What's the responsibility of an IPv6 owner?

Living behind a consumer-grade router for the memorable past, I guess I took the side-effect of NAT for granted, in that I had the burden of forwarding ports when I needed to, instead of having to manage them with a software firewall.

If there's no address translation problem to solve with IPv6, and if it still uses ports, is it now my responsibility to manage this? What's automatically deflecting probing traffic in the IPv6 world?

Do I have to actively try to be defensive in things like blocking RDP or SSH requests, or should I be confident in the updated modern OS saving me from thinking about these things?

If an ISP is delivering IPv6, does it need to be understood by the average netizen before it's enabled?

Solution 1:

Having used IPv6 for the better part of a decade now, and watching the changes go by, I have a little bit of perspective on this.

The most important point here is this: NAT is not the firewall. These are two completely distinct things. In Linux it happens to be implemented as part of the firewall code, but this is merely an implementation detail, and isn't necessarily the case on other operating systems.

Once you completely understand that the thing in the router protecting your home network is the firewall, and not the NAT, then the rest falls into place.

To answer the rest of your question, let us take a look at a real live IPv6 router firmware, OpenWrt version 14.07 Barrier Breaker. In this router, IPv6 is enabled by default and works out of the box using DHCPv6 with prefix delegation, the most common way that ISPs will assign address space to customers.

OpenWrt's firewall configuration, like any reasonable firewall, blocks all inbound traffic by default. It contains a way to set up port forwarding rules for NATted IPv4 connections, as almost every other router has for years. It also has a traffic rules section for allowing specific traffic to be forwarded; this is what you use instead to allow inbound IPv6 traffic.

Most home routers I've seen with IPv6 support also firewall inbound IPv6 traffic by default, though they might not provide an easy way to forward inbound traffic, or it may be confusing. But since I never actually use factory firmware on any home router (OpenWrt is that much better), it's never affected me.

Indeed, many people are using IPv6 right now and have absolutely no idea that this is the case. When their ISPs enabled it, their home routers picked up the DHCPv6 responses and provisioned the addresses and everything Just Worked. Had I not needed more than a /64, I could have just plugged it in with zero configuration. I had to make one change to get a larger prefix delegation, though this is easy enough.

Finally there's one more thing: If you have a system on the IPv4 Internet today, it gets all sorts of inbound connection attempts on a variety of ports, attempting to exploit known vulnerabilities or brute-force passwords. The IPv4 address range is small enough that it can be scanned in its entirety in less than a day. But on IPv6, in almost a decade I've never seen such a connection attempt on any port. The much larger size of the host-part of the address makes scanning the range virtually impossible. But you need the firewall still; the fact that you can't be found from an IP address scan does not mean you can't be targeted by someone who already knows your address because they got it somewhere else.

In short, generally, no, you won't have to be too overly concerned about incoming IPv6 traffic because it will be firewalled by default, and because IPv6 address ranges can't be easily scanned. And for many people IPv6 will come on automatically and they will never notice.

Solution 2:

NAT really did very little for security. To implement NAT you basically have to have a stateful packet filter.

Having a stateful packet filter is still a strong requirement to be secure with IPv6; you simply no longer need the address translation since we have lots of address space.

A stateful packet filter is what permits outgoing traffic without permitting incoming traffic. So on your firewall/router you will set up rules which define what your internal network is and then you might permit your internal network to make outbound connections, but not permit any other networks to connect to your internal hosts, except in reply to your requests. If you are running services internally you might set up rules to permit the traffic for that specific service.

I expect IPv6 consumer routers either already do this, or will start implementing this in the future. If you are using some custom router, you might have to manage this yourself.
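The default-deny stateful filter that Solution 2 describes, together with the explicit inbound allow that Solution 1 says takes the place of a port forward on IPv6, as an added example that is not from either answer or from OpenWrt's own configuration format; it is written as an nftables ruleset, and the interface names wan0 and lan0, the internal host 2001:db8:abcd::10 and the documentation prefix it sits in are assumed.

```nft
#!/usr/sbin/nft -f
# Added example: a minimal stateful IPv6 filter for a home router.
# Assumed: wan0 faces the ISP, lan0 faces the home network, and the
# delegated prefix is 2001:db8:abcd::/64 (documentation prefix, constructed).
flush ruleset

table ip6 home {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        # Replies to connections the router itself opened are allowed back in.
        ct state established,related accept
        ct state invalid drop
        # IPv6 cannot work without ICMPv6: neighbour discovery, router
        # advertisements and path MTU discovery all depend on it.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-router-solicit,
                      nd-router-advert, nd-neighbor-solicit,
                      nd-neighbor-advert } accept
        # DHCPv6 with prefix delegation: the ISP's replies arrive from a
        # link-local address on the client port.
        iif wan0 ip6 saddr fe80::/10 udp dport 546 accept
        # Router management only from the inside.
        iif lan0 tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Stateful core: anything LAN hosts started may flow back in.
        ct state established,related accept
        ct state invalid drop
        # Internal hosts may open connections outward; nothing else is
        # forwarded in from wan0 unless a rule below says so.
        iif lan0 oif wan0 accept
        # ICMPv6 errors and echo must cross end to end or PMTUD breaks.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request } accept
        # The IPv6 counterpart of a port forward: no translation, just an
        # explicit allow of one service on one internal host.
        iif wan0 oif lan0 ip6 daddr 2001:db8:abcd::10 tcp dport 22 \
            ct state new accept
    }
}
```

Load it with `nft -f` on the router; every new inbound connection from wan0 that does not match the final rule is dropped, while LAN-initiated traffic and its replies pass through the `established,related` rule.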