The IPv6 digital dilemma

We are now entering the time of permanent IPv6 presence. 6 June is ‘IPv6 Launch Day’, and following this we expect quite a large number of companies to enable IPv6 on their services and lots of ISPs to make IPv6 available to their customers. So you need to ask yourself now: are you ready to accept the new and improved, the unknown and available, the secure and open network standard now, later or never?
My first impression of IPv6 after reading some material was ‘yes and no’, and it still is. I’ve taken steps to improve my setup, I’ve tested and tested, and I still remain hesitant because I cannot suggest to anyone, neither home users nor companies, that they implement IPv6 now… But if your decision is to try and test, I can make some suggestions…
Whatever they say about what is included with IPv6 (IPsec, protocol differences, etc.), remember that it’s only as secure as the least secure item on your network. So find your lowest common denominator and figure out how you’ll apply security. Some will find easy ways of doing monitoring and auditing, while others will quickly notice that they’ve got none at all.
Lots of users will have hands-on experience with their loggers: Event Viewer, syslog, console log, etc. But there will be new issues with IPv6. My immediate realization and my experience:
  • Mostly not reading the log *all the time* and missing most stuff… for my part, it’s OK since it’s mostly firewalled, with ACLs in the appropriate location
  • Firewalls and antivirus apps not knowing anything about IPv6
  • IPv6 traffic which *I* don’t know anything about, like Teredo tunnels and others (HE.NET, Freenet…)
  • Services defaulting to IPv6 servers with variable reliability and added delays, DNS issues with PTR records, hosts.allow messed up, all accurate responses to unexpected queries and traffic
Several accidental issues popped up after IPv6-enabled services were introduced, i.e. the service is implemented and tested, the AAAA record is added to the DNS, and the service starts to pop up *and fail*. Why?
  • Routing and response issues, with the local firewall not accepting the new traffic. The new traffic isn’t as easy as “tcp port X is opened, and we respond”. Oh no, we’ve got to worry about advertisements and neighbour discovery, and this will be your issue if you’ve got rogues on your network, because you’ll have to trust your neighbours or use software and correct configuration to ensure your traffic is secure. After configuring neighbour discovery and accepting the correct packets from the router, traffic starts to flow and the ACLs drop traffic again.
  • IPv6 addresses in ACLs are commonly wrapped in []’s with the subnet mask *following*, e.g. [2001:470::]/32 (Hurricane Electric).
  • IPv6 isn’t correctly supported on all operating systems. Our users had Mac OS X Leopard, which had problems with manual configuration, and Snow Leopard, which doesn’t correctly allow neighbour advertisements with ip6fw unless you strip the PowerPC code from the binary…
  • On any network with a router advertisement daemon, any Linux, Mac OS X and many Windows Vista and all Windows 7 machines will pop up with an IPv6 address. Windows XP machines shouldn’t do it unless specifically enabled.
  • Operating systems *don’t* block IPv6 traffic by default. Your firewall may be *oblivious* to IPv6 traffic. You may have services which are enabled and fully protected on IPv4, but they’ll be visible on IPv6 and may be hacked, even if they *are* the secure services. Do you watch your laptop or work machine for attempts to authorize users against the SSH daemon or SMB/CIFS services? Usually we just *block* access to authentication services, but there are always servers which will allow this, and if you don’t start dropping connections, you may be opening up a system to infinite hack attempts on generally secured services.
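One way to check a host for the last point, services that are loopback-only or absent on IPv4 but listening off-host on IPv6. This is an added example, not code from the original post; it assumes Linux `ss -H -ltn` output, and the sample lines and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -H -ltn` output: State Recv-Q Send-Q Local Peer
SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 100 [::]:25 [::]:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 [::1]:5432 [::]:*
LISTEN 0 511 *:8080 *:*
"""

def exposure(host):
    """Return [(ip_version, reachable_off_host)] for one bind address."""
    if host == "*":  # dual-stack wildcard socket: answers on both families
        return [(4, True), (6, True)]
    # Drop the brackets and any %interface scope before parsing.
    ip = ipaddress.ip_address(host.strip("[]").split("%")[0])
    return [(ip.version, not ip.is_loopback)]

def audit(ss_output):
    """Return (ports reachable over IPv6, ports reachable over IPv6 only)."""
    ports = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, port = fields[3].rsplit(":", 1)
        entry = ports.setdefault(int(port), {4: False, 6: False})
        for family, remote in exposure(host):
            entry[family] = entry[family] or remote
    v6_reachable = sorted(p for p, e in ports.items() if e[6])
    v6_only = sorted(p for p, e in ports.items() if e[6] and not e[4])
    return v6_reachable, v6_only

if __name__ == "__main__":
    reachable, v6_only = audit(SAMPLE)
    print("check these ports against your IPv6 firewall rules:", reachable)
    print("off-host on IPv6 but not on IPv4:", v6_only)
```

Every port in the first list needs an IPv6 firewall rule or ACL of its own; the second list is where the IPv4 configuration gives a false sense of protection.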
If you think you’re part of a network which is *too large to scan*, because your smallest network is 64 bits large and your machine or server is hidden somewhere, remember that many devices are servers and will present AAAA records, and PTR records may give away some information. A local machine will be able to discover its neighbours, so your immediate danger of ‘scanning’ is already a part of your neighbourhood. Also, this is all about discovery: when you start accessing services, you’ll start to leave your footprints, your digital fingerprint will be all over the internet, and a port scanning device, sniffer or data mining tool will start collecting IPv6 addresses and information. Remember that the default setup for router advertisements will use your network card’s MAC address (ethernet address), and when you move to a new network, you’ll already carry an identifier which can be datamined. IPv6 does have some methods of randomizing your IPv6 address for security. This will of course make it more difficult to maintain AAAA and PTR records, and some services will refuse connections from addresses that are missing PTR records or have a mismatch between AAAA and PTR (RFC931).
One contingency plan was to make the address space enormously large, but it will be filled. Several vendors, users and companies will simply make lots and lots of networks and spend their CPU cycles on routing and ACLs for a simpler setup, but it’s not a good solution. It’s a situation where a secure webserver may be hosted in a dedicated /64 network because we can’t as yet break it down to /120 and then manage that by ACL on the routing level, BUT we can do it on a local level if you implement strict policies, know your devices and have trustworthy management and auditing. It’s a management nightmare which needs solutions. There will be many views on how to implement security, and they are all important because security will be required.

 

My suggestions?
  • If you have a System Administrator, make sure he’s up to date, and that he’s met IPv6 people and knows what’s what.
  • If you don’t have a System Administrator, get advice – should you do it and how.
  • Get into the habit of auditing and monitoring; free tools include ntop and Cacti
  • Realize that there are holes which you cannot cover, since they may be your published application
  • Backup, backup and backup
  • Your system may be viable for separating services and users; this will make ACLs and firewalls manageable… sort of
  • Remember your digital footprint. You may want to reduce it and, if so, use the privacy extensions, but they are an add-on to security, not “the security”
  • Because native IPv6 will create a direct connection between nodes, each node should include security of some sort. Although you can implement a firewall on your routers, it’s not a solution but an interim fix while you carry out your internal IPv6 deployment and solve your internal issues.
Björn R. (My opinions are my own)

Conduct on the internet

Conduct on the internet is much discussed, and many parents have heard of issues such as the terms of social networking sites prohibiting their use by children under the age of 13. ISNIC points to websites such as SAFT, which contain guidance on children’s internet use and access to the internet, particularly on home computers.

It is not only children who are subjected to harassment on the internet, and it is important for everyone to browse the internet responsibly. It is therefore worth remembering that what you do and say on the internet may be recorded on numerous web servers all over the world, and data posted in complete innocence is often used by parties who have no right to it. You also need to read the terms wherever you leave data behind, because they often give that provider unlimited rights to use the data; few promises are made not to do so. Your trail on the internet is therefore like a fingerprint, and your use of a browser is like a stamp identifying you. Many websites can use your fingerprint, often for innocent purposes and for convenience, sometimes to show you advertisements that suit you better, but sometimes for negative and undesirable purposes.

People who use the web should also familiarise themselves with good old writing on digital behaviour, the so-called Netiquette book by Virginia Shea. Although it does not cover the very latest developments, the rules on conduct and presentation apply to what people do on the internet today.

In the past, people used non-interactive websites, discussion boards (e.g. news) and email. Today people use this or that social networking site, leave photos and videos here and there, and can chat with people over the web/browser, through instant messaging (IM) systems, directly through social networking sites, and with calls (e.g. Skype and similar software); IRC still works, and some people chat directly through their computer games. Most individuals and companies nevertheless still mostly use the web and email. We therefore want to place strong emphasis on people taking care and doing their part to educate others, or educate themselves, about the use of these things, in order to spare themselves and others all kinds of problems that misuse of them can create.

Unfortunately we often see emails with undesirable content, everything from spam and viruses to personal replies where people lose control of their creativity and send fancy emails with huge images in the digital signature. These matters can therefore escalate: something that could have taken a short time and been clear is wrapped in argument or in a volume of data for which there was no need. The same happens when social networking sites are used by people as tools to commit foolish acts or worse; people have a tendency to lose control of themselves.

It is especially interesting to read the work mentioned above, and to keep in mind that you cannot see the other party and are liable to misread the text, and that the other party experiences exactly the same. Care should therefore be taken that what is written is clear and even concise, and that long-winded messages are avoided.

Otherwise, it is our wish that users of the internet can enjoy it with us and have a good time there.