IPv6 necessary? recommended? or don't bother?


#1

In another thread @Eliter commented:

…But if all you are doing is sending a couple emails here and there, you only need an IPv4 (and I recommend using IPv6 too) address.

Which begs the question … IF IPv6 is available, should I request it from my ISP and should I use it? Why or why not?
I have noticed that Digital Ocean now has IPv6 ‘available’ on request … should we be requesting it? And if we do how will that impact DNS? Is there an IPv6 glue record?


#2

I go in charging with a full YES. The IPv4 address space is depleting, and depleting fast. Depletion has been anticipated since the late 1980s, and top-level exhaustion occurred on 24 September 2015 where four out of the five global authorities for passing out IPv4 addresses across the world exhausted their IPv4 addresses (according to Wikipedia). IPv4 is NOT the future, it is a technology that only exists because we are dragging it along. It is dead weight. It will cost the Internet and everyone using it more money, because I imagine a scarce resource like an IP address will make the price of itself go up. This is also why I say you are supporting Internet freedom by supporting IPv6 as much as you can.

The IPv6 address space has approximately 3.4×10^38 addresses, whereas IPv4 only has less than 4,294,967,296. The IPv4 address space is a small number, considering that your smartphone, your home, your work, all your hobby servers each have its own IP address, and everyone else in the world. Now, we’re going to have freaking light bulbs, cars, toilets, fish tanks, and dogs that are each assigned IP addresses, and with companies expanding their networks to 3rd world countries and all the way out on farms (a farmer literally paid $383,500 to have fiber optic to his farm, so he could check grain prices - link), there are a lot more people who are going to be added to our global, public network. The public internet is no longer a fun hobby, it is a need. With Wi-Fi protocols coming out that support unlicensed 900MHz (you can get slow 100kbps Wifi from 1-2 miles away), we will now be able to support street lights, electric meters, etc., which will all have IP addresses.

The other side of that is that there is Network Address Translation (NAT) that reduces the amount of public IP’s taken up in the world. Basically, if you don’t know already, your ISP doesn’t have (and doesn’t like to give) many public IP addresses to customers. Both IPv4 and IPv6 support private IP address blocks. What a private IP address is, is your router (DHCP server, to get technical) assigns every device in your house a private IP address. When your device connects to a public IP address, it goes through your router, to your ISP, and eventually to wherever it goes. To the rest of the world, your device is talking from a public IP address. So NAT turns a public IP into a private IP (going into the home network, from the outside world) if it is responding to outbound traffic (you must port forward otherwise), and a private IP into a public IP (when going out of the home network). I am NOT a networking guy, I just know enough to get by. Please look this particular one up, as NAT is fuzzy even for me. However, I know that NAT allows for households to live with just one IP address.

The other thing is that IPv4 and IPv6 don’t cross-over. You must either connect with one, or connect using the other. An advantage of having an IPv6-enabled server is that you can cater to the small amount of clients/servers that only support IPv6. For example, Vultr (link) has a package that makes it cheaper to go without an IPv4 address, which I imagine is appealing to some customers.

There are also some other technical advantages as well. I don’t understand them but here they are from https://www.networkcomputing.com/networking/six-benefits-ipv6 :

  1. More Efficient Routing
    IPv6 reduces the size of routing tables and makes routing more efficient and hierarchical. IPv6 allows ISPs to aggregate the prefixes of their customers’ networks into a single prefix and announce this one prefix to the IPv6 Internet. In addition, in IPv6 networks, fragmentation is handled by the source device, rather than the router, using a protocol for discovery of the path’s maximum transmission unit (MTU).
  2. More Efficient Packet Processing
    IPv6’s simplified packet header makes packet processing more efficient. Compared with IPv4, IPv6 contains no IP-level checksum, so the checksum does not need to be recalculated at every router hop. Getting rid of the IP-level checksum was possible because most link-layer technologies already contain checksum and error-control capabilities. In addition, most transport layers, which handle end-to-end connectivity, have a checksum that enables error detection.
  3. Directed Data Flows
    IPv6 supports multicast rather than broadcast. Multicast allows bandwidth-intensive packet flows (like multimedia streams) to be sent to multiple destinations simultaneously, saving network bandwidth. Disinterested hosts no longer must process broadcast packets. In addition, the IPv6 header has a new field, named Flow Label, that can identify packets belonging to the same flow.
  4. Simplified Network Configuration
    Address auto-configuration (address assignment) is built in to IPv6. A router will send the prefix of the local link in its router advertisements. A host can generate its own IP address by appending its link-layer (MAC) address, converted into Extended Universal Identifier (EUI) 64-bit format, to the 64 bits of the local link prefix.
  5. Support For New Services
    By eliminating Network Address Translation (NAT), true end-to-end connectivity at the IP layer is restored, enabling new and valuable services. Peer-to-peer networks are easier to create and maintain, and services such as VoIP and Quality of Service (QoS) become more robust.
  6. Security
    IPSec, which provides confidentiality, authentication and data integrity, is baked into IPv6. Because of their potential to carry malware, IPv4 ICMP packets are often blocked by corporate firewalls, but ICMPv6, the implementation of the Internet Control Message Protocol for IPv6, may be permitted because IPSec can be applied to the ICMPv6 packets.

EDIT: One more downside of IPv6 is that there are more addresses. This may have the same effect as printing money, the more you print (in this case, the more IP addresses you have available), the more it is worthless. Hackers now have more room to just switch their IPv6 address if they get caught on a blacklist, or want to just switch it for whatever reason. That isn’t to say that GeoIP (that is, associating their IP address with their location) doesn’t still exist, and that there are ways around it. Currently, if an attacker wants to change their IPv4 address, they can still do that easily (not AS easily though), so this is a weak argument anyways.


#3

At the moment I recommend against attaching any IPv6 IP addresses to a Mail-in-a-Box because fail2ban, the service that monitors for brute force login attacks, can’t effectively monitor for those attacks on IPv6 because the address space is so large there’s nothing preventing an attacker from using a different (source) IPv6 address on each request.


#4

@JoshData
I have one question: if you recommend against attaching any IPv6 IP addresses, why is there nothing done to handle it in a proper way? My VPS provider e.g. is not offering the possibility to disable IPv6 and so my MiaB server gets an IPv6 IP assigned.

I just disabled IPv6 in Ubuntu and that broke my MiaB server. It was not possible to start dovecot and nginx. Fortunately I found the following topic with a solution:

But with the next update the changes will get removed and I’ll have to do it again?


#5

There is something that fights this. UFW is configured to DENY requests by default. If there are no rules for IPv6 in UFW (installed with MIAB) then IPv6 requests will just get denied.


#6

No one’s done the work yet to figure out what to do.


#7

I should have looked at that, otherwise I would have changed it immediately.

I question the effectiveness of banning/following IP addresses. If you had a mail server, joshdata.com and I wanted to spam you with get rich quick schemes, chances are, you will block it. All I need to do is change my server’s IPv4 address (which isn’t that hard to do with Digital Ocean, just take a snapshot of an image and create another instance based on the image), which renders your attempt to block my spam via banning useless.

This is why we have gray listing, which not only follows IP addresses, but domain and sender addresses. This is also why we have spamassassin, which takes an analytic approach to fighting spam, not an IP-discriminatory approach. As to protecting unauthorized access, set a policy that bans IP addresses that try too many times. Also, importantly, have secure passwords (or use SSH keys!). What is to say fail2ban catches a sufficient amount of bad IP addresses either? If there’s an option to report a bad IP to fail2ban, an attacker could make fail2ban worthless by reporting everyone (including good IP addresses), and if there is no reporting option fail2ban will not have a database populated enough to cover all the IP addresses possible.

If geoIP is what is approached, I believe IPv6 addresses also can be traced back to their IP address and location.


#8

This is exactly what fail2ban does. Josh has noted that there are some limitations with IPv6 though that he finds insurmountable.


#9

Just Googled it. fail2ban seems to have IPv6 support now. Maybe no one was aware, or Google crawled April Fool’s pages. Anyway, sounds exciting! I am hoping this will encourage people to participate in making the Internet a more free place to be!

EDIT: Interesting read: https://serverfault.com/questions/631160/banning-ipv6-addresses


#10

The more I read about IPv6, the more I am convinced that it needs to be adopted.

ISP’s like Verizon, T-Mobile, Sprint all roll out IPv6 capability, with talks about getting rid of IPv4 to simplify their network and reduce cost.

Yes, most servers support IPv4, but to appease the majority of users, it is worth considering that enabling IPv6 will increase availability and usability. Otherwise, when these ISP’s make the FULL switch to IPv6, users that refuse to ignore the other facts as mentioned, will NOT be able to access their mail from their phones, which is a very useful function!


#11

But are there really no rules created, if the MiaB server gets an IPv6 assigned and integrates it everywhere? I’m asking, because I didn’t check it out.

I see. As there is already a more or less simple solution given (see the linked topic above or here, one more time) would it be difficult to include it in the next updates?

Or does it make no sense for now and it would be a more clean solution to get fail2ban to work with IPv6 (as @Eliter mentioned fail2ban should have IPv6 support now)?


#12

No rules made for IPv6 AFAIK. But with a default of DENY ALL in all chains, any IPv6 connection will just be blocked anyway.


#13

FYI: Fail2ban does block IPv6 addresses but what worked well for IPv4 (blocking the exact IP address that attempted to login to your server more than x times in y minutes) does not work so well for IPv6.

The reason is that with IPv6, ISPs assign you a block of addresses rather than a single address. So even if you block the exact address, the attacker just hops onto a new IP address to which he is entitled. There are schemes to block entire ranges of IPv6 addresses instead of just a single address but AFAIK, there is no consensus on how big an IP block to deny - too small and you don’t cover all the attacker’s IPs, too large and you possibly deny legitimate users that just happen to have IPs “close to” the attacker.

And to complicate matters further, each ISP can decide how big/small an address they assign customers. To completely block all IPs from one attacker, you would need to know exactly how big an address space he was assigned by his ISP…doesn’t seem tractable :frowning:


#14

Even if the IPv6 was assigned to the server and was integrated into the MiaB server? I mean there was an AAAA record created for the box.example.com domain and I checked if there exists a PTR record for the appropriate IPv6.

But to be sure I could test which ports are open (if there are any at all), if you tell me which terminal command I need to check it out.
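The AAAA/PTR pairing mentioned above is the forward-confirmed reverse DNS check that receiving mail servers apply to an IPv6 sender. The following is an added example (not code from this thread or from Mail-in-a-Box) that builds the `ip6.arpa` PTR name for an address and verifies the pairing against a constructed set of records; `box.example.com` and the `2001:db8::` addresses are documentation placeholders, and a real check would query DNS instead of the in-memory dictionaries.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for an IPv6 mail host.

Added example: the zone data below is constructed, not taken from any real host.
"""
import ipaddress


def ptr_name(address):
    """Return the PTR owner name for an address: nibble-reversed under
    ip6.arpa for IPv6, octet-reversed under in-addr.arpa for IPv4."""
    ip = ipaddress.ip_address(address)
    if ip.version == 6:
        # exploded form pads every group to 4 hex digits: 32 nibbles total
        nibbles = ip.exploded.replace(":", "")
        return ".".join(reversed(nibbles)) + ".ip6.arpa"
    return ".".join(reversed(ip.exploded.split("."))) + ".in-addr.arpa"


def fcrdns_ok(hostname, address, forward_records, ptr_records):
    """FCrDNS holds when PTR(address) names hostname AND hostname's
    AAAA/A set contains address. Both directions must agree; a PTR that
    points at a name that does not resolve back is the usual misconfiguration.

    forward_records: {hostname: [addresses]}   (AAAA and A mixed)
    ptr_records:     {ptr owner name: hostname}
    """
    ip = ipaddress.ip_address(address)
    forward = {ipaddress.ip_address(a) for a in forward_records.get(hostname, ())}
    reverse = ptr_records.get(ptr_name(ip))
    return reverse == hostname and ip in forward


# Constructed sample zone data (assumed names, documentation prefixes).
FORWARD = {
    "box.example.com": ["2001:db8::25", "192.0.2.25"],
    "other.example.net": ["2001:db8::26"],
}
PTR = {
    ptr_name("2001:db8::25"): "box.example.com",
    ptr_name("192.0.2.25"): "box.example.com",
    # PTR exists but names a different host: fails the forward leg.
    ptr_name("2001:db8::27"): "box.example.com",
}


if __name__ == "__main__":
    print(ptr_name("2001:db8::25"))
    for addr in ("2001:db8::25", "192.0.2.25", "2001:db8::26", "2001:db8::27"):
        print(addr, fcrdns_ok("box.example.com", addr, FORWARD, PTR))
```

The same function covers the IPv4 A/PTR pair, so a box with both address families can be checked in one pass; an address that has no PTR at all, or whose PTR names a host that does not list the address, both fail.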


#15

Exactly! One VPS provider will give me a /32 and another will give me a /64 while one will only give me 1 IPv6 address … so blocking the range assigned to that user will block many OTHER legitimate users.


#16

There is actually a way to counter the issues you guys mentioned. Yes, ISP’s can and do practice giving users blocks of IP addresses, and there is no way to absolutely tell how big of a block the attacker has.

HOWEVER, you can methodically predict how big their block is. Please see the answers in this Stack Exchange discussion: https://serverfault.com/questions/631160/banning-ipv6-addresses real good read!

You can see a pattern of offending IP addresses. If you block an IP, and another one in the same block starts offending, then you just block the next level up, until you’ve blocked high enough up. This is a temporary solution as well.

It also depends on your paradigm about banning IP addresses. Does it really add enough security by banning offending IP addresses that it will hurt to add IPv6?

I was reading in the answers at the link that all it does is reduce noise on the logs. Maybe it would also increase performance, depending.

I would also look to every other professional company out there. Google and Microsoft enable IPv6 themselves, so it honestly can’t be that bad of an idea to enable IPv6. In fact, the Internet society and Google have campaigns for more people to adopt IPv6.


#17

I think the thing to consider when blocking IPv6’s is this.

The minimum subnet size - which is mandated by the requirements to support SLAAC is a /64. Private addressing also means that the IPv6 address a single host presents to the outside world changes (particularly when you consider Microsoft Windows), but will still be in that /64.

So would blocking based on the /64 prefix be a way to go rather than blocking individual IPv6 addresses?

It does have the drawback that you block everyone on that prefix at once, but it should be pointed out that this already happens with IPv4 and NAT. Everyone behind a NAT router which is on a blocked public IPv4 address ends up being banned from the same server as it is.

Tim
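The two ideas in the posts above (#13 and #16: escalate the ban to the next level up when another address in the same block starts offending; #17: treat the /64 as the unit) can be combined into one ban policy. The following is an added example written for this thread, not fail2ban's own code or anything shipped with Mail-in-a-Box: it counts failures per source address from Dovecot-style log lines, bans the exact address first, and widens the ban to the /64 and then the /48 only when a second banned entry already sits inside that wider block. The log lines, the `rip=` regex and the `2001:db8:` addresses are constructed for the example, and the ladder `(128, 64, 48)` is an assumed policy, not a recommendation from the thread.

```python
"""Prefix-escalating ban list for IPv6 login failures (added example).

Policy: ban the exact address after `maxretry` failures; if another banned
network already exists in the next-wider prefix (the attacker is hopping
inside the block the ISP gave them), ban that wider prefix instead.
"""
import ipaddress
import re
from collections import defaultdict

# Dovecot-style auth-failure line; "rip=" carries the remote IP.
# Constructed for this example; real log formats vary by version.
AUTH_FAIL = re.compile(r"auth failed.*?rip=([0-9A-Fa-f:.]+)")


def _within(net, outer):
    """subnet_of() raises on mixed IPv4/IPv6; treat those as 'not within'."""
    return net.version == outer.version and net.subnet_of(outer)


class PrefixBanner:
    def __init__(self, maxretry=3, ladder6=(128, 64, 48), ladder4=(32,)):
        self.maxretry = maxretry
        self.ladders = {6: ladder6, 4: ladder4}  # most specific first
        self.failures = defaultdict(int)         # per exact source address
        self.bans = set()                        # ip_network objects

    def is_banned(self, ip):
        ip = ipaddress.ip_address(ip)
        return any(ip in net for net in self.bans)

    def record_failure(self, ip):
        """Count one failure; return the network newly banned, or None."""
        ip = ipaddress.ip_address(ip)
        if self.is_banned(ip):
            return None  # firewall would already drop this source
        self.failures[ip] += 1
        if self.failures[ip] < self.maxretry:
            return None
        ladder = self.ladders[ip.version]
        candidate = ipaddress.ip_network(f"{ip}/{ladder[0]}", strict=False)
        # Escalate one level at a time: widen only when some existing ban
        # lies inside the wider block but outside the current candidate.
        for plen in ladder[1:]:
            wider = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
            if any(_within(net, wider) and not _within(net, candidate)
                   for net in self.bans):
                candidate = wider
        # The wider ban supersedes every narrower one it covers.
        self.bans = {net for net in self.bans if not _within(net, candidate)}
        self.bans.add(candidate)
        return candidate


def process_log(lines, banner=None):
    """Feed log lines through a banner; return (banner, list of bans as str)."""
    banner = banner or PrefixBanner()
    events = []
    for line in lines:
        m = AUTH_FAIL.search(line)
        if m:
            banned = banner.record_failure(m.group(1))
            if banned is not None:
                events.append(str(banned))
    return banner, events


def _fail_line(rip):
    return ("imap-login: Disconnected (auth failed, 1 attempts in 2 secs): "
            f"user=<bob>, method=PLAIN, rip={rip}, lip=2001:db8:ff::25, TLS")


# Constructed scenario: three hosts in one /48, the first two in one /64.
SAMPLE_LOG = ([_fail_line("2001:db8:1:2::10")] * 3
              + [_fail_line("2001:db8:1:2::11")] * 3
              + [_fail_line("2001:db8:1:3::1")] * 3)


if __name__ == "__main__":
    banner, events = process_log(SAMPLE_LOG)
    for e in events:
        print("ban", e)
    print(banner.is_banned("2001:db8:1:4::1"), banner.is_banned("2001:db8:2::1"))
```

Running the sample produces three bans in sequence: the exact `/128`, then the `/64` once a sibling in the same subnet offends, then the `/48`. The trade-off from the thread remains visible in the result: after the third escalation every host in `2001:db8:1::/48` is blocked, including ones that never attempted a login, which is exactly the collateral damage a wider prefix brings.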


#18

I use Linode. Their ipv6 is /64. They will give you additional ipv6 addresses at no additional charge.

Don’t know yet about ipv4.

Dennis


closed #19

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.