Home/Small Office IPv6 insanity, protection and deployment.
I have a home router that is IPv6 enabled and security wasn't that much of an issue as it was connected to a gateway device and not plugged into the main switch. All the connected devices had static IPv4 addresses.
Imagine my surprise when I realized that after plugging into the main switch most of the devices had publicly routable IPv6 addresses and I could even SSH into them, with the right password of course.
How does this happen? There is the usual talk about "yeah, yeah, you have to install firewalls on each device and secure their ports." Really?
Has the average user ever heard the word firewall let alone know how it applies to their home devices?
Why are ISPs deploying insecure IPv6 devices without customers having a clue about how exposed their devices are? With IPv4 NAT they are assured of a modicum of security, but this?
I learned that RA on the devices gives them a fixed routable static address as well as a set of ephemeral addresses which are changed after a period.
My problem is I want to be able to initiate connections to IPv6 devices in the wide world, but I don't want anything coming in unless I permit it.
What I can think of is some kind of gateway/firewalling router that blocks incoming connections to internal devices unless expressly requested by the device, and all IoT devices being blocked by default with IPv6 being disabled unless expressly enabled, then setting up the router to enable connections only by MAC addresses.
What kind of software devices am I looking at here? I suspect they will be Linux/FreeBSD appliances running on embedded devices or regular hardware. I would like something I can run on an old laptop with some good wired and wireless connections because they come with the screen.
Right now I wonder how many people are running IPv6 enabled routers and devices in their homes and offices without the slightest idea of how exposed they are. The governments and the media go on and on about Russian, Chinese and North Korean hackers when household device manufacturers and their own approved suppliers are delivering insecure devices to home and office right out of the box.
This is just a nightmare, and it is going to get worse.
Comments
Blame @yoursunny.
Yes he is the one to blame.
@yoursunny you have been screaming from the rooftops for IPv6 deployment, bringing it up every time a new offer is announced.
What prepackaged security solutions have you prepared for home/office users once they jump on the bandwagon you have been pushing so hard?
What solutions can you recommend based on your in-depth testing and evaluation?
Visit the management interface of your "home router that is IPv6 enabled" and check the firewall settings on it. Most would come with incoming connections blocked by default, it is a bit weird that yours didn't.
That seems too obvious. I'm also wondering if he tested the IPv6 remote accessibility to other devices from inside his LAN.
At least in Germany consumer routers block incoming traffic, IPv4 and IPv6, by default.
Anyway IPv6 space is just too big to be efficiently scanned. So don't worry too much.
IP scanning doesn't really work for IPv6, there is simply too much space to scan looking for SSH servers as an example.
With a 10 Gbps connection you can send a packet to every IPv4 address in a few hours; that is not happening for IPv6. You couldn't scan a single /64 in that amount of time.
The default firewall is often "anything outgoing, then established & related coming back", so that even if a host's IPv6 address is known nothing can connect.
Unless statically set the IPv6 addresses randomly change.
Until the mid-to-late 1990s every host on the IPv4 internet was directly reachable by any other; IPv6 brings that back because it broke a LOT of things. Firewall rules were needed then, they are needed now.
NAT is not a firewall.
Overall, secure your shit. It isn't too complicated to compromise an IPv4 host to use it as a proxy to connect to the rest of your internal network; public IPs make it slightly easier but not much different.
Pfsense / opnsense ?
A firewall won't help if a device has been compromised with a reverse shell, because the hacked device is initiating the connection and will punch through the firewall for the attacker (who can then use it as a proxy to attack other internal devices).
NAT prevents devices from being brute-forced, meaning that the attacker requires some kind of interaction from the user to compromise the device (for example clicking a link, opening a file or whatever), so it's always an improvement on a public IP... but neither NAT nor a firewall will save you if the attacked device initiates the connection.
I have yet to see a router without some kind of firewall.
What's the router model?
So does an Established-or-Related firewall rule.
But the IP space is also so large that they cannot be scanned and found.
That's true, but assuming an attacker has a way of acquiring the IP address without scanning (for example compromising the logs of a service provider), it suddenly becomes very risky for that device to be accessible from the open internet (especially if it's a cheap IoT device with minimal security).
I am a guy with above average IT knowledge.
How about the rest of the population who know little about IT who are simply connecting into these devices totally ignorant of how insecure they are?
There is a real problem here and both the device manufacturers and governments who are supposed to be securing these devices right out of the box don't seem to care.
It is not surprising though as being able to spy and monitor public behaviour is high on their agenda.
How about the situations where, by connecting to a compromised service or a service run by shady companies and rogue employees, they can dial back into your IP?
As I said, I dialled back into my home SSH simply by looking at the SSH login message that tells you the last IP you connected from.
If that is your threat-model a simple firewall rule fixes that, which you will have based on your threat-model.
So the ISP sees a connection from one host to another; that will be a pretty big if that the particular host has the specific exploit an attacker would be trying to use.
Some basic Vodafone model - THG3000
That is specifically what the established and related rule is for. It only allows established and related sessions; new incoming connections get blocked.
Plus the IP randomly changes.
Check settings, it has a firewall - and disable pinholing.
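The "allow anything outgoing, allow established/related back in, block new inbound" policy that several comments above describe is, on a Linux router, a short nftables ruleset. The following is an added example written for this thread, not something any poster or the Vodafone firmware ships. It assumes the router's interfaces are named wan0 and lan0 and uses the documentation prefix 2001:db8:1::/64; the one pinhole is left commented out so the default stays closed. It also keeps the ICMPv6 types IPv6 cannot work without (NDP, RA/RS, packet-too-big), which is the part people forget when they copy an IPv4 ruleset.

```bash
#!/bin/sh
# Added example (not from the thread): default-deny IPv6 forwarding
# ruleset for a Linux router, nftables syntax.
# Assumptions: WAN is wan0, LAN is lan0, LAN prefix 2001:db8:1::/64.
WAN=${WAN:-wan0}
LAN=${LAN:-lan0}

# Emit the ruleset as text so it can be reviewed or syntax-checked
# before it is loaded.
ipv6_ruleset() {
cat <<EOF
flush ruleset
table ip6 router {
    # Traffic routed through the box (LAN <-> Internet).
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to sessions a LAN host opened; drop malformed state.
        ct state established,related accept
        ct state invalid drop

        # New connections may leave the LAN, not enter it.
        iifname "$LAN" oifname "$WAN" ct state new accept

        # ICMPv6 that must cross the router for IPv6 to function
        # (path MTU discovery, diagnostics); see RFC 4890.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # Explicit pinholes only. Example: SSH to one assumed host
        # address. Leave commented out to keep it closed.
        # iifname "$WAN" ip6 daddr 2001:db8:1::22 tcp dport 22 ct state new accept
    }

    # Traffic addressed to the router itself.
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Neighbour discovery and router advertisements are link-local
        # and required for SLAAC on the LAN side.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # Router management reachable from the LAN only.
        iifname "$LAN" tcp dport 22 accept
    }
}
EOF
}

# Syntax-check without loading (returns 2 if nft is not installed).
check_ruleset() {
    command -v nft >/dev/null 2>&1 || return 2
    ipv6_ruleset | nft -c -f -
}

# Usage: sh ipv6-fw.sh check   (dry run)
#        sh ipv6-fw.sh apply   (load as root)
case "${1:-}" in
    check) check_ruleset ;;
    apply) ipv6_ruleset | nft -f - ;;
    *)     ipv6_ruleset ;;
esac
```

The forward chain is the one that protects the devices behind the router; the input chain protects the router. A host with a stable SLAAC address is still addressable from outside, but any packet that is not part of a session it started hits `policy drop`. If you later want a service reachable, add one explicit `ct state new accept` line for that host and port rather than turning the policy around.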
The Internet works on an end-to-end principle, when you use NAT you break this principle. You don't have the impression that many things are broken because you probably haven't used the Internet before NAT was widely deployed.
If the device is insecure, it should not send or receive packets on the Internet at all.
ISPs typically provide either IPv4, CGNAT-only, or a combination of IPv4 and IPv6. However, if the ISP didn’t supply the router, they’re only offering the option to use both IPv4 and IPv6. Whether IPv6 is actually enabled depends on your router settings.
For example, my router (a new Asus WiFi 6G model from 2023) had IPv6 turned off by default. This is common practice for most routers.
Did your ISP provide your router? If yes, call your ISP and tell them to turn off IPv6.
It's a very standard threat model, but let's walk through it...
You're an average consumer and you buy some IP cameras on Amazon from a company called "Cheap CCTV Cameras" because they're cheap and they have good reviews.
The cameras arrive, you plug them in and you connect them to your network. They work perfectly and you're delighted. You even leave them a 5 star review yourself
You have no idea that every device has the same embedded credentials, or that those credentials are just a Google search away. But most consumers have no idea about computer security, so why would you know that?
After a couple of months you receive an email from "Cheap CCTV Cameras" telling you they've been hacked. The hackers only stole logs with IP addresses of devices that have connected to their update server in the last 6 months, so they assure you it's nothing to worry about.
Within hours, mass exploitation begins. Attackers are using the embedded credentials from Google and the leaked IP addresses in automated attacks. Your internal network is quickly compromised because the IP is publicly accessible... and now your network access is being sold as a Residential VPN (or worse).
The fact that a consumer grade router doesn't NAT IPv6 by default is wild, because the plug-and-play majority could easily end up serving as a proxy for CSAM and/or other nastiness... and it's unreasonable to assume consumers have the technical skills to understand what they're plugging and playing from Amazon.
In a perfect world this is true, but in the real world there's tons of insecure junk devices on Amazon that people are plugging into their networks all the time, (and very little information about what is and isn't secure)
Also, you can't prevent an insecure device accessing the internet when that would defeat the purpose of the device. The viable solution is to implement VLANs and keep them isolated, but most consumer routers don't have that capability and even fewer consumers would know how/why to set them up anyway.
It has happened before. They take over the update server and the devices pull the malware from the update server.
IPv6 hosts randomly change their IP address, which fixes the IP log from the last 6 months: they send out said email, reboot it and it uses a new IP.
Even if you give the host a static IP, it will still use a random IP to make its outgoing connections.
NAT is an abomination to begin with. NAT wouldn't fix this anyway. IPv6 NAT is usually 1:1 NAT and there are very few situations where it should be used.
Every "issue" you pretend to have with IPv6 already has a solution.
@yoursunny will not approve this act of heresy
We don't really know if it was 'by default'. Looks like the router was in use for a while; some settings could be changed and forgotten.
Privacy Extensions.
Usually devices will use a new IPv6 address once a certain lifetime is over. This also happens under other circumstances, e.g. when you reconnect; wifi is a good example.
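The behaviour in the last few comments (a stable address that stays put plus temporary ones that rotate) is RFC 4941 privacy extensions, and on Linux it is a sysctl. The script below is an added example for this thread, not code from any poster. It shows the sysctl that turns the feature on and a small parser over `ip -6 addr` output that separates the stable SLAAC address (the one an attacker who learned it can keep hitting, so the one the firewall has to cover) from the temporary ones. The `ip -6 addr` sample is constructed with the documentation prefix 2001:db8::/32, not a real capture.

```bash
#!/bin/sh
# Added example (not from the thread): enable IPv6 privacy extensions
# and classify a host's global addresses as stable vs temporary.

# use_tempaddr: 0 = off, 1 = generate temporaries but prefer the
# stable address, 2 = generate temporaries and prefer them for
# outgoing connections. Needs root; only run with "apply".
enable_privacy_extensions() {
    sysctl -w net.ipv6.conf.all.use_tempaddr=2
    sysctl -w net.ipv6.conf.default.use_tempaddr=2
}

# Read `ip -6 addr` format on stdin, print "<kind> <address>" for each
# global-scope inet6 line. The "temporary" flag marks RFC 4941 addresses;
# everything else global is the stable SLAAC/static address.
classify_addrs() {
    awk '
        $1 == "inet6" && /scope global/ {
            kind = ($0 ~ /temporary/) ? "temporary" : "stable"
            split($2, a, "/")
            print kind, a[1]
        }'
}

# Constructed sample, not a real capture: one EUI-64 style stable address
# (note the ff:fe in the middle, derived from the MAC) and two temporary
# ones, one already deprecated (preferred_lft 0), as a host with
# use_tempaddr=2 typically shows.
SAMPLE='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:7d3a:9f0c:2b11:e45f/64 scope global temporary dynamic
       valid_lft 85012sec preferred_lft 13012sec
    inet6 2001:db8:1:2:b1c2:d3e4:f506:1728/64 scope global temporary deprecated dynamic
       valid_lft 45012sec preferred_lft 0sec
    inet6 2001:db8:1:2:1a2b:3cff:fe4d:5e6f/64 scope global dynamic mngtmpaddr
       valid_lft 85012sec preferred_lft 85012sec
    inet6 fe80::1a2b:3cff:fe4d:5e6f/64 scope link
       valid_lft forever preferred_lft forever'

# Convenience wrappers over the sample.
stable_addrs()    { printf '%s\n' "$SAMPLE" | classify_addrs | awk '$1 == "stable" { print $2 }'; }
temporary_count() { printf '%s\n' "$SAMPLE" | classify_addrs | grep -c '^temporary'; }

# Usage: sh v6-privacy.sh        (classify the constructed sample)
#        sh v6-privacy.sh live   (classify this host's real addresses)
#        sh v6-privacy.sh apply  (turn privacy extensions on, as root)
case "${1:-}" in
    apply) enable_privacy_extensions ;;
    live)  ip -6 addr | classify_addrs ;;
    *)     printf '%s\n' "$SAMPLE" | classify_addrs ;;
esac
```

Two things to check on a real host: that the temporary addresses actually exist (some distributions ship `use_tempaddr=0` or 1, in which case outgoing connections use the stable address and the "last IP you connected from" in an SSH banner is the one that never changes), and that the stable address, whether EUI-64 or RFC 7217 style, is covered by the router's inbound policy, because rotating temporaries does nothing for an address that stays constant.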
There are whitepapers on this. That's why there have been several IPv6 updates over the years. And more to come.