ipv6 for home / small business — part 1

about:

In this series I will discuss connecting via ipv6 to the outside world, and back.

In this first post, I will take a look at ipv6 on my cable-modem router, a decent cable modem from Compal: the Gateway-CH6643E.


The router itself is about 3 years old, routes coax-cable-internet to LAN and WiFi using NAT, and it is capable of doing this via ipv4 as well as ipv6. The latter has been slowly rolled out by my provider, telenet.be, owned by Liberty Global.

some ipv6 basics

In January 2014 I noticed that my PC showed a “global” IPV6 address:
inet6 addr: 2a02:1811:e100:e100::27ff:fe2d:ba0c/64 Scope:Global

Global unicast ipv6 addresses in 2014 are assigned from the block whose first three bits are binary 001, i.e. the 2000::/3 prefix.
This means that in practice the hex form of every currently assigned global address must start with a 2 (0010) or a 3 (0011).

So any ipv6 address starting with 2 or 3 in the highest position is a global unicast address. Global unicast addresses are routable on the ipv6 internet.

Before that, I only ‘owned’ a link-local unicast ipv6 address:
inet6 addr: fe80::76d4:35ff:fe80:b46c/64 Scope:Link

Link-local unicast addresses start with the binary bits 1111 1110 10 (prefix fe80::/10). In practice, the hex form of the address always starts with fe8 (1111 1110 1000),
fe9 (1111 1110 1001), fea (1111 1110 1010) or feb (1111 1110 1011).

The link-local address is usually self-generated, either from the interface’s unique MAC address or with a pseudo-random algorithm. Link-local addresses are not routable on the internet.

Another very important address is ::1, the local loopback address; you know it in the ipv4 world as 127.0.0.1.

If you want to read an ipv6 routing table, it helps to know that the default gateway is written as ::, the ipv6 counterpart of 0.0.0.0 in the ipv4 world.
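The three prefix rules above (2000::/3 for global unicast, fe80::/10 for link-local, ::1 for loopback) are easy to turn into a small classifier. The script below is an added example, not code from this post; it applies the bit checks to lines in the same ifconfig format quoted above. The sample lines are constructed from the addresses shown in the post, and the helper names (classify, parse_ifconfig, global_addresses) are my own. The last helper lists the addresses that are reachable from the internet without NAT, which is exactly what you want to know when checking your router’s firewall.

```python
import ipaddress
import re

# Constructed sample output in the "inet6 addr:" format shown in the post
SAMPLE_IFCONFIG = """\
inet6 addr: 2a02:1811:e100:e100::27ff:fe2d:ba0c/64 Scope:Global
inet6 addr: fe80::76d4:35ff:fe80:b46c/64 Scope:Link
inet6 addr: ::1/128 Scope:Host
"""


def top_bits(addr: ipaddress.IPv6Address, n: int) -> int:
    """Return the n most significant bits of the 128-bit address as an integer."""
    return int(addr) >> (128 - n)


def classify(text: str) -> str:
    """Classify an IPv6 address by the prefix rules given in the post."""
    addr = ipaddress.IPv6Address(text)
    if addr == ipaddress.IPv6Address("::1"):
        return "loopback"
    if top_bits(addr, 3) == 0b001:            # 2000::/3 -> first hex digit is 2 or 3
        return "global unicast"
    if top_bits(addr, 10) == 0b1111111010:    # fe80::/10 -> first hex digits fe8 .. feb
        return "link-local unicast"
    return "other"


def agrees_with_stdlib(text: str) -> bool:
    """Cross-check the hand-written bit test against Python's own ipaddress flags."""
    addr = ipaddress.IPv6Address(text)
    stdlib_view = {
        "loopback": addr.is_loopback,
        "global unicast": addr.is_global,
        "link-local unicast": addr.is_link_local,
    }
    return stdlib_view.get(classify(text), False)


def parse_ifconfig(output: str):
    """Pull (address, prefix length, class) tuples out of ifconfig-style lines."""
    results = []
    for m in re.finditer(r"inet6 addr:\s*([0-9a-fA-F:]+)/(\d+)", output):
        addr, plen = m.group(1), int(m.group(2))
        results.append((addr, plen, classify(addr)))
    return results


def global_addresses(output: str):
    """Addresses that are routable from the internet: the ones to check against the router firewall."""
    return [addr for addr, _, cls in parse_ifconfig(output) if cls == "global unicast"]


if __name__ == "__main__":
    for addr, plen, cls in parse_ifconfig(SAMPLE_IFCONFIG):
        print(f"{addr}/{plen}: {cls} (stdlib agrees: {agrees_with_stdlib(addr)})")
    print("reachable without NAT:", global_addresses(SAMPLE_IFCONFIG))
```

Feed it the output of `ifconfig` on your own machine; any address that comes back as global unicast is one the rest of this post is about.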

the router

What does my cable router tell me:

LAN-configuration:

LAN-subnet-ipv4: 10.0.1.0/24
LAN-subnet-ipv6: 2a02:1811:e100:e100::/64
LAN-IPv4: 10.0.1.1
LAN-IPv6: 2a02:1811:e100:e100:5e35:3bff:fe5c:8b35

WAN-configuration:

IPv4-adres: 94.225.67.23/19
IPv6-adres: 2a02:181f:1:4142:29fc:39b:2213:df3e

the network ipv4

In ipv4 we see two networks connected to the docsis router:

A private 10.0.1.0/24 with 254 host addresses, and a public address routable on the internet. The 32-bit private address is divided into a 24-bit net-id and 8 bits for hosts. The docsis router does Network Address Translation between the two.

The public address resides in a large ISP metro-net, 94.225.64.0-94.225.95.255, with 19 bits reserved for the network and 13 bits for hosts (leaving room for 8000+ addresses in this network).

the network ipv6

There are two networks connecting to the docsis router. Both are global unicast networks.

Basically this means that “our” ipv6 network on the right side of the docsis router, 2a02:1811:e100:e100::/64, is reachable from outside and routable on the internet. This is not a private ip-range, and there is no NAT, only pure routing.

In my case there was no danger from outside visitors, since the docsis router in its default ipv6 settings functions as a firewall, blocking all traffic that was not initiated from inside. However, this might not be the case with your isp and/or your access router. It is a good idea to check this as soon as you discover global unicast ipv6 addresses on your systems.

From a hacker’s point of view the ipv6 world today is a paradise of unprotected machines as well as a desert where these machines are extremely difficult to find.

The network assigned to me has 64 bits as its network portion: 2a02:1811:e100:e100::/64. This is a HUGE network, and I can do with it what I want !!! Every hex digit holds four bits. These 16 hex digits (2a02:1811:e100:e100) are fixed for my network.

That leaves another 64 bits for me to fill in. While I was still unaware that my machines had given themselves an ipv6 address, these addresses were being created as temporary, semi-random ones.

If a hacker could guess my net-ID, (s)he could then randomly test addresses in that 64-bit space. This is however rather unlikely today:

2 to the power of 64 is 1.800 000 000 000 000 000. I can divide my own network space into 4 billion networks, each the size of today’s ipv4 internet.
In most lottery systems around the globe today, you have a chance of one in 10 billion to win. The hacker has a chance of 4 out of 2 quintillion to correctly guess an address. It’s still very lonely in the ipv6 internet 🙂

If you randomly test 100 ipv4 addresses on today’s internet, I’m sure you get more than 10 responses. If you randomly test 1 000 000 global unicast ipv6 addresses, the number of responses is probably going to be zero.
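The subnet arithmetic in the ipv4 and ipv6 sections above (24-bit net-id with 254 hosts, the /19 metro-net with 13 host bits, the /64 with 2^64 addresses that splits into 2^32 networks of ipv4-internet size) can be checked with Python’s ipaddress module. This is an added example, not code from the post; the prefixes are the ones read from the router above, the function names are my own, and “ipv4-sized subnet” is taken to mean a /96, i.e. 2^32 addresses.

```python
import ipaddress


def ipv4_summary(cidr: str) -> dict:
    """Net-id / host split for an IPv4 prefix, e.g. the router's 10.0.1.0/24 or 94.225.67.23/19."""
    net = ipaddress.IPv4Network(cidr, strict=False)   # strict=False accepts a host address with its mask
    host_bits = 32 - net.prefixlen
    return {
        "network": str(net.network_address),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
        "net_bits": net.prefixlen,
        "host_bits": host_bits,
        "usable_hosts": net.num_addresses - 2,        # minus the network and broadcast address
    }


def ipv6_summary(cidr: str) -> dict:
    """Host part of an IPv6 prefix, and how many /96 (2^32 address) subnets fit inside it."""
    net = ipaddress.IPv6Network(cidr, strict=False)
    host_bits = 128 - net.prefixlen
    return {
        "network": str(net.network_address),
        "net_bits": net.prefixlen,
        "host_bits": host_bits,
        "addresses": 2 ** host_bits,
        "ipv4_sized_subnets": 2 ** (96 - net.prefixlen) if net.prefixlen <= 96 else 0,
    }


def in_prefix(address: str, cidr: str) -> bool:
    """Does a host address (e.g. the router's LAN-IPv6) belong to the LAN prefix?"""
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr, strict=False)


def random_hit_probability(cidr: str, hosts_in_use: int) -> float:
    """Chance that one uniformly random address in the prefix lands on a host actually in use."""
    net = ipaddress.IPv6Network(cidr, strict=False)
    return hosts_in_use / net.num_addresses


if __name__ == "__main__":
    print("LAN  ipv4:", ipv4_summary("10.0.1.0/24"))
    print("WAN  ipv4:", ipv4_summary("94.225.67.23/19"))
    print("LAN  ipv6:", ipv6_summary("2a02:1811:e100:e100::/64"))
    print("router LAN address inside LAN prefix:",
          in_prefix("2a02:1811:e100:e100:5e35:3bff:fe5c:8b35", "2a02:1811:e100:e100::/64"))
    print("hit chance with 4 hosts in the /64:", random_hit_probability("2a02:1811:e100:e100::/64", 4))
```

The in_prefix check is a quick way to tell which of the router’s addresses live in the delegated LAN prefix and which belong to the provider’s WAN side.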


next: some hands-on

Where do I start … that will be the subject of the next post.