
IPv6 Address Unmasking via UPnP - fanf2
https://blog.talosintelligence.com/2019/03/ipv6-unmasking-via-upnp.html
======
zrm
It should be noted that there are two main protocols for mapping ports, UPnP
and Port Control Protocol (or NAT-PMP, which is PCP version 0).

UPnP is _dramatically_ more complicated and has correspondingly more
implementation bugs. If you need to have something enabled on your router for
mapping ports, use Port Control Protocol and disable UPnP.

------
JohnFen
It's been well known since it first existed that UPnP is a security nightmare.
If anyone really wants to use it, extra care should be taken to ensure that it
is never exposed beyond your LAN, although it's far better to just disable it
entirely.

It's too much to expect non-techies to know this, but they really, really need
to be informed about it.

~~~
snaky
Non-techies usually don't care about anything but convenience, informed or
not.

------
aboutruby
I never realized an IPv6 address likely contains the MAC address of the host.
How did people not realize how terrible this design is?

~~~
sliken
IPv6 Privacy Extension as defined in RFC 4941 is commonly implemented and
prevents this from being an issue.
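
The check sliken's point calls for, as an added example (editor's code, not from the commenter or the linked article): it tells a MAC-derived (modified EUI-64, RFC 4291 Appendix A) interface identifier apart from a random one, recovers the embedded MAC from an EUI-64 address so you can audit your own hosts for the leak, generates an RFC 4941-style temporary identifier (random bits, universal/local bit cleared), and shows that the /64 prefix still identifies the site whichever identifier is used. The sample addresses are constructed from the documentation prefix.

```python
import ipaddress
import secrets


def iid_bytes(addr: str) -> bytes:
    """Low 64 bits of an IPv6 address: the interface identifier (IID)."""
    return ipaddress.IPv6Address(addr).packed[8:]


def eui64_mac(addr: str):
    """Return the MAC embedded in a modified EUI-64 IID, or None.

    Modified EUI-64 (RFC 4291, Appendix A) splits the 48-bit MAC, inserts
    0xFFFE in the middle and flips the universal/local bit (0x02 of byte 0).
    A 0xFFFE marker in bytes 3..4 is the telltale sign of a MAC-derived IID.
    """
    iid = iid_bytes(addr)
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def random_iid() -> bytes:
    """RFC 4941-style temporary IID: 64 random bits, u/l bit cleared
    (0x02 of byte 0 set to zero, marking the identifier as locally unique)."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD  # clear bit 0x02
    return bytes(iid)


def temporary_address(prefix: str) -> str:
    """Combine a /64 prefix with a fresh random IID, as a privacy-extension
    host does for each new temporary address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("temporary addresses are formed on a /64")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + random_iid()))


def site_prefix(addr: str) -> str:
    """The /64 an address belongs to; this part does not change with RFC 4941."""
    return str(ipaddress.IPv6Network((addr, 64), strict=False))


def audit(addrs):
    """Map each address to the MAC it leaks (None if the IID is not EUI-64)."""
    return {a: eui64_mac(a) for a in addrs}


if __name__ == "__main__":
    # Constructed sample: one EUI-64 address (MAC 00:11:22:33:44:55) and
    # one random IID, both in the same /64.
    sample = ["2001:db8:1:2:211:22ff:fe33:4455",
              "2001:db8:1:2:a1b2:c3d4:e5f6:789"]
    for addr, mac in audit(sample).items():
        print(f"{addr:40} site {site_prefix(addr):20} leaks MAC: {mac}")
    print("fresh temporary address:", temporary_address("2001:db8:1:2::/64"))
```

Run over the addresses your hosts actually source traffic from (not just the ones they hold); a host can carry both an EUI-64 and temporary addresses, and the privacy gain only materialises if outgoing connections use the temporary ones.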

~~~
JohnFen
"Prevents" is overstating this a bit. The IPv6 Privacy Extension is a hack
that doesn't completely mitigate this sort of problem. It's just better than
nothing, and is all we have.

~~~
sliken
How so?

With IPv4 you reveal the IP of your IP Masq/Nat router, which is often inside
your home/business. It can be dynamic or static, but generally changes pretty
slowly. There might be a single person behind that IP, or 100s.

With IPv6 your /64 is often inside your home/business. It can be dynamic or
static, but generally changes pretty slowly. There might be a single person
behind that /64, or 100s. Different outgoing connections see different IPv6
addresses, and they change over time (slowly).

Most importantly, just like a MAC address, the outgoing connections never use
the IPv6 address based on the MAC address.

So how does the privacy extension not protect the privacy of users by hiding
the MAC address?

~~~
JohnFen
> So how does the privacy extension not protect the privacy of users by hiding
> the MAC address?

I never said it didn't. I stated that people overstate the protection the
facility provides, not that it didn't provide protection.

The deficiencies of the privacy extensions have been discussed widely for
years. A quick internet search will show the various criticisms and responses
better than any reply I can make here will.

I should, however, clarify what I was trying to say -- I was not trying to say
the privacy extensions aren't worthwhile. They're great, and people should use
them!

What I was trying to say is that people often think of them as a panacea or a
100% solution. They aren't exactly that (what is?), and the nature of the
design of the privacy extensions is such that they make other important
network management activities more difficult.

My main criticism of PE (and it's not a showstopper sort of criticism) is that
the extensions are hacky and it shows. They were thought up after-the-fact to
try to mitigate a security mistake made in the original IPv6 protocol.

~~~
sliken
Sure, but the original parent was complaining about the MAC address (not any
larger privacy issues), and the PE does a good job of hiding the MAC address
and is enabled by default in many common operating systems (Mac, Windows,
Ubuntu, etc.)

------
cm2187
Is there a way to gather the list of all domains/subdomains, etc.? Because if
they are servers, it is unlikely there isn't a DNS entry against each of these
IPv6 addresses.

Same question for reverse DNS?

~~~
subway
Most nameservers disallow zone transfers (requesting the full zone file),
preventing this. Additionally, it's more and more common for IPs to have a
fixed generic PTR that just describes the IP instead of the host, and for a
lot of hosts to not even have DNS records. (My last webapp never bothered with
DNS for the dozens of ephemeral webserver instances.)

------
bee-boop-19
Is it possible to get an ELI5 version of the impact of this?

~~~
fulafel
> This allows us to enumerate a particular subset of active IPv6 hosts which
> can then be scanned.

So if you have turned off the firewall in your CPE, someone might have an
easier time scanning your network, without having to find your IP address from
an HTTP access log or using WebRTC etc.

The property of scanning resistance due to address sparsity in IPv6 is not very
strong (nor is it meant to be a security boundary), and there are many things
like this that can go around it.

------
segfaultbuserr
The question is, why is UPnP even needed on IPv6?

~~~
xxpor
I assume to open the firewall. If you're going to run IPv6 at home, you
probably want the firewall equivalent of NAT: Connections are allowed
outbound, but not inbound unless on a specifically whitelisted IP/port.
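
The policy xxpor describes, worked through as an added example (editor's code, not the commenter's or any router's firmware): a small connection-tracking simulation in which outbound flows are accepted and remembered, inbound packets are accepted only when they belong to a remembered flow or hit an explicitly opened (address, port) pair, and everything else is dropped. It is the logic that a stateful IPv6 firewall implements with rules like nftables' `ct state established,related accept` plus a per-host accept rule; the hosts, ports and packet sequence below are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str       # source IPv6 address
    sport: int     # source port
    dst: str       # destination IPv6 address
    dport: int     # destination port
    inbound: bool  # True if the packet arrives from the WAN side


class StatefulFilter:
    """Default-deny inbound, allow outbound, remember flows for replies.

    allow_inbound: set of (lan_addr, lan_port) pairs opened on purpose, i.e.
    the pinholes a PCP/UPnP request or a manual rule would create.
    """

    def __init__(self, allow_inbound=()):
        self.allow_inbound = set(allow_inbound)
        # tracked flows as (lan_addr, lan_port, wan_addr, wan_port)
        self.flows = set()

    def decide(self, p: Packet) -> str:
        if not p.inbound:
            # Outbound is always permitted; record it so the reply gets in.
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        # Inbound packet that answers a tracked outbound flow.
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ACCEPT"
        # Inbound to a deliberately opened host/port: accept and track it.
        if (p.dst, p.dport) in self.allow_inbound:
            self.flows.add((p.dst, p.dport, p.src, p.sport))
            return "ACCEPT"
        # Unsolicited inbound to anything else: the NAT-like default.
        return "DROP"


LAN_A = "2001:db8:1:2:a1b2:c3d4:e5f6:789"   # constructed LAN host
LAN_B = "2001:db8:1:2:1111:2222:3333:4444"  # constructed second LAN host
WAN = "2001:db8:ffff::1"                    # constructed outside host


def run_sample():
    """Feed a constructed packet sequence through the filter; return verdicts."""
    fw = StatefulFilter(allow_inbound={(LAN_A, 32400)})
    sequence = [
        Packet(LAN_A, 40000, WAN, 443, inbound=False),   # LAN_A opens HTTPS
        Packet(WAN, 443, LAN_A, 40000, inbound=True),    # reply to that flow
        Packet(WAN, 5555, LAN_A, 22, inbound=True),      # unsolicited SSH
        Packet(WAN, 5555, LAN_A, 32400, inbound=True),   # opened port
        Packet(WAN, 5555, LAN_B, 32400, inbound=True),   # same port, other host
    ]
    return [fw.decide(p) for p in sequence]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The last two packets are the point of keying pinholes on (address, port) rather than port alone: with globally routable IPv6 hosts, an opened port on one machine must not open the same port on every machine in the /64.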

~~~
JohnFen
You can continue to use NAT with IPv6. If/when I have to run IPv6 on my LAN, I
plan on doing exactly that. I explicitly don't want outside connections to be
made directly to arbitrary machines inside my LAN. I have a DMZ for a solid
reason.

~~~
icedchai
Almost nobody uses NAT with IPv6. There's not much reason to. You want a
firewall, not NAT.

~~~
JohnFen
Well, a router more than a firewall. Either way, a mechanism to do this is
essentially a NAT.

What I want is a single IP address that is exposed to the internet at large,
which is serviced by various different servers behind the firewall depending
on the ports. The outgoing traffic from these servers should be from the same
single IP address.

That's a NAT in my book.

~~~
icedchai
Technically, this is PAT: port address translation. Why do you want this?

