[CentOS] IPV4 is nearly depleted, are you ready for IPV6?

Tue Dec 7 17:12:24 UTC 2010
David Sommerseth <dazo at users.sourceforge.net>

On 07/12/10 16:49, Bob McConnell wrote:
> Gavin Carr wrote:
>> On Mon, Dec 06, 2010 at 08:55:17PM -0500, Bob McConnell wrote:
>>>> 3) When I connect my IPV6 refrigerator with its automatic inventory
>>>> system tracking every RFID-enabled carrot I use, won't I be making my
>>>> shopping habits visible to all those annoying advertisers?  Or, in
>>>> other words, am I compromising my privacy?  Actually, although such
>>>> dissemination of information can be blocked by a correctly designed
>>>> firewall, I suspect the "Free IPv6 DSL Modem and Router, Sponsored by
>>>> <your-favorite-commercial-site>" that comes with your ISP contract,
>>>> would err on the side of promiscuity.
>>> Why yes, yes you are giving up some of your privacy. And unless you have
>>> the time and are willing and able to learn how to configure firewalls
>>> for each device and application you use, or have the money to pay
>>> someone else you trust to do it for you, there is very little to protect
>>> you from the rest of the world.
>>
>> That's at least overstated, and at worst complete FUD. Generic modems and
>> routers will be configured as they are now - with stateful firewalls
>> blocking all incoming traffic, except for streams initiated internally. 
>> Outgoing connections that would have worked before via NAT continue to
>> work, but without NAT. Stateful firewalls are still stateful firewalls.
>>
>> Where are you giving up some of your privacy? The number of hosts on
>> your internal network? So allocate 256 ips (or 65k, if you like) to every
>> host and use a random ip from that set for every distinct service or 
>> outgoing connection.
>>
>> There _is_ more information leakage with ipv6, in the sense that you are 
>> using a real ip from an internal machine on the connection. But the 
>> point is that the security benefit of that is largely illusory, security
>> by obscurity.
> 
> No, it is not FUD, it is a real concern by people with much to lose. 
> Those of you evangelizing this new, and still unproven technology can't 
> seem to recognize this simple fact.

This is FUD.  IPv6 has been talked about and worked on for about 15
years; the early talks about IPv6 started in the early 1990s.  It's
been implemented in most OSes over the last 10 years.  It's been
available to users for a long time.  But a reluctant market which is not
willing to change until it's absolutely needed has delayed the
implementation.  Now we're running out of IPv4 addresses pretty soon,
and system admins and network implementers are beginning to feel the heat.

  <http://datatracker.ietf.org/wg/ipv6/>

Notice that the IETF IPv6 Working Group concluded their work Jun 2007.
For more information, also check out:

  <http://www.ipv6actnow.org/info/statement/>

Based on the list of supporters, it also seems to be quite proven.  Every
day I meet more and more Internet services which provide both IPv4 and
IPv6 services.  IPv6 is in production in many places already.  Did you know
that these sites already provide IPv6?

  <http://ipv6.google.com>
  <http://www.v6.facebook.com>
  <http://www.heise.de>

None of them are small.  A-Pressen, a Norwegian media group, is looking
into rolling out IPv6 to the vast majority of its on-line newspapers.  That
IPv6 is unproven is simply a false statement.

> I consider that information leakage to be very significant. It 
> advertises the presence of another computer with explicit information on 
> where to reach it. Regardless of the firewall, none of which are 
> perfect, this increases the exposure of my systems in an adverse 
> fashion. It increases my risk of being penetrated by someone I probably 
> don't want rummaging around in my files. But I don't see any additional 
> protection being offered to replace what is being taken away.

There is no more information leakage in IPv6 compared to IPv4.  In IPv4
and IPv6 you still have to use public IP addresses to communicate with
the rest of the world.  The only difference with IPv4 + NAT is that all
computers on the inside use your firewall's public IP address.  That's
actually an even worse situation in my opinion, as that tells an
attacker where your firewall is.  With IPv6, you can have your firewall
with whatever IPv6 address you want, and an attacker doesn't know if he is
hitting a firewall or the destination host, which means the attacker
will know *less* about the attack vector than with IPv4.

And due to the enormous address space IPv6 gives each single site, doing
a brute-force attack against more IP addresses will be a never-ending
story.  Try to double 4,294,967,296 32 times, and you'll have the number
of addresses available *only to you* in *one* /64 subnet.  If you then
even introduce IPv6 Privacy Extensions, which will randomise and change
the IPv6 address regularly, an attacker will be shooting at a moving target.
Then put this "moving target" behind a firewall which doesn't provide
access from the outside to the inside (only from inside to outside), and
the attacker will not know whether he hits or not.

(This is seen from an IPv6 client-side perspective; as for the server-side
perspective, the situation is more or less identical to IPv4.)

And if you're afraid that your firewall "drops its pants", then place
two or more firewalls in cascade.  If one of them fails, the second or
the following one(s) will cover it.

If you have a need for a totally "secret network", each network adapter
can be assigned as many IPv6 addresses as you would like, so those
machines you would like to give access to the rest of the world may have
that, and those which are purely internal may be so as well, on a separate
subnet not being routed outside your network.  You can even put them in
a separate VLAN which is not routed to the outside at all, thus keeping
that network only to yourself.

And if you insist on having all clients using *one* IP address out to
the world, you have network proxies, like Squid [1].  This is a more
proper way to do what you want, instead of abusing NAT as a security
feature.  NAT was not created for security.  It was created to prolong
the lifetime of IPv4.


kind regards,

David Sommerseth


[1] <http://wiki.squid-cache.org/Features/IPv6>
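Added example, not part of the message above or of any poster's own words: the /64 arithmetic David describes (doubling the IPv4 space 32 times) and an RFC 4941-style temporary address generator of the kind IPv6 Privacy Extensions use. The prefix 2001:db8:1234:5678::/64 (documentation range) and the probe rate of one billion addresses per second are assumptions chosen for the illustration.

```python
import ipaddress
import secrets
from typing import Optional

IPV4_SPACE = 2 ** 32  # 4,294,967,296 addresses in all of IPv4


def hosts_in_prefix(prefix: str) -> int:
    """Number of addresses available inside a single IPv6 prefix."""
    return ipaddress.IPv6Network(prefix, strict=False).num_addresses


def doublings_from_ipv4(prefix: str = "2001:db8:1234:5678::/64") -> int:
    """How many times the whole IPv4 space must be doubled to fill the prefix."""
    n, doublings = IPV4_SPACE, 0
    target = hosts_in_prefix(prefix)
    while n < target:
        n *= 2
        doublings += 1
    return doublings


def temporary_address(prefix: str, iid: Optional[bytes] = None) -> ipaddress.IPv6Address:
    """Build an RFC 4941-style temporary address: the /64 prefix plus a random
    64-bit interface identifier.  The universal/local bit (0x02 of the first
    IID octet) is cleared to mark the identifier as locally generated.
    `iid` may be supplied for deterministic testing; otherwise it is random."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("temporary addresses are generated inside a /64")
    raw = bytearray(iid if iid is not None else secrets.token_bytes(8))
    raw[0] &= 0xFD  # clear the u/l bit
    return ipaddress.IPv6Address(int(net.network_address) + int.from_bytes(raw, "big"))


def scan_years(prefix: str, probes_per_second: float) -> float:
    """Years needed to probe every address in the prefix exactly once."""
    return hosts_in_prefix(prefix) / probes_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pfx = "2001:db8:1234:5678::/64"  # constructed documentation prefix
    print("doublings of IPv4 space to fill one /64:", doublings_from_ipv4(pfx))
    print("years to sweep one /64 at 1e9 probes/s:", round(scan_years(pfx, 1e9)))
    print("two temporary addresses:", temporary_address(pfx), temporary_address(pfx))
```

On Linux the kernel applies the same idea when `net.ipv6.conf.<iface>.use_tempaddr` is set to 2, preferring a regularly regenerated random address for outgoing connections.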