IPv6 Trial

AfriNatic

Afrihost Rep
Staff member
Joined
Nov 18, 2016
Messages
3,244
How does the router know what IPv6 addresses to allocate to each device sitting behind the router?

The router will act as a relay to the DHCPv6 server on our side.

Leases granted are for 30 days.

You can do an IP config test on a pc and see that you get a public IPv6 address from Afrihost.
 

Mr Scratch

Expert Member
Joined
May 15, 2013
Messages
4,770
The router will act as a relay to the DHCPv6 server on our side.

Leases granted are for 30 days.

You can do an IP config test on a pc and see that you get a public IPv6 address from Afrihost.

Hold on, you're exposing LAN devices directly to the IPv6 WAN?

No NAT? No firewall?

Big big balls, I hope all your clients have every device on their LAN patched.
 

AfriNatic

Afrihost Rep
Staff member
Joined
Nov 18, 2016
Messages
3,244
Hold on, you're exposing LAN devices directly to the IPv6 WAN?

No NAT? No firewall?

Big big balls, I hope all your clients have every device on their LAN patched.

That is exactly what IPv6 is about. NAT was designed for IPv4 and the challenges relating to the number of addresses that are available. NAT was never designed for IPv6, as there are so many available that each host can have an IP address.

Any device that has open ports is not configured correctly, and we should not blame IPv6 for that.
 

Mr Scratch

Expert Member
Joined
May 15, 2013
Messages
4,770
That is exactly what IPv6 is about. NAT was designed for IPv4 and the challenges relating to the number of addresses that are available. NAT was never designed for IPv6, as there are so many available that each host can have an IP address.

Any device that has open ports is not configured correctly, and we should not blame IPv6 for that.

Yes, IPv6 is not to blame, and neither is NAT. You're (Afrihost) exposing potentially unpatched devices to WAN and as an ISP I'm sure Afrihost has taken the above into consideration once the wild west cowboys hear this. Good luck.
 

AfriNatic

Afrihost Rep
Staff member
Joined
Nov 18, 2016
Messages
3,244
Yes, IPv6 is not to blame, and neither is NAT. You're (Afrihost) exposing potentially unpatched devices to WAN and as an ISP I'm sure Afrihost has taken the above into consideration once the wild west cowboys hear this. Good luck.

But that is how each IP works that has IPv6 enabled? Am I missing something here?

It's up to the client whether they want to enable it on their side. It's disabled by default in the devices we send and clients can opt to enable it.
 

deweyzeph

Executive Member
Joined
Apr 17, 2009
Messages
8,329
That is exactly what IPv6 is about. NAT was designed for IPv4 and the challenges relating to the number of addresses that are available. NAT was never designed for IPv6, as there are so many available that each host can have an IP address.

Any device that has open ports is not configured correctly, and we should not blame IPv6 for that.

This is potentially a huge issue though for inexperienced consumers. NAT at least provided some protection, but with IPv6 every device on your network is going to have a publicly accessible IP address. A well-configured firewall at the router level is going to be very important; it's unrealistic to expect every device to be its own firewall.
 

Mr Scratch

Expert Member
Joined
May 15, 2013
Messages
4,770
But that is how each IP works that has IPv6 enabled? Am I missing something here?

Not at all, I know you understand how this all works. I'm just wishing you the best managing the internet cowboys once they hear Afrihost is open for business.

It's up to the client whether they want to enable it on their side. It's disabled by default in the devices we send and clients can opt to enable it.

This I like, make it opt-in until mass adoption is reached and the average Joe's IPv6-enabled router isn't trash.

Currently, NAT is the only thing standing between the cowboys and unpatched client devices, even though NAT was never intended for this purpose.
 

AfriNatic

Afrihost Rep
Staff member
Joined
Nov 18, 2016
Messages
3,244
Not at all, I know you understand how this all works. I'm just wishing you the best managing the internet cowboys once they hear Afrihost is open for business.



This I like, make it opt-in until mass adoption is reached and the average Joe's IPv6-enabled router isn't trash.

Currently, NAT is the only thing standing between the cowboys and unpatched client devices, even though NAT was never intended for this purpose.

Most devices, including but not limited to OS X, Linux and Windows, make use of temporary addresses. These will address the privacy concern that people have regarding a public address on hosts.
 

Mr Scratch

Expert Member
Joined
May 15, 2013
Messages
4,770
Most devices, including but not limited to OS X, Linux and Windows, make use of temporary addresses. These will address the privacy concern that people have regarding a public address on hosts.

Why does this matter when the targets are the unpatched systems?

Think IoT, CCTV, old Android boxes, etc

Are you guys hoping and praying all your clients are good at patching their consumer-grade devices that likely don't even have patches to apply?

A 10Gbit link, masscan and a few hours scanning 2c0f:f4c0::/32 (I'll do it for $50 lol) will find all those fun devices, pop root and suddenly Afrihost is running ZA's largest IPv6 botnet (and since you can infect over IPv6, but the network still has dual-stack, you can attack over a shared IPv4 IP. Good luck trying to find out which client(s) have the unpatched systems when it's a shared IPv4 with CGNAT)
 

AfriNatic

Afrihost Rep
Staff member
Joined
Nov 18, 2016
Messages
3,244
Why does this matter when the targets are the unpatched systems?

Think IoT, CCTV, old Android boxes, etc

Are you guys hoping and praying all your clients are good at patching their consumer-grade devices that likely don't even have patches to apply?

A 10Gbit link, masscan and a few hours scanning 2c0f:f4c0::/32 will find all those fun devices, pop root and suddenly Afrihost is running ZA's largest IPv6 botnet (and since you can infect over IPv6, but the network still has dual-stack, you can attack over a shared IPv4 IP. Good luck trying to find out which client(s) have the unpatched systems when it's a shared IP)

But is that not the same for every single ISP that has IPv6?

In fact, if you scan an ISP's IPv4 ranges you will find the same issue has already existed for years. It's definitely not something new.

We are offering native IPv6 support to clients. We are not forcing it onto anyone. We aren't hoping for anything; we are simply getting the network ready for what will be forced upon everyone in the next 2 years or so.

ISPs are already implementing carrier grade NAT due to the constraints experienced with IPv4. IPv6 is the only logical solution to the issue and that is the reason it exists. If clients want to take advantage of that, great; if not, then no problem, but CGN is here to stay on IPv4.
 

blunt

Expert Member
Joined
May 1, 2006
Messages
3,014
I'm pretty sure the router handles the firewalling, and if you'd want to expose a port it would be a matter of opening it for that specific IP on the router's firewall - no?

I highly doubt it's a case of a totally unprotected connection to the internet for each device.
 

Mr Scratch

Expert Member
Joined
May 15, 2013
Messages
4,770
I'm pretty sure the router handles the firewalling, and if you'd want to expose a port it would be a matter of opening it for that specific IP on the router's firewall - no?

I highly doubt it's a case of a totally unprotected connection to the internet for each device.

No, this is true with IPv4 but not with native IPv6.
 

Mr Scratch

Expert Member
Joined
May 15, 2013
Messages
4,770
But is that not the same for every single ISP that has IPv6?

In fact, if you scan an ISP's IPv4 ranges you will find the same issue has already existed for years. It's definitely not something new.

We are offering native IPv6 support to clients. We are not forcing it onto anyone. We aren't hoping for anything; we are simply getting the network ready for what will be forced upon everyone in the next 2 years or so.

ISPs are already implementing carrier grade NAT due to the constraints experienced with IPv4. IPv6 is the only logical solution to the issue and that is the reason it exists. If clients want to take advantage of that, great; if not, then no problem, but CGN is here to stay on IPv4.

Now you're missing the entire point. Anyways, good luck.
 

Mr Scratch

Expert Member
Joined
May 15, 2013
Messages
4,770
In fact, if you scan an ISP's IPv4 ranges you will find the same issue has already existed for years. It's definitely not something new.

One more thing just to address this, no, you are wrong. IPv4 had NAT, IPv6 will not. That is the difference. You are now exposing an entirely new class of exploitable devices directly to WAN that were previously "protected" by NAT.
 

AfriNatic

Afrihost Rep
Staff member
Joined
Nov 18, 2016
Messages
3,244

You can read up on that link how long it will take to port scan an IPv6 subnet with a 1Gbps connection. It will take a couple of years.

Even if an attacker were to find an open port to exploit, the address might be temporary, or the address might already have been recycled and no longer be assigned to the host that had the port exposed.

It's almost impossible but not totally impossible I guess.

This does not just apply to Afrihost; it applies to every single device connected to the internet, even maybe a Google router that is misconfigured somewhere in the world.
 

Genisys

Honorary Master
Joined
Jan 12, 2016
Messages
10,771

You can read up on that link how long it will take to port scan an IPv6 subnet with a 1Gbps connection. It will take a couple of years.

Even if an attacker were to find an open port to exploit, the address might be temporary, or the address might already have been recycled and no longer be assigned to the host that had the port exposed.

It's almost impossible but not totally impossible I guess.

This does not just apply to Afrihost; it applies to every single device connected to the internet, even maybe a Google router that is misconfigured somewhere in the world.
I think you are missing the point entirely.

The point isn't how likely it is to find a device. The point is that there are firewall rules that need to be in place for IPv6 networks. If you don't tell a customer about the risk and how to fix it, it's the same as leaving them out in the open to fend for themselves, and even worse if they come back to their computer two hours later to see there has been a crypto locker run on it, or someone accessed a network share with all their private information saved in it (and because they didn't know it's accessible to the world, they wouldn't know any better). Maybe they run a version of Windows with a zero-day vulnerability even? Playing the "It's an existing issue" card is also not on. Going from NAT to native IPv6 means your devices will now all be exposed to incoming traffic from the internet that they weren't exposed to before.

Besides that, reading about recycling IP addresses on IPv6 is also funny. IPv6 addresses are something that shouldn't change. Playing musical chairs doesn't take away the fact that devices are exposed to clearnet.
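The kind of router-level ruleset deweyzeph and Genisys are asking for, added here as an example rather than taken from Afrihost or any poster: a default-deny, stateful IPv6 firewall for a Linux home router using nftables. It assumes the WAN interface is eth0 and the LAN bridge is br0, and the one host it optionally exposes is a placeholder from the 2001:db8::/32 documentation prefix.

```nftables
#!/usr/sbin/nft -f
# Added example (not Afrihost's or any poster's configuration): default-deny,
# stateful IPv6 filtering on a Linux home router.
# Assumptions: WAN = eth0, LAN = br0, placeholder host address 2001:db8:1::10.
# Adjust all three before loading with `nft -f <file>`.

table ip6 filter        # declare first so the flush below is safe on first load
flush table ip6 filter  # makes the script idempotent without touching IPv4 rules

table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # ICMPv6 the router itself needs: errors, PMTU, ping, neighbour
        # discovery and router solicitations from LAN hosts (RFC 4890 subset).
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-router-solicit,
                      nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        # Replies from the ISP's DHCPv6 server/relay to the router's client
        # arrive from a link-local source, UDP 547 -> 546.
        iif "eth0" ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept
        # Router management only from the LAN side.
        iif "br0" tcp dport { 22, 443 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Let errors, PMTU and ping reach LAN hosts; nothing else unsolicited.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request } accept
        # LAN hosts may open connections outward; WAN may not open inward.
        iif "br0" oif "eth0" accept
        # The IPv6 equivalent of an IPv4 port-forward: one port, one host, by
        # address. Uncomment and replace the placeholder to expose that service.
        # iif "eth0" oif "br0" ip6 daddr 2001:db8:1::10 tcp dport 443 accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

After loading, `nft list table ip6 filter` shows the active rules; with the forward policy at drop, a LAN host remains reachable from outside only through an explicit exception like the commented one.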
 

blunt

Expert Member
Joined
May 1, 2006
Messages
3,014
One more thing just to address this, no, you are wrong. IPv4 had NAT, IPv6 will not. That is the difference. You are now exposing an entirely new class of exploitable devices directly to WAN that were previously "protected" by NAT.
hmm interesting, and concerning indeed, particularly for IoT devices.


I guess this is promising for me since I use MK at home on OS, for whenever that arrives.

I see on the DIR-825 you can add IP filters, I'd guess this is what would be required
 

AfriNatic

Afrihost Rep
Staff member
Joined
Nov 18, 2016
Messages
3,244
I think you are missing the point entirely.

The point isn't how likely it is to find a device. The point is that there are firewall rules that need to be in place for IPv6 networks. If you don't tell a customer about the risk and how to fix it, it's the same as leaving them out in the open to fend for themselves, and even worse if they come back to their computer two hours later to see there has been a crypto locker run on it, or someone accessed a network share with all their private information saved in it (and because they didn't know it's accessible to the world, they wouldn't know any better). Maybe they run a version of Windows with a zero-day vulnerability even? Playing the "It's an existing issue" card is also not on. Going from NAT to native IPv6 means your devices will now all be exposed to incoming traffic from the internet that they weren't exposed to before.

Besides that, reading about recycling IP addresses on IPv6 is also funny. IPv6 addresses are something that shouldn't change. Playing musical chairs doesn't take away the fact that devices are exposed to clearnet.

This is a trial and feedback is really valuable. We would welcome any suggestions anyone has.
 