Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Vista and IPv6 6to4 auto-tunneling (not completely correct)

Omnifarious (11933) writes | more than 6 years ago

Security 0

In looking at the various logs I keep to monitor what's going on on my home network, I've noticed an interesting fact about Vista that I haven't seen published anywhere. This is something of a guess, but it's supported by the increased activity in my logs, the fact the packets are coming from the US, the User-Agent strings and the curious and regular form of most of the new IPv6 connections I've been seeing. This fact is that Vista is fairly aggressive in supporting IPv6.

In looking at the various logs I keep to monitor what's going on on my home network, I've noticed an interesting fact about Vista that I haven't seen published anywhere. This is something of a guess, but it's supported by the increased activity in my logs, the fact the packets are coming from the US, the User-Agent strings and the curious and regular form of most of the new IPv6 connections I've been seeing. This fact is that Vista is fairly aggressive in supporting IPv6.

Now, Windows XP supports IPv6 fairly passively right out of the box. If you put it on a network with other nodes that speak IPv6 and a router or DHCPv6 server advertising a prefix, it will happily pick it up and gain a globally routable IPv6 address. But Vista goes one step further. If it figures out that it's been assigned a globally routable IPv4 address it sets up its on 6to4 tunnel so its IPv4 address can be used to route IPv6 packets to it.

This is slightly worrisome as the IPv6 packets stuck inside the IPv4 packets represent a potential attack vector that may slide by all the filtering. But so far all the machines I've been able to portscan with some confidence that the computer at the IP I saw was still there look like they're heavily firewalled. This is better than I expected, but I did notice a different, more worrisome trend.

I expect that what firewall manufacturers will do when they learn of this is just block all IP packets with a protocol field of 41 (0x29), the IPv6 in IPv4 protocol. This is because in most Internet discussions IPv6 is treated either with "it will never happen" or "it's evil and stupid and NAT is enough". Basically, people are afraid of something new and don't want to have to learn it, so it's easier to dismiss it than embrace it.

I have some evidence that this is already happening. I think all the Vista originated 6to4 tunneled packets all have IPv6 addresses of the form 2002:hexip_upper16:hexip_lower16::hexip_upper16:hexip_lower16. When I ping the associated IPv4 address I often get a response, but when I ping the IPv6 address I don't. But I do in a very small number of cases. My guess is that something is filtering incoming IP packets with a protocol field of 41.

This means that whenever such computers try to visit my website (which has an IPv6 address) they will likely get absolutely nothing in response, or a long wait until the browser decides to fall back to IPv4.

This is actively hostile and wrong. IPv6 is happening. Learn it and get used to it. Fix your broken hardware and software. The specs have been relatively stable for the base protocol now for more than 4 years. There is no excuse for not knowing something about it.

Useful links

In fact, that's a big problem here. No pictures, no overview, just an explosion of technical detail. There are some sites that have an overview that are put up by the IPv6 task force, but they are so badly designed I don't want to link to them for fear of crashing someone's browser with the evilness.

cancel ×

0 comments

Sorry! There are no comments related to the filter you selected.

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>