
IPv6 fully open

shark1987
Aspirant

If I enable IPv6 on the Orbi RBR50 I notice that my IPv6 network is completely open to the internet! Beyond just pings, I can access web servers internal to my network from an external LTE connection (via "https://[2601:XXXXXXXX]").

I have "IPv6 Filtering" set to "Secured", and I do NOT have the debug setting enabled for "Allow external IPv6 hosts ping internal IPv6 hosts".

Is this normal? Am I missing some setting? With this behavior I have no choice but to leave IPv6 disabled; no way I'm going to trust all of my devices' security to be open to the internet.

My ISP is Xfinity and my Orbi gets its IPv6 address over DHCP, though I don't think that part matters.

I have tried multiple recent FW versions (2.7, 2.6, and 2.5) and they all seem to have the same behavior.

Model: RBR50|Orbi AC3000 Tri-band WiFi Router
Message 1 of 7
CrimpOn
Guru

Re: IPv6 fully open

IPv6 is a "Brand New World" for me. So far, I have confirmed that my Orbi router responds to ICMP (ping) on the public IPv6 address.

An attempt to ping my Windows PC failed, but that appears to be because I had not opened the Windows Firewall for ICMPv6.

Honestly, I am not certain how much IPv6 has in common with IPv4. I believe the whole point was to eliminate NAT and allow every device to have a unique public address. Perhaps security is the responsibility of the device in this new world?

Glad to have a new adventure. Please be patient as I come up to speed on IPv6.

Message 2 of 7
CrimpOn
Guru

Re: IPv6 fully open

After opening Windows Firewall to ICMPv6, I was also able to ping my Windows 10 PC through the LTE connection (a) at the IPv6 address, (b) at the Temporary IPv6 address, but (c) not at the (deprecated) Temporary IPv6 address. Part of the IPv6 standard is the creation of "temporary" IPv6 addresses which Windows stops using after one week. (The SLAAC protocol.)

It seems to me that IPv6 is a bit different than IPv4. In IPv4, the NAT protocol keeps anyone on the internet from learning the actual LAN IP address of a device. When a port is "forwarded" on the router, it is the port number that leads incoming packets directly to the device (server). There can be only one target of port forwarding. That's why doing things like access to multiple servers or IP cameras is such a chore. Each one of them has to be connected to a different external port number.

IPv6 makes it possible to learn the actual IPv6 address of a device, but not until it makes a connection. If someone wants to hack my web server on IPv4, they just send a connect request to my public IP, port 80. No response? Try 8080. No response? Try 443. Oh, heck, just try to connect to all 65,000 ports. No connection? Move on to a different public IP address.

With IPv6, there is some ungodly number of potential IP addresses. Does somebody try each one?

But wait, when I make a server available on the internet, then I have to publish the IP address. (Same as IPv4.) Once I publish it, people can connect to it and attempt to log in (or whatever).

Internet security is damned complicated. For me, the "jury is still out" on what sort of a vulnerability it is to allow Orbi to use IPv6.

Message 3 of 7
shark1987
Aspirant

Re: IPv6 fully open


@CrimpOn wrote:

After opening Windows Firewall to ICMPv6, I was also able to ping my Windows 10 PC through the LTE connection (a) at the IPv6 address, (b) at the Temporary IPv6 address, but (c) not at the (deprecated) Temporary IPv6 address. Part of the IPv6 standard is the creation of "temporary" IPv6 addresses which Windows stops using after one week. (The SLAAC protocol.)

It seems to me that IPv6 is a bit different than IPv4. In IPv4, the NAT protocol keeps anyone on the internet from learning the actual LAN IP address of a device. When a port is "forwarded" on the router, it is the port number that leads incoming packets directly to the device (server). There can be only one target of port forwarding. That's why doing things like access to multiple servers or IP cameras is such a chore. Each one of them has to be connected to a different external port number.

IPv6 makes it possible to learn the actual IPv6 address of a device, but not until it makes a connection. If someone wants to hack my web server on IPv4, they just send a connect request to my public IP, port 80. No response? Try 8080. No response? Try 443. Oh, heck, just try to connect to all 65,000 ports. No connection? Move on to a different public IP address.

With IPv6, there is some ungodly number of potential IP addresses. Does somebody try each one?

But wait, when I make a server available on the internet, then I have to publish the IP address. (Same as IPv4.) Once I publish it, people can connect to it and attempt to log in (or whatever).

Internet security is damned complicated. For me, the "jury is still out" on what sort of a vulnerability it is to allow Orbi to use IPv6.


Thanks for checking on yours, so it sounds like you are seeing the same as me then, right?

I think what you are describing sounds more like "security by obscurity" to me, which isn't really security, but I know what you mean. It's definitely less likely someone would brute-force find your IPv6 address. I think more likely they would get your address from you visiting a website (malicious or not). Some sites do log IPs of visitors. If that were the case, and they "got" your IPv6 address somehow, I definitely wouldn't want them to be able to directly access my devices.

I'm also pretty new to IPv6, so I'm not familiar with how other brands or enterprise devices handle these kinds of IPv6 firewalls. From what I know about IPv6, though, I would think you'd be able to configure specific devices (or specific ports on devices) to be accessible from outside the firewall. And since Orbi doesn't have settings like that, I was expecting all connections from outside to be blocked for IPv6.

Message 4 of 7
CrimpOn
Guru

Re: IPv6 fully open


@shark1987 wrote:

I'm also pretty new to IPv6, so I'm not familiar with how other brands or enterprise devices handle these kinds of IPv6 firewalls. From what I know about IPv6, though, I would think you'd be able to configure specific devices (or specific ports on devices) to be accessible from outside the firewall. And since Orbi doesn't have settings like that, I was expecting all connections from outside to be blocked for IPv6.

If I use my Windows PC to connect to a web site using IPv6 addressing, then for certain it will collect my IPv6 address. But what can they do with it? My Windows firewall will block attempts to connect unless I specifically create firewall rules to allow the connection. I imagine the Linux firewall does the same. Aha, but I am running a web server on that computer that accepts IPv6 connections. In that case, I am expecting connections and have protection in place to repel unwanted advances.

I also have no idea what other routers do with regard to IPv6. There is probably a forum somewhere where really knowledgeable people answer questions about IPv6, but I have no idea where it would be.

Message 5 of 7
shark1987
Aspirant

Re: IPv6 fully open


@CrimpOn wrote:

@shark1987 wrote:

I'm also pretty new to IPv6, so I'm not familiar with how other brands or enterprise devices handle these kinds of IPv6 firewalls. From what I know about IPv6, though, I would think you'd be able to configure specific devices (or specific ports on devices) to be accessible from outside the firewall. And since Orbi doesn't have settings like that, I was expecting all connections from outside to be blocked for IPv6.

If I use my Windows PC to connect to a web site using IPv6 addressing, then for certain it will collect my IPv6 address. But what can they do with it? My Windows firewall will block attempts to connect unless I specifically create firewall rules to allow the connection. I imagine the Linux firewall does the same. Aha, but I am running a web server on that computer that accepts IPv6 connections. In that case, I am expecting connections and have protection in place to repel unwanted advances.

I also have no idea what other routers do with regard to IPv6. There is probably a forum somewhere where really knowledgeable people answer questions about IPv6, but I have no idea where it would be.


Well, in my case these web servers are, for example, for smart devices in my home. They were really only meant to be accessible on your LAN and I would never intentionally put them out on the internet (like for IPv4, I would have never set up a port forward for them). They may or may not even have a username/password login, but even if they do I wouldn't necessarily trust them to implement great security (especially years after any updates on some of these types of devices).

Message 6 of 7
CrimpOn
Guru

Re: IPv6 fully open


@shark1987 wrote:

Well, in my case these web servers are, for example, for smart devices in my home. They were really only meant to be accessible on your LAN and I would never intentionally put them out on the internet (like for IPv4, I would have never set up a port forward for them). They may or may not even have a username/password login, but even if they do I wouldn't necessarily trust them to implement great security (especially years after any updates on some of these types of devices).

That's amazing. These smart devices support IPv6 but not IPv4? I have exactly zero IoT devices that support IPv6. If the server platform is Windows or Linux, it should be possible to restrict IPv4 connections to the local LAN and allow no IPv6 connections (in, not out).

Message 7 of 7
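The thread's core point is that without NAT, any service bound to the IPv6 wildcard address (`::`) is reachable at every global address the host holds (stable and SLAAC temporary alike) as soon as the router stops filtering. The audit below, added here as an example and not code from NETGEAR or either poster, takes `ss -ltn`-style listener lines and an interface address list (both constructed samples) and reports which listeners a host-side firewall still needs to cover; the addresses in the `2601:aaaa:...` prefix are made-up placeholders.

```python
"""Audit which listening sockets on a LAN host are reachable over IPv6 if the
upstream router forwards inbound IPv6 unfiltered (constructed example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    addr: str   # bound address as printed by ss, e.g. "::", "::1", "0.0.0.0"
    port: int


# Constructed sample in the layout of `ss -ltn` (State Recv-Q Send-Q Local Peer).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 [::]:80 [::]:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 128 [fe80::1%eth0]:5353 [::]:*
"""

# Constructed sample: a host's addresses (link-local, ULA, stable global, temporary global).
SAMPLE_ADDRS = ["fe80::1", "fd12:3456:789a::10",
                "2601:aaaa:bbbb:cccc::10", "2601:aaaa:bbbb:cccc:1234:5678:9abc:def0"]


def parse_ss(text):
    """Extract (address, port) from the Local column; strips [] and %zone."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        host, _, port = parts[3].rpartition(":")
        out.append(Listener(host.strip("[]").split("%")[0], int(port)))
    return out


def exposed_listeners(listeners, iface_addrs):
    """Return sorted (port, global_address) pairs reachable from the Internet.
    A socket bound to :: answers on every address the host holds, so it is
    exposed on each global one; ::1, link-local and ULA bindings are not."""
    global_v6 = [a for a in map(ipaddress.ip_address, iface_addrs)
                 if a.version == 6 and a.is_global]
    exposed = set()
    for l in listeners:
        bound = ipaddress.ip_address(l.addr)
        if bound.version != 6:
            continue  # IPv4 listeners stay behind NAT in this scenario
        if bound.is_unspecified:
            exposed.update((l.port, str(a)) for a in global_v6)
        elif bound in global_v6:
            exposed.add((l.port, str(bound)))
    return sorted(exposed)
```

Running `exposed_listeners(parse_ss(SAMPLE_SS), SAMPLE_ADDRS)` on the sample flags ports 22 and 80 on both global addresses, while the CUPS listener on `::1` and the mDNS listener on the link-local address are not reported.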