IPv6 Roll Out

How does the router know what IPv6 addresses to allocate to each device sitting behind the router?

The router will act as a relay to the DHCPv6 server on our side.

Leases granted are for 30 days.

You can do an IP config test on a PC and see that you get a public IPv6 address from Afrihost.
 
The router will act as a relay to the DHCPv6 server on our side.

Leases granted are for 30 days.

You can do an IP config test on a PC and see that you get a public IPv6 address from Afrihost.

Hold on, you're exposing LAN devices directly to the IPv6 WAN?

No NAT? No firewall?

Big big balls, I hope all your clients have every device on their LAN patched.
 
Hold on, you're exposing LAN devices directly to the IPv6 WAN?

No NAT? No firewall?

Big big balls, I hope all your clients have every device on their LAN patched.

That is exactly what IPv6 is about. NAT was designed for IPv4 and the challenges relating to the number of addresses that are available. NAT was never designed for IPv6, as there are so many available that each host can have an IP address.

Any device that has open ports is not configured correctly, and we should not blame IPv6 for that.
 
That is exactly what IPv6 is about. NAT was designed for IPv4 and the challenges relating to the number of addresses that are available. NAT was never designed for IPv6, as there are so many available that each host can have an IP address.

Any device that has open ports is not configured correctly, and we should not blame IPv6 for that.

Yes, IPv6 is not to blame, and neither is NAT. You're (Afrihost) exposing potentially unpatched devices to WAN and as an ISP I'm sure Afrihost has taken the above into consideration once the wild west cowboys hear this. Good luck.
 
Yes, IPv6 is not to blame, and neither is NAT. You're (Afrihost) exposing potentially unpatched devices to WAN and as an ISP I'm sure Afrihost has taken the above into consideration once the wild west cowboys hear this. Good luck.

But that is how each ISP that has IPv6 enabled works? Am I missing something here?

It's up to the client whether they want to enable it on their side. It's disabled by default in the devices we send and clients can opt to enable it.
 
That is exactly what IPv6 is about. NAT was designed for IPv4 and the challenges relating to the number of addresses that are available. NAT was never designed for IPv6, as there are so many available that each host can have an IP address.

Any device that has open ports is not configured correctly, and we should not blame IPv6 for that.

This is potentially a huge issue though for inexperienced consumers. NAT at least provided some protection, but with IPv6 every device on your network is going to have a publicly accessible IP address. A well-configured firewall at the router level is going to be very important; it's unrealistic to expect every device to be its own firewall.
 
But that is how each ISP that has IPv6 enabled works? Am I missing something here?

Not at all, I know you understand how this all works. I'm just wishing you the best managing the internet cowboys once they hear Afrihost is open for business.

It's up to the client whether they want to enable it on their side. It's disabled by default in the devices we send and clients can opt to enable it.

This I like, make it opt-in until mass adoption is reached and the average Joe's IPv6-enabled router isn't trash.

Currently, NAT is the only thing standing between the cowboys and unpatched client devices, even though NAT was never intended for this purpose.
 
Not at all, I know you understand how this all works. I'm just wishing you the best managing the internet cowboys once they hear Afrihost is open for business.

This I like, make it opt-in until mass adoption is reached and the average Joe's IPv6-enabled router isn't trash.

Currently, NAT is the only thing standing between the cowboys and unpatched client devices, even though NAT was never intended for this purpose.

Most devices, including but not limited to OS X, Linux and Windows, make use of temporary addresses. These will address the privacy concern that people have regarding a public address on hosts.
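An added example (not from the thread or from any vendor) for checking the claim above on a real host: it reads `ip -6 -o addr show` output and reports, per interface, whether a temporary (RFC 4941) address is present or only a stable MAC-derived EUI-64 address, which is what many IoT-style devices end up with. The iproute2 output format and the sample lines are assumptions; the sample is constructed.

```shell
# Added example, not from the thread or from any vendor: does a host really have
# RFC 4941 temporary addresses, or only a stable, MAC-derived EUI-64 global address?
# Assumed: Linux iproute2 `ip -6 -o addr show` output; the sample below is constructed.
SAMPLE_IP6_ADDRS='2: eth0  inet6 2001:db8:1:2:1a2b:3cff:fe4d:5e6f/64 scope global dynamic mngtmpaddr
2: eth0  inet6 2001:db8:1:2:9d3e:41aa:7c10:2ff/64 scope global temporary dynamic
2: eth0  inet6 fe80::1a2b:3cff:fe4d:5e6f/64 scope link
3: wlan0 inet6 2001:db8:1:2:5ea1:ffff:fe77:9001/64 scope global dynamic'

# Prints "<iface> <address> <class>" for each global address read on stdin.
# class: temporary (RFC 4941), stable-eui64 (ff:fe inside the interface id, a heuristic),
# or stable-other (DHCPv6-assigned or RFC 7217 stable-privacy addresses look like this).
classify_ip6() {
  awk '$3 == "inet6" && /scope global/ {
    addr = $4; sub(/\/.*/, "", addr)
    if (/ temporary( |$)/)             cls = "temporary"
    else if (addr ~ /ff:fe[0-9a-f]*:/) cls = "stable-eui64"
    else                               cls = "stable-other"
    print $2, addr, cls
  }'
}

# Prints "OK" (exit 0) when every interface with a global address also has a
# temporary one; otherwise names the interfaces without one and exits 1.
privacy_verdict() {
  classify_ip6 | awk '
    { seen[$1] = 1; if ($3 == "temporary") tmp[$1] = 1 }
    END {
      bad = 0
      for (i in seen) if (!(i in tmp)) { print i, "has no temporary address"; bad = 1 }
      if (!bad) print "OK"
      exit bad
    }'
}

# On a real host:  ip -6 -o addr show | privacy_verdict
printf '%s\n' "$SAMPLE_IP6_ADDRS" | privacy_verdict || echo "privacy extensions are off on at least one interface"
```

The EUI-64 test is a text heuristic (it looks for the ff:fe marker in the address string), so treat a stable-eui64 verdict as a prompt to check the device, not as proof.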
 
Most devices, including but not limited to OS X, Linux and Windows, make use of temporary addresses. These will address the privacy concern that people have regarding a public address on hosts.

Why does this matter when the targets are the unpatched systems?

Think IoT, CCTV, old Android boxes, etc.

Are you guys hoping and praying all your clients are good at patching their consumer-grade devices that likely don't even have patches to apply?

A 10Gbit link, masscan and a few hours scanning 2c0f:f4c0::/32 (I'll do it for $50 lol) will find all those fun devices, pop root and suddenly Afrihost is running ZA's largest IPv6 botnet (and since you can infect over IPv6, but the network still has dual-stack, you can attack over a shared IPv4 IP. Good luck trying to find out which client(s) have the unpatched systems when it's a shared IPv4 with CGNAT)
 
Why does this matter when the targets are the unpatched systems?

Think IoT, CCTV, old Android boxes, etc.

Are you guys hoping and praying all your clients are good at patching their consumer-grade devices that likely don't even have patches to apply?

A 10Gbit link, masscan and a few hours scanning 2c0f:f4c0::/32 will find all those fun devices, pop root and suddenly Afrihost is running ZA's largest IPv6 botnet (and since you can infect over IPv6, but the network still has dual-stack, you can attack over a shared IPv4 IP. Good luck trying to find out which client(s) have the unpatched systems when it's a shared IP)

But is that not the same for every single ISP that has IPv6?

In fact, if you scan an ISP's IPv4 ranges you will find the same issue has already existed for years. It's definitely not something new.

We are offering native IPv6 support to clients. We are not forcing it onto anyone. We aren't hoping for anything; we are simply getting the network ready for what will be forced upon everyone in the next 2 years or so.

ISPs are already implementing carrier-grade NAT due to the constraints experienced with IPv4. IPv6 is the only logical solution to the issue and that is the reason it exists. If clients want to take advantage of that, great; if not, then no problem, but CGN is here to stay on IPv4.
 
I'm pretty sure the router handles the firewalling, and if you'd want to expose a port it would be a matter of opening it for that specific IP on the router's firewall, no?

I highly doubt it's a case of a totally unprotected connection to the internet for each device.
 
I'm pretty sure the router handles the firewalling, and if you'd want to expose a port it would be a matter of opening it for that specific IP on the router's firewall, no?

I highly doubt it's a case of a totally unprotected connection to the internet for each device.

No, this is true with IPv4 but not with native IPv6.
 
But is that not the same for every single ISP that has IPv6?

In fact, if you scan an ISP's IPv4 ranges you will find the same issue has already existed for years. It's definitely not something new.

We are offering native IPv6 support to clients. We are not forcing it onto anyone. We aren't hoping for anything; we are simply getting the network ready for what will be forced upon everyone in the next 2 years or so.

ISPs are already implementing carrier-grade NAT due to the constraints experienced with IPv4. IPv6 is the only logical solution to the issue and that is the reason it exists. If clients want to take advantage of that, great; if not, then no problem, but CGN is here to stay on IPv4.

Now you're missing the entire point. Anyways, good luck.
 
In fact, if you scan an ISP's IPv4 ranges you will find the same issue has already existed for years. It's definitely not something new.

One more thing just to address this, no, you are wrong. IPv4 had NAT, IPv6 will not. That is the difference. You are now exposing an entirely new class of exploitable devices directly to WAN that were previously "protected" by NAT.
 

You can read up on that link how long it will take to port scan an IPv6 subnet with a 1Gbps connection. It will take a couple of years.

Even if an attacker were to find an open port to exploit, the address might be temporary, or the address might already have been recycled and no longer be assigned to the host that had the port exposed.

It's almost impossible but not totally impossible I guess.

This does not just apply to Afrihost; it applies to every single device connected to the internet, even maybe a Google router that is misconfigured somewhere in the world.
 

You can read up on that link how long it will take to port scan an IPv6 subnet with a 1Gbps connection. It will take a couple of years.

Even if an attacker were to find an open port to exploit, the address might be temporary, or the address might already have been recycled and no longer be assigned to the host that had the port exposed.

It's almost impossible but not totally impossible I guess.

This does not just apply to Afrihost; it applies to every single device connected to the internet, even maybe a Google router that is misconfigured somewhere in the world.

I think you are missing the point entirely.

The point isn't how likely it is to find a device. The point is that there are firewall rules that need to be in place for IPv6 networks. If you don't tell a customer about the risk and how to fix it, it's the same as leaving them out in the open to fend for themselves, and even worse if they come back to their computer two hours later to see there has been a crypto locker run on it, or someone accessed a network share with all their private information saved in it (and because they didn't know it's accessible to the world they wouldn't know any better). Maybe they run a version of Windows with a zero-day vulnerability even? Playing the "It's an existing issue" card is also not on. Going from NAT to native IPv6 means your devices will now all be exposed to incoming traffic from the internet they weren't exposed to before.

Besides that, reading about recycling IP addresses on IPv6 is also funny. IPv6 addresses are something that shouldn't change. Playing musical chairs doesn't take away the fact that devices are exposed to clearnet.
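As an added example (this is not Afrihost's or any router vendor's configuration), here is the kind of router-level stateful IPv6 firewall that this post and the earlier "well-configured firewall at the router level" post are asking for, written as an nftables ruleset loaded from a shell script. The interface names br-lan and pppoe-wan, the 2001:db8 documentation-prefix address, and a router that runs nftables and relays DHCPv6 (UDP 547) to the ISP as described in the thread are all assumptions.

```shell
# Added example, not Afrihost's or any router vendor's configuration: a stateful
# IPv6 firewall of the kind the posts above say a router needs once NAT is gone.
# Assumed: Linux router with nftables, LAN bridge "br-lan", WAN "pppoe-wan",
# and DHCPv6 relayed by the router (UDP 547) to the ISP as the thread describes.
ipv6_ruleset() {
cat <<'EOF'
table ip6 lanfw {
  chain forward {
    type filter hook forward priority 0; policy drop;
    # Replies to connections the LAN opened; drop packets the state table rejects
    ct state established,related accept
    ct state invalid drop
    # ICMPv6 is not optional in IPv6 (PMTU discovery etc.); RFC 4890 lists the types
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                  parameter-problem, echo-request } accept
    # The LAN may initiate anything outbound
    iifname "br-lan" oifname "pppoe-wan" accept
    # Opt-in pinhole: one host, one port (constructed documentation-prefix address)
    # iifname "pppoe-wan" ip6 daddr 2001:db8:1:2::10 tcp dport 443 accept
    # Unsolicited inbound from the WAN: log a sample, then the drop policy applies
    iifname "pppoe-wan" limit rate 5/minute log prefix "ip6 fwd drop: "
  }
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "lo" accept
    # Neighbour discovery, the ISP's router advertisements, LAN router solicitations
    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert,
                  nd-router-solicit, destination-unreachable, packet-too-big,
                  time-exceeded, parameter-problem, echo-request } accept
    # DHCPv6: LAN clients to the relay, and the ISP server's replies back to the relay
    iifname "br-lan" udp dport 547 accept
    iifname "pppoe-wan" udp sport 547 udp dport 547 accept
    # Router management only from the LAN side
    iifname "br-lan" tcp dport { 22, 443 } accept
  }
}
EOF
}

# Idempotent load: create-if-missing followed by delete lets nft replace the table atomically.
apply_ipv6_ruleset() {
  { printf 'table ip6 lanfw\ndelete table ip6 lanfw\n'; ipv6_ruleset; } | nft -f -
}
```

Run `ipv6_ruleset` to review the rules, and `apply_ipv6_ruleset` as root on the router to load them; the commented pinhole line is the template for the opt-in port exposure the thread discusses.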
 
One more thing just to address this, no, you are wrong. IPv4 had NAT, IPv6 will not. That is the difference. You are now exposing an entirely new class of exploitable devices directly to WAN that were previously "protected" by NAT.

Hmm, interesting, and concerning indeed, particularly for IoT devices.

I guess this is promising for me since I use MK at home on OS, for whenever that arrives.

I see on the DIR-825 you can add IP filters; I'd guess this is what would be required.
 
I think you are missing the point entirely.

The point isn't how likely it is to find a device. The point is that there are firewall rules that need to be in place for IPv6 networks. If you don't tell a customer about the risk and how to fix it, it's the same as leaving them out in the open to fend for themselves, and even worse if they come back to their computer two hours later to see there has been a crypto locker run on it, or someone accessed a network share with all their private information saved in it (and because they didn't know it's accessible to the world they wouldn't know any better). Maybe they run a version of Windows with a zero-day vulnerability even? Playing the "It's an existing issue" card is also not on. Going from NAT to native IPv6 means your devices will now all be exposed to incoming traffic from the internet they weren't exposed to before.

Besides that, reading about recycling IP addresses on IPv6 is also funny. IPv6 addresses are something that shouldn't change. Playing musical chairs doesn't take away the fact that devices are exposed to clearnet.

This is a trial and feedback is really valuable. We would welcome any suggestions anyone has.
 