IPv6 Day

    #31
    @GreyGeek all editing the /etc/gai.config does is get your addresses sorted to prefer IPv6 ....I think!!

    I did some nmapping on my IP and THINK I'm ok even without ufw, but I would like someone that knows better than me to chime in here ........like @SteveRiley (you are a security man, aren't ya?)

    here are the scans I ran

    vinny@Vinnys-HP-G62:~$ nmap -A -P0 209.102.243.176

    Starting Nmap 5.21 ( http://nmap.org ) at 2012-06-08 14:35 EDT
    Nmap scan report for docsis-cbm-4-176.nclxtn.lexcominc.net (209.102.243.176)
    Host is up.
    All 1000 scanned ports on docsis-cbm-4-176.nclxtn.lexcominc.net (209.102.243.176) are filtered

    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 201.72 seconds
    and the IPv6

    vinny@Vinnys-HP-G62:~$ nmap -A -P0 -6 2001:0:53aa:64c:1c7d:560e:2e99:c4f

    Starting Nmap 5.21 ( http://nmap.org ) at 2012-06-08 14:40 EDT
    Nmap scan report for 2001:0:53aa:64c:1c7d:560e:2e99:c4f
    Host is up (1.00s latency).
    All 1000 scanned ports on 2001:0:53aa:64c:1c7d:560e:2e99:c4f are filtered

    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 30.32 seconds
    VINNY
    i7 4core HT 8MB L3 2.9GHz
    16GB RAM
    Nvidia GTX 860M 4GB RAM 1152 cuda cores



      #32
      mmm... looks like your IPv6 connection is filtered, VINNY!
      "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
      – John F. Kennedy, February 26, 1962.



        #33
        Well, VINNY, I got my SixXS tunnel set up a while ago and have been playing with it.

        The test gives me the same readings, 9/10. I suspect that I don't have a 10 because I don't have IPv6 DNS set.


        Setting up the SixXS tunnel requires:
        1) Create an account. They require complete name and address info and a reason why you want a tunnel. After you submit your application you wait until you get an email from them. It will either be a rejection, or it will contain your account name and password.

        2) If accepted, you are given a URL to go to where you select your PoP. Any PoP you select MUST give you an access time of under 100ms. Mine pinged out at 28ms. Then you apply for a tunnel for the PoP you selected, also stating why you selected it. I said it was closest to my home town and it pinged well under 100ms.

        3) IF your tunnel request is accepted then open Muon and install "aiccu". During installation the aiccu package will ask for your SixXS account name and password. After you enter those two items the package sets up your IPv6 tap. It will have a label of "sixxs".

        That's it. Works just like the miredo package except you don't have to go through the application process. There is another thing with SixXS, ISK. These are "credits" which are explained here: https://www.sixxs.net/faq/account/?faq=credits
        ...
        When the credit count is 15 ISK or lower, you will not be able to request new tunnels, subnets or NS entries. This is the so called lower credit threshold/boundary. Note that users with very low credits will automatically be disabled by our robot.
        ...
        My initial credit setting was 10 ISK, so I cannot ask for a subnet or another tunnel, not that I'd need one. But, on the other hand, since I have a dynamic tunnel type I can't lose credits.

        Dynamic Tunnels

        As dynamic (AYIYA and heartbeat) tunnels won't be up all the time it will only receive a 5 ISK bonus after it has been created for one week. After that uptime credits will be given every two weeks when the tunnel is alive.


        One can't lose any credits with a dynamic tunnel but the tunnel must be up if you want to receive credits.
        Cost Table

        The current default cost table is:
        Action                                                           Cost
        Adding a reverse DNS server                                      debits 1
        Approving a subnet request                                       debits 4
        Approving a tunnel request                                       debits 5
        Deleting a subnet                                                debits 50
        Deletion of a tunnel                                             debits 25
        Moving a tunnel's endpoint / Change Tunnel Type                  debits 15
        Removing a reverse DNS server                                    debits 1
        Requesting a subnet                                              debits 10
        Requesting a tunnel                                              debits 10
        Static tunnel IPv6 endpoint didn't ping for a day                debits 5
        Static tunnel IPv6 endpoint didn't ping for a week (autodisable) debits 50
        The host pinged yet another week                                 credits 5
        The "must be up" phrase means that it must respond to a ping.

        SixXS IPv6 : 2001:yourtunnel::1/64
        Your IPv6 : 2001:yourtunnel::2/64

        You can ping6 the PoP tunnel: "ping6 2001:yourtunnel::1" and if you get a packet listing their end of your tunnel is working.

        My approval email listed my tunnel type as "Tunnel Type: Dynamic (ayiya)", which means that I can't lose credits for not being up 100% of the time. BUT, you must use NTP timing to maintain your system time at a difference of less than 120 seconds from atomic time or your connection attempt will be refused.

        For wireless router users SixXS is somewhat of a pain, having to get approval twice (and explaining your reasons why), but once you get your second email notifying you that your tunnel has been set up, then you can install aiccu and fill in your account id and password. After that it appears to behave exactly like miredo and gives the same test scores to me. The tunnel server for miredo is also free and the miredo process is entirely transparent. No id or password is necessary. From my Chromium point of view the performances are the same.

        The big question is how reliable and fast is SixXS compared to teredo-debian.remlab.net (an alias for teredo.remlab.net), which miredo uses?


          #34
          Originally posted by GreyGeek View Post
          Well, VINNY, I got my SixXS tunnel set up awhile ago and have been playing with it.


          The big question is how reliable and fast is SixXS compared to teredo-debian.remlab.net (an alias for teredo.remlab.net), which miredo uses?
          wow sounds like a pain compared to miredo.
          are there any advantages to using SixXS over miredo?

          incidentally I can't ping either my IPv4 or my IPv6 address

          but I guess the IPv6 is working as I get this as soon as I start firefox

          vinny@Vinnys-HP-G62:~$ sudo netstat -tuanp
          [sudo] password for vinny:
          Active Internet connections (servers and established)
          Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
          tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 855/rpcbind
          tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 3475/dnsmasq
          tcp 0 0 0.0.0.0:36789 0.0.0.0:* LISTEN 1027/rpc.statd
          tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1241/cupsd
          tcp 0 0 127.0.0.1:2628 0.0.0.0:* LISTEN 1257/0
          tcp 0 0 192.168.2.3:58661 199.7.52.72:80 TIME_WAIT -
          tcp 0 0 192.168.2.3:44825 173.255.193.141:80 TIME_WAIT -
          tcp 0 0 192.168.2.3:46493 74.125.137.17:443 TIME_WAIT -
          tcp6 0 0 :::111 :::* LISTEN 855/rpcbind
          tcp6 0 0 ::1:631 :::* LISTEN 1241/cupsd
          tcp6 0 0 :::53504 :::* LISTEN 1027/rpc.statd
          tcp6 0 0 2001:0:53aa:64c:3:50008 2607:f8b0:4002:802::443 ESTABLISHED 9305/firefox
          udp 0 0 127.0.0.1:53 0.0.0.0:* 3475/dnsmasq
          udp 0 0 0.0.0.0:68 0.0.0.0:* 3471/dhclient
          udp 0 0 0.0.0.0:111 0.0.0.0:* 855/rpcbind
          udp 0 0 0.0.0.0:45329 0.0.0.0:* 1278/avahi-daemon:
          udp 0 0 0.0.0.0:45382 0.0.0.0:* 1027/rpc.statd
          udp 0 0 0.0.0.0:603 0.0.0.0:* 855/rpcbind
          udp 0 0 127.0.0.1:779 0.0.0.0:* 1027/rpc.statd
          udp 0 0 0.0.0.0:5353 0.0.0.0:* 1278/avahi-daemon:
          udp 0 0 0.0.0.0:44424 0.0.0.0:* 3580/miredo
          udp6 0 0 :::111 :::* 855/rpcbind
          udp6 0 0 :::59545 :::* 1278/avahi-daemon:
          udp6 0 0 :::45301 :::* 1027/rpc.statd
          udp6 0 0 :::603 :::* 855/rpcbind
          udp6 0 0 :::5353 :::* 1278/avahi-daemon:
          the tcp6 line with firefox in it means it's an IPv6 connection .......doesn't it?

          O and I am on wireless...............

          VINNY

          O 1 more incidentally this test http://test-ipv6.com/ gives me 7/10 on both IPv4 & IPv6
          this one gives me an "IPv6 preferred by your browser" http://ipv6-test.com/
          and this one gives me an excellent http://ds.testmyipv6.com/
          Excellent!

          Last edited by vinnywright; Jun 09, 2012, 12:53 PM.


            #35
            I think that's what the tcp6 means, VINNY.

            Here's the technical output of that test on my box:
            Test with IPv4 DNS record ok (0.894s) using ipv4
            Test with IPv6 DNS record ok (0.851s) using ipv6 uschi02.sixxs.net yourorg
            Test with Dual Stack DNS record ok (0.836s) using ipv6 uschi02.sixxs.net yourorg
            Test for Dual Stack DNS and large packet ok (0.729s) using ipv6 uschi02.sixxs.net yourorg
            Test IPv4 without DNS ok (0.229s) using ipv4
            Test IPv6 without DNS timeout (15.014s)
            Test IPv6 large packet ok (0.777s) using ipv6 uschi02.sixxs.net yourorg
            Test if your ISP's DNS server uses IPv6 bad (1.980s)
            It gave me a 9/10.

            The other test gave me:
            When both protocols are available, your browser uses IPv6

            Your internet connection is IPv6 capable
            2001:4978:f:580::2
            cl-1409.chi-02.us.sixxs.net  Your.org

            Address type is Global Unicast / Native IPv6

            Your internet connection is IPv4 capable
            24.223.250.93
            user-0cdvuit.cable.mindspring.com  Earthlink


            The last test gave me:
            Excellent!

            You are successfully using IPv6 to connect to this server!

            Your IPv6 address is 2001:4978:f:580::2.
            The ::2 address is the PoP SixXS supplied to me. My IPv6 IP is the same address except that it ends in ::1.

            So, the thing I need to do is grab a hold of some IPv6 DNS numbers.


            BTW, this URL: http://v6.testmyipv6.com/ipv6_prefixes.html reveals some very interesting capabilities of your IPv6 connection.
            Last edited by Snowhog; Jun 10, 2012, 04:51 PM.


              #36
              The speed test on the second test URL you listed, VINNY (the bar graph didn't copy):
              Your speed test results
              IPv4
              Earthlink
              24.223.250.93
              11.8 Mbit/s
              1.47 Mbytes/s

              IPv6
              Your.org
              2001:4978:f:580::2
              3.92 Mbit/s
              502 Kbytes/s

              I repeated the test several times and the best speed I got was slightly less than my IPv4 speed.


                #37
                I spoke too soon. I ran the speed test again and got these results:
                IPv4
                Earthlink
                24.223.250.93

                9.53 Mbit/s
                1.19 Mbytes/s



                IPv6
                Your.org
                2001:4978:f:580::2

                11.1 Mbit/s
                1.39 Mbytes/s

                IPv6 won in this test, so its speed seems to be highly variable.


                  #38
                  @GreyGeek
                  yes mine is erratic as well but stays close to the IPv4 results ...........laughably slow at around 118-114 Kbytes/s (cheapest windstream $35.00 a month)

                  VINNY


                    #39
                    Originally posted by GreyGeek View Post
                    BTW, this URL: http://v6.testmyipv6.com/ipv6_prefixes.html reveals some very interesting capabilities of your IPv6 connection.
                    From their http://v6.testmyipv6.com/ and clicking on the IPv6-only Test link, I get:
                    Congratulations, you have connected to a server that will display your method of connectivity, either IPv6 (preferred) or IPv4 (old and crusty). This page is fairly plain and non-flashy for a reason -- decreased bandwidth for testing applications and devices that are using limited-bandwidth connectivity and/or limited support for advanced HTML/XHTML features.
                    Excellent!

                    You are successfully using IPv6 to connect to this server!

                    Your IPv6 address is 2001:0:53aa:64c:3813:52b9:b7dc:9d94.
                    But clicking on the Dual-Stack (IPv6 & IPv4) Test I get:
                    You are connecting to this server via IPv4, your address being 72.35.98.107.
                    It's time to step up to IPv6!
                    If you can't get native IPv6 transport from your ISP, please check into using a tunnel broker. Click here to find a list of tunnel brokers.
                    If your browser is able to connect to the IPv6-only Test, yet using the Dual-Stack Test returns a page with a red box stating that you are using IPv4, then your browser and/or IP stack in your machine are preferring IPv4 over IPv6, which is undesired/broken behavior.
                    The Dual-Stack Test is meant to test whether your client is choosing IPv6 over IPv4 when making a connection to the server since it is known on the Internet with both IPv6 and IPv4 addresses. The proper behavior of your client, assuming that the IPv6-only test works for you, is that the Dual-Stack Test would have an identical result to the IPv6-only test and confirming that you are preferring IPv6 over IPv4 when connecting to a dual-stack destination. If the result is a page with a red box stating that you are using IPv4, then your browser and/or IP stack are preferring IPv4 over IPv6, which is undesired/broken behavior.
                    Okay, so I can connect via IPv6 or IPv4, but my client (Chromium ?) is using IPv4 over IPv6. Is this something I can change?

                    Found this, but I would like an "expert" opinion on what it will actually do: Configure your Ubuntu box as a IPv6 router
                    Last edited by Snowhog; Jun 10, 2012, 05:19 PM.
                    Windows no longer obstructs my view.
                    Using Kubuntu Linux since March 23, 2007.
                    "It is a capital mistake to theorize before one has data." - Sherlock Holmes



                      #40
                      Originally posted by Snowhog View Post

                      Okay, so I can connect via IPv6 or IPv4, but my client (Chromium ?) is using IPv4 over IPv6. Is this something I can change?
                      edit your /etc/gai.config as I described earlier .........

                      VINNY

                      EDIT: in post #22 .....
                      Last edited by vinnywright; Jun 10, 2012, 05:22 PM.
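Added example (my own code, not from the thread and not what post #22 contained, which is not on this page): a model of the part of RFC 3484 destination address selection that decides Snowhog's Dual-Stack result, using the default label and precedence tables shipped in glibc's /etc/gai.conf (the file the thread refers to). Only rule 5 (prefer a matching label) and rule 6 (prefer higher precedence) are modelled; the earlier rules tie for the addresses involved here. glibc gives the Teredo prefix 2001:0::/32 its own label (7), so a Teredo source address never label-matches a global IPv6 destination, while an IPv4 source and IPv4 destination (both IPv4-mapped, label 4) do match; rule 5 therefore picks IPv4 before precedence is ever consulted. A tunnel-broker address like GreyGeek's 2001:4978:f:580::2 carries the global label 1 and then wins on precedence (40 for global IPv6 versus 10 for IPv4-mapped). The source addresses are the ones posted in this thread; the destinations 192.0.2.10 and 2001:db8::10 are constructed documentation addresses standing in for a dual-stack site. LABELS_TEREDO_AS_GLOBAL is my suggested change, an assumption of this example: if you put the equivalent line into /etc/gai.conf, copy the whole label table with it, because any label line in that file replaces the built-in table instead of adding to it.

```python
"""Model of RFC 3484 destination ordering (rules 5 and 6 only) with glibc's
default /etc/gai.conf tables: why a Teredo host prefers IPv4 for a dual-stack
destination while a tunnel-broker host prefers IPv6."""
import ipaddress
from typing import List, Sequence, Tuple

IPv6 = ipaddress.IPv6Address

# Default label table from glibc's gai.conf (longest matching prefix wins).
# Note the dedicated label 7 for the Teredo prefix.
DEFAULT_LABELS: Sequence[Tuple[str, int]] = (
    ("::1/128", 0), ("::/0", 1), ("2002::/16", 2), ("::/96", 3),
    ("::ffff:0:0/96", 4), ("fec0::/10", 5), ("fc00::/7", 6), ("2001:0::/32", 7),
)
# Default precedence table from glibc's gai.conf.
DEFAULT_PRECEDENCE: Sequence[Tuple[str, int]] = (
    ("::1/128", 50), ("::/0", 40), ("2002::/16", 30), ("::/96", 20), ("::ffff:0:0/96", 10),
)
# Suggested change (an assumption of this example, not from the page): give Teredo
# the same label as other global IPv6 so that rule 5 no longer penalises it.
LABELS_TEREDO_AS_GLOBAL = tuple(
    (prefix, 1 if prefix == "2001:0::/32" else label) for prefix, label in DEFAULT_LABELS
)


def lookup(table: Sequence[Tuple[str, int]], addr: IPv6) -> int:
    """Longest-prefix match of addr in a gai.conf-style table."""
    best_len, best_val = -1, 0
    for prefix, value in table:
        net = ipaddress.IPv6Network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_val = net.prefixlen, value
    return best_val


def as_ipv6(addr: str) -> IPv6:
    """RFC 3484 compares everything as IPv6; IPv4 becomes IPv4-mapped ::ffff:a.b.c.d."""
    ip = ipaddress.ip_address(addr)
    return IPv6("::ffff:" + str(ip)) if ip.version == 4 else ip


def sort_key(src: str, dst: str, labels=DEFAULT_LABELS, precedence=DEFAULT_PRECEDENCE):
    """Higher tuple sorts first: rule 5 (label match) is decided before rule 6 (precedence)."""
    s, d = as_ipv6(src), as_ipv6(dst)
    return (lookup(labels, s) == lookup(labels, d), lookup(precedence, d))


def choose_destination(pairs: List[Tuple[str, str]], labels=DEFAULT_LABELS,
                       precedence=DEFAULT_PRECEDENCE) -> str:
    """pairs: (source address the host would use, candidate destination).
    Returns the destination getaddrinfo() would list first under these rules."""
    return max(pairs, key=lambda p: sort_key(p[0], p[1], labels, precedence))[1]


# Constructed dual-stack site: documentation addresses standing in for a real one.
SITE_V4, SITE_V6 = "192.0.2.10", "2001:db8::10"
# Source addresses as posted in this thread (Snowhog's Teredo host, GreyGeek's SixXS host).
TEREDO_HOST = [("2001:0:53aa:64c:3813:52b9:b7dc:9d94", SITE_V6), ("72.35.98.107", SITE_V4)]
SIXXS_HOST = [("2001:4978:f:580::2", SITE_V6), ("24.223.250.93", SITE_V4)]

if __name__ == "__main__":
    print("Teredo host, default gai.conf  :", choose_destination(TEREDO_HOST))
    print("SixXS host,  default gai.conf  :", choose_destination(SIXXS_HOST))
    print("Teredo host, Teredo label -> 1 :",
          choose_destination(TEREDO_HOST, labels=LABELS_TEREDO_AS_GLOBAL))
```

The first call returns the IPv4 destination, the second the IPv6 one, and the third shows that relabelling Teredo flips the Teredo host to IPv6 as well. Whether you want that is a separate question: the default is deliberate, because Teredo is a best-effort tunnel and the rest of this thread explains why it is not something to prefer.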


                        #41
                        Wow, what a thread to catch up on. You guys have been doing some pretty neat investigation, was fun to read.

                        I'm sure you've realized now what Teredo is: a tunneling protocol that allows IPv6 capable hosts to communicate on IPv4 networks like the Internet. By installing and configuring miredo, you're creating a virtual tunnel adapter whose address is in the 2001:0::/32 range, the dedicated range for Teredo clients. The other end of your Teredo connection is to a Teredo relay someplace on the Internet. A Teredo server (not the same thing as a relay) takes care of configuring the tunnel when you first connect. A number of public servers and relays exist.

                        When your computer sends traffic to the IPv6 Teredo adapter, it's actually IPv4 datagrams that then get encapsulated in IPv6. These are forwarded to the Teredo relay, which un-encapsulates the traffic and forwards it to its IPv4 destination.

                        A Teredo address reveals clues about its construction. After the first 32 bits, the next 32 bits (the ones you guys have been asking about) are the IPv4 address of the Teredo server that configured your tunnel. The next 16 bits are flags, the next 16 bits are an obfuscation of the IPv4 UDP port via which your client is tunneling, and the final 32 bits are an obfuscation of your IPv4 address.

                        Teredo is actually kind of a sucky protocol, and it's on the dinosaur path. It has a number of security issues, not least in that it creates tunnels that bypass NAT devices. It's a useful tool for routing around many firewalls, unfortunately. If I were building an enterprise network, I'd block it completely. There are much better ways to accomplish this particular form of IPv6 transition, namely NAT64/DNS64.
                        Last edited by SteveRiley; Jun 11, 2012, 05:01 PM.
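Added example (not code from the original thread): a decoder for the Teredo address layout SteveRiley describes above, as specified in RFC 4380: a 32-bit prefix (2001:0::/32), the 32-bit IPv4 address of the Teredo server, 16 flag bits (the most significant bit is the cone flag; RFC 5991 fills the remaining bits with random values), then the client's external UDP port and external IPv4 address, each stored XORed with all ones so that a NAT does not rewrite them. Run against the two Teredo addresses posted in this thread, it recovers the posters' public IPv4 addresses (209.102.243.176 and 72.35.98.107), which is the exposure point raised later in the thread: anyone who sees your Teredo address also learns your NAT's external IPv4 address and UDP port. The addresses are taken from the thread; nothing else is assumed.

```python
"""Decode a Teredo (2001:0::/32) IPv6 address into the fields defined in RFC 4380."""
import ipaddress
from dataclasses import dataclass

TEREDO_PREFIX = ipaddress.IPv6Network("2001:0::/32")


@dataclass(frozen=True)
class TeredoFields:
    server: str        # IPv4 address of the Teredo server that configured the tunnel
    flags: int         # 16-bit flags field (MSB = cone flag; other bits random per RFC 5991)
    cone: bool
    client_port: int   # client's external (NAT-mapped) UDP port, de-obfuscated
    client_ipv4: str   # client's external (NAT-mapped) IPv4 address, de-obfuscated


def decode_teredo(address: str) -> TeredoFields:
    """Split a Teredo address into server/flags/port/client as in RFC 4380 section 4.
    Port and client address are stored XORed with all ones (obfuscated)."""
    ip = ipaddress.IPv6Address(address)
    if ip not in TEREDO_PREFIX:
        raise ValueError(f"{address} is not a Teredo address (expected {TEREDO_PREFIX})")
    raw = ip.packed                                        # 16 bytes, network order
    server = ipaddress.IPv4Address(raw[4:8])               # bits 32..63
    flags = int.from_bytes(raw[8:10], "big")               # bits 64..79
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF      # bits 80..95, obfuscated
    client = ipaddress.IPv4Address(                        # bits 96..127, obfuscated
        int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF)
    return TeredoFields(str(server), flags, bool(flags & 0x8000), port, str(client))


def exposure_report(address: str) -> str:
    """One-line summary of what a remote peer learns just from seeing this Teredo address."""
    t = decode_teredo(address)
    return (f"{address}: server {t.server}, cone={t.cone}, "
            f"client reachable at {t.client_ipv4}:{t.client_port}/udp")


if __name__ == "__main__":
    # Both addresses were posted in this thread (posts #31 and #39).
    for addr in ("2001:0:53aa:64c:1c7d:560e:2e99:c4f",
                 "2001:0:53aa:64c:3813:52b9:b7dc:9d94"):
        print(exposure_report(addr))
```

Both addresses decode to the same server (83.170.6.76) and to the client IPv4 addresses that the nmap scan in post #31 and the Dual-Stack test in post #39 show directly, so the "obfuscation" hides nothing from anyone who knows the layout; it exists only to keep NAT devices from rewriting those bytes.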



                          #42
                          Originally posted by SteveRiley View Post
                          Wow, what a thread to catch up on. You guys have been doing some pretty neat investigation, was fun to read.


                          Teredo is actually kind of a sucky protocol, and it's on the dinosaur path. It has a number of security issues, not least in that it creates tunnels that bypass NAT devices. It's a useful tool for routing around many firewalls, unfortunately. If I were building an enterprise network, I'd block it completely. There are much better ways to accomplish this particular form of IPv6 transition, namely NAT64/DNS64.
                          Hummm so would this NAT64/DNS64 work with my crusty old router that may/may not be IPv6 capable ?

                          heck my ISP is not even using IPv6 yet ....or at least "host" does not return any AAAA records for it.

                          did you take a look at my nmap results ........do you think I'm reasonably secure using miredo ?

                          we value your opinion

                          VINNY


                            #43
                            NAT64/DNS64 is a much simpler method of allowing IPv6 hosts to communicate with IPv4 hosts. It avoids tunneling and doesn't require that your ISP's DNS server return AAAA records. Even if your ISP is completely IPv6-clueless, you can make your internal home network IPv6-only with the purchase of a NAT64/DNS64 gateway.

                            Interestingly enough, even Microsoft, the inventor of Teredo, is deprecating it in favor of NAT64/DNS64. All that client/server/relay/broker stuff is really brittle and I'm glad to see it going away.



                              #44
                              Not everything is accessible with NAT64, such as SIP, Skype, MSN, Google talk, and sites with IPv4 literals.
                              Oops! :eek:

                              I notice that there are two Tayga apps in the repository. Time to experiment some more!


                                #45
                                Originally posted by vinnywright View Post
                                did you take a look at my nmap results ........do you think I'm reasonably secure using miredo ?
                                Teredo, by itself, isn't so bad -- but because it advertises a globally unique IPv6 address to the Internet and also has to sit on a UDP port awaiting incoming traffic, it exposes your computer to potential attack. This is typical for anything that performs NAT traversal. The success of any attack depends on what else is running on your computer and how you've configured your tunnel adapter.

                                A Symantec paper covers the risks rather well, even though it's six years old. It gets technical -- IPv6 is a complicated protocol; to assume that it's automatically more secure is a very bad assumption. I predict that during these early days of IPv6 we'll see an increase in attacks, mostly because bad guys will get very good at finding misconfigured IPv6 security controls.

                                My advice: unless you really need Teredo to do something, I'd suggest stopping your experiment soon. There was some effort a couple years ago to beef up Teredo's validation, but the efforts have largely gone nowhere. Trawling through Google will reveal some half-hearted attempts to explain away the weaknesses, but they are just that: explanations. Fundamentally, allowing unauthenticated tunnels through a private network is a bad idea.
