Your forum username:
Do you already have an account?
Forgot your password?
  • Log in or Sign up


    Welcome to Sky User - The Unofficial Support Forum for everything Sky! - Proudly helping over 65k members.


    Advertisement

    Results 1 to 8 of 8
    Like Tree3Likes
    • 1 Post By Isitme
    • 1 Post By gymno
    • 1 Post By Shonk

    The Risks of IPV6 - Sky Routers

    This is a discussion on The Risks of IPV6 - Sky Routers within the Sky Broadband help forums, part of the Sky Broadband help and support category; If you want your router to continue performing as an effective Hardware firewall, this discussion is for you. This post ...

    1. #1
      itsanewlifeforme's Avatar
      itsanewlifeforme is offline Sky User Member
      Exchange:
      Broadband ISP: New House - No TV
      Router: New house - no broadband
      Sky TV: Nothing yet
      Join Date
      Mar 2011
      Posts
      23
      Thanks
      4
      Thanked 0 Times in 0 Posts

      The Risks of IPV6 - Sky Routers

      If you want your router to continue performing as an effective Hardware firewall, this discussion is for you.

      This post is intended to promote discussion and the 'fleshing out' of a very important topic - maintaining the firewall security as provided by your sky router.

      Sky routers were effective hardware firewalls whilst on the previous ipv4 firmware. Now that sky are transitioning to ipv6 (forced firmware updates - ipv6 settings - activated) I am asking:

      Might we need to change any of the settings on the router - to ensure we maintain the same level of router level firewall security, for our home routers?

      [Myself - I am on adsl - sky unlimited - Sr102]



      Check your connection:

      IPv6 test - IPv6/4 connectivity and speed test

      My broadband connection provision is ipv4, but my router has been updated to run ipv6 firmware, which is active.



      Switch Security Blog - IPv6 insecurities on “IPv4-only” networks. 26/08/2014.

      IPv6 insecurities on “IPv4-only” networks | SWITCH Security-Blog

      "Food for thought. These are just three examples that show how IPv6 can affect your network security, even though you have never consciously deployed IPv6. Are you sure your firewalls filter (tunnelled) IPv6 traffic?"



      Sophos - Why IPv6 Matters for Your Security - By James Lyne, Head of Global Security Research

      https://www.sophos.com/en-us/securit...h-to-ipv6.aspx

      "Don’t enable IPv6 until you’re fully ready. Many platforms come with IPv6 enabled by default, but make sure it’s switched off until properly configured. Many current firewalls focus exclusively on IPv4 and will not filter IPv6 traffic at all—leaving systems completely exposed. Disable unnecessary services and check the ports and protocols used by the services you need. Running IPv6 by default could allow attackers to bypass security controls and wreak havoc."



      Searchsecuirty: Address IPv6 security before your time runs out

      Address IPv6 security before your time runs out

      "Secondly, IPv4 and IPv6 will co-exist for some time, so it will become common for allegedly “IPv4-only” nodes to communicate with IPv6 nodes through the aid of transition or co-existence technologies. This means attackers can more easily obfuscate attacks using IPv4 and IPv6."



      Statetech Magazine: How to Protect Upgraded IPv6 Networks - Be aware that the protocol presents different security concerns than its predecessor. Sep 17,2003.

      How to Protect Upgraded IPv6 Networks | StateTech Magazine

      "4.(sic) Compensate for the loss of Network Address Translation.Network Address Translation (NAT) is a commonly used IPv4 network technology that, as a side effect of its function, provides a layer of protection in front of IPv4-enabled devices by concealing them from direct contact with external networks. Unfortunately, because there's no counterpart to NAT in IPv6 devices, those that were previously protected by NAT may now be directly exposed to attack. This is particularly true on home networks where there are no other perimeter security controls in place. To mitigate this, ensure that any device running IPv6 is protected by a host-based or network-based firewall, at a minimum, that blocks unwanted incoming traffic."

      "1. Recognize the risks of dual-stack configurations. In a dual-stack configuration, a device simultaneously supports IPv4 and IPv6. Firewall rule sets and other security controls that stop unwanted IPv4 traffic are unlikely to be effective at stopping any IPv6 traffic..."

      "2. Disable and block IPv6 where it's not needed."

      "Limit the permitted forms of IPv6 tunneling. Tunneling encapsulates IPv6 packets within IPv4 packets. Each permitted form of IPv6 tunneling presents an additional attack vector and can conceal traffic from security examination."



      arstechnica: Filtering out the bad guys

      IPv6 firewalling knows no middle ground | Ars Technica

      "If you have a router or home gateway that supports IPv6, make sure that it, too, filters IPv6. A stateful filter that allows outgoing connections and return traffic, but not incoming connections is closest to the IPv4 NAT filtering functionality."

      "To implement simple security for IPv6 in, for example, a DSL- or Cable Modem-connected home network, the broadband gateway/router should be equipped with stateful firewall capabilities. These should provide a default configuration where incoming traffic is limited to return traffic resulting from outgoing packets (sometimes known as reflective session state). There should also be an easy interface which allows users to create inbound 'pinholes' for specific purposes such as online-gaming."



      Avast Security Blog:

      https://blog.avast.com/tag/avast-2015/

      A.{Second Post - Nov 29th, 2014}:

      "In fact, a proper IPv6 firewall requires quite some processing power and RAM, so it’s no wonder that many of the cheap routers don’t have that functionality at all (or it’s not working properly).

      The remediation is relatively simple: Just disable IPv6 on the router. In most cases, this shouldn’t have any impact on other services, unless they require IPv6 (in which case, it would be good to replace the router with something better which is IPv6 certified)."

      B.{Seventh Post - Nov 4th, 2014}

      "5. Devices on your network are accessible from internet. This happens when Internet Protocol version 6 (IPv6 ) is enabled on the router and the devices get IPv6 addresses that are not firewalled. The problem is not primarily in the protocol, but in the router, which is not able to secure the devices with these addresses."

      So given sky is still running an ipv4 only provision - should we be changing anything on our routers - e.g disabling ipv6 - until the isp is using it exclusively? How can we maintain the level of security - provided by our routers - before the ipv6 firmware updates.

      Is this even something that we need to worry about?

      All thoughts welcome!!!
      Last edited by Saturday; 25-07-15 at 10:49 AM.


    2. Advertisement
    3. #2
      speedyrite's Avatar
      speedyrite is offline Sky User Member
      Exchange: WMDRO
      Broadband ISP: Sky Fibre Unlimited Pro
      Router: Sky Hub SR101 + Huawei HG612
      Sky TV: NOW TV
      Join Date
      Sep 2006
      Posts
      2,287
      Thanks
      347
      Thanked 154 Times in 148 Posts
      Blog Entries
      1

      Re: The Risks of IPV6 - Sky Routers

      Quote Originally Posted by itsanewlifeforme View Post
      Check your connection:

      My broadband connection provision is ipv4, but my router has been updated to run ipv6 firmware, which is active.

      I think it's worth noting that, at the time of writing, a new firmware is being rolled out that will support IPv6 - BUT, except for a group of trial users, IPv6 has not yet been deployed on the Sky network. So, for the majority of us who have had the update, the firmware is active but IPv6 itself is not active on the WAN connection - effectively it's still IPv4 only. Will be interesting to see how/when they roll out IPv6 connectivity!
      ++ speedyrite ... powered by Sky Broadband since 2007 ++

    4. #3
      Isitme's Avatar
      Isitme is offline Sky User Moderator
      Exchange: Bannockburn
      Broadband ISP: Sky Fibre Unlimited
      Router: Sky Hub SR102
      Sky TV: Sky+ HD
      Join Date
      Dec 2006
      Location
      Central Scotland
      Posts
      34,132
      Thanks
      64
      Thanked 1,641 Times in 1,602 Posts

      Re: The Risks of IPV6 - Sky Routers

      Speedyrite is correct. Not all lines have been enabled for IPv6. Mine is and only fails on the fact that Sky have not yet set up IPv6 DNS servers.

      The Risks of IPV6 - Sky Routers-ipv6.jpg

      Whether there is a security risk, I don't know but rather doubt it.
      speedyrite likes this.

      TomD


      Please note the views and recommendations in my posts are my own and in no way reflect the views of SkyUser.


      Useful Utilites

      http://www.nirsoft.net/utils/wifi_information_view.html/ TCPOptimiser /Test Socket

      Note - When downloading always select the Custom install or you will end up with stuff you don't want.





    5. #4
      gymno's Avatar
      gymno Guest
      Exchange:
      Broadband ISP:
      Router:
      Sky TV:

      Re: The Risks of IPV6 - Sky Routers

      Sagem 2504n users have had IPV6 firmware running since january 2014 & i haven't heard any horror stories yet.
      speedyrite likes this.

    6. #5
      Shonk's Avatar
      Shonk is offline Sky User Member
      Exchange:
      Broadband ISP: Sky Fibre Unlimited Pro
      Router: Asus RT-AC88U
      Sky TV: Sky+ HD
      Join Date
      Mar 2010
      Posts
      1,461
      Thanks
      7
      Thanked 118 Times in 113 Posts

      Re: The Risks of IPV6 - Sky Routers

      Quote Originally Posted by Isitme View Post
      Speedyrite is correct. Not all lines have been enabled for IPv6. Mine is and only fails on the fact that Sky have not yet set up IPv6 DNS servers.

      Click image for larger version. 

Name:	IPv6.JPG 
Views:	626 
Size:	73.8 KB 
ID:	5785

      Whether there is a security risk, I don't know but rather doubt it.
      What latency penalty do you get on the ping test

      Here's my 6in4 as comparison its firewalled at the router and using a 48



      Last edited by Shonk; 25-07-15 at 06:57 AM.

    7. #6
      Shonk's Avatar
      Shonk is offline Sky User Member
      Exchange:
      Broadband ISP: Sky Fibre Unlimited Pro
      Router: Asus RT-AC88U
      Sky TV: Sky+ HD
      Join Date
      Mar 2010
      Posts
      1,461
      Thanks
      7
      Thanked 118 Times in 113 Posts

      Re: The Risks of IPV6 - Sky Routers

      oh and from this sky has an ipv6 firewall

      we are getting allocated a /56
      so total IP addresses 4722366482869645213696

      http://www.ipv6.org.uk/wp-content/up...6Councilc1.pdf
      Last edited by Shonk; 25-07-15 at 10:59 AM.
      speedyrite likes this.

    8. #7
      coipu's Avatar
      coipu is offline Sky User Member
      Exchange: EADER
      Broadband ISP: Sky Fibre Unlimited
      Router: pfSense 2.3.4(i386)
      Sky TV: Cord Cut
      Join Date
      Dec 2012
      Location
      Wherever I lay my VPN
      Posts
      493
      Thanks
      28
      Thanked 35 Times in 33 Posts

      Re: The Risks of IPV6 - Sky Routers

      I rather think there are no horror stories yet because it hasn't been worth naughty people's time yet. Once there are more targets there will be more flaws, history has shown us this much at least.

    9. #8
      gorebrush's Avatar
      gorebrush is offline Sky User Member
      Exchange: UK
      Broadband ISP: Sky Fibre Unlimited Pro
      Router: VM pfSense 2.3.2-RELEASE-p1 on ESX 6
      Sky TV: Sky Q Silver
      Join Date
      Nov 2008
      Location
      UK
      Posts
      1,109
      Thanks
      22
      Thanked 26 Times in 26 Posts

      Re: The Risks of IPV6 - Sky Routers

      To answer the original question "What will I have to change?" I'm 99% sure the answer will be "nothing".

      The only cases users may have problems is when they have devices that cannot support IPv6 on their network interfaces, but I am talking about very old devices.
      Current Sync 79999/19999

     

     

    Tags for this Thread

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •  
    SkyUser - Copyright © 2006-2017. SatDish and NewsreadeR | SkyUser is in no way affiliated with Sky Broadband / BSkyB
    RIPA NOTICE: NO CONSENT IS GIVEN FOR INTERCEPTION OF PAGE TRANSMISSION