archive

If you have the August 13, 2024—KB5041580 update. You’re good.

You are viewing a single thread.
View all comments View context
3 points

can you tell me if any device in an IPv6 LAN can just assign itself more IP v6 adresses and thereby bypass any fw rule?

permalink
report
parent
reply
3 points

Not if your firewall router is setup right (strict mac address filtering)

permalink
report
parent
reply
1 point

so back to the beginning of this thread: ipv6 in home lans is likely to be unsafe due to the defaults in some/many/most routers? and those ipv6 devices can in these szenarios escalate their permissions be spawning new ip adresses that would overcome lazy output fw rules?

thanks for all the explaining here so far!

or if i upload a malicious apk to some smartTV and have a it spawn a dhvpv6 server and then spawn a new virtual device that would be given an IP by my fake dhcpv6 to bypass. and we all can use macaddresschanger.

so you say with macfiltering the router would still prevent unwanted direct connections between my c&c server and some malicious virtual device? that’d be cool, but i dont understand how.

permalink
report
parent
reply
4 points

ipv6 in home lans is likely to be unsafe due to the defaults in some/many/most routers?

no

and those ipv6 devices can in these szenarios escalate their permissions be spawning new ip adresses

yes and this is not “escalating their permissions”, it is in fact the expected behavior with Privacy Extensions (RFC 4941) where devices will probably have multiple addresses at the same time that are used for outgoing connections

that would overcome lazy output fw rules?

any router that doesn’t have deny as the default rule for WAN->LAN traffic (probably not many) is trash, and if you’re filtering LAN->WAN traffic (not really usual for a home network) then you want default deny there too, but at that point that is not an ipv6 problem

or if i upload a malicious apk to some smartTV and have a it spawn a dhvpv6 server and then spawn a new virtual device that would be given an IP by my fake dhcpv6 to bypass. and we all can use macaddresschanger.

rogue dhcp is not an ipv6 exclusive problem

so you say with macfiltering the router would still prevent unwanted direct connections between my c&c server and some malicious virtual device? that’d be cool, but i dont understand how.

yes, firewall rules can work based on mac addresses, not sure exactly what you mean

permalink
report
parent
reply
10 points
*

IPv6 has two main types of non-broadcast addresses to think about: link-local (fe80::) and public.

A device can self-assign a link-local address, but it only provides direct access to other devices connected to the same physical network. This would be used for peer discovery, such as asking every device if they are capable of acting as a router.

Once it finds the router, there are two ways it can get an IP address that can reach the wider internet: SLAAC and DHCPv6. SLAAC involves the device picking its own unique address from the block of addresses the router advertises itself as owning, which is likely what you’re concerned about. One option for ensuring a device can’t just pick a different address and pretend to be a new device is by giving it a subset of the router’s full public address space to work with, so no matter what address it picks, it always picks something within a range exclusively assigned to it.

Edit: I butchered the explanation by tying to simplify it. Rewrote it to try again.

permalink
report
parent
reply
2 points

thanks.

permalink
report
parent
reply
6 points

In most cases, the router advertises the prefix, and the devices choose their own IPv6. Unless you run DHCPv6 (which really no-one does in reality, I don’t even think android will use it if present).

It doesn’t allow firewall bypass though, as the other commenter noted.

permalink
report
parent
reply
3 points
*

DHCPv6 is very much in use with large ISPs. SLAAC only lets you get a single /64 (one network) from the ISP, but if you use DHCPv6, which is also provided ISP side, you can often request a /60 to get you 16 networks to use. Also, DHCPv6 doesn’t base the IPv6 address off the MAC address like SLAAC does, so it is better for device privacy.

Why Android does not support DHCPv6 is beyond me. It’s honestly quite ridiculous as it makes configuring LAN-side DNS and other things a lot easier.

permalink
report
parent
reply
2 points

Unless you run DHCPv6 (which really no-one does in reality)

Question for you since I have very little real world IPv6 experience: generally you can provide a lot of useful network information to clients via DHCP, such as the DNS server, autoconfig info for IP phones, etc. how does a network operator ensure that clients get this information if it’s not using DHCPv6?

permalink
report
parent
reply
2 points

ok. thank you. stuff like this just made me wonder: https://en.avm.de/service/knowledge-base/dok/FRITZ-Box-7590/573_Configuring-IPv6-in-the-FRITZ-Box/

for linux etc they suggest du enable dhcpv6 and i cant figure out where they adress this in their firewalls. still learning.

permalink
report
parent
reply
2 points

Yeah, I butchered my answer by trying to simplify the process. I rewrote it in a hopefully more accurate but still simple to understand way.

permalink
report
parent
reply
5 points

How would that bypass the firewall?

permalink
report
parent
reply
3 points

Honestly, I think most fear of IPv6 is just borne out of ignorance and assigning their understanding of IPv4 onto IPv6 and making assumptions.

permalink
report
parent
reply
5 points

assigning their understanding of IPv4 onto IPv6 and making assumptions.

This is also what makes it more difficult to learn, unfortunately.

permalink
report
parent
reply

Technology

!technology@lemmy.world

Create post

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


Community stats

  • 15K

    Monthly active users

  • 6.7K

    Posts

  • 154K

    Comments