Thursday, November 17, 2011

IPv6 Transition Dangers

IPv6 has been right around the corner for a long time (13 years by my count).  I have just started embracing IPv6 for the home environment this year.  I bought a buffalo router running DD-WRT to replace the Linksys system we had been using for our home firewall/router.  You can shell into the underlying embedded linux  system and configure things directly.

I was able to configure a 6to4 tunnel on the router and get our home environment operational with IPv6.  I was motivated to do this to complete some testing for a client.

The downside is that ip6tables does not come with the version of DD-WRT I'm using.  You need to build the kernel module.  I got about half way through that and got distracted by other things, so I turned off our tunnel.  Perhaps I can get that set up over Thanksgiving break.

Former Cisco colleagues Darrin Miller and Sean Convery wrote up a very excellent threat analysis of IPv6 a few years back which you can find at Sean's IPv6 page.  Darrin was gracious enough to come and visit my class several years back, and he gave a very excellent presentation of the issues.  One of the big IPv6 issues he identify was the tunnel transition issues.  Even if my home router had IPv6 installed, my windows 7 system seems to have installed a 6to4 tunnel for me.  If the traffic is tunneled going past the border firewall there is no way it can make even the most basic checks that most home routers do to prevent or limit connections initiating from the outside.  Seems like that threat is coming true as predicted.

No comments:

Post a Comment