
Good morning everyone. My name is Christal SOS, I'm from the University of Delaware, I'm a graduate student there, and thank you all for coming this morning. I'm going to talk about an IPv6 setup for your home and some security implications of it, and I want to thank Chase for showing me this idea and helping me set it up.

Before I go into it, let's ask the question: why should we bother to do this? Why would we want to transition our home network from v4 to v6? I mean, v4 has been around, we've been using it for a long time, it's stable, it's good, it works. Probably a lot of you know that when an internet service provider gives you a v4 address there's usually only one public address, and if you're trying to connect to your internal network from outside, let's say if you're at work or you're in an airport, something like that, you need to set up something like port forwarding or a VPN. So you would need to go inside the router and twiddle around with the settings, and then if, let's say, your public IP changes, then you have to go back inside your router and configure that.

IPv6, actually, in the v6 RFC there's a requirement that your internet service provider will give you a /64 allocation. A v6 address is 128 bits, so that means you have 2 to the 128 addresses total, and then if somebody gives you a /64 allocation that means you have 2 to the 64 public routable addresses. If we do the math, 2 to the 32 is roughly 4 billion, right, and we know that's around nine zeros, so if we multiply four billion by four billion that's around 18 zeros. So that's a whole lot of IP addresses that we can use that are public.

And v6 is actually not really being widely used. It's just out there; it's something that's already configured in all of our computers automatically, but we don't really use it. The two ways you as users, as hosts, can get v6 addresses are through native support from your ISP or through tunnelling techniques.

So let's actually look at what percentage of users are actually IPv6 enabled. This is a chart I took a couple of days ago from Google, and it shows you, out of all the people that visit Google, what percentage of them have v6 enabled, so what percentage are actually using v6 addresses. You can see the total number is only 7.4%, and it's broken down into native and tunnelling techniques, so you can see most people are using native.

The way that public addresses are allocated is that there are five different organizations around the world that give out these addresses, and the ones that we mostly hear about are ARIN and RIPE. ARIN is the one that functions in North America and RIPE is the one that functions mostly in Europe. These are called Regional Internet Registries, and then Local Internet Registries are their customers, so they get the assignments and then they either allocate these assignments to their customers, which is us, or they assign them to themselves.

Here on the left-hand side is the illustration from ARIN, the North American sector, and it shows you IPv4 allocation requests; for instance in June there have been around 261 requests, while the number of v6 allocations has only been 26 in June, so you can see that number is much lower. On the right-hand side you can see a graph from RIPE, which is the European RIR, and it shows that the blue line is the number of ISPs that already have a dual stack, so they give both v4 and v6 addresses, and the red line represents the number of ISPs that only give out a v4 address. So you can see the trend is moving towards the v4/v6 dual stack.

Comcast, which is probably one of the leading ISPs out there, is now starting to roll out a dual v4/v6 stack solution. On their website, in late 2013, they had a statement that 25% of their customers are supported with dual v4/v6 addresses. It's my assumption that since then that number has increased much, much more, to the point where now in the region of Delaware, maybe in Maryland, Comcast offers a dual v4/v6 stack.

So if you're a Comcast customer and you want to find out if you have v6 enabled, what you can do is check your modem online to see whether it is v6 enabled. You would go to this website and see if there's a check mark next to your modem, and if there is, what you do is you unplug your NAT box or your router, you throw it somewhere, and you connect your computer directly to your modem. If you have a v6 address you should get a /128 address, and then there are websites online where you can check your v6 status. If you go to test-ipv6.com it will tell you if your v6 is hooked up, and it will give you some information about your ISP, and then you can further do an IPv6 test to Google to see whether there's connectivity.

This address is actually only a /128, so if you want to have a /64 then you can buy a cheap product from eBay and you can turn on v6 from there, but now the router has to have v6 capability, so it has to be IPv6 capable. So the router, when you turn it on, will have DHCP with the /128 and the /64 address. I'm not sure if you guys can see this... no? Okay, can you guys see this? You've got an fe80 and you've got your... yeah, so here you can see that this is a /64 address. This is ifconfig on my computer, so you can see here that this is a /64 address, so that means we have four billion times four billion addresses that we can use that are public.

If Comcast does not give you a v6 address yet, or if you're using another ISP, you can still get a v6 address using tunnelling. Here you can see in the cloud there's a 541::1 point of presence, and these are different points of presence that are just out there, they're free, you can just create an account, log in, and use them. And then you can see inside your network you need to have a gateway of some sort, so your gateway is your tunnel endpoint. On your gateway you have a 541::2 address, and then on another interface towards your internal network you have another v6 address, let's say here the assignment is A541::1, so these two addresses are actually given to you by your tunnelling vendor.

The two that we know about, that we use, are Hurricane Electric, and they can actually give you a /48 prefix too if you request it, so that's if you want to set up v6 networks inside of the v6 networks, so you have an even bigger address base. The only catch is that when you set up a tunnel with Hurricane Electric the gateway needs to be added to the DMZ zone of the router, because it's just a native 6in4 tunnel, so you use just the regular Linux tunnel technique, but it needs to be actually publicly accessible. The other tunnelling provider I know of is SixXS, and you can actually do the tunnelling without touching the router, so you don't need to put anything in the DMZ; it actually dials out to your point of presence, your PoP, and it also has a heartbeat technique where, if you have a dynamic IPv4 address from your ISP that changes constantly, this heartbeat will update that address remotely so that it always keeps track of where you are.

So you actually don't need to have the gateway and the router separate; you can consolidate them into one device. For me, I have an old router, I bought it probably seven years ago, and it doesn't have v6 support. So what I did was I updated the firmware to OpenWrt and I downloaded the SixXS client, which is called aiccu. You just turn that on and it'll generate a v6 address for you, it'll give you that v6 address that you can then use in your internal network. And this address A541::1, you need to statically assign that; both in this scenario and in the HE scenario you need to actually manually assign this address, and you need to set up forwarding in your gateway and set up the appropriate firewall rules for v6 forwarding. When you do that, on your internal interface you need to start up radvd, which sends router advertisements, and that's stateless autoconfiguration that the internal devices will receive and then will automatically get a v6 address. So the clients actually don't need to do anything; it's like a lightweight DHCP server, except that the clients don't actually run a DHCP client, they just automatically get their addresses, and this is called SLAAC, stateless autoconfiguration.

When you get these addresses you usually get two addresses, and the first address is actually derived from your MAC address. You can see up top that my first v6 address is similar to the MAC address, and from that address you can guess, you can derive what the MAC address is. So obviously this is a security issue, because if you're using that as your source IPv6 address and then some dude at some server is listening to that traffic, he can see what the source address is and then he can derive the MAC address and he can actually track down each user, because he'll always have that v6 address. So you can enable privacy extensions that will generate a random v6 address that is then used by default. You can see the second address is the random address, and if you ping Google that will be the default address that's being used. To enable this in Linux, in sysctl you would turn this on, and I also noticed that the Arch Linux wiki suggests that you turn the other two options on; however, when I did that I noticed that I got a whole bunch of different v6 addresses, which is okay, but I mean you just kind of see like five or six different v6 addresses all of a sudden. But those addresses are still being used rather than your address that's derived from your MAC.

Another cool feature that I want to make you guys aware of is the RIR I mentioned earlier, RIPE: it actually provides you a web interface through which you can check your connectivity, and this is both for v4 and v6. What you do is you apply online and they give you this probe, which I have a picture of here, and you can plug it into your network. It's a passive device, it doesn't do anything, except when RIPE issues a request for a scan it will issue a scan from that probe to the location that you specify. So here I'm doing a test to my Comcast v6 address on their network, and it issues a traceroute probe from all over the world, from these little devices all over the world, and that will probe my address to see the way they connect to it. You can see here that they have addresses from Italy, from Japan, from Germany, and then you can click any of them and you can see the traceroute trace. So it's a really cool thing. There are two YouTube videos that I thought were really cool about it; the second one talks more about the infrastructure and how it's set up, because the website is actually very, very nice, it's very responsive and very interactive, so it's kind of interesting to see how all that data is being generated.

So there are of course security implications. When something becomes more complicated it becomes more of a security issue, and that's just true for anything. So when we look at IPv6 we need to look at it from a user's perspective: if I'm a home user and I'm running v6, what can happen to me, what should I be aware of? Well, let's say my father walks into my house and gets a v6 address; he's not aware of that, you know, he just has a v6 address and he's publicly reachable, so anybody else could attack him. So one of the things that we can do is set up a VLAN on the internal interface so that only people that are on that VLAN can get a v6 address; that will mitigate the issue. And privacy extensions probably need to be turned on. And you guys know Snort and pfSense actually support v6, so you can enable traces through Snort in v6, and you can generate a whitelist of all your devices, so all the devices that you know about. This can actually be done with DHCP version 6; it probably can't be done with radvd that I showed earlier, because you need to give v6 addresses only to those devices that you know.

I showed earlier that you can set up a v6 gateway in your network. So let's imagine the scenario where you have an unsecured access point, and somebody comes into your network, hacks your box, and then starts up something like aiccu and hands out v6 addresses to everybody in the internal network. What will happen is that the traffic will pass through that rogue node and he will become a man in the middle, so that he can view and modify the traffic and do anything that he wants with it. So if you really want to get rid of that, I guess you can just turn off v6, which is kind of what the IT department does at the University of Delaware, I think, based on what I've talked about with some people. And you can detect new v6 addresses that come on. To do that, you ping ff02::1, the multicast address, and you need to specify the interface that you're going out of, and you can see all the v6 addresses on the network, and then you can generate a whitelist for your devices that are on there, and if you see a new one you can ban them from connecting. There are also really cool utilities from The Hacker's Choice; they have stuff like finding out what v6 addresses are on your network, doing v6 flooding, sending man-in-the-middle attacks with v6, and stuff like that. There's a lot of stuff out there.

So the thing with v6 is that it's a lot more complicated than v4. It's more than just addressing; there's actually some protocol stuff going on there, so it's important to educate yourself about IPv6 and know what the capabilities are. With v4, the NAT techniques still hide hosts, but you can still get into the network, so you need to get into the habit of assuming that these internal nodes are eventually going to be public, and get to the technique of being able to secure them correctly.

So this concludes my talk. If you have any questions, I'll be happy to take them.
yeah
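As an added example that is not part of the talk (my own code, not the speaker's): the MAC-to-address derivation the speaker describes for SLAAC, run in both directions, and the ff02::1 discovery-plus-whitelist check from the end of the talk, applied to a constructed ping6 output. The sample ping lines, the prefix 2001:db8:1:2::/64 and the whitelist of known MACs are all assumptions made up for the example.

```python
"""Added example (Python), not code from the talk: the EUI-64 derivation the
speaker describes, run both directions, plus the ff02::1 discovery-and-whitelist
check. The ping output and the whitelist below are constructed for the example."""
import ipaddress
import re

# Constructed sample of what `ping6 -c 1 ff02::1%eth0` prints: every node on
# the link answers the all-nodes multicast address. Two responders carry
# EUI-64 (MAC-derived) identifiers, one carries a privacy-extension identifier.
SAMPLE_PING_OUTPUT = """\
PING ff02::1%eth0(ff02::1%eth0) 56 data bytes
64 bytes from fe80::21e:c2ff:fea1:b2c3%eth0: icmp_seq=1 ttl=64 time=0.311 ms
64 bytes from fe80::a8d:7ff:fe12:3456%eth0: icmp_seq=1 ttl=64 time=0.540 ms (DUP!)
64 bytes from fe80::3c4e:9a1f:77b0:1d2e%eth0: icmp_seq=1 ttl=64 time=0.612 ms (DUP!)
"""

# Hypothetical whitelist: MACs of the devices you know about.
KNOWN_MACS = {"00:1e:c2:a1:b2:c3"}

EUI64_MARKER = b"\xff\xfe"   # inserted between the OUI and the NIC part
UL_BIT = 0x02                # universal/local bit of the first IID byte


def eui64_iid_from_mac(mac: str) -> int:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291 style):
    split the MAC in half, insert ff:fe, flip the u/l bit."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    iid = bytearray(raw[:3] + EUI64_MARKER + raw[3:])
    iid[0] ^= UL_BIT
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address SLAAC forms from a /64 router-advertised prefix and a MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid_from_mac(mac))


def mac_from_address(addr: str):
    """Reverse direction: the MAC an EUI-64 address was derived from, or None
    when the interface identifier does not carry the ff:fe marker (privacy
    extensions, DHCPv6, manual addresses). A random IID matches the marker
    with probability 2**-16, so treat a hit as a strong hint, not proof."""
    iid = int(ipaddress.IPv6Address(addr.split("%")[0])) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if bytes(b[3:5]) != EUI64_MARKER:
        return None
    b[0] ^= UL_BIT
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


def parse_responders(ping_output: str):
    """Addresses that answered the multicast ping, zone id stripped, in order."""
    seen = []
    pattern = r"bytes from ([0-9a-f:]+)(?:%[\w.-]+)?: icmp_seq"
    for m in re.finditer(pattern, ping_output, re.I):
        addr = str(ipaddress.IPv6Address(m.group(1)))
        if addr not in seen:
            seen.append(addr)
    return seen


def audit_neighbours(addresses, known_macs):
    """Map each responder to (status, mac): 'known' if its MAC is whitelisted,
    'unknown' if a MAC is recoverable but not whitelisted, 'no-mac' if the
    identifier reveals nothing (the case privacy extensions are meant to give)."""
    known = {m.lower() for m in known_macs}
    result = {}
    for addr in addresses:
        mac = mac_from_address(addr)
        if mac is None:
            result[addr] = ("no-mac", None)
        elif mac in known:
            result[addr] = ("known", mac)
        else:
            result[addr] = ("unknown", mac)
    return result


if __name__ == "__main__":
    audit = audit_neighbours(parse_responders(SAMPLE_PING_OUTPUT), KNOWN_MACS)
    for addr, (status, mac) in audit.items():
        print(f"{addr:40} {status:8} {mac or '-'}")
```

On a real link you would feed the output of `ping6 ff02::1%<iface>` into `parse_responders`; it only sees nodes on that link that answer multicast pings, so a host whose firewall drops them stays invisible, and a responder classified `no-mac` is either using privacy extensions or got its address some other way (DHCPv6, manual). On Linux the privacy extension the speaker enables is `net.ipv6.conf.<iface>.use_tempaddr` (2 = generate temporary addresses and prefer them as source), which is exactly what turns a `known`/`unknown` result into `no-mac` for an observer on the path.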