ipv6 home router experiments

2022-07-08 #networking

KubeCon this year featured a panel discussion of IPv6 adoption. One of the panelists mentioned in passing that many organizations are unprepared for the security implications IPv6. With IPv4, most addresses were hidden by NAT; with IPv6, addresses are publicly routable. Firewalls can block external traffic, but might not be configured correctly.

So I did an experiment on my home network. Would enabling IPv6 expose my devices on the public internet?

I found an “IPv6” panel in my router configuration. First, I changed the “Internet Connection Type” drop-down menu to “Auto Detect”, then the Netgear router switched to “Pass Through”. I guess my ISP supports IPv6?

Screenshot of IPv6 Internet Connection Type “Pass Through” in router settings

Yes! My devices were assigned IPv6 addresses!

Screenshot of ip a command showing an IPv6 address

From a computer outside my network, I tried to ping the IPv6 address:

Screenshot of ping6 receiving responses for the IPv6 address

Success! The address is reachable and responding to ICMPv6 pings.

Next, I tried an HTTP request to a server listening on port 1313.

Screenshot of curl for the IPv6 address receiving a 200 OK response

Yep, that worked too!

It seems that my Netgear router does not provide an IPv6 firewall. (It does, however, block external IPv4 traffic; I got no response from ping or curl to the router’s public IPv4 address.)

Here’s a difference, though. With IPv4, when I exposed ssh port 22 to the public internet, I’d see hundreds of failed login attempts per day. This hasn’t happened with IPv6 – in the last month, I’ve seen zero attacks. Why?

I looked up the prefix of the IPv6 address and found the organization that’s providing my internet service. They’ve reserved a /32 subnet (2⁹⁶ possible addresses). By capturing ICMPv6 packets with tcpdump -v -i en0 icmp6, we can see the router advertising a /64 prefix:

Screenshot of IPv6 router advertisement

My ISP is assigning addresses from a subnet 2³² times larger than the entire IPv4 internet. I’m not sure if they are using different prefixes for other apartments (they certainly have enough to do so!), but even so, that’s a lot of address space for not-very-many devices.

The IPv6 address space is so massive that it’s impractical to find a target by scanning. That’s helpful, but not enough – we still need firewalls in IPv6. Obscurity ≠ security and all that.