Vista and IPv6 6to4 auto-tunneling - Journal of Omnifarious

Oct. 2nd, 2007

09:50 am - Vista and IPv6 6to4 auto-tunneling

Edit 2007-10-05: The information in this post is not completely accurate and it needs some revision.

In looking at the various logs I keep to monitor what's going on on my home network, I've noticed an interesting fact about Vista that I haven't seen published anywhere. This is something of a guess, but it's supported by the increased activity in my logs, the fact the packets are coming from the US, the User-Agent strings and the curious and regular form of most of the new IPv6 connections I've been seeing. This fact is that Vista is fairly aggressive in supporting IPv6.

Now, Windows XP supports IPv6 fairly passively right out of the box. If you put it on a network with other nodes that speak IPv6 and a router or DHCPv6 server advertising a prefix, it will happily pick it up and gain a globally routable IPv6 address. But Vista goes one step further. If it figures out that it's been assigned a globally routable IPv4 address, it sets up its own 6to4 tunnel so its IPv4 address can be used to route IPv6 packets to it.

This is slightly worrisome, as the IPv6 packets stuck inside the IPv4 packets represent a potential attack vector that may slide by all the filtering. But so far, all the machines I've been able to portscan (with some confidence that the computer at the IP I saw was still there) look like they're heavily firewalled. This is better than I expected, but I did notice a different, more worrisome trend.

I expect that what firewall manufacturers will do when they learn of this is just block all IP packets with a protocol field of 41 (0x29), the IPv6 in IPv4 protocol. This is because in most Internet discussions IPv6 is treated either with "it will never happen" or "it's evil and stupid and NAT is enough". Basically, people are afraid of something new and don't want to have to learn it, so it's easier to dismiss it than embrace it.

I have some evidence that this is already happening. I think the Vista-originated 6to4 tunneled packets all have IPv6 addresses of the form 2002:hexip_upper16:hexip_lower16::hexip_upper16:hexip_lower16. When I ping the associated IPv4 address I often get a response, but when I ping the IPv6 address I don't. But I do get a response in a very small number of cases. My guess is that something is filtering incoming IP packets with a protocol field of 41.
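
An added example, not part of the original post: a Python sketch that sorts client addresses from a log into 6to4 and non-6to4, flags the 2002:hexip_upper16:hexip_lower16::hexip_upper16:hexip_lower16 form described above, and recovers the embedded IPv4 address. The log layout (client address as the first field), the category names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample log lines (assumed layout: client address is the first
# field). Addresses are from documentation ranges, not from the post's logs.
SAMPLE_LOG = """\
2002:c000:201::c000:201 "GET / HTTP/1.1" 200 "MSIE 7.0; Windows NT 6.0"
2002:c633:6407:1:21a:2bff:fe3c:4d5e "GET / HTTP/1.1" 200 "X11; Linux i686"
2001:db8::1 "GET /feed HTTP/1.1" 200 "curl"
192.0.2.55 "GET / HTTP/1.1" 200 "MSIE 6.0; Windows NT 5.1"
- "malformed line"
"""

def classify(addr):
    """Return (category, embedded IPv4 or None) for one client address."""
    ip = ipaddress.ip_address(addr)        # ValueError on non-addresses
    if ip.version == 4:
        return "ipv4", None
    v4 = ip.sixtofour                      # None outside 2002::/16
    if v4 is None:
        return "ipv6_other", None
    n = int(ip)
    low32 = n & 0xFFFFFFFF                 # last two 16-bit groups
    middle48 = (n >> 32) & 0xFFFFFFFFFFFF  # subnet ID + upper half of interface ID
    if middle48 == 0 and low32 == int(v4):
        return "6to4_v4_in_iid", v4        # the 2002:hi:lo::hi:lo form
    return "6to4_other", v4

def summarize(log_text):
    """Count categories and list (IPv6, embedded IPv4) pairs of the flagged form."""
    counts, flagged = Counter(), []
    for line in log_text.splitlines():
        fields = line.split(None, 1)
        if not fields:
            continue
        try:
            category, v4 = classify(fields[0])
        except ValueError:
            counts["unparsed"] += 1        # keep going past junk lines
            continue
        counts[category] += 1
        if category == "6to4_v4_in_iid":
            flagged.append((fields[0], str(v4)))
    return counts, flagged

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG)
    print(dict(counts))
    for v6, v4 in flagged:
        print(f"{v6} embeds {v4}")
```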

This means that whenever such computers try to visit my website (which has an IPv6 address) they will likely get absolutely nothing in response, or a long wait until the browser decides to fall back to IPv4.

This is actively hostile and wrong. IPv6 is happening. Learn it and get used to it. Fix your broken hardware and software. The specs have been relatively stable for the base protocol now for more than 4 years. There is no excuse for not knowing something about it.

Useful links

In fact, that's a big problem here. No pictures, no overview, just an explosion of technical detail. There are some sites that have an overview that are put up by the IPv6 task force, but they are so badly designed I don't want to link to them for fear of crashing someone's browser with the evilness.

Current Mood: contemplative
Current Music: Dyna - Other Side


Date:October 2nd, 2007 08:51 pm (UTC)
Interesting...I had heard of the IPng but didn't know about IPv6. Thanks for the info.
Date:October 3rd, 2007 06:13 pm (UTC)
Not only supporting it, but actively and rapidly patching security vulns. I know I wrote at least one IPv6 bulletin.
Date:October 3rd, 2007 07:14 pm (UTC)

Interesting. I've been thinking of trying to write a power-user friendly write-up of IPv6 in general and 6to4 tunneling in specific. Was any of the information in this helpful to you?
