube.com. I use my own DNS server to resolve, which is
>>  running dual stacked on IPv4 and IPv6.
>
> Google has restricted their IPv6 to those IPv6 name servers that have
> been registered with them as I recall. They have demonstrated that

I know, it is documented in "Access Google services over IPv6" 
[2] and "How do I request Google over IPv6?" [3].

   [2] http://www.google.com/intl/en/ipv6/
   [3] http://www.google.com/intl/en/ipv6/faq.html#request

Unfortunately I can not sign up for this, as I do not have an own 
AS, I have only a /48 IPv6 delegated from my ISP. And it does not 
make sense for me, if my ISP does sign up his DNS servers, as I 
use my own DNS to resolve and not use his.

> That is rightfully a question for them. My understanding is that the
> DOCSIS standard requires DHCPv6 to the CPE. If the modem is indeed
> transparent then it shouldn't have a problem passing non-IPv4 traffic.
> They should be assigning a /48 (some say /56 and some say /64) when
> you connect be it dynamic or static. My personal preference would be
> static, but there are some who feel that is a breach of privacy so it
> is hard to say how that will end up.

Future will tell us, hopefully.

> Even with dynamic I don't see it as big of an issue as it would have
> been in IPv4. You can have multiple IPv6 addresses/networks on one
> interface. I have 3 addresses on 2 networks on my Windows 7 machine
> now. Sure one in link-local, but for on LAN traffic that could be
> used. You can also use ULA's for the on LAN stuff which would continue
> to work even if your DSL/Cable/tin-can-and-string connection drops. If
> it is a dynamic address when the connection is restored your machines
> suddenly get yet another IPv6 address and appropriate route. The
> renumbering issue should largely be a non-issue. Does the SOHO routers
> support this? That I do not know.

Probably not (yet).


>>  >  Everyone seems to think that the Content or the Eyeballs need to
>>  >  move first. The truth is both can and should move at the same
> time,
>>  >  and for that matter should have started years ago. I have been
>>
>>  Sure, this would be the best. But as somebody else pointed out,
>>  the killer application (some hype thing like Facebook, Twitter or
>>  G+) which runs only on IPv6 is missing, which could push both
>>  content provider and ISPs to move forward. So most of them
>>  currently do not see the real need for the use of IPv6, as there
>>  is not enough pressure around from paying customers.
>
> I guess running out of IPv4 addresses is not real enough for them.
> There won't be a killer application (not sure I would call Facebook,
> Twitter or G+ killer applications) since that would require some

Sure, it is not really possible to create a killer application 
which could push IPv6. The ones I have mentioned are more hype 
websites then killer applications.

> company to restrict their service to just IPv6. Doing that will
> virtually guarantee it never becomes a killer application since there
> are not enough Eyeballs. If both the Content and Eyeball networks
> don't both work towards a solution then I suspect what will happen is
> one day there will be a bunch of Eyeballs that are IPv6 only and all
> of a sudden the Content providers will need to scramble to make their
> Content IPv6 enabled. I know that doing things in a panic situation
> tends to cost more both in terms of capital and operating expenses,
> but it seems that not everyone understands that.

This also sounds somehow familiar. The profit of today is more 
important then doing sustainable work, which will help for the 
future. :(

>>  I do the same on my home network since many years. But compared
>>  to the whole internet user base, we are probably a very small
>>  fraction.
>
> When the Internet first started there was a very small fraction too.
> It has to start somewhere.

"We" (as the people on this mailing list) already did, now the 
"others" should follow.


> out everything. I have a couple of IPv4 only print servers. Of course
> I won't be immediately replacing them, but when they do get replaced
> then IPv6 will be a requirement. I won't buy any network connected
> hardware today that does not at least pass IPv6 traffic. Do I need my
> WAP or Ethernet switch to be managed from IPv6, no. Sure I would like
> it to, but since it passes IPv6 packets just fine that allows the rest
> of my network to use it.

Same here, the management interfaces most often are anyway on its 
own VLAN, where IPv4 with private addresses is used. This could 
stay "forever".

> place to allow services to be developed while working around NAT. The
> mind boggling part is that people still want to keep NAT around in
> IPv6.

>>  Sure, NAT on the ISP level needs to be avoided, but for the
>>  internal network of a normal home user (not us), NAT is perfect
>>  to create a properly working internal network, when all they get
>>  from their ISP is a dynamic IPv4 address. What will they do, if
>>  their ISP will give them only one dynamic IPv6 address?
>
> I would never called NAT perfect in any context. NAT did what is was
> designed for sure. If their ISP gives them a single dynamic IPv6
> address they should change providers.

I agree with you, NAT should go away, or for IPv6 never be 
available. But for IPv4 this is most often the only available 
solution for a home or small company network to have all their 
client computers connected to the Internet.


bye
Fabian

More information about the Ipv6hackers mailing list