[ipv6hackers] my IPv6 insecurity slides

Michael Hartwick hartwick at hartwick.com
Wed Nov 30 19:49:07 CET 2011


> -----Original Message-----
> From: ipv6hackers-bounces at lists.si6networks.com
> [mailto:ipv6hackers-bounces at lists.si6networks.com] On Behalf Of
> Fabian Wenk
> Sent: Wednesday, November 30, 2011 09:21
> Subject: Re: [ipv6hackers] my IPv6 insecurity slides
> 
> There are at least two different types of internet users, the
> ones like people on this mailing list, which are more advanced
> and know how the Internet works. And then there are the normal
> users, for which the whole Internet is only in the browser,
> including e-mail and chat. Google makes it very nice and more
> integrated, see "The next stage in our redesign" [1] which is
> just new. :)

One web site (albeit a very common web site) trying to convince everyone
that the entire world is HTTP does not make it true.

There are people who play online games (not all are HTTP based), use
peer to peer sharing for music/video/whatever transfer, VoIP type
traffic, offsite backup (rsync over ssh comes to mind), VPNs, remote
access (VNC, Remote Desktop, SSH) and those are just some of the
things that I have seen my customers use this week alone. So again,
the user does not want NAT, the user wants the protection the stateful
firewall like functionality that their packet mangler provides. By
the same token customers don't want IPv4 or IPv6, they just want
everything to work.

Obviously, people who are on this mailing list are most likely the
ones who have a more in depth understanding of how things actually
work.

> > And they will start to lose some customers because of this. I have
> > canceled one supposed provider because they were only providing a
> > subset of the internet. They were filtering packets which prevented me
> > from using the connection properly, the result was me canceling. If
> 
> I would do the same, but compared to the whole customer base of a
> large ISP, we are probably only a very small fraction.

Agreed. We are also the customer base who rarely calls the support
line and when we do we have usually diagnosed the problem for them. We
are also the customer base who at least some percentage of the simpler
users go to for questions/advice etc. I do not recommend the "ISP"
locally who does not provide complete internet access. So is it likely
that the simpler users will change providers because of something like
packet filters blocking ICMP, no. However, I know of quite a few
people who have picked a different provider because of my
recommendation. That becomes a larger percentage. Those customers
(like my mother for example) use relatively little bandwidth, don't
call the provider's support line because they phone their knowledgeable
friends instead are the ones that I would much, much rather have than
the ones who do clog the support lines.

Clearly my cancellation did not put that provider out of business, but
speaking with my wallet is the only option that they could understand.
I even tried to work with their support people to no avail. According
to them, blocking ICMP was for my protection. They could not explain
how exactly that was true of course.

> > All of the internet is not HTTP or SMTP after all.
> 
> It is for most of the normal users, see above.

I know of a large number of people who are using VoIP service for
their telephone. That runs over SIP/RTSP as I recall and not HTTP. P2P
file sharing, online games are a few more examples of things that are
not HTTP or SMTP. Parents with teenagers come to mind as being a
largish portion of the internet users. So again I must say that All of
the internet is not HTTP or SMTP.

> > There is a lot of content already dual-stacked, there is very little
> > reason not to. I have deployed dual stack without any issues, it
> > has been very easy and done with very little cost.
> 
> I know, Google pushed it already on some places, eg. some content
> of Youtube is also available with IPv6. But I do not get IPv6
> addresses for the main site names like www.google.com or
> www.youtube.com. I use my own DNS server to resolve, which is
> running dual stacked on IPv4 and IPv6.

Google has restricted their IPv6 to those IPv6 name servers that have
been registered with them as I recall. They have demonstrated that
they can support IPv6 and made available ipv6.google.com. Is it
perfect? No. I don't know if they have finished crunching the data
from World IPv6 Day, but I know they participated. So while it is not
perfect, they are at least able to enable IPv6 and have it work. That
is a lot further than a lot of providers are.

> Sure, this would be the best solution for all. But I am wondering
> how for example the large cable ISP here in Switzerland
> (upc-cablecom) will do IPv6 assignments to their customers.
> Currently depending on the subscription plan (bandwidth) you get
> from 1 up to 5 dynamic public IPv4 addresses (which could even be
> in different sub networks, as the cable modem is just a
> transparent bridge). How would they do it with IPv6? To properly

That is rightfully a question for them. My understanding is that the
DOCSIS standard requires DHCPv6 to the CPE. If the modem is indeed
transparent then it shouldn't have a problem passing non-IPv4 traffic.
They should be assigning a /48 (some say /56 and some say /64) when
you connect be it dynamic or static. My personal preference would be
static, but there are some who feel that is a breach of privacy so it
is hard to say how that will end up.

Even with dynamic I don't see it as big of an issue as it would have
been in IPv4. You can have multiple IPv6 addresses/networks on one
interface. I have 3 addresses on 2 networks on my Windows 7 machine
now. Sure one is link-local, but for on LAN traffic that could be
used. You can also use ULAs for the on LAN stuff which would continue
to work even if your DSL/Cable/tin-can-and-string connection drops. If
it is a dynamic address when the connection is restored your machines
suddenly get yet another IPv6 address and appropriate route. The
renumbering issue should largely be a non-issue. Do the SOHO routers
support this? That I do not know.

> maintain your own local network with IPv6, they should assign a
> static /48 IPv6 subnet to the customer, so he can create his
> internal networks, eg. with LAN and WLAN separated (with IPv4
> this is done behind NAT). But I am afraid, that they will do

You can use the ULAs to maintain stability within your LAN if it is
dynamic from your provider.

> something else. Currently with IPv4, if you would like to have
> static IP addresses the only option is to use their business
> offer which costs around 3 times more (eg. for 100/7 Mbit/s
> consumer is 75.- CHF/mt [2] and with 16 static IPv4 addresses it is
> 225.- CHF/mt [3]). The same is with other (incl. DSL) ISPs, home
> users get dynamic IPv4 addresses, some offer 1 static IPv4
> address and nothing else, others give you more addresses, but
> then again only with business subscriptions.

That is not a technical question so that becomes much harder to guess.
At one point static IPv4 addresses were billable because it was
reserved for your use and there are only so many available. Dynamic
made sense in the dialup days when you had 300 people sharing 30 IPs.
Since there is no scarcity of IPv6 addresses that should be a moot
point. However, businesses will charge what they can get away with. If
people are willing to pay for a dynamic IPv6 assignment and not
complain then that is likely what you will get. If customers want a
static IPv6 address (enough to shift the momentum) then that is likely
what will happen.

> > Everyone seems to think that the Content or the Eyeballs need to
> > move first. The truth is both can and should move at the same time,
> > and for that matter should have started years ago. I have been
> 
> Sure, this would be the best. But as somebody else pointed out,
> the killer application (some hype thing like Facebook, Twitter or
> G+) which runs only on IPv6 is missing, which could push both
> content provider and ISPs to move forward. So most of them
> currently do not see the real need for the use of IPv6, as there
> is not enough pressure around from paying customers.

I guess running out of IPv4 addresses is not real enough for them.
There won't be a killer application (not sure I would call Facebook,
Twitter or G+ killer applications) since that would require some
company to restrict their service to just IPv6. Doing that will
virtually guarantee it never becomes a killer application since there
are not enough Eyeballs. If both the Content and Eyeball networks
don't both work towards a solution then I suspect what will happen is
one day there will be a bunch of Eyeballs that are IPv6 only and all
of a sudden the Content providers will need to scramble to make their
Content IPv6 enabled. I know that doing things in a panic situation
tends to cost more both in terms of capital and operating expenses,
but it seems that not everyone understands that.

> I do the same on my home network since many years. But compared
> to the whole internet user base, we are probably a very small
> fraction.

When the Internet first started there was a very small fraction too.
It has to start somewhere.

> I did see some strange behavior with IPv6. One just recently with
> sending e-mails to another dual stacked mail server. And the
> second with the IDLE function between my mail client and my IMAP
> server. As far as I know, the version of Thunderbird (3.1.16) I
> am using fails, so I force it to IPv4. It is fixed in newer
> versions, but I do not like to upgrade to the fast release cycle
> of TB and I am waiting until the Extended Support Release is
> available.

So by you adopting IPv6 you found a bug, presumably reported it, and
then it was fixed. To some degree that is what the earlyish (not that
13 years after the protocol was defined is early) adopters are going
to be doing. I cannot deploy it for customers until I know it myself.
So why not learn it and deploy it before it gets down to the "Oh shit,
Widget Co. is only available on IPv6 we need it now!!!!" point.

> As I do understand it, the most real security issues are only a
> problem in the LAN, so this depends on the kind of organization
> and users who use this LAN. I currently do not see this as a real
> problem in my own private LAN. :)

Fair enough, I have not encountered these issues either. That does not
mean that others haven't which makes the threat real enough. How
quickly is a vendor going to fix a bug that affects a very small
number of customers? They would fix it a lot faster if it affected the
entire Internet.

> Who thinks that IPv6 will fix basic problems like spam and
> botnets? I do not think so, why should this fix it? It even will
> not fix phishing and other social engineering tricks done
> nowadays. They will also move to IPv6 as soon as they see enough
> business there.

I would hope that nobody thinks that IPv6 will fix those issues. Those
are the more common threats that people face. So we replace one DDoS
attack for another. The net result is still a DDoS. The point is until
there is more IPv6 traffic the full extent of the issues will a) not
be known and b) not be fixed.

> In Europe most ISPs provide the ADSL/VDSL/cable router/modem to
> their customer, almost none of them can run IPv6. I do remember
> many years back when ZyXEL had an IPv6 capable ADSL router in
> their product line, but they canceled it, as it could not be
> sold, because back then none of the ISPs supported IPv6 on the
> ADSL network.

You are right. The reality is they have replaced those modems at least
once in the past decade, I know that around here DSL modems last
somewhere around 3 years, cable modems about the same. So that means
that during the last 5 years pretty much all of the DSL/Cable modems
have been replaced. Had the provider been replacing the failed modems
with IPv6 compatible ones as they went there would not be a huge cost
to do so now. As I recall, a lot of SOHO routers can support IPv6
with a firmware change. If that can be done by going to DD-WRT then
the vendor could roll their own with IPv6 as well. Around here DSL
modems are essentially bridges so they are mostly protocol agnostic.
The point was the cost of deploying IPv6 compatible hardware did not
have to be incurred at once. It could easily have been spread out over
the natural lifetime of the equipment. The fact that it was not does
not change the fact that it could have been done.

> I even see new devices sold today, which are not able to run
> IPv6. Modern home cinema equipment (eg. A/V receiver, TV, media
> player) come with WLAN or LAN, but are not able to use IPv6. I am
> happy that my internal network also does support IPv4 behind NAT. :)

In this day I would consider them not supporting IPv6 to be a bug and
would report it as such. Will that mean that they actually fix the
problem? Of course not. The point of dual stacking is to allow for a
clean, smooth transition. Since you can support both IPv6 and IPv4 at
the same time on the same network means that you don't have to throw
out everything. I have a couple of IPv4 only print servers. Of course
I won't be immediately replacing them, but when they do get replaced
then IPv6 will be a requirement. I won't buy any network connected
hardware today that does not at least pass IPv6 traffic. Do I need my
WAP or Ethernet switch to be managed from IPv6, no. Sure I would like
it to, but since it passes IPv6 packets just fine that allows the rest
of my network to use it.

> Sure it is both, but when none of the two move forward, which
> could create enough pressure on the other, we will stay much
> longer with IPv4 only than we would like to. And it even takes
> longer until bugs will be fixed in IPv6. Everything depends on
> the others, but no one will take the first step and go forward.
> "Lets wait and see what the others are doing."

That right there is the problem. There are companies who have taken
the first, second, third etc. steps. There are sites that are dual
stacked now, some have deployed dual stack for World IPv6 Day and
didn't shut it off. Mozilla comes to mind. If no one wants to look and
see that others have been there, done that they will be waiting a long
time.

> This is up to you, you did accept the EULA of Skype. You give
> them a lot of permissions to do stuff on your computer. This is
> one reason why I do not use Skype. Even Google [42] knows about

It is not exactly a surprise that Skype is doing that. It is
documented, but it does not change the fact that it is happening. Sure
I can go into the registry and prevent Skype from becoming a supernode
but that was one example of the workarounds that have been put in
place to allow services to be developed while working around NAT. The
mind boggling part is that people still want to keep NAT around in
IPv6.

> Sure, NAT on the ISP level needs to be avoided, but for the
> internal network of a normal home user (not us), NAT is perfect
> to create a properly working internal network, when all they get
> from their ISP is a dynamic IPv4 address. What will they do, if
> their ISP will give them only one dynamic IPv6 address?

I would never call NAT perfect in any context. NAT did what it was
designed for, sure. If their ISP gives them a single dynamic IPv6
address they should change providers.

Michael

----------------------------------------------------------------------
Michael J. Hartwick, VE3SLQ                      hartwick at hartwick.com
Hartwick Communications Consulting                      (519) 396-7719
Kincardine, ON, CA                             http://www.hartwick.com
----------------------------------------------------------------------
