Setting up IPv6

IPv6 Networking Security

7 replies to this topic

#1 ArchangelOfTheLamb

ArchangelOfTheLamb

    Learner

  • Quark
  • 32 posts

Posted 30 December 2016 - 10:37 AM

Hi Everybody,

 

It being near the end of the year, I am doing a 'purge' of all of my computers and setting them up again. This will involve me uninstalling the OS and wiping everything old (after backing up data I want to keep of course) and doing the configs over from scratch (with the help of a few scripts and guides for configs I wish to keep).

 

I decided that whilst I was at this task, I might have a go at something that I used to be scared of and have altogether been avoiding for a while - IPv6. My usual approach to IPv6 has been just to turn the c*nt off and use IPv4. This is because I didn't really understand it and I do not like using things that I do not understand. I was also a little bit hesitant about using a protocol that, when enabled, always seemed to make my network do things like forced automatic updates (i.e. automatic updates where I had disabled or otherwise not agreed to the same), lots of additional traffic for which I did not understand the need and random wake-on-LANs that I did not authorise or approve of. However, lately I've become a bit more adventurous and I know enough now about IPv4 that I find it fairly dull. As such, I've decided to use Purge 2016 as an opportunity to try something new and throw myself into the deep end of IPv6.

 

Now, I have Googled, Wikipedia'ed and DuckDuckGo'ed the topic to the shithouse, so I have a reasonable understanding of how IPv6 addressing works and the principles behind it. However, there are still a few things that bug me about the protocol, which I'd like some Good Samaritan(s) to assist me with:

 

  1. How the f*ck does one get used to reading and intuitively understanding these insane 128-bit hex addresses, especially after a lifetime of looking at this sh*t in decimal, 32-bit form? I've found tutorials and exercises that have helped somewhat in this regard, but it still takes me a while to decipher these addresses when I see them. I was wondering if anybody knows of any mnemonics or other aids that can help one to remember all the different address types and what they mean.
  2. Are there any good practices, conventions, etc. that one should use when assigning IPv6 addresses? (E.g. with IPv4, Cisco recommends not having wasted address space as this reduces performance - does this sort of thing also apply with IPv6?)
  3. From your experience, is there much benefit in assigning globally unique addresses to all your computers and fucking off NAT/masquerading, or is it more secure to leave NAT/masquerading on and use a private address range? (Can Aussie ISPs even handle IPv6 to this extent yet?)
  4. One of my main concerns about IPv6 is that the IP addresses are based on MAC addresses, which to me takes away some of the anonymity that one gets from sitting behind a NAT gateway and having an IP that has no link whatsoever to your adapter address. The analogy I like to use is having a mobile phone number that is generated from, or based on, your IMEI number - would you like to happily give your IMEI number to all the scammers and telemarketers that happen to chance upon your mobile number? Didn't think so. However, a NAT gateway presents its own inconveniences when running servers that you actually want to be able to access from the greater Interwebz, so I'd happily stick at least a couple of machines into the DMZ and give them globally unique addresses, if only they weren't tied to their MACs. Is there any problem with spoofing one's MAC address when getting a globally unique address, provided that the address obviously isn't one which would result in two identical addresses being given out?
  5. I have had a brief look through some of the Kali tools regarding IPv6, just to get an idea of what I'm getting myself into and how best I can make my IPv6 network do as it's damn well told. I noticed a few interesting features which don't seem to get much mention in the documentation I've seen on IPv6. These features completely explain the extra traffic, 'forced' automatic updates, random wake-on-LANs or phone WiFi activation by stealth and other really weird and 'magical' things that seem to happen around some IPv6 networks. However, unfortunately, the Linux man pages just don't cut it (I might need some man videos instead lololololol) and I want to learn how to use these tools. My purposes:
    1. Making sure that MY network does what I tell it to do, not what some pr!ck at M$ or Google tells it to do. It is partly a business network and I believe I have the right to control automatic updates and refuse the installation of software that I do not want. Likewise, since my mate and I pay the power bills, the way I see it, we should be able to control wake-on-LANs without M$ (or anyone else) sticking their fingers into that warm pie.
    2. As such, I plan on setting up my own update servers (for Windows, Linux and Android) - I want to make use of IPv6 to make these work.
    3. Better intrusion detection and incident response.
    4. Otherwise improving the integrity of, and my control over, the network and its traffic. This way, Cortana can stay in her box until I call her and my Linuxes will only change after I say 'sudo apt-get update'.
    5. I can set up a magical playground for PXEs where computers magically spring back to life even if they're shut down and launch OSes when I tell them to.
    6. Research and development into various things related to the above.
  6. More generally, are there any important security holes, capabilities that I should disable or monitor or other such things with IPv6 that aren't really well covered in the documentation around the Interwebz?

Feel free to link me if you think there's an article, tutorial or other thing that I really must read - chances are if it's on the first-to-about-fifth page of the abovementioned search engines, I've already read it, but if it's a bit more obscure, some assistance with my digging would be appreciated. Having said that, I am mostly posting this because I know that more than a few people on this forum would have had some personal experience with IPv6 and can probably explain it in a way I'll be able to understand. :P


"Be not forgetful to entertain strangers: for thereby some have entertained angels unawares." Hebrews 13:2

"These sayings are faithful and true: and the Lord God of the holy prophets sent his angel to shew unto his servants the things which must shortly be done." Revelation 22:6

"And, behold, I come quickly; and my reward is with me, to give every man according as his work shall be. I am Alpha and Omega, the beginning and the end, the first and the last. Blessed are they that do his commandments, that they may have right to the tree of life, and may enter in through the gates into the city." Revelation 22:12-14

"I Jesus have sent mine angel to testify unto you these things in the churches. I am the root and the offspring of David, and the bright and morning star." Revelation 22:16


#2 chrisg

chrisg

    Immortal

  • Super Hero
  • 34,100 posts
  • Location:Perth

Posted 07 January 2017 - 04:39 PM

:)

 

A lot of questions, some I can answer :)

 

I don't even try to read the addresses but if you Google up IP V.6 converter you'll find a few free tools that can assist in making them easier to remember.

 

Question 2. Apparently not, we don't do a lot of V.6 but Cisco seem very unconcerned over any wasted space - makes sense, we are not going to exhaust the space in a hurry but I think some hardware struggles a bit regardless.

 

3/. I can't see the value of NAT with V.6 but you need a good firewall. Quite a number of ISPs are supporting and promoting .6; iinet I think led the charge.

 

I've not seen any of the random stuff you are worried about but we only have a very few customers on .6 as yet and we locked them down security wise pretty tight. They are also big networks with big hardware, probably does make a difference.

 

4/. Interesting observation, I suppose you could extract the MAC but again comes down to firewall.

 

The rest I really have to have a think on, except there are indeed security vulnerabilities just as there are in any protocol but I can't tell you exactly what, I work in a team that has security gurus so I leave it to them :)

 

Hope that helps a bit :)

 

I actually had a bit to do with V.6 development but on the math side which was ages ago, not a lot of help to you :)

 

Have fun with it though, we all will have to make the leap before too long :)

 

Cheers


"Specialisation is for Insects" RAH
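An added example, not part of the thread, for questions 1 and 4 and the "extract the MAC" remark in the reply above: it names an address's type from its prefix and checks whether the interface identifier is a modified EUI-64 built from the adapter's MAC. The function names and sample addresses are constructed for illustration (2001:db8::/32 is the documentation prefix).

```python
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")      # unique local (RFC 4193)
GLOBAL = ipaddress.IPv6Network("2000::/3")   # global unicast (RFC 4291)

def classify(addr: str) -> str:
    """Name the address type from its leading bits."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_loopback:
        return "loopback"
    if ip.is_multicast:                      # ff00::/8
        return "multicast"
    if ip.is_link_local:                     # fe80::/10
        return "link-local"
    if ip in ULA:
        return "unique-local"
    if ip in GLOBAL:
        return "global-unicast"
    return "other"

def eui64_mac(addr: str):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None.

    Heuristic: a random interface ID can contain ff:fe in the same
    position by chance (about 1 in 65536).
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None
    # Undo the flipped universal/local bit, drop the ff:fe filler.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def audit(addrs):
    """(address, type, leaked MAC or None) for each address on a host."""
    return [(a, classify(a), eui64_mac(a)) for a in addrs]

# Constructed sample addresses, as one host might report them.
SAMPLE = [
    "fe80::211:22ff:fe33:4455",              # link-local, EUI-64
    "2001:db8:1:2:211:22ff:fe33:4455",       # global, EUI-64 (MAC visible)
    "2001:db8:1:2:5c3a:91ff:2b7e:10c4",      # global, randomised ID
    "fd12:3456:789a:1::10",                  # unique local, manual ID
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

A global address that reports a MAC here is a host still using EUI-64 SLAAC; temporary addresses (RFC 4941) or stable opaque identifiers (RFC 7217) produce interface IDs with no link to the adapter address.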

#3 Master_Scythe

Master_Scythe

    Titan

  • Hero
  • 19,457 posts
  • Location:QLD

Posted 09 January 2017 - 10:41 AM

Bro, honestly, at the end of the day, IPv6 was never going to go big "in the house".

INTERNALLY it will be extremely rare for anyone, even huge sprawling businesses utilizing VPN to need IPv6.

 

It basically exists for WANs only. Even the rising IoT world will use internal NAT, and a single WAN IPv6.

 

It's cool that you're learning it, but you're right, even in large corporate, it's usually 'off', most of the time.


Wherever you go in life, watch out for Scythe, the tackling IT support guy.

"I don't care what race you are, not one f*cking bit, if you want to be seen as a good people, you go in there and you f*ck up the people who (unofficially) represent you in a negative light!"


#4 SquallStrife

SquallStrife

    Really knows where his towel is

  • Atomican
  • 17,899 posts

Posted 09 January 2017 - 11:01 AM

It basically exists for WANs only. Even the rising IoT world will use internal NAT, and a single WAN IPv6.


NAT is a huge kludge that we should be glad to see the back of.
[retro swim] | @retroswimau | +RetroSwim
I'm waiting for half past four!

#5 Master_Scythe

Master_Scythe

    Titan

  • Hero
  • 19,457 posts
  • Location:QLD

Posted 09 January 2017 - 11:11 AM

 

It basically exists for WANs only. Even the rising IoT world will use internal NAT, and a single WAN IPv6.


NAT is a huge kludge that we should be glad to see the back of.

 

 

While I know it has downfalls, it's never actually had a negative impact on anything I've done while behind it.


Edited by Master_Scythe, 09 January 2017 - 11:11 AM.

Wherever you go in life, watch out for Scythe, the tackling IT support guy.

"I don't care what race you are, not one f*cking bit, if you want to be seen as a good people, you go in there and you f*ck up the people who (unofficially) represent you in a negative light!"


#6 SquallStrife

SquallStrife

    Really knows where his towel is

  • Atomican
  • 17,899 posts

Posted 09 January 2017 - 11:34 AM

Sure we've gotten really good at it, but it's been out of necessity, not because it's a good idea.

IPv6 provides billions and trillions of IP addresses for every single human being on the planet, why not use them?

It's not like firewalls, routers, and proxies go away, just IP masquerading.
[retro swim] | @retroswimau | +RetroSwim
I'm waiting for half past four!

#7 Master_Scythe

Master_Scythe

    Titan

  • Hero
  • 19,457 posts
  • Location:QLD

Posted 09 January 2017 - 11:45 AM

It'll end up being a tool that never dies though.

Technology has been built with 'IPv4 Only' for so long now. NAT use may drop, but if someone with as many 'oddball uses' for technology as me (you're probably the only person I know who trumps me :P) hasn't hit a problem with it (besides Double NAT), then I doubt people really ever will....

 

I mean we've had CNC machines for years now, but people who can use an English wheel are still admired.

It'll remain one of those "Not broken, Don't fix it" even if it's not the absolute best way....


Wherever you go in life, watch out for Scythe, the tackling IT support guy.

"I don't care what race you are, not one f*cking bit, if you want to be seen as a good people, you go in there and you f*ck up the people who (unofficially) represent you in a negative light!"


#8 chrisg

chrisg

    Immortal

  • Super Hero
  • 34,100 posts
  • Location:Perth

Posted 10 January 2017 - 04:37 PM

Eh,

 

If a company I'm involved with gets its funding for an IOT project we will have no option but to be all V.6, interesting management challenge :) I like those :)

 

I agree, NAT is just a kludge, very tired of it :)

 

Cheers


"Specialisation is for Insects" RAH





Also tagged with one or more of these keywords: IPv6, Networking, Security
