[colug-432] tunnelled IPv6 -- was: Looking for info on Columbus
R P Herrold
herrold at owlriver.com
Wed Mar 9 11:49:10 EST 2011
On Wed, 9 Mar 2011, Richard Troth wrote:
> I HAVE NOT gotten external V6 routing, but am sending this report now
> for the sake of discussion. Discuss!
The first thing, which seems obvious but should be said, is
that once external routing is in place, with no NAT, all
services which are network reachable are now reachable to
anyone able to set up an IPv6 tunnel themselves.
That includes blackhats, and although the size of the IP space
in v6 is beyond mind-boggling, there is no security in that
obscurity. Red Hat derived distributions support iptables in
a configuration file:
/etc/sysconfig/ip6tables (notice the '6')
which is sourced before a network connection is brought up.
It is not at all clear to me if or how one sets up traditional
'tcp wrappers' in v6.
The sponsors of sixxs all seem to have fine credentials and
employers, but that tunnel broker and its services [some of
which are not under the direct control of the project
sponsors] are subject to take-over just like anything else on
the internet. [cue: D Rumsfeld 'unknown unknowns' quip as to
how it is done], and if compromised, the routing tables offer
a roadmap as to what subnets to probe, and potentially to do
traffic pattern analysis.
> I need to resume my olde v6 DNS experiments. (a subdomain with just
> quad A records, also add usable quad A records to the parent domain)
We set our DNS interface up to handle maintenance, and to
answer queries for such records. I need to do some testing
here.
> Open questions: Can I use the tunnel space for hosts? (64 bits of
> addressing. Why throw it away?)
Once routing is in place, subject to your decisions on
security policy, you can finally set up that 'I want a pink
pony' tribute website that the internet has longed for ;)
> What security concerns are there with the absence of NAT?
As above.
> ... I mean, for
> example, Steve VanSlyck just got SSH presence. Guessing he is like me
> and that box fronts a number of other machines. With a V6 tunnel, I
> can supposedly not have to worry about TWC or SWB changing my wired V4
> address. Can I also route to/from the other machines?
Yes -- I forget if we have had the discussion, but remote
support, and particularly Apple's remote desktop, are using
IPv6 through such tunnelling mediated by certificate based
authentication behind the scenes, to my understanding.
> ... Is that safe?
Security is about probabilities, and is a process. An
absolute without qualification like 'safe' makes for an
unanswerable question. But the quick answer is: no, not
without doing hardening, keeping up with software updates, and
all 'the usual suspects' better practices to manage the attack
surfaces.
Thanks for the narrative, Richard!
-- Russ herrold
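As an added example, not from Russ's message or the list, here is the /etc/sysconfig/ip6tables point made above in working form: the open ruleset a freshly routed tunnel host often ends up with, beside a default-deny one in ip6tables-save format, plus a check function; the SSH port and the LOG rule are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original message: a minimal default-deny
# ruleset in the ip6tables-save format that /etc/sysconfig/ip6tables uses
# on Red Hat-derived systems. Nothing here touches a live kernel; the
# functions only emit and inspect the text, so the script runs anywhere.

# Weak ruleset: policy ACCEPT, so every listening daemon is world-reachable
# the moment the tunnel comes up (the "no NAT" point made in the thread).
weak_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Hardened ruleset. $1 is the SSH port (assumed 22 when not given).
# ICMPv6 is deliberately admitted: Neighbor Discovery and Path MTU
# Discovery live there, and a tunnel MTU below 1500 makes PMTU matter.
# The state match assumes IPv6 connection tracking in the kernel.
hardened_ruleset() {
    ssh_port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -m state --state NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "ip6tables-drop: " --log-level 4
COMMIT
EOF
}

# Check a ruleset read from stdin: default-deny for INPUT and FORWARD,
# yet ICMPv6 still accepted. Returns 0 when all three hold.
check_ruleset() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP'             || return 1
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP'           || return 1
    printf '%s\n' "$rules" | grep -q -- '-p ipv6-icmp -j ACCEPT' || return 1
    return 0
}
```

For a 6in4 (sit) tunnel the encapsulated packets arrive as IPv4 protocol 41 and are judged by iptables, not ip6tables, before decapsulation, so the v4 ruleset must admit protocol 41 from the broker's endpoint. Load the hardened text with ip6tables-restore and confirm with ip6tables -L -n that the policies read DROP before trusting it.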