How to handle home appliances and local services in the IPv6 world?


JulioHM

Active member
Oct 25, 2020
Greetings!

I've been trying to find more details about how to manage services in my home network, but all I can find are basic tutorials about IPv6 addressing and low level FAQs.

My ISP recently provided an IPv6 capable router and now, surprisingly, every appliance in my home network has a global IPv6 address (2001:*). Initially, that sounds creepy as hell, but I understand that scanning IPv6 networks is considered a much harder task. Either way, having every internal service publicly available on the Internet is not at all desirable. That includes ssh, remote desktops, local DNS servers, personal media appliances.

On a side note, every device was also assigned a local ULA address (fd*), which only works in the local network.

As far as I can tell, I should configure all these services to bind to a ULA, instead of the public Global Unicast? Is that it? Can I expect that ULA addresses won't change over time? Should I be concerned about disabling Global Unicast addresses for any appliance that does not need it?

Thanks in advance for the help.
 
Oct 3, 2020
This is a very pertinent point for me as well. I've an ISP-branded router combined with a Linux box (Ubuntu 16.04 & 18.04 LTS) that very definitely supports IPv6 addressing. Any opinions or advice on risks would be appreciated.
 

JulioHM

Active member
Oct 25, 2020
I was having the same conversation on r/ipv6, and apparently home users are completely unprepared for this, even though ISPs are pushing IPv6 for broad usage.

The router I was serviced, for example, completely removes options for Firewall configuration. I'm still struggling to find some ground here without actually disabling IPv6 completely here.
 

PHolder

Well-known member
Sep 16, 2020
Ontario, Canada
I was once tasked with IPv6 transition work for an embedded system. Unfortunately we were stupidly still using manual/hard coded IP addresses. It's my belief the only sane way to manage an IPv6 network is to have every device be assigned an IP address via the network (DHCPv6 or equivalent) and also a DNS/host name. This way, hopefully all your firewall rules and other configuration can use host names.

If your supplied router isn't any good, I would recommend you invest in a stand alone firewall device (Netgate, Protectli, etc) that will let you configure and run the necessary DHCPv6 and DNS services.
 

EdwinG

Well-known member
Sep 24, 2020
I would ditto what @PHolder said.

Also, both LL (fe80::/10) and Global addresses are required for IPv6 Internet connectivity. ULA addresses are private addresses, and as far as I'm aware, no router will rewrite them.

To protect any IPv6 device from the large canon that's the network of networks, the best approach is to have an IPv6 firewall set up at your border and on the device.
 

JulioHM

Active member
Oct 25, 2020
I want to thank everyone for the responses. I can certainly manage my home setup eventually.

But I wonder what's been happening to everyone else, all other users who are signing up or upgrading their broadband contracts. As far as I can tell, ISPs everywhere are offering faster internet speeds while handing out cheap routers that have their custom firmware and IPv6 enabled out-of-the-box for every connected client.

I really doubt these companies are adding any cost with the concern that everything from everyone is being exposed. Sounds to me like a recipe for a disaster we'll eventually hear Steve talk about in his podcast.
 

PHolder

Well-known member
Sep 16, 2020
Ontario, Canada
Well, you do realize that a majority of smart phones are using IPv6 right? It hasn't quite turned out to be such a disaster... so I am unsure if the worry is founded.
 

Lob

What could possibly go wrong?
Nov 7, 2020
I am now a (double-) victim of CG-NAT (ISPs in both my homes) with IPv6 being my native stack. It's actually quite annoying as I have VPN concentrators on both connections but the seeming lack of IPv6 for my devices if I am off my network means I don't presently have these ports open. Add to that a teenager who does what he can to get around my controls, IPv6 in my network is annoying as DNS over IPv6 gets past those controls (but I may have to revisit this topic).

I did find a guide and "service" to provide an IPv4 address which redirects into my IPv6 box but it does not work for VPN traffic (it does for a web server).

So in this hybrid world, does anyone have a suggestion?
 

rfrazier

Well-known member
Sep 30, 2020
I have my own router sitting behind my cable modem. I have all IPv6 turned off in the router. I have found no reason to have IPv6 on inside my network. I WANT the NAT system, the one way valve if you like, between my network and the world. The extra security complications are just something I don't need.

May your bits be stable and your interfaces be fast. :cool: Ron
 

rfrazier

Well-known member
Sep 30, 2020
Well, you do realize that a majority of smart phones are using IPv6 right?
I know little about IPv6. But, the smartphones presumably have security and firewall technology built in that doesn't just let every Tom, Dick and Harry packet come through. IoT devices almost certainly don't have that, and probably assume the perimeter router takes care of things. For the ISPs to install routers that just let any old IPv6 packet come in, if that's what they do, is not only foolish, in my opinion, but criminally negligent.

May your bits be stable and your interfaces be fast. :cool: Ron
 

rfrazier

Well-known member
Sep 30, 2020
@PHolder I was acknowledging that the phones probably have protection. But, the IoT devices almost certainly don't. I would never want my IoT devices exposed to unfiltered incoming IPv6 (or IPv4) packets that aren't replies to something they initiated. Likewise, I would never want my PC exposed all the time either, firewall notwithstanding. That's why I don't put my PC in the DMZ all the time nor do I connect it directly to the cable modem.

May your bits be stable and your interfaces be fast. :cool: Ron
 

PHolder

Well-known member
Sep 16, 2020
Ontario, Canada
I would never propose that you explicitly expose any device to the barrage that is the Internet, but I also want to make clear one thing. IPv6 is a massive wasteland of empty space. Unlike IPv4, which is so crowded as to allow almost every valid IP address to be in use, IPv6 has virtually infinite empty space. Accordingly, a device sitting there quietly doing its job and not advertising its existence to anyone, is unlikely to be found by a random scan of any sort--this is the exact opposite of IPv4. In this case, there may well be some security in obscurity.
 

EdwinG

Well-known member
Sep 24, 2020
@rfrazier It might vary between ISPs, but my ISP's provided router-modem combo (SmartRG 505n) does have a preconfigured IPv6 firewall that's not allowing inbound connections, except for the mandatory ICMPv6.
Same goes for my previous ASUS RT-AC56U, ASUS RT-AC68U home routers, and my current Ubiquiti Unifi prosumer gateway.

The same concepts that applied to IPv4 apply to IPv6 when it comes to traffic filtering. It's just made easier to do. Instead of having to do port forwarding when you want to allow traffic in, you simply allow traffic going to an IP address on a specific layer 4 protocol and port (where applicable). If you want to, you can have multiple servers sharing the same port opened.
It's just that you don't have the NAPT "hack" involved. It's really pre-NAT IPv4 firewall filtering, but applied to the 2020 era (DENY by default, etc.).

I'm not trying to convince, just trying to shed some light on why it's not as "open" as it might initially seem. Obviously, ISPs should provide a proper default configuration for consumers.
 

rfrazier

Well-known member
Sep 30, 2020
@EdwinG Like I said, I don't know much about IPv6. Thanks for sharing this info. So, I'm totally cool with the idea that they're not letting all the packets in by default and that there's some filtering going on. I still would probably be inclined to put my own router behind the ISP's router or cable modem. I worry about misconfigurations. I remember @Steve beating on the subjects of UPnP and remote admin for years. I remember some of my routers, back in the day, having those things turned on by default. That's what burned into me a philosophy of checking every single setting. I also like the fact that all my internal devices are running on non-routable addresses, i.e. 192.168.20.20. No way any external packets destined for that address will ever get here. So, if an IPv6 IoT device has a hard coded IP address that is globally routable, it's conceivable that an attacker could be pounding on the firewall trying to get in if they could somehow determine the address. I'm always willing to learn, and it's interesting exploring these implications. Unfortunately, the risks are higher than ever if you have a weak perimeter, especially with people using thermostats and such to gain a foothold to pivot from in your network.

@PHolder interesting point about the vast empty IP space. I seem to remember years ago that we could give every star in the sky an IP and still have a bunch left over, or something like that. I was able to get my head around the 4 octets of IPv4 pretty easy. Every time I start reading about IPv6, my head starts to explode.

May your bits be stable and your interfaces be fast. :cool: Ron
 

EdwinG

Well-known member
Sep 24, 2020
Edit 2020-01-14 22:51 EST: Added precision that the IPv4 screenshot is with NAPT enabled, and IPv6 is globally addressable.

I’m going to try to address some worries that could come from globally addressable IPv6 addresses.
I didn’t want this post to be long, but I just wanted to share the knowledge. And knowledge is known to be power :)

What’s NAPT (for those that never came across the term)
NAPT stands for Network Address and Port Translation.

It’s the most prevalent form of Network Address Translation. In NAPT, both the IPv4 address and port are rewritten.
In pure NAT, only the IPv4 address is changed, so if a port should be in use, your connection would fail using that port.

On hardcoded addresses
All devices have a hardcoded “IPv6 address.” It’s actually the MAC address.
The IPv6 stack uses the MAC address to build the link-local (private) IPv6 address, used for the communication on the local LAN. It’s always in the fe80::/10 subnet, on any given network.
Most devices I’ve run across don’t use the hardcoded address, but generate a dynamic one instead to avoid conflicts.

It is also sometimes used to build the global address, but most major software developers changed that behaviour a long time ago to generate a dynamic global IPv6 address instead with another temporary address for transient communications.
The global prefix is most likely provided by the ISP, or RIR if you’re in a large enough enterprise. My ISP assigns me a /56, giving me 8 bits for subnetting. For each subnet, the prefix is a /64 (per RFC standard).
The second 64-bit half of the 128-bit address comes from the device itself whether dynamically constructed or hardcoded from the MAC address.
You can’t communicate with the Internet without a properly assigned global address, it just does not work because of the router’s routing table.

Thus, an IoT device manufacturer can’t simply hardcode a globally accessible IPv6 address for their device unless they tunnel it to their own network. Something they could do over IPv4 as well. This scenario would be an outgoing connection in either protocol.

On UPnP
I don’t think UPnP and NAT-PMP are available on IPv6. PCP, which succeeded NAT-PMP, is.
I have UPnP/NAT-PMP disabled, so no experience there, but it would be the same approach on both protocols.

On attack surface
Having a single IPv4 address with NAPT or an IPv6 global subnet doesn’t really change the necessary precautions. As a baseline, you need the exact same rules for both, except for ICMPv6 that will be necessary for proper connectivity. You could even run an entire IPv4 network without NAPT and be as secure as a NAPT network.

I’m attaching screenshots at the bottom of the post with my inbound rules for both IPv4 and IPv6. IPv4 is with NAPT, and IPv6 is globally addressable.
There’s nothing secret there, since I don’t allow any WAN traffic inside except for ICMPv4 Echo to monitor my Internet connection—my monitoring provider only does IPv4 for now.
In light grey are the default gateway rules, and there’s a default deny all rule that’s not pictured. I can confirm it by running iptables -vnL or ip6tables -vnL on my gateway.

The default ICMPv6 rules are the minimal requirements for IPv6 to work, as that’s how a device receives the dynamic network configuration. It’s DHCP for an IPv6 world; DHCPv6 does not behave the same way as DHCPv4, so there is a learning curve there.

Summary on this entire point: your risk assessment over IPv6 is the same as IPv4. The only lost “feature” is the NAPT’s security by obscurity.

On port forwarding
Should I need to open a port, I would punch a hole in my IPv6 firewall for the specific destination IP address and transport layer port :)
Not much more complicated than that.

Let’s say I want to open port 443/tcp (non-negotiable) for two different dual-stack devices:
  • NAPT IPv4: With one IPv4 global address and NAPT, that's not possible. You can do it with two IPv4 global addresses and NAPT, and configure port forwarding for your destinations on your firewall.
  • Globally addressable IPv4 or IPv6: You configure your firewall to allow connection to destination IP address 1 and destination IP address 2 on protocol TCP and port 443.
In both cases, you can put elaborate rules, the connection must be over TLS, from this IP address, etc. No huge changes there :)

But it is much easier to understand what's going on underneath, and it really does what you tell it to. You don’t even need those NAT helpers to allow certain protocols to function.

[Attached screenshots: Screen Shot 2021-01-14 at 21.36.09.png and Screen Shot 2021-01-14 at 21.55.45.png (inbound rules for IPv4 and IPv6)]
 
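To make the "On hardcoded addresses" section concrete (and JulioHM's original question about which address is which), here is an added shell example that is not EdwinG's or anyone's code from the thread: it derives the EUI-64 interface identifier from a MAC, builds the link-local, ULA and global addresses for one /64 of an ISP /56, and classifies each by scope. The MAC, the 2001:db8 prefix (documentation range) and the fd12: ULA prefix are constructed values.

```shell
#!/bin/sh
# Added example, not from the forum thread. All prefixes and the MAC are constructed.
ISP_PREFIX="2001:db8:abcd"   # first 48 bits of a hypothetical ISP-delegated /56
ULA_PREFIX="fd12:3456:789a"  # hypothetical fd00::/8 prefix used on the LAN

# EUI-64 interface identifier: flip the universal/local bit (0x02) of the first
# octet and insert ff:fe between the third and fourth octets of the MAC.
eui64_iid() {
  set -- $(printf '%s' "$1" | tr ':' ' ')
  printf '%02x%s:%sff:fe%s:%s%s\n' $(( 0x$1 ^ 0x02 )) "$2" "$3" "$4" "$5" "$6"
}

# Subnet N (0-255) of the /56 becomes <prefix>:NN::/64; the IID fills the low 64 bits.
global_addr()     { printf '%s:%02x:%s\n' "$ISP_PREFIX" "$2" "$1"; }
ula_addr()        { printf '%s:%02x:%s\n' "$ULA_PREFIX" "$2" "$1"; }
link_local_addr() { printf 'fe80::%s\n' "$1"; }

# Scope from the textual prefix: fe80::/10 link-local, fc00::/7 ULA, 2000::/3 global.
addr_scope() {
  case $1 in
    fe[89ab][0-9a-f]:*)      echo link-local ;;
    f[cd][0-9a-f][0-9a-f]:*) echo ula ;;
    [23]*)                   echo global ;;
    *)                       echo other ;;
  esac
}

iid=$(eui64_iid 00:11:22:33:44:55)   # constructed MAC
for a in "$(link_local_addr "$iid")" "$(ula_addr "$iid" 1)" "$(global_addr "$iid" 1)"; do
  printf '%-40s %s\n' "$a" "$(addr_scope "$a")"
done
```

Only the address whose scope comes out as "global" is reachable from the Internet; binding a service to the ULA or link-local one keeps it LAN-only regardless of the border firewall.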
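The "On attack surface" and "On port forwarding" sections describe a policy rather than showing rules, so here is an added example of an ip6tables ruleset on a Linux gateway that implements it: DENY by default, the ICMPv6 needed for NDP and path MTU discovery, no NAT, and 443/tcp opened to two specific LAN hosts. This is not EdwinG's gateway configuration; interface names (eth0 WAN, br0 LAN) and the 2001:db8 host addresses are constructed. The function only prints the commands; pipe it into sh as root to apply them.

```shell
#!/bin/sh
# Added example, not the thread author's config. Interfaces and addresses are constructed.
WAN=eth0
LAN=br0
HTTPS_HOSTS="2001:db8:abcd:1:0211:22ff:fe33:4455 2001:db8:abcd:1::80"

ip6_rules() {
  # Default deny for anything entering the router or being forwarded through it.
  echo "ip6tables -P INPUT DROP"
  echo "ip6tables -P FORWARD DROP"
  echo "ip6tables -P OUTPUT ACCEPT"
  echo "ip6tables -F"
  for chain in INPUT FORWARD; do
    # Replies to connections the LAN initiated: the stateful "one-way valve".
    echo "ip6tables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # The LAN may talk to the router and out to the Internet.
    echo "ip6tables -A $chain -i $LAN -j ACCEPT"
  done
  echo "ip6tables -A INPUT -i lo -j ACCEPT"
  # ICMPv6 is mandatory: NDP (RA/NS/NA) to the router itself, and the error
  # messages plus echo that must pass through it for PMTU discovery (RFC 4890).
  echo "ip6tables -A INPUT -p icmpv6 -j ACCEPT"
  for t in destination-unreachable packet-too-big time-exceeded parameter-problem echo-request; do
    echo "ip6tables -A FORWARD -p icmpv6 --icmpv6-type $t -j ACCEPT"
  done
  # DHCPv6 client replies (address/prefix delegation from the ISP) arrive on udp/546.
  echo "ip6tables -A INPUT -i $WAN -p udp --dport 546 -j ACCEPT"
  # The "port forwarding" case: one allow rule per destination host, no NAPT involved.
  for h in $HTTPS_HOSTS; do
    echo "ip6tables -A FORWARD -i $WAN -d $h -p tcp --dport 443 --syn -j ACCEPT"
  done
  # Everything else inbound from the WAN falls through to the DROP policy.
}

# Sanity check before applying: how many hosts have 443/tcp opened from the WAN?
https_rule_count() { ip6_rules | grep -c -- '--dport 443'; }

ip6_rules
```

After applying, `ip6tables -vnL` (as mentioned in the post) should show the DROP policies and per-rule counters, which is how to confirm nothing unexpected is being accepted.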

rfrazier

Well-known member
Sep 30, 2020
@EdwinG Much of that is over my head so I don't have a lot to comment on. But, I get the generalities of what you described. Thanks for sharing the cool info.

May your bits be stable and your interfaces be fast. :cool: Ron
 