The Risks of IPV6 - Sky Routers

[itsanewlifeforme]

If you want your router to continue performing as an effective Hardware firewall, this discussion is for you.

This post is intended to promote discussion and the 'fleshing out' of a very important topic - maintaining the firewall security as provided by your sky router.

Sky routers were effective hardware firewalls whilst on the previous ipv4 firmware. Now that sky are transitioning to ipv6 (forced firmware updates - ipv6 settings - activated) I am asking:

Might we need to change any of the settings on the router - to ensure we maintain the same level of router level firewall security, for our home routers?

[Myself - I am on adsl - sky unlimited - Sr102]



Check your connection:

IPv6 test - IPv6/4 connectivity and speed test

My broadband connection provision is ipv4, but my router has been updated to run ipv6 firmware, which is active.



Switch Security Blog - IPv6 insecurities on “IPv4-only” networks. 26/08/2014.

IPv6 insecurities on “IPv4-only” networks | SWITCH Security-Blog

"Food for thought. These are just three examples that show how IPv6 can affect your network security, even though you have never consciously deployed IPv6. Are you sure your firewalls filter (tunnelled) IPv6 traffic?"



Sophos - Why IPv6 Matters for Your Security - By James Lyne, Head of Global Security Research

https://www.sophos.com/en-us/securit...h-to-ipv6.aspx

"Don’t enable IPv6 until you’re fully ready. Many platforms come with IPv6 enabled by default, but make sure it’s switched off until properly configured. Many current firewalls focus exclusively on IPv4 and will not filter IPv6 traffic at all—leaving systems completely exposed. Disable unnecessary services and check the ports and protocols used by the services you need. Running IPv6 by default could allow attackers to bypass security controls and wreak havoc."



Searchsecuirty: Address IPv6 security before your time runs out

Address IPv6 security before your time runs out

"Secondly, IPv4 and IPv6 will co-exist for some time, so it will become common for allegedly “IPv4-only” nodes to communicate with IPv6 nodes through the aid of transition or co-existence technologies. This means attackers can more easily obfuscate attacks using IPv4 and IPv6."



Statetech Magazine: How to Protect Upgraded IPv6 Networks - Be aware that the protocol presents different security concerns than its predecessor. Sep 17,2003.

How to Protect Upgraded IPv6 Networks | StateTech Magazine

"4.(sic) Compensate for the loss of Network Address Translation.Network Address Translation (NAT) is a commonly used IPv4 network technology that, as a side effect of its function, provides a layer of protection in front of IPv4-enabled devices by concealing them from direct contact with external networks. Unfortunately, because there's no counterpart to NAT in IPv6 devices, those that were previously protected by NAT may now be directly exposed to attack. This is particularly true on home networks where there are no other perimeter security controls in place. To mitigate this, ensure that any device running IPv6 is protected by a host-based or network-based firewall, at a minimum, that blocks unwanted incoming traffic."

"1. Recognize the risks of dual-stack configurations. In a dual-stack configuration, a device simultaneously supports IPv4 and IPv6. Firewall rule sets and other security controls that stop unwanted IPv4 traffic are unlikely to be effective at stopping any IPv6 traffic..."

"2. Disable and block IPv6 where it's not needed."

"Limit the permitted forms of IPv6 tunneling. Tunneling encapsulates IPv6 packets within IPv4 packets. Each permitted form of IPv6 tunneling presents an additional attack vector and can conceal traffic from security examination."



arstechnica: Filtering out the bad guys

IPv6 firewalling knows no middle ground | Ars Technica

"If you have a router or home gateway that supports IPv6, make sure that it, too, filters IPv6. A stateful filter that allows outgoing connections and return traffic, but not incoming connections is closest to the IPv4 NAT filtering functionality."

"To implement simple security for IPv6 in, for example, a DSL- or Cable Modem-connected home network, the broadband gateway/router should be equipped with stateful firewall capabilities. These should provide a default configuration where incoming traffic is limited to return traffic resulting from outgoing packets (sometimes known as reflective session state). There should also be an easy interface which allows users to create inbound 'pinholes' for specific purposes such as online-gaming."



Avast Security Blog:

https://blog.avast.com/tag/avast-2015/

A.{Second Post - Nov 29th, 2014}:

"In fact, a proper IPv6 firewall requires quite some processing power and RAM, so it’s no wonder that many of the cheap routers don’t have that functionality at all (or it’s not working properly).

The remediation is relatively simple: Just disable IPv6 on the router. In most cases, this shouldn’t have any impact on other services, unless they require IPv6 (in which case, it would be good to replace the router with something better which is IPv6 certified)."

B.{Seventh Post - Nov 4th, 2014}

"5. Devices on your network are accessible from internet. This happens when Internet Protocol version 6 (IPv6 ) is enabled on the router and the devices get IPv6 addresses that are not firewalled. The problem is not primarily in the protocol, but in the router, which is not able to secure the devices with these addresses."

So given sky is still running an ipv4 only provision - should we be changing anything on our routers - e.g disabling ipv6 - until the isp is using it exclusively? How can we maintain the level of security - provided by our routers - before the ipv6 firmware updates.

Is this even something that we need to worry about?

All thoughts welcome!!!

[speedyrite]

Check your connection:

My broadband connection provision is ipv4, but my router has been updated to run ipv6 firmware, which is active.

I think it's worth noting that, at the time of writing, a new firmware is being rolled out that will support IPv6 - BUT, except for a group of trial users, IPv6 has not yet been deployed on the Sky network. So, for the majority of us who have had the update, the firmware is active but IPv6 itself is not active on the WAN connection - effectively it's still IPv4 only. Will be interesting to see how/when they roll out IPv6 connectivity!

[Isitme]

Speedyrite is correct. Not all lines have been enabled for IPv6. Mine is and only fails on the fact that Sky have not yet set up IPv6 DNS servers.



Whether there is a security risk, I don't know but rather doubt it.

[gymno]

Sagem 2504n users have had IPV6 firmware running since january 2014 & i haven't heard any horror stories yet.

[Shonk]

Speedyrite is correct. Not all lines have been enabled for IPv6. Mine is and only fails on the fact that Sky have not yet set up IPv6 DNS servers.



Whether there is a security risk, I don't know but rather doubt it.

What latency penalty do you get on the ping test

Here's my 6in4 as comparison its firewalled at the router and using a 48

[Shonk]

oh and from this sky has an ipv6 firewall

we are getting allocated a /56
so total IP addresses 4722366482869645213696

http://www.ipv6.org.uk/wp-content/up...6Councilc1.pdf

[coipu]

I rather think there are no horror stories yet because it hasn't been worth naughty people's time yet. Once there are more targets there will be more flaws, history has shown us this much at least.

[gorebrush]

To answer the original question "What will I have to change?" I'm 99% sure the answer will be "nothing".

The only cases users may have problems is when they have devices that cannot support IPv6 on their network interfaces, but I am talking about very old devices.