The USS Quad Damage

IPv6 and firewalling

I take a look at IPv6 and whether getting it for your home network will be a security threat.

I’m on IPv6 now. It turns out pretty much all PCs now support it, mobile phones have pretty much needed it from the start, and almost anything that requires IPv4 is old or esoteric enough that I’ve managed to get rid of it. The only two limiting factors to an IPv6 deployment are the ISP itself and the router. Fortunately, even with a relatively old router, I still had the ability to update it to support IPv6, and I happen to be with one of the few Australian ISPs with IPv6.

There’s just one problem: I’m not as up with IPv6 as I am with v4, and I’ve been living in the relative comfort of the “natural” firewall that is NAT. The other caveat is, being a Telecommunications Engineer means I’m relatively old fashioned when it comes to internet principles. Therefore, I decided to use this as a learning opportunity to figure out how IPv6 does its thing.

Firstly, let me explain what I mean by “old fashioned”. See, in the utopian days of ye olde internete, when they came up with protocols like POP, SMTP, and others which are almost exploitable by design, part of the idea with the internet was network transparency. That is to say, no matter what you’re doing, the network should just go ahead and let you do it. A “firewall” (at least, one on a network device) goes against this principle, as it “protects” devices behind it, and therefore it is VERBOTEN. There are various other principles like not tunnelling everything under HTTP or whatever but network transparency is the most salient one here.

You see, the claim is that I am like some low hanging fruit for hackers, and my network is ripe for pwnage. My question is basically, how? I’m not saying there are no vulnerabilities in any of my home network devices, but my mobile phone is routinely on a non-NATted network, and most of the ports of most of the other devices are pretty much switched off. In any case, let’s see how IPv6 handles various tasks.

In order to get an IP address, for home networks by and large a computer will use SLAAC, or StateLess Address Auto-Configuration. The host finds the default router and asks it for the network prefix, then appends an identifier derived from its own MAC address to get the address of the device. This means there’s no DHCP server. This can be good or bad, but it has no real implications for hacking, except that with 64(ish) bits of address space for just your subnet, an attacker isn’t going to be able to guess your IP address; they’ll need to see it. There’s also no central management or real central point of failure like in DHCP.
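The “append the MAC address” step is a little more involved than it sounds: SLAAC builds a Modified EUI-64 interface identifier by splitting the MAC in half, inserting `ff:fe` in the middle and flipping the universal/local bit of the first octet. The script below is an added example (not code from this post) that does that derivation with Python’s standard `ipaddress` module and reverses it, so you can check whether one of your own addresses still carries its MAC; the MAC and the `2001:db8:` prefix are constructed sample values.

```python
import ipaddress
from typing import Optional

# Derive the 8-byte Modified EUI-64 interface identifier from a 48-bit MAC.
# Example (constructed): 00:1a:2b:3c:4d:5e -> 02:1a:2b:ff:fe:3c:4d:5e
def eui64_interface_id(mac: str) -> bytes:
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("MAC address must have exactly 6 octets")
    # Flip the universal/local bit (bit 1 of the first octet) per RFC 4291.
    first = octets[0] ^ 0x02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]


# Combine an advertised /64 prefix with the EUI-64 identifier, as SLAAC does.
def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC only forms addresses from a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


# The link-local address uses the fixed fe80::/64 prefix and the same identifier.
def link_local_address(mac: str) -> ipaddress.IPv6Address:
    return slaac_address("fe80::/64", mac)


# Reverse the derivation: if the interface identifier carries the ff:fe marker,
# recover the MAC it was built from; otherwise (e.g. RFC 4941 privacy
# extensions, which use a random identifier) return None.
def mac_from_slaac(addr: str) -> Optional[str]:
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"  # constructed sample MAC
    print("link-local:", link_local_address(mac))
    print("global:    ", slaac_address("2001:db8:1:2::/64", mac))
    print("recovered: ", mac_from_slaac(str(slaac_address("2001:db8:1:2::/64", mac))))
```

Note that an EUI-64 address is stable and embeds the network card’s vendor prefix, which is why most operating systems now default to RFC 4941 privacy extensions (a random identifier that rotates) for outgoing connections; `mac_from_slaac` returning `None` is the quick way to tell which kind an interface is using.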

How do computers find each other on the local network then? There are two main methods, either Microsoft’s UPnP or Apple’s Bonjour, née Zeroconf. Zeroconf is the better implementation here: it does service broadcast and discovery using link-local addresses. This basically means it uses “house names” to talk between computers on the network. Pretty much all the local network protocols (IPv4, IPv6, and ethernet) have some method of doing the multicast necessary for the mDNS which Zeroconf uses. UPnP does strange things, because it is implemented on top of DHCP and then sits HTTP notifications on top of that with SSDP.

I prefer the Zeroconf model, but it trusts your internal network to not have attackers in it. More interestingly, if an attacker can get into one of your machines, they could use Zeroconf to quickly identify what else is on the network. However, in both scenarios, you’re already compromised. UPnP, however, is a more complex protocol. It requires a full DHCP client on a supporting device on top of HTTP, which is notably not link-local. This means that subtle bugs in a UPnP implementation might give an attacker a vector.
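The practical upshot of Zeroconf being link-local is that its traffic is easy to recognise and confine at a router: legitimate mDNS is UDP 5353 from an `fe80::/10` source to the `ff02::fb` multicast group, and never has a reason to cross the link. The checker below is an added example (not from this post) that applies that rule to a few constructed packet summaries, which is the kind of logic a home router’s IPv6 filter or an intrusion-detection rule would use to spot discovery traffic arriving from, or leaking to, a routable address.

```python
import ipaddress

MDNS_PORT = 5353
MDNS_GROUP = ipaddress.IPv6Address("ff02::fb")   # mDNS link-scope multicast group
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")   # link-local unicast range


# Classify one IPv6/UDP packet summary as link-local mDNS, suspicious mDNS, or other.
def classify_mdns(src: str, dst: str, dport: int) -> str:
    if dport != MDNS_PORT:
        return "not-mdns"
    src_addr = ipaddress.IPv6Address(src)
    dst_addr = ipaddress.IPv6Address(dst)
    if src_addr in LINK_LOCAL and dst_addr == MDNS_GROUP:
        return "mdns-link-local"
    # Anything on port 5353 with a routable source or a unicast/non-link
    # destination should not exist on a well-behaved link.
    return "mdns-out-of-scope"


# Apply the rule to a list of (src, dst, dport) tuples and return the offenders.
def out_of_scope(packets):
    return [p for p in packets if classify_mdns(*p) == "mdns-out-of-scope"]


# Constructed sample packets: one normal Zeroconf query, one mDNS query with a
# global source address, one mDNS packet sent unicast, and one ordinary HTTP flow.
SAMPLE_PACKETS = [
    ("fe80::21a:2bff:fe3c:4d5e", "ff02::fb", 5353),
    ("2001:db8:9:9::77", "ff02::fb", 5353),
    ("fe80::21a:2bff:fe3c:4d5e", "2001:db8:1:2::10", 5353),
    ("2001:db8:1:2::10", "2001:db8:5::1", 80),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", classify_mdns(*pkt))
```

UPnP’s SSDP side (UDP 1900 to `ff02::c` or `ff05::c`) can be scoped the same way, but its HTTP control channel is plain unicast, which is exactly why it cannot be boxed in as neatly as Zeroconf.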

The main advantage of IPv6, of course, is that your IP is now global. This means that any computer on the internet can talk to your computer directly. However, this isn’t going to make much of a difference for a while yet. A lot of the technologies which would talk directly between machines (something which is probably now known as “peer to peer” but before was just “the internet”) have since been re-written to have a server middleman. This middleman was necessary to work around NAT issues. This is why Skype became so big while the standards compliant SIP languished.

Unfortunately, everything has become web based, in part because you couldn’t have these peer to peer communications and in part because HTTP is everyone’s new hammer. However, having middlemen is expensive, and once IPv6 takes over completely, we might end up with the “novel” idea of perhaps eliminating these middlemen. Perhaps privacy conscious individuals will start using the privacy enhanced features of IPv6, like opportunistic IPSec and peered VPNs (as opposed to the Hamachi-style client-server VPNs). Perhaps there will be some sort of in-between web and peered protocols in the new age, something like Firefox’s social APIs.

In any case, IPv6 seems to be worth the trouble, and unlike some of my peers, I feel pretty good about having my home network accessible from outside.