• Lemminary@lemmy.world · 107 up, 1 down · 5 months ago

    Hah! Joke’s on you. I accidentally restarted my PC and updated it without wanting to.

    • Trainguyrom@reddthat.com · 29 up, 1 down · 5 months ago

      IPv6 genuinely made some really good decisions in its design, but I do question the default “no NAT, no private network prefixes” mentality since that’s not going to work so well for average Janes and Joes

        • pivot_root@lemmy.world · 29 up, 1 down · 5 months ago (edited)

        No NAT doesn’t mean no firewall. It just means that you both don’t have to deal with NAT fuckery or the various hacks meant to punch a hole through it.

        Behind NAT, hosting multiple instances of some service that uses fixed port numbers requires a load-balancer or proxy that supports virtual hosts. Behind CGNAT, good luck hosting anything.

        For “just works” peer to peer services like playing an online co-op game with a friend, users can’t be expected to understand what port forwarding is, let alone how it works. So, we have UPnP for that… except, it doesn’t work behind double NAT, and it’s a gaping security hole because you can expose arbitrary ports of other devices if the router isn’t set up to ignore those requests.

          • ᕙ(⇀‸↼‶)ᕗ@lemm.ee · 2 up · 5 months ago

          Can you tell me if any device in an IPv6 LAN can just assign itself more IPv6 addresses and thereby bypass any fw rule?

            • pivot_root@lemmy.world · 7 up · 5 months ago (edited)

            IPv6 has two main types of non-broadcast addresses to think about: link-local (fe80::) and public.

            A device can self-assign a link-local address, but it only provides direct access to other devices connected to the same physical network. This would be used for peer discovery, such as asking every device if they are capable of acting as a router.

            Once it finds the router, there are two ways it can get an IP address that can reach the wider internet: SLAAC and DHCPv6. SLAAC involves the device picking its own unique address from the block of addresses the router advertises itself as owning, which is likely what you’re concerned about. One option for ensuring a device can’t just pick a different address and pretend to be a new device is by giving it a subset of the router’s full public address space to work with, so no matter what address it picks, it always picks something within a range exclusively assigned to it.

            Edit: I butchered the explanation by trying to simplify it. Rewrote it to try again.
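The SLAAC mechanics described above (a host forming its own address inside the router's advertised /64, and the point made further down that the classic SLAAC address is derived from the MAC) are easy to see in code. The following is an added example, not something any poster in this thread wrote; the prefix `2001:db8:1234:5678::/64` and the MAC `00:11:22:33:44:55` are constructed sample values. It forms the stable EUI-64 address, recovers the MAC from it (which is why RFC 4941 temporary addresses exist), generates a temporary address, and shows that a rule keyed on the delegated prefix covers both.

```python
import ipaddress
import secrets

# Constructed sample values, not taken from the thread: a /64 the router
# would advertise in its RA, and one device's MAC address.
PREFIX = "2001:db8:1234:5678::/64"
SAMPLE_MAC = "00:11:22:33:44:55"


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A):
    split the 48-bit MAC, insert ff:fe in the middle, flip the U/L bit."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> str:
    """The stable SLAAC address a host forms from the advertised /64 + EUI-64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a 64-bit prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def mac_from_eui64(addr: str) -> str:
    """Reverse of the above: an EUI-64 address reveals the hardware address,
    which is the privacy problem RFC 4941 temporary addresses address."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("not an EUI-64 interface identifier")
    first = iid[0] ^ 0x02
    return ":".join(f"{b:02x}" for b in bytes([first]) + iid[1:3] + iid[5:])


def temporary_address(prefix: str) -> str:
    """RFC 4941-style temporary address: same /64, random 64-bit IID."""
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Address(int(net.network_address) | secrets.randbits(64)))


def in_prefix(addr: str, prefix: str) -> bool:
    """A firewall rule keyed on the delegated prefix covers every address a
    host can self-assign, stable or temporary."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(prefix)


def interface_ids_in_prefix(prefix: str) -> int:
    """Number of possible host addresses inside the prefix (2**64 for a /64)."""
    return 2 ** (128 - ipaddress.IPv6Network(prefix).prefixlen)


if __name__ == "__main__":
    stable = slaac_address(PREFIX, SAMPLE_MAC)
    temp = temporary_address(PREFIX)
    print("stable SLAAC address:", stable, "-> MAC", mac_from_eui64(stable))
    print("temporary address:   ", temp)
    print("both inside", PREFIX, ":", in_prefix(stable, PREFIX) and in_prefix(temp, PREFIX))
    print("host addresses inside the /64:", interface_ids_in_prefix(PREFIX))
```

The takeaway for the firewall question: whether a host uses its EUI-64 address or a fresh temporary one, it cannot leave the /64 the router advertised, so a rule written against the prefix rather than against individual addresses already accounts for self-assigned addresses.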

              • r00ty@kbin.life · 6 up · 5 months ago

              In most cases, the router advertises the prefix, and the devices choose their own IPv6. Unless you run DHCPv6 (which really no-one does in reality, I don’t even think Android will use it if present).

              It doesn’t allow firewall bypass though, as the other commenter noted.

                  • r00ty@kbin.life · 2 up · 5 months ago

                  Best thing to do to test the firewall is run some kind of server and try to connect to your ipv6 on that port.

                  Like I’ve said in other posts, routers really should block incoming connections by default. But it’s not always the case that they do.

                • Trainguyrom@reddthat.com · 1 up · 5 months ago

                Unless you run DHCPv6 (which really no-one does in reality)

                Question for you since I have very little real world IPv6 experience: generally you can provide a lot of useful network information to clients via DHCP, such as the DNS server, autoconfig info for IP phones, etc. How does a network operator ensure that clients get this information if it’s not using DHCPv6?

                  • r00ty@kbin.life · 1 up · 5 months ago

                  You can include some information in router advertisements, likely there will be RFCs for more. Not sure of the full list of stuff you can advertise.

                  For sure I’m quite sure I had dns servers configured this way. I’ll check when not on a phone to see what options there are.

                • pivot_root@lemmy.world · 1 up · 5 months ago

                Yeah, I butchered my answer by trying to simplify the process. I rewrote it in a hopefully more accurate but still simple to understand way.

                  • r00ty@kbin.life · 2 up, 1 down · 5 months ago

                  Yep, it’s all good. In my opinion, IPv6 routers should just be dropping incoming connections by default. If you want to run services you give your machine a static IPv6 and open ports on that IP/port specifically. It’s actually easier than NAT because you don’t need to translate ports and each IP can use the same ports (multiple web servers on 80/443).

                • Blaster M@lemmy.world · 1 up · 5 months ago (edited)

                DHCPv6 is very much in use with large ISPs. SLAAC only lets you get a single /64 (one network) from the ISP, but if you use DHCPv6, which is also provided ISP side, you can often request a /60 to get you 16 networks to use. Also, DHCPv6 doesn’t base the IPv6 address off the MAC address like SLAAC does, so it is better for device privacy.

                Why Android does not support DHCPv6 is beyond me. It’s honestly quite ridiculous as it makes configuring LAN-side DNS and other things a lot easier.

                  • r00ty@kbin.life · 1 up · 5 months ago

                  DHCPv6-PD is used by ISPs for prefix delegation, which most routers support now (not so when my ISP first started with it).

                  But for advertising prefixes on a lan most networks use router adverts.

                  They’re different use cases though.

              • r00ty@kbin.life · 4 up · 5 months ago

              Honestly, I think most fear of IPv6 is just borne out of ignorance and assigning their understanding of IPv4 onto IPv6 and making assumptions.

                • pivot_root@lemmy.world · 2 up · 5 months ago

                assigning their understanding of IPv4 onto IPv6 and making assumptions.

                This is also what makes it more difficult to learn, unfortunately.

                  • r00ty@kbin.life · 1 up, 1 down · 5 months ago

                  That’s true. But there are not many differences. It’s just, the differences there are, are crucial to understanding it.

              • ᕙ(⇀‸↼‶)ᕗ@lemm.ee · 2 up · 5 months ago

              So back to the beginning of this thread: IPv6 in home LANs is likely to be unsafe due to the defaults in some/many/most routers? And those IPv6 devices can in these scenarios escalate their permissions by spawning new IP addresses that would overcome lazy output fw rules?

              thanks for all the explaining here so far!

              Or if I upload a malicious APK to some smart TV and have it spawn a DHCPv6 server and then spawn a new virtual device that would be given an IP by my fake DHCPv6 to bypass. And we all can use macaddresschanger.

              So you say with MAC filtering the router would still prevent unwanted direct connections between my C&C server and some malicious virtual device? That’d be cool, but I don’t understand how.

                • 2xsaiko@discuss.tchncs.de · 1 up · 5 months ago

                > IPv6 in home LANs is likely to be unsafe due to the defaults in some/many/most routers?

                no

                > and those IPv6 devices can in these scenarios escalate their permissions by spawning new IP addresses

                yes and this is not “escalating their permissions”, it is in fact the expected behavior with Privacy Extensions (RFC 4941) where devices will probably have multiple addresses at the same time that are used for outgoing connections

                > that would overcome lazy output fw rules?

                any router that doesn’t have deny as the default rule for WAN->LAN traffic (probably not many) is trash, and if you’re filtering LAN->WAN traffic (not really usual for a home network) then you want default deny there too, but at that point that is not an ipv6 problem

                > Or if I upload a malicious APK to some smart TV and have it spawn a DHCPv6 server and then spawn a new virtual device that would be given an IP by my fake DHCPv6 to bypass. And we all can use macaddresschanger.

                Rogue DHCP is not an IPv6 exclusive problem.

                > So you say with MAC filtering the router would still prevent unwanted direct connections between my C&C server and some malicious virtual device? That’d be cool, but I don’t understand how.

                Yes, firewall rules can work based on MAC addresses, not sure exactly what you mean.

          • Trainguyrom@reddthat.com · 2 up · 5 months ago

          Honestly the more I think about it the more I realize I’m wrong. I was thinking someone could enable a server on their client device without realizing it but the firewall on the router would still need to be modified in that situation, and anything not requiring firewall modifications would be just as much of a security hole on IPv4

            • Encrypt-Keeper@lemmy.world · 2 up · 5 months ago (edited)

            Yeah it’s a common trip up. We’re all so used to the way that things are done in IPv4 that our natural response is to try and apply IPv4 logic to IPv6, but you’re absolutely right.

            Many people think NAT is a security feature but that’s only a coincidence and it doesn’t do anything a firewall doesn’t already do. And if we take it one step further we can actually see that a firewall and IPv6 is actually more secure than NAT. The only inherent risk of port forwarding in NAT is that the IP you’re forwarding to is ultimately arbitrary. Think, have a port open to SMB for a publicly accessible file sharing container, then later ditching it and via DHCP your laptop picks up that old IP and now voila you’ve technically exposed your laptop. It’s not quite that simple but that’s the essence of it.

            But with IPv6, IPs are no longer arbitrary. When you allow access in certain ports to a certain machine and that machine goes away, that rule will always only allow access to nowhere.

          • Blackmist@feddit.uk · 2 up · 5 months ago

          Not the person you were replying to, but I was there when we had modems and raw-dogged the internet.

          The average person clicks “Yes” on everything without reading it, has no idea what a firewall is, and they never update anything unless it does it without asking.

          Having things accessible from outside your network is great if you’re a network nerd and that’s what you want, but most people are going to be in a world of unprotected shit. Especially in a world of pointlessly online devices. I don’t trust any of those fuckers to have their shit in order.

            • pivot_root@lemmy.world · 3 up · 5 months ago

            I would assume/hope the default setting for a consumer router would still be to drop incoming connections. That should suffice for the average person as long as ISPs don’t make it easy to disable that without actually understanding what the consequences are.

              • Blackmist@feddit.uk · 1 up · 5 months ago

              I would also assume that to be the default, but unfortunately the first Google search for “why doesn’t my smart fridge work from my phone when I leave the house” will be a set of instructions for turning that feature off.

              NATs and port forwarding are annoying, but they’re also very manual, and only let you fuck up one device at a time.

                • Blaster M@lemmy.world · 3 up · 5 months ago

                Then the instructions are bad. They should be how to open the firewall port for that device, which is almost the same as setting a NAT port forward, with the same limitation of only exposing one device.

                  • Blackmist@feddit.uk · 1 up · 5 months ago

                  Yeah, but that’s going to involve knowing what the device is called on the router, or knowing what the address is.

                  I’m afraid the great age of computer literacy has come and gone.

                  If anything it makes me want routers to not even allow a blanket whitelist for all devices…

        • r00ty@kbin.life · 2 up · 5 months ago

        Routers simply need to block incoming unestablished packets (all modern routers allow for this) to replicate NAT security without NAT translation. Then you just punch holes through on IP addresses and ports you want to run services on and be done with it.

        Now, some home routers aren’t doing this by default, but they absolutely should be. That’s just router software designers being bad, not IPv6’s fault, and would get ironed out pretty quick if there was mass adoption and IPv4 became the secondary system.

        To be clear, this is not a reason not to be adopting IPv6.
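The policy described in this post ("block incoming unestablished packets, then punch holes on the specific address and port") written out as an nftables ruleset for a Linux-based router. This is an added example and not configuration from anyone in the thread; the interface names `wan0` and `lan0` and the host address `2001:db8:1234:5678::80` are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: stateful IPv6 forwarding policy for a home router.
# Interface names (wan0, lan0) and the host address are assumptions.
table ip6 router {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that LAN hosts opened are allowed back in;
        # this is the part that "replicates NAT security" without translation.
        ct state established,related accept
        ct state invalid drop

        # Everything LAN hosts originate towards the internet is allowed.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 error types that must pass for IPv6 to work at all
        # (path MTU discovery, unreachable reporting).
        iifname "wan0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # Explicit hole: one host, two ports, the IPv6 equivalent of a NAT
        # port forward. Nothing else unsolicited from wan0 reaches the LAN.
        iifname "wan0" ip6 daddr 2001:db8:1234:5678::80 tcp dport { 80, 443 } accept
    }
}
```

Because the `forward` chain's policy is `drop`, adding a second web server on a different address is just one more `ip6 daddr ... tcp dport { 80, 443 } accept` line; both hosts keep ports 80 and 443, which is the "no port translation" advantage the post mentions.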

          • Archer@lemmy.world · 1 up · 5 months ago

          > Routers simply need to block incoming unestablished packets

          This is called a firewall

      • Joelk111@lemmy.world · 20 up, 1 down · 5 months ago (edited)

      As a tech nerd who self hosts stuff, I’m more like “what is IPV6 and why is it causing me issues, I can’t figure this out, I guess I’ll disable it, wow my problems are fixed now.” I guess I can see why people don’t like it, as it’s caused me issues, but just because I don’t understand it doesn’t mean it’s dumb. I’d need to understand how it works before I could say it’s dumb.

      I should probably spend the time to learn about it, but I already have a full time job where I work on computers all day, I’d rather focus on my other hobbies while I’m at home.

        • pivot_root@lemmy.world · 4 up, 1 down · 5 months ago

        It’s not terribly difficult to learn when you avoid trying to relate it to IPv4 concepts. Particularly: forget about LAN addresses and NAT, and instead think about a large block of public addresses being subdivided between local devices.

          • lightnsfw@reddthat.com · 4 up · 5 months ago

          > instead think about a large block of public addresses being subdivided between local devices.

          Thinking about all my devices being exposed like that gives me the heebie jeebies. One public facing address hiding everything else on a private network is much less frightening to my monkey brain.

            • Blaster M@lemmy.world · 5 up · 5 months ago

            This is what a firewall is for. Blocks inbound to the whole subnet space. Better than a NAT, which can open a port through STUN or simply a malformed packet.

        • Daemon Silverstein@thelemmy.club · 2 up · 5 months ago

        Back in the days I had an ISP that offered me IPv6 network, it was really easy to self host things over the internet, because IPv6 is unique to all devices, so the server had its own IPv6 global address, which I could access from anywhere with IPv6 connectivity. No more dealing with port forwarding (considering that the ISP didn’t block the forwarding of ports). Just a firewall setting and voila, the service was accessible. It’s that simple.

      • yeehaw@lemmy.ca · 10 up, 18 down · 5 months ago

      Ye fuck ipv6 lol. I still have no need to move to it lol.

        • SRo@lemmy.dbzer0.com · 16 up, 3 down · 5 months ago

        IP4 is running out, that’s the problem. Or better, IP4 is hoarded by companies and they don’t give them up. The insane amount of network devices every human being uses on a daily basis doesn’t make the situation better. It exploded the last 10 years and only gets worse. The fuckery ISPs are doing to solve it without IP6 is insane, fuck cgnats and co. The whole networking world would be so much better to get it over with and adopt IP6 everywhere and let the hoarders drown in their mountain of IP4.

          • lightnsfw@reddthat.com · 2 up · 5 months ago

          My ISP gave me an IPv6 router. I have it bridged (or whatever the right term is) to another router that serves IPv4 addresses to all my devices. Worked well so far with the added bonus that the ISP can’t see what’s going on within my network.

          • yeehaw@lemmy.ca · 7 up, 8 down · 5 months ago

          Old tale, I know, but just cause v4 is running out on the internet it doesn’t stop anyone from using it in their homes. I manage some ASNs on the internet. I have no need yet to worry about implementing v6 on the inside.

            • Serinus@lemmy.world · 8 up, 1 down · 5 months ago

            The thing is that if IPv6 were actually adopted, it would be straight up better. For everyone. It’s easier to use if it’s all the networking instead of just a niche case.

                • r00ty@kbin.life · 1 up · 5 months ago

                It’s really not though. ISPs are a problem, but every hosting provider I’ve used has offered IPv6. It’s really trivial to set up IPv6 name DNS, and host a website on both IPv4 and IPv6. I just do it by default now.

                Once it becomes the default to deploy to both, if IPv4 died then the IPv6 side would just keep working.

                For DNS, you can make a single glue record contain an IPv4 and IPv6 address.
                DNS just needs A and AAAA records for the Name servers. NS records still point to the hostname as normal.

                For Web servers, the web server just needs to bind to the IPv6 address(es). Then in DNS just have an A and AAAA record for each website hostname. The server name directives will cover both.

                There really isn’t much to it right now. The technology is mature now. It used to be a pain, but now it isn’t.
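The dual-stack DNS setup this post describes (A and AAAA glue for the name server, A and AAAA for each website hostname, NS records pointing at the hostname as usual) as a BIND-style zone fragment. This is an added example, not a zone from the poster; `example.com`, the `192.0.2.0/24` and `2001:db8::/32` addresses are documentation ranges used as constructed sample values, and the serial is invented.

```zone
$ORIGIN example.com.
$TTL 3600
; Added example: one zone served and reachable over both IPv4 and IPv6.
; All addresses below are documentation-range sample values.
@       IN  SOA   ns1.example.com. hostmaster.example.com. (
                    2024081501  ; serial (constructed)
                    7200        ; refresh
                    3600        ; retry
                    1209600     ; expire
                    3600 )      ; negative-cache TTL

; NS still points at a hostname; the glue below gives that hostname
; both an IPv4 and an IPv6 address, so IPv6-only resolvers can reach it.
@       IN  NS    ns1.example.com.
ns1     IN  A     192.0.2.53
ns1     IN  AAAA  2001:db8:53::53

; Each website hostname gets an A and an AAAA record; the web server's
; name-based virtual hosts serve both families from the same config.
www     IN  A     192.0.2.80
www     IN  AAAA  2001:db8:1234:5678::80
```

The web server side is the other half of the post: it must bind to the IPv6 address (or to `::` for all addresses) in addition to IPv4, otherwise AAAA lookups succeed but connections over IPv6 are refused, which clients then fall back from only after a delay.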

  • M0oP0o@mander.xyz · 53 up, 12 down · 5 months ago

    “Compromises all devices running … an IPv6 address.”

    Oh so no one is affected. (other than network nerds, and they are not real)

    • froh42@lemmy.world · 23 up · 5 months ago (edited)

      IPV6 is already rolled out in parts of the world. My provider has a Dual Stack lite architecture, the home connection is over IPV6, IPV4 is normally being tunneled via V6 through a provider grade NAT.

      As I AM a network nerd, I pay for a dedicated IPV4 address every month, so I can reach my stuff from outside from old IPV4 only networks.

      So when I plug in my router, connect a windows machine and just google stuff then all this traffic will be IPV6 without me configuring anything.

      It’s so great fun having the attack surface being doubled by dual stack setups.

        • froh42@lemmy.world · 7 up · 5 months ago

          Because behind the carrier grade NAT I don’t get a routable IPV4 at all, so no inbound connections.

          With the IPV4 I use I do use dyndns now, so I can resolve it from outside.

            • AnUnusualRelic@lemmy.world · 3 up, 1 down · 5 months ago

            Some ISPs have basically destroyed their segment of the Internet, turning it into a cable tv network.

    • Hal-5700X@sh.itjust.works (OP) · 12 up · 5 months ago (edited)

      IPv6 is enabled by default on Windows.

      EDIT: Here’s how to disable it, if you can’t on your modem/router. Open the network menu from the icon in the bottom right of the screen > right click on the network you are connected to and click “Status” > In the popup click on the “Properties” button > You’ll get another popup with the name of your network adapter in a top line/box and a secondary box with a list of things in it > Look for the entry “Internet Protocol Version 6 (TCP/IPv6)” and uncheck the box in front of it > click OK.
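The same per-adapter change the OP walks through in the GUI, done from an elevated PowerShell prompt so it can be checked and reverted in one place. This is an added example, not from the OP; `Get-NetAdapterBinding`, `Disable-NetAdapterBinding` and `Enable-NetAdapterBinding` with the `ms_tcpip6` component ID are the standard cmdlets for this binding, and the adapter name "Ethernet" is an assumption.

```powershell
# Added example: inspect, disable and re-enable the IPv6 binding per adapter.
# Run from an elevated PowerShell. The adapter name "Ethernet" is an assumption.

# 1. See which adapters currently have "Internet Protocol Version 6 (TCP/IPv6)" bound.
Get-NetAdapterBinding -ComponentID ms_tcpip6 | Format-Table Name, DisplayName, Enabled

# 2. Unbind IPv6 on one adapter (same as unchecking the box in the GUI).
Disable-NetAdapterBinding -Name "Ethernet" -ComponentID ms_tcpip6

# 3. Confirm the change took effect.
(Get-NetAdapterBinding -Name "Ethernet" -ComponentID ms_tcpip6).Enabled   # expected: False

# 4. Put it back once the update that actually fixes the issue is installed.
Enable-NetAdapterBinding -Name "Ethernet" -ComponentID ms_tcpip6
```

Step 1 is worth running on its own even if nothing is changed: it lists every adapter, including virtual ones, so a binding left enabled on an adapter the GUI dialog did not show is not missed.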

    • x00z@lemmy.world · 2 up · 5 months ago

      Looking at the IP logs of the users on a website of mine shows that many people are already using IPv6 alongside IPv4. Some ISPs even don’t use IPv4 anymore unless you pay extra (Germany/Austria)

    • Scrollone@feddit.it · 0 up · 5 months ago

      Unfortunately (or fortunately, it depends on how you see it), some providers are already on IPv6. My Italian ISP has IPv6 with CGNAT, so all its users are on IPv6 without even knowing what it is.

      • M0oP0o@mander.xyz · 1 up · 5 months ago

        Dang Italian network nerds! That will teach them for believing in a better tech future.

  • bruhduh@lemmy.world · 22 up · 5 months ago

    Yay, new Xbox jailbreak method, can’t wait for new modded warfare videos about it

  • Blaster M@lemmy.world · 15 up, 3 down · 5 months ago

    To note: It shows even Windows Server 2008 as affected. Since MS is only testing against OSes they support, it is possible this has existed as a problem all the way back since IPv6 was first introduced to Windows XP.

    Also, for all of you “disable IPv6 because I don’t understand it” people… unless you are running Windows 8 or older, just update Windows. IPv4 has been out of addresses for so long that CGNAT is a thing, which means connectivity problems when you’re hosting stuff, and more latency and packet drops from ISP routers getting saturated with NAT tasks. IPv6 is alive on the internet since 2011 and very much used on the internet, does not tie up routers by requiring NAT translation, and therefore just performs better. Plus, if you use your network printer’s or network device’s link-local ipv6 to connect locally, you will never have to deal with static ip address or changing ipv4 lan address pain, as link-local (non-routable on the internet) addresses don’t change unless you force it.

      • Malfeasant@lemm.ee · 1 up · 5 months ago

        I did that years ago, and they said basically “never”. Then a couple years later all of a sudden, there it was.

  • GluWu@lemm.ee · 8 up, 2 down · 5 months ago

    I just updated and now my audio sounds like shit.

      • GluWu@lemm.ee · 2 up · 5 months ago

        One restart post-update changed it and helped, but something was still off. Took me like 30 minutes but it looks like my Nvidia HDMI audio output got reset to a really low 16 bit sample rate. Got that set back to a decent 24 bit and it’s closer, but something is still off. I don’t think I had any settings/levels/enhancements.

        • ColeSloth@discuss.tchncs.de · 2 up · 5 months ago

          Sounds like Windows changed your audio driver. I’d download the most recent audio driver available through Nvidia, then uninstall your current audio driver in Device Manager and manually install Nvidia’s.

  • LaggyKar@programming.dev · 5 up, 1 down · 5 months ago

    This would presumably mainly be an issue for computers open to the internet. So not so much for home PCs, unless the router’s firewall is opened up.

    • r00ty@kbin.life · 9 up · 5 months ago

      I’ve not read the CVE but assuming it works on any IPv6 address including the privacy extensions addresses, it’s a problem. Depending on what most routers do in terms of IPv6 firewalling.

      My opinion is, IPv6 firewalls should, by default, offer similar levels of security to NAT. That is, no unsolicited incoming connections but allow outgoing ones freely.

      In my experience, it’s a bit hit-and-miss whether they do or not.

      Now, if this works on privacy extension addresses, it’s a problem because the IPv6 address could be harvested from outgoing connections and then attacked. If not, then scanning the IPv6 space is extremely hard and by default addresses are assigned randomly inside the /64 most people have assigned by their ISP means that the address space just within your own LAN is huge to scan.

      If it doesn’t work on privacy extension IPs, I would say the risk is very low, since the main IPv6 address is generally not exposed and would be very hard to find by chance.

      Here’s the big caveat, though. If these packets can be crafted as part of a response to an active outgoing TCP circuit/session. Then all bets are off. Because a popular web server could be hacked, adjusted to insert these packets on existing circuits/sessions in the normal response from the web server. Meaning, this could be exploited simply by visiting a website.

      • Toribor@corndog.social · 4 up · 5 months ago

        > IPv6 firewalls should, by default, offer similar levels of security to NAT

        I think you’re probably right. We had decades of security experts saying that NAT is not a firewall and everyone on the planet treated it like one anyway. Now we’re overexposed for a no-NAT IPV6 internet.

      • LarmyOfLone@lemm.ee · 2 up · 5 months ago

        What about torrenting through a VPN with IPv6? Would that make you vulnerable to this exploit?

        • r00ty@kbin.life · 1 up · 5 months ago

          I think it depends on all the caveats I mentioned. If it could have worked with an outgoing connection, then someone with a bad client could execute it for sure. The VPN wouldn’t protect you.

      • LaggyKar@programming.dev · 1 up · 5 months ago

        Harvesting IP addresses shouldn’t be a problem, since the firewall shouldn’t allow packets from a peer you haven’t talked to first. But true, if you can be attacked in response by a server you’re connecting to that would be bad.

    • RvTV95XBeo@sh.itjust.works · 1 up · 5 months ago

      For a professional sysadmin’s home network? Maybe. For the average Joe who probably has their 12-year-old toaster still connected to their wifi? I wouldn’t bank on it.

  • MehBlah@lemmy.world · 5 up, 1 down · 5 months ago

    I tried to roll out IPv6 when I was sysadmin for a small ISP. ARIN gave me a /32 block with no fuss. I started handing them out only to discover most routers at the time couldn’t use them. Not much has changed. No one offers them and I just turned it off at my present job. None of my Windows machines have the IPv6 stack enabled.