Vista and IPv6 6to4 auto-tunneling - Journal of Omnifarious
Oct. 2nd, 2007
09:50 am - Vista and IPv6 6to4 auto-tunneling
Edit 2007-10-05: The information in this post is not completely accurate and it needs some revision.
In looking at the various logs I keep to monitor what's going on on my home network, I've noticed an interesting fact about Vista that I haven't seen published anywhere. This is something of a guess, but it's supported by the increased activity in my logs, the fact that the packets are coming from the US, the User-Agent strings, and the curious and regular form of most of the new IPv6 connections I've been seeing. The fact is that Vista is fairly aggressive in supporting IPv6.
Now, Windows XP is fairly passive about IPv6. Its IPv6 stack isn't enabled out of the box, but once it's installed and the machine sits on a network with other IPv6 nodes and a router advertising a prefix, it will happily pick the prefix up and gain a globally routable IPv6 address. Vista ships with IPv6 enabled by default and goes one step further. If it figures out that it has been assigned a globally routable (public) IPv4 address, it brings up its own 6to4 tunnel interface, so that IPv4 address can be used to route IPv6 packets to it, encapsulated in IPv4 protocol 41, with no help from the local network at all. (Behind a NAT it uses Teredo instead, which tunnels IPv6 over UDP.)
This is slightly worrisome, since the IPv6 packets stuck inside the IPv4 packets are a potential attack vector that may slide past filtering that only looks at the outer IPv4 header and never inspects the inner IPv6 packet. But so far all the machines I've been able to portscan, with some confidence that the computer at the IP I saw was still there, look like they're heavily firewalled. This is better than I expected, but I did notice a different, more worrisome trend.
I expect that what firewall manufacturers will do when they learn of this is just block all IPv4 packets with a protocol field of 41 (0x29), the IPv6-in-IPv4 encapsulation that 6to4 uses, rather than filter the encapsulated IPv6 traffic on its own merits. This is because in most Internet discussions IPv6 is treated either with "it will never happen" or "it's evil and stupid and NAT is enough". Basically, people are afraid of something new and don't want to have to learn it, so it's easier to dismiss it than embrace it.
I have some evidence that this is already happening. I think the Vista-originated 6to4 tunneled packets all have IPv6 addresses of the form 2002:WWXX:YYZZ::WWXX:YYZZ, where WWXX:YYZZ is the host's public IPv4 address written in hex: it appears once in the 6to4 prefix and again as the interface identifier. When I ping the associated IPv4 address I often get a response, but when I ping the IPv6 address I don't. I do get a response in a very small number of cases. My guess is that something is filtering incoming IP packets with a protocol field of 41.
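As an added example (this is not code from the original post), here is a small Python script that does the address arithmetic described above the way one would when going through web server logs: it pulls the embedded IPv4 address out of a 2002::/16 address, flags the Windows-style form where that IPv4 address is repeated as the interface identifier, builds the matching ip6.arpa name for the kind of PTR lookups mentioned in the links below, and, going one step beyond the post, also tags Teredo (2001::/32) sources, Vista's other automatic tunnel. The sample log addresses are constructed from documentation ranges (192.0.2.4 is not a real host) and the function names are my own.

```python
import ipaddress

# 6to4 (RFC 3056) puts the host's public IPv4 address WWXX:YYZZ into the
# prefix 2002:WWXX:YYZZ::/48.  Windows hosts additionally use that same
# IPv4 address as the low 32 bits of the interface identifier, giving
# 2002:WWXX:YYZZ::WWXX:YYZZ.
SIXTOFOUR = ipaddress.ip_network("2002::/16")
TEREDO = ipaddress.ip_network("2001::/32")  # Vista's other auto-tunnel: IPv6 over UDP

# IPv4 ranges that can never be a 6to4 endpoint (not globally routable).
NOT_6TO4_CAPABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]

# Constructed sample of IPv6 client addresses of the kind seen in a web
# server log; 192.0.2.4 is a documentation address, not a real host.
SAMPLE_LOG_SOURCES = [
    "2002:c000:0204::c000:0204",             # Windows-style 6to4 host
    "2002:c000:0204:1:211:22ff:fe33:4455",   # 6to4 site behind a 6to4 router, EUI-64 host part
    "2001:db8::1",                           # native IPv6
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",  # Teredo
    "not-an-address",                        # garbage in the log
]


def is_6to4_capable(ipv4: str) -> bool:
    """True if the IPv4 address could legitimately be a 6to4 endpoint."""
    v4 = ipaddress.IPv4Address(ipv4)
    return not any(v4 in net for net in NOT_6TO4_CAPABLE)


def ipv4_to_6to4(ipv4: str) -> ipaddress.IPv6Address:
    """Build the Windows-style 6to4 host address for a public IPv4 address."""
    if not is_6to4_capable(ipv4):
        raise ValueError(f"{ipv4} is not globally routable, so it cannot be a 6to4 endpoint")
    v4int = int(ipaddress.IPv4Address(ipv4))
    # bits 127..112 = 0x2002, bits 111..80 = IPv4, bits 79..64 = SLA ID (0),
    # bits 63..0 = interface ID (the IPv4 address again, as Windows does it)
    return ipaddress.IPv6Address((0x2002 << 112) | (v4int << 80) | v4int)


def decode_6to4(text: str):
    """Return (embedded IPv4, is_windows_style) for a 6to4 address, else None.

    is_windows_style is True when the SLA ID is zero and the interface ID is
    the embedded IPv4 address, the pattern the post attributes to Vista."""
    try:
        v6 = ipaddress.IPv6Address(text)
    except ValueError:
        return None
    if v6 not in SIXTOFOUR:
        return None
    v6int = int(v6)
    embedded = ipaddress.IPv4Address((v6int >> 80) & 0xFFFFFFFF)
    assert embedded == v6.sixtofour  # cross-check against the stdlib's own decoder
    sla_id = (v6int >> 64) & 0xFFFF
    iface_id = v6int & 0xFFFFFFFFFFFFFFFF
    return embedded, (sla_id == 0 and iface_id == int(embedded))


def ip6_arpa_name(v6: ipaddress.IPv6Address) -> str:
    """Reverse-DNS owner name for an IPv6 address: one label per nibble,
    least significant first, under ip6.arpa.  A 6to4 PTR nameserver has to
    answer for names of this shape under 2.0.0.2.ip6.arpa."""
    nibbles = v6.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def classify_sources(sources):
    """Tag each logged source so that 6to4 hosts (whose reachability depends
    on protocol 41 getting through) can be told apart from native IPv6."""
    result = {}
    for src in sources:
        decoded = decode_6to4(src)
        if decoded is not None:
            embedded, windows_style = decoded
            kind = "6to4-windows-host" if windows_style else "6to4"
            result[src] = (kind, str(embedded))
            continue
        try:
            v6 = ipaddress.IPv6Address(src)
        except ValueError:
            result[src] = ("invalid", None)
            continue
        result[src] = ("teredo" if v6 in TEREDO else "native", None)
    return result


if __name__ == "__main__":
    for src, (kind, v4) in classify_sources(SAMPLE_LOG_SOURCES).items():
        print(f"{src:40} {kind:18} {v4 or ''}")
    host = ipv4_to_6to4("192.0.2.4")
    print(host, ip6_arpa_name(host))
```

For each source tagged 6to4, pinging the returned IPv4 address and the IPv6 address separately, as described above, tells you whether protocol 41 is being dropped somewhere on the path; a 6to4 host that answers on IPv4 but not on IPv6 is the symptom the post is describing.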
This means that whenever such computers try to visit my website (which has an IPv6 address, so the browser will try it first), they will likely get absolutely nothing in response, or a long wait until the browser gives up on IPv6 and falls back to IPv4.
This is actively hostile and wrong. IPv6 is happening. Learn it and get used to it. Fix your broken hardware and software. The specs have been relatively stable for the base protocol now for more than 4 years. There is no excuse for not knowing something about it.
- The TCP/IP Guide is a ridiculously comprehensive book and includes these bits of info:
- A whole section on IPv6: Internet Protocol Version 6 (IPv6) / IP Next Generation (IPng) (IPng was the old name for IPv6)
- And in specific, this very helpful chapter: IPv6 Global Unicast Address Format
- This Wikipedia entry on 6to4 (IPv6 inside IPv4), though this isn't all that great.
- This Cisco page on 6to4 gateway routers, which is fairly decent but has no real overview, just an explosion of technical details. It does talk about what ISPs should do to better support IPv6, though, so that's helpful.
- The Number Resource Organization maintains a helpful page that allows you to set up a nice nameserver for doing PTR lookups of your 6to4 IPv6 addresses. Here is a link using their name: http://6to4.nro.net/. If you're running IPv6, your browser should be smart enough to go to the IPv6 version first. If it isn't, this IPv6 link should work: http://[2001:dc0:2001:7:2d0:b7ff:feb7:f7f9]/.
In fact, that's a big problem with the IPv6 documentation in general: no pictures, no overview, just an explosion of technical detail. There are some sites with an overview put up by the IPv6 task force, but they are so badly designed I don't want to link to them for fear of crashing someone's browser with the evilness.