[ipv6hackers] my IPv6 insecurity slides

Fabian Wenk fabian at wenks.ch
Wed Nov 30 15:20:44 CET 2011


Hello Michael

On 29.11.2011 19:22, Michael Hartwick wrote:
> NAT doesn't do anything more than a stateful firewall except mangle
> the packet headers which I see as a negative. The customer does not
> appreciate NAT. The customer might appreciate their device not having
> direct access from the Internet but they are not the same.

There are at least two different types of internet users, the 
ones like people on this mailing list, which are more advanced 
and know how the Internet works. And then there are the normal 
users, for which the whole Internet is only in the browser, 
including e-mail and chat. Google makes it very nice and more 
integrated, see "The next stage in our redesign" [1] which is 
just new. :)

   [1] http://googleblog.blogspot.com/2011/11/next-stage-in-our-redesign.html

I personally prefer real clients for e-mail, IRC and jabber.

>>  Or the ISPs start to use NAT also on their network and putting several
>>  customers behind one NAT gateway (like they already do with mobile
>>  internet). Sure when ISPs start using NAT at large on home internet
>>  connections, this will cause other problems, eg.
>
> And they will start to lose some customers because of this. I have
> canceled one supposed provider because they were only providing a
> subset of the internet. They were filtering packets which prevented me
> from using the connection properly, the result was me canceling. If

I would do the same, but compared to the whole customer base of a 
large ISP, we are probably only a very small fraction.

> providers are insisting on hanging everyone behind NAT then I would
> hope that either they would reduce their prices to compensate the
> customer for the reduced service being provided or the customers
> would change to an actual ISP who provides actual Internet access.
> All of the internet is not HTTP or SMTP after all.

It is for most of the normal users, see above.

>>  >  Content folks will want to provide parity to IPv4, IPv6, and
>>  >  dual-stack eyeballs, so that is why content will go to IPv6.
>>
>>  Sure, content need to go dual-stacked first.
>
> There is a lot of content already dual-stacked, there is very little
> reason not to. I have deployed dual stack without any issues, it
> has been very easy and done with very little cost.

I know, Google pushed it already in some places, eg. some content 
of Youtube is also available with IPv6. But I do not get IPv6 
addresses for the main site names like www.google.com or 
www.youtube.com. I use my own DNS server to resolve, which is 
running dual stacked on IPv4 and IPv6.

> The so-called ISPs need to get their act together and deploy IPv6
> to allow dual stacking before the entire IPv4 pool is depleted, that
> will allow for a much more seamless transition than the
> abomination known as NATxx(xxxx).

Sure, this would be the best solution for all. But I am wondering 
how for example the large cable ISP here in Switzerland 
(upc-cablecom) will do IPv6 assignments to their customers. 
Currently depending on the subscription plan (bandwidth) you get 
from 1 up to 5 dynamic public IPv4 addresses (which could even be 
in different sub networks, as the cable modem is just a 
transparent bridge). How would they do it with IPv6? To properly 
maintain your own local network with IPv6, they should assign a 
static /48 IPv6 subnet to the customer, so he can create his 
internal networks, eg. with LAN and WLAN separated (with IPv4 
this is done behind NAT). But I am afraid, that they will do 
something else. Currently with IPv4, if you would like to have 
static IP addresses the only option is to use their business 
offer which costs around 3 times more (eg. for 100/7 Mbit/s 
consumer is 75.- CHF/mt [2] and with 16 static IPv4 address it is 
225.- CHF/mt [3]). The same is with other (incl. DSL) ISPs, home 
users get dynamic IPv4 addresses, some offer 1 static IPv4 
address and nothing else, others give you more addresses, but 
then again only with business subscriptions.

   [2] http://www.upc-cablecom.ch/en/b2c/internet/fiberpower100.htm (prices incl. VAT)
   [3] http://www.upc-cablecom.biz/en/b2b/kmu_angebote/biz_kmu_internet/business_internet_fiber_power/internet_fiberpower100.htm (prices excl. VAT, add 8%)

>>  >  Content go to IPv6 to reach the users.
>>
>>  It will be needed.
>
> Everyone seems to think that the Content or the Eyeballs need to
> move first. The truth is both can and should move at the same time,
> and for that matter should have started years ago. I have been

Sure, this would be the best. But as somebody else pointed out, 
the killer application (some hype thing like Facebook, Twitter or 
G+) which runs only on IPv6 is missing, which could push both 
content provider and ISPs to move forward. So most of them 
currently do not see the real need for the use of IPv6, as there 
is not enough pressure around from paying customers.

> running dual stack in a Content environment for well over a year,
> and even longer in an Eyeball environment. My networks are fairly

I have done the same on my home network for many years. But compared 
to the whole internet user base, we are probably a very small 
fraction.

> small so there is obviously a scale difference which I do understand
> exists and influences things. I have not encountered very many
> issues on either end with being dual stacked. In fact, I have
> encountered more issues with NAT in the Eyeball environment than
> I ever have with IPv6.

I did see some strange behavior with IPv6. One just recently with 
sending e-mails to another dual stacked mail server. And the 
second with the IDLE function between my mail client and my IMAP 
server. As far as I know, the version of Thunderbird (3.1.16) I 
am using fails, so I force it to IPv4. It is fixed in newer 
versions, but I do not like to upgrade to the fast release cycle 
of TB and I am waiting until the Extended Support Release is 
available.

> There is concern about security issues with IPv6, but in all honesty
> does anyone expect those issues to be fixed until there are enough
> customers demanding the vendor fix them? By everyone avoiding
> IPv6 because of security issues (real or theoretical) the customers
> are not demanding the vendor fix them. Patiently waiting for a bug
> to get fixed is not as effective as hundreds or thousands of customers
> calling their vendor support and/or sales lines to complain that the
> bug remains. A lot of the issues that will plague the IPv6 Internet

As I understand it, most real security issues are only a 
problem in the LAN, so this depends on the kind of organization 
and users who use this LAN. I currently do not see this as a real 
problem in my own private LAN. :)

> have not been resolved in the IPv4 Internet so why would anyone
> expect an IP version change to magically fix the problem. SPAM,
> Botnets etc. will still exist in the IPv6. NAT has done nothing to
> help fix those problems, but it has made it harder to trace the source of
> the problem, yet people still want NAT in the IPv6 world.

Who thinks that IPv6 will fix basic problems like spam and 
botnets? I do not think so, why should this fix it? It even will 
not fix phishing and other social engineering tricks done 
nowadays. They will also move to IPv6 as soon as they see enough 
business there.

>>  Currently there is nothing out there, which gives enough pressure to content
>>  providers or / and ISPs to move forward with IPv6. At the current point it just
>>  costs money and effort without any real benefit (without looking at Asia).
>
> With 13 years (RFC2460 is dated December 1998) to replace
> equipment to have IPv6 capabilities there really should not be a huge
> capital cost. Most providers on either end will have replaced a lot of
> equipment in that time (in some cases several times). As I recalled

In Europe most ISPs provide the ADSL/VDSL/cable router/modem to 
their customer, almost none of them can run IPv6. I do remember 
many years back when ZyXEL had an IPv6 capable ADSL router in 
their product line, but they canceled it, as it could not be 
sold, because back then none of the ISPs supported IPv6 on the 
ADSL network.

> planning ahead the natural upgrade process could have most gear
> being IPv6 capable today without huge extra capital expenses. Did
> they do that? It certainly does not look that way. Yes, there is a

I even see new devices sold today, which are not able to run 
IPv6. Modern home cinema equipment (eg. A/V receiver, TV, media 
player) comes with WLAN or LAN, but is not able to use IPv6. I am 
happy that my internal network also does support IPv4 behind NAT. :)

> cost to rolling it out in the terms of man power etc., but I suspect that
> that cost will need to be incurred at some point whether now or
> next year or 5 years from now. You cannot tell me that the CGNs
> will pop into existence without both capital and operating costs. The
> pressure goes both ways. Eyeballs need content, content needs
> eyeballs. So if the question is the "chicken or egg", the easy answer
> is do both. Dual stacking does not break IPv4 so the current
> functionality continues to happily chug along.

Sure it is both, but when none of the two moves forward, which 
could create enough pressure on the other, we will stay much 
longer with IPv4 only than we would like to. And it even takes 
longer until bugs will be fixed in IPv6. Everything depends on 
the others, but no one will take the first step and go forward. 
"Let's wait and see what the others are doing."

>>  And as pointed out above, to give internet access to home customers NAT at
>>  large could be used, as it is already in operation on the mobile phone data
>
> So services like Skype can continue to steal my bandwidth because
> you are hanging everyone behind NAT? How exactly is that fair? Was

This is up to you, you did accept the EULA of Skype. You give 
them a lot of permissions to do stuff on your computer. This is 
one reason why I do not use Skype. Even Google [42] knows about 
it. The first result [4] dates back to 2005 (the "blog" software 
does not display the year, but it is visible in the overview [5]) 
(I do not work there any more).

   [42] https://www.google.com/search?&q=fabian%20wenk%20skype
   [4] http://nic.phys.ethz.ch/news/1106655341/index_html
   [5] http://nic.phys.ethz.ch/news/old_news.html

> NAT not intended as an address conservation method. It mostly
> worked for that, but it has convinced a lot of people that you have
> to use NAT for everything which is not aiding in the deployment of
> IPv6 which does not benefit from the address conservation that NAT
> provides. I for one will shop around for different providers to avoid
> NAT.

Sure, NAT on the ISP level needs to be avoided, but for the 
internal network of a normal home user (not us), NAT is perfect 
to create a properly working internal network, when all they get 
from their ISP is a dynamic IPv4 address. What will they do, if 
their ISP will give them only one dynamic IPv6 address?


bye
Fabian


