
Hi Everybody,

 

It being near the end of the year, I am doing a 'purge' of all of my computers and setting them up again. This will involve me uninstalling the OS and wiping everything old (after backing up data I want to keep of course) and doing the configs over from scratch (with the help of a few scripts and guides for configs I wish to keep).

 

I decided that whilst I was at this task, I might have a go at something that I used to be scared of and have altogether been avoiding for a while - IPv6. My usual approach to IPv6 has been just to turn the c*nt off and use IPv4. This is because I didn't really understand it and I do not like using things that I do not understand. I was also a little bit hesitant about using a protocol that, when enabled, always seemed to make my network do things like forced automatic updates (i.e. automatic updates where I had disabled or otherwise not agreed to the same), lots of additional traffic for which I did not understand the need and random wake-on-LANs that I did not authorise or approve of. However, lately I've become a bit more adventurous and I know enough now about IPv4 that I find it fairly dull. As such, I've decided to use Purge 2016 as an opportunity to try something new and throw myself into the deep end of IPv6.

 

Now, I have Googled, Wikipedia'ed and DuckDuckGo'ed the topic to the shithouse, so I have a reasonable understanding of how IPv6 addressing works and the principles behind it. However, there are still a few things that bug me about the protocol, which I'd like some Good Samaritan(s) to assist me with:

 

  1. How the f*ck does one get used to reading and intuitively understanding these insane 128-bit hex addresses, especially after a lifetime of looking at this sh*t in decimal, 32-bit form? I've found tutorials and exercises that have helped somewhat in this regard, but it still takes me a while to decipher these addresses when I see them. I was wondering if anybody knows of any mnemonics or other aids that can help one to remember all the different address types and what they mean.
  2. Are there any good practices, conventions, etc. that one should use when assigning IPv6 addresses? (E.g. with IPv4, Cisco recommends not having wasted address space as this reduces performance - does this sort of thing also apply with IPv6?)
  3. From your experience, is there much benefit in assigning globally unique addresses to all your computers and fucking off NAT/masquerading, or is it more secure to leave NAT/masquerading on and use a private address range? (Can Aussie ISPs even handle IPv6 to this extent yet?)
  4. One of my main concerns about IPv6 is that the IP addresses are based on MAC addresses, which to me takes away some of the anonymity that one gets from sitting behind a NAT gateway and having an IP that has no link whatsoever to your adapter address. The analogy I like to use is having a mobile phone number that is generated from, or based on, your IMEI number - would you like to happily give your IMEI number to all the scammers and telemarketers that happen to chance upon your mobile number? Didn't think so. However, a NAT gateway presents its own inconveniences when running servers that you actually want to be able to access from the greater Interwebz, so I'd happily stick at least a couple of machines into the DMZ and give them globally unique addresses, if only they weren't tied to their MACs. Is there any problem with spoofing one's MAC address when getting a globally unique address, provided that the address obviously isn't one which would result in two identical addresses being given out?
  5. I have had a brief look through some of the Kali tools regarding IPv6, just to get an idea of what I'm getting myself into and how best I can make my IPv6 network do as it's damn well told. I noticed a few interesting features which don't seem to get much mention in the documentation I've seen on IPv6. These features completely explain the extra traffic, 'forced' automatic updates, random wake-on-LANs or phone WiFi activation by stealth and other really weird and 'magical' things that seem to happen around some IPv6 networks. However, unfortunately, the Linux man pages just don't cut it (I might need some man videos instead lololololol) and I want to learn how to use these tools. My purposes:
    1. Making sure that MY network does what I tell it to do, not what some pr!ck at M$ or Google tells it to do. It is partly a business network and I believe I have the right to control automatic updates and refuse the installation of software that I do not want. Likewise, since my mate and I pay the power bills, the way I see it, we should be able to control wake-on-LANs without M$ (or anyone else) sticking their fingers into that warm pie.
    2. As such, I plan on setting up my own update servers (for Windows, Linux and Android) - I want to make use of IPv6 to make these work.
    3. Better intrusion detection and incident response.
    4. Otherwise improving the integrity of, and my control over, the network and its traffic. This way, Cortana can stay in her box until I call her and my Linuxes will only change after I say 'sudo apt-get update'.
    5. I can set up a magical playground for PXEs where computers magically spring back to life even if they're shut down and launch OSes when I tell them to.
    6. Research and development into various things related to the above.
  6. More generally, are there any important security holes, capabilities that I should disable or monitor or other such things with IPv6 that aren't really well covered in the documentation around the Interwebz?

Feel free to link me if you think there's an article, tutorial or other thing that I really must read - chances are if it's on the first-to-about-fifth page of the abovementioned search engines, I've already read it, but if it's a bit more obscure, some assistance with my digging would be appreciated. Having said that, I am mostly posting this because I know that more than a few people on this forum would have had some personal experience with IPv6 and can probably explain it in a way I'll be able to understand. :P


:)

 

A lot of questions, some I can answer :)

 

I don't even try to read the addresses but if you Google up IP V.6 converter you'll find a few free tools that can assist in making them easier to remember.

 

Question 2. Apparently not, we don't do a lot of V.6 but Cisco seem very unconcerned over any wasted space - makes sense, we are not going to exhaust the space in a hurry but I think some hardware struggles a bit regardless.

 

3/. I can't see the value of NAT with V.6 but you need a good firewall. Quite a number of ISPs are supporting and promoting .6; iinet, I think, led the charge.

 

I've not seen any of the random stuff you are worried about but we only have a very few customers on .6 as yet and we locked them down security wise pretty tight. They are also big networks with big hardware, probably does make a difference.

 

4/. Interesting observation, I suppose you could extract the MAC but again comes down to firewall.

 

The rest I really have to have a think on, except there are indeed security vulnerabilities, just as there are in any protocol, but I can't tell you exactly what; I work in a team that has security gurus so I leave it to them :)

 

Hope that helps a bit :)

 

I actually had a bit to do with V.6 development but on the math side which was ages ago, not a lot of help to you :)

 

Have fun with it though, we all will have to make the leap before too long :)

 

Cheers
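
Question 4 in the opening post and the reply's remark that "you could extract the MAC" both concern SLAAC addresses whose interface ID is a modified EUI-64. As an added example (not part of either post), this Python script classifies addresses by type and flags the ones that embed a MAC, so you can audit your own hosts; the sample addresses and MAC are constructed.

```python
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")
GLOBAL = ipaddress.IPv6Network("2000::/3")

def classify(addr):
    """Name the address type from its leading bits."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_multicast:        # ff00::/8
        return "multicast"
    if ip.is_link_local:       # fe80::/10
        return "link-local"
    if ip in ULA:
        return "unique-local"
    if ip in GLOBAL:
        return "global-unicast"
    return "other"

def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits
    if iid[3:5] != b"\xff\xfe":                    # marker inserted mid-MAC
        return None                                # (a random IID matches 1 in 65536)
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # undo flipped U/L bit
    return ":".join(f"{b:02x}" for b in mac)

def audit(addrs):
    """Return (address, type, mac) for unicast addresses that expose a MAC."""
    findings = []
    for a in addrs:
        kind = classify(a)
        mac = eui64_mac(a) if kind not in ("multicast", "loopback") else None
        if mac:
            findings.append((a, kind, mac))
    return findings

# Constructed sample addresses (2001:db8::/32 is the documentation prefix).
SAMPLE = [
    "fe80::21a:2bff:fe3c:4d5e",            # link-local, EUI-64
    "2001:db8:1:2:21a:2bff:fe3c:4d5e",     # global, EUI-64 (same adapter)
    "2001:db8:1:2:8d3f:91c4:6a07:e2b1",    # global, randomised interface ID
    "fd12:3456:789a:1::10",                # unique-local, manually assigned
    "ff02::1",                             # all-nodes multicast
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(f"{a:40} {classify(a):15} {eui64_mac(a) or '-'}")
```

Hosts that show up in `audit()` with a global address are the ones to move to temporary addresses (RFC 4941) or stable opaque interface IDs (RFC 7217).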


Bro, honestly, at the end of the day, IPv6 was never going to go big "in the house".

INTERNALLY it will be extremely rare for anyone, even huge sprawling businesses utilizing VPN to need IPv6.

 

It basically exists for WANs only. Even the rising IoT world will use internal NAT, and a single WAN IPv6.

 

It's cool that you're learning it, but you're right, even in large corporate, it's usually 'off', most of the time.


It basically exists for WANs only. Even the rising IoT world will use internal NAT, and a single WAN IPv6.

NAT is a huge kludge that we should be glad to see the back of.


 

It basically exists for WANs only. Even the rising IoT world will use internal NAT, and a single WAN IPv6.

NAT is a huge kludge that we should be glad to see the back of.

 

 

While I know it has downfalls, it's never actually had a negative impact on anything I've done while behind it.

Edited by Master_Scythe


Sure we've gotten really good at it, but it's been out of necessity, not because it's a good idea.

 

IPv6 provides billions and trillions of IP addresses for every single human being on the planet, why not use them?

 

It's not like firewalls, routers, and proxies go away, just IP masquerading.


It'll end up being a tool that never dies though.

Technology has been built with 'IPv4 Only' for so long now. NAT use may drop, but if someone with as many 'oddball uses' for technology as me (you're probably the only person I know who trumps me :P) hasn't hit a problem with it (besides Double NAT), then I doubt people really ever will....

I mean we've had CNC machines for years now, but people who can use an English wheel are still admired.

It'll remain one of those "Not broken, Don't fix it" even if it's not the absolute best way....


Eh,

 

If a company I'm involved with gets its funding for an IOT project we will have no option but to be all V.6, interesting management challenge :) I like those :)

 

I agree, NAT is just a kludge, very tired of it :)

 

Cheers
