IPv6 Day


    #46
    Originally posted by vinnywright View Post
    Did you take a look at my nmap results ... do you think I'm reasonably secure using miredo?
    Teredo, by itself, isn't so bad -- but because it advertises a globally unique IPv6 address to the Internet and also has to sit on a UDP port awaiting incoming traffic, it exposes your computer to potential attack. This is typical for anything that performs NAT traversal. The success of any attack depends on what else is running on your computer and how you've configured your tunnel adapter.

    A Symantec paper covers the risks rather well, even though it's six years old. It gets technical -- IPv6 is a complicated protocol; to assume that it's automatically more secure is a very bad assumption. I predict that during these early days of IPv6 we'll see an increase in attacks, mostly because bad guys will get very good at finding misconfigured IPv6 security controls.

    My advice: unless you really need Teredo to do something, I'd suggest stopping your experiment soon. There was some effort a couple years ago to beef up Teredo's validation, but the efforts have largely gone nowhere. Trawling through Google will reveal some half-hearted attempts to explain away the weaknesses, but they are just that: explanations. Fundamentally, allowing unauthenticated tunnels through a private network is a bad idea.

    Comment
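
The exposure described in post #46 is visible in the Teredo address itself. The following is an added example, not part of the original post: it decodes the RFC 4380 address layout to show that a Teredo address publishes the NAT's public IPv4 address and the mapped UDP port. The function names and the sample Teredo address are constructed; the other two addresses come from the output posted later in this thread.

```python
import ipaddress

TEREDO = ipaddress.ip_network("2001::/32")  # Teredo service prefix (RFC 4380)


def decode_teredo(addr):
    """Return the fields a Teredo address reveals, or None if it is not Teredo."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO:
        return None
    raw = int(ip)
    # Layout: 32-bit prefix | 32-bit server IPv4 | 16-bit flags |
    #         16-bit port XOR 0xFFFF | 32-bit client IPv4 XOR 0xFFFFFFFF
    server = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)
    flags = (raw >> 48) & 0xFFFF
    port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF
    client = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)
    return {
        "server_ipv4": str(server),
        "cone_nat_flag": bool(flags & 0x8000),
        "mapped_udp_port": port,          # UDP port held open on the NAT
        "nat_public_ipv4": str(client),   # public address of the NAT in front of the host
    }


def audit(addresses):
    """Return (address, decoded fields) for every Teredo address in the list."""
    findings = []
    for a in addresses:
        fields = decode_teredo(a)
        if fields is not None:
            findings.append((a, fields))
    return findings


# Constructed sample built from documentation IPv4 ranges:
# server 198.51.100.1, cone flag set, port 40000, NAT address 203.0.113.7.
SAMPLE_TEREDO = "2001:0:c633:6401:8000:63bf:34ff:8ef8"

# Addresses as they might be copied from `ip -6 addr` on a host under review.
HOST_ADDRESSES = [
    "fe80::76de:2bff:fe36:e435",   # link-local, from the thread's output
    "2001:4978:f:580::2",          # SixXS tunnel endpoint, from the thread's output
    SAMPLE_TEREDO,
]

if __name__ == "__main__":
    for address, fields in audit(HOST_ADDRESSES):
        print(address, fields)
```
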


      #47
      Originally posted by GreyGeek View Post
      I notice that there are two Tayga apps in the repository. Time to experiment some more!
      6rd is probably a better option for you, and SIIT might also work. But I don't have any hands-on experience with these particular protocols.

      Comment


        #48
        Here's my plan:
        Yesterday I replaced my old wireless router with one which supports IPv6. Today I am going to get TW to replace their modem with one which supports IPv6. Then I am going to make my wireless work in IPv6 only, and use tnat64 from the repository to connect to IPv4 websites.

        Workable?
        "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
        – John F. Kennedy, February 26, 1962.

        Comment


          #49
          Originally posted by GreyGeek View Post
          Today I am going to get TW to replace their modem with one which supports IPv6.
          Is the TW modem the only limiting factor for TW customers? I had the impression, from where I'm not sure, that the ISPs have other infrastructure that prevents IPv6 connectivity. Have you discussed it with TW?

          (Curious TW customer here .....).

          Thanks GG!

          Comment


            #50
            Originally posted by GreyGeek View Post
            Here's my plan:
            Yesterday I replaced my old wireless router with one which supports IPv6. Today I am going to get TW to replace their modem with one which supports IPv6. Then I am going to make my wireless work in IPv6 only, and use tnat64 from the repository to connect to IPv4 websites.

            Workable?
            A NAT64 translator usually won't work properly without a DNS64 to synthesize appropriate AAAA records. totd appears to be the Linux tool that will do this for you. I don't have any personal experience with any of the Linux NAT64/DNS64 stuff yet, though, so I can't offer an opinion on how well these utilities behave.

            Comment


              #51
              Originally posted by dibl View Post
              Is the TW modem the only limiting factor for TW customers? I had the impression, from where I'm not sure, that the ISPs have other infrastructure that prevents IPv6 connectivity. Have you discussed it with TW?

              (Curious TW customer here .....).

              Thanks GG!
              As I understand it, hardware which needs to inspect packets to determine where they go must use DOCSIS 3.0 in order to work in an IPv6 environment. Equipment which simply passes packets along isn't affected by nor will affect IPv6 packets.

              TW has reported that they are "IPv6 ready" and that "1%" of their customer base is on IPv6 already. I suspect that they are rolling out the business class users first, then premium users, etc... But, your cable modem has to use DOCSIS 3.0 or it can't do IPv6. My modem is a Cisco DCP2100R2, which uses DOCSIS 2.0. So, I am going to get it replaced one way or another. If TW doesn't agree to a swap, or wants to "rent" a DOCSIS 3 class router to me, then I will decline the offer, buy a Motorola SB6121 and call them up and give them the serial number and MAC address and tell them to activate it.

              Comment


                #52
                Thanks GG. I have a SB5101 on my end of my TW cable, so I'll wait and see how you fare with them and plan my migration accordingly.

                Comment


                  #53
                  Originally posted by dibl View Post
                  Thanks GG. I have a SB5101 on my end of my TW cable, so I'll wait and see how you fare with them and plan my migration accordingly.
                  Oops... "The SB5101 cable modem is a high-speed ultra-broadband data solution incorporating DOCSIS 2.0 technology."

                  Comment


                    #54
                    Originally posted by GreyGeek View Post
                    Oops... "The SB5101 cable modem is a high-speed ultra-broadband data solution incorporating DOCSIS 2.0 technology."
                    Precisely so -- thus my need to plan a migration! ;-)

                    Comment


                      #55
                      Found a couple of interesting tools:

                      nm-tool
                      Code:
                      :~$ sudo nm-tool
                      [sudo] password for jerry: 
                      
                      
                      NetworkManager Tool
                      
                      
                      State: connected (global)
                      
                      
                      - Device: eth0 -----------------------------------------------------------------
                        Type:              Wired
                        Driver:            atl1c
                        State:             unavailable
                        Default:           no
                        HW Address:        38:60:77:78:40:C8
                      
                      
                        Capabilities:
                          Carrier Detect:  yes
                      
                      
                        Wired Properties
                          Carrier:         off
                      
                      
                      
                      
                      - Device: wlan0  [GreyGeek] ----------------------------------------------------
                        Type:              802.11 WiFi
                        Driver:            rtl8192ce
                        State:             connected
                        Default:           yes
                        HW Address:        74:DE:2B:36:E4:35
                      
                      
                        Capabilities:
                          Speed:           72 Mb/s
                      
                      
                        Wireless Properties
                          WEP Encryption:  yes
                          WPA Encryption:  yes
                          WPA2 Encryption: yes
                      
                      
                        Wireless Access Points (* = current AP)
                          WIN_f0a6:        Infra, 2C:E4:12:46:F0:A5, Freq 2412 MHz, Rate 54 Mb/s, Strength 80 WPA WPA2
                          BettyBoop:       Infra, C0:C1:C0:24:95:3C, Freq 2412 MHz, Rate 54 Mb/s, Strength 80 WPA2
                          linksys:         Infra, 00:13:10:89:75:0D, Freq 2437 MHz, Rate 11 Mb/s, Strength 100
                          5dfe:            Infra, 20:4E:7F:7A:09:02, Freq 2412 MHz, Rate 54 Mb/s, Strength 100 WPA WPA2
                          belkin.fec:      Infra, 08:86:3B:29:8F:EC, Freq 2462 MHz, Rate 54 Mb/s, Strength 69 WPA WPA2
                          *GreyGeek:       Infra, 20:AA:4B:3A:85:E3, Freq 2462 MHz, Rate 54 Mb/s, Strength 67 WPA2
                          GarberNetgear:   Infra, 2C:B0:5D:81:97:BE, Freq 2422 MHz, Rate 54 Mb/s, Strength 79 WPA2
                          WIN_A9E8:        Infra, 4C:17:EB:20:A9:E7, Freq 2412 MHz, Rate 54 Mb/s, Strength 85 WPA WPA2
                          The Alois Family:Infra, 00:1E:58:32:BB:35, Freq 2412 MHz, Rate 54 Mb/s, Strength 79 WPA
                      
                      
                        IPv4 Settings:
                          Address:         192.168.1.100
                          Prefix:          24 (255.255.255.0)
                          Gateway:         192.168.1.1
                      
                      
                          DNS:             207.69.188.186
                          DNS:             207.69.188.187
                          DNS:             192.168.1.1
                      :~$
                      and
                      routel
                      Code:
                      :~$ routel
                               target            gateway          source    proto    scope    dev tbl
                              default        192.168.1.1                   static           wlan0 
                         169.254.0.0/ 16                                              link  wlan0 
                         192.168.1.0/ 24                   192.168.1.100   kernel     link  wlan0 
                            127.0.0.0          broadcast       127.0.0.1   kernel     link     lo local
                           127.0.0.0/ 8            local       127.0.0.1   kernel     host     lo local
                            127.0.0.1              local       127.0.0.1   kernel     host     lo local
                      127.255.255.255          broadcast       127.0.0.1   kernel     link     lo local
                          192.168.1.0          broadcast   192.168.1.100   kernel     link  wlan0 local
                        192.168.1.100              local   192.168.1.100   kernel     host  wlan0 local
                        192.168.1.255          broadcast   192.168.1.100   kernel     link  wlan0 local
                      2001:4978:f:580::/ 64                                   kernel           sixxs 
                              fe80::/ 64                                   kernel           sixxs 
                              fe80::/ 64                                   kernel           wlan0 
                              default    2001:4978:f:580::1                                    sixxs 
                              default        unreachable                   kernel              lo unspec
                                  ::1                 ::                     none              lo local
                      2001:4978:f:580::2                 ::                     none              lo local
                      fe80::4878:f:580:2                 ::                     none              lo local
                      fe80::76de:2bff:fe36:e435                 ::                     none              lo local
                              ff00::/ 8                                                     sixxs local
                              ff00::/ 8                                                     wlan0 local
                              default        unreachable                   kernel              lo unspec
                      jerry@jerry-Aspire-7739:~$
                      Don't know what those two "unreachable" defaults are, but I'm assuming that there can be only one default.


                      and, not a new tool, but some interesting output:
                      ip r s t all
                      Code:
                      :~$ ip r s t all
                      default via 192.168.1.1 dev wlan0  proto static 
                      169.254.0.0/16 dev wlan0  scope link  metric 1000 
                      192.168.1.0/24 dev wlan0  proto kernel  scope link  src 192.168.1.100  metric 2 
                      broadcast 127.0.0.0 dev lo  table local  proto kernel  scope link  src 127.0.0.1 
                      local 127.0.0.0/8 dev lo  table local  proto kernel  scope host  src 127.0.0.1 
                      local 127.0.0.1 dev lo  table local  proto kernel  scope host  src 127.0.0.1 
                      broadcast 127.255.255.255 dev lo  table local  proto kernel  scope link  src 127.0.0.1 
                      broadcast 192.168.1.0 dev wlan0  table local  proto kernel  scope link  src 192.168.1.100 
                      local 192.168.1.100 dev wlan0  table local  proto kernel  scope host  src 192.168.1.100 
                      broadcast 192.168.1.255 dev wlan0  table local  proto kernel  scope link  src 192.168.1.100 
                      2001:4978:f:580::/64 dev sixxs  proto kernel  metric 256 
                      fe80::/64 dev sixxs  proto kernel  metric 256 
                      fe80::/64 dev wlan0  proto kernel  metric 256 
                      default via 2001:4978:f:580::1 dev sixxs  metric 1024 
                      unreachable default dev lo  table unspec  proto kernel  metric -1  error -101 hoplimit 255
                      local ::1 via :: dev lo  table local  proto none  metric 0 
                      local 2001:4978:f:580::2 via :: dev lo  table local  proto none  metric 0 
                      local fe80::4878:f:580:2 via :: dev lo  table local  proto none  metric 0 
                      local fe80::76de:2bff:fe36:e435 via :: dev lo  table local  proto none  metric 0 
                      ff00::/8 dev sixxs  table local  metric 256 
                      ff00::/8 dev wlan0  table local  metric 256 
                      unreachable default dev lo  table unspec  proto kernel  metric -1  error -101 hoplimit 255
                      jerry@jerry-Aspire-7739:~$

                      You'll notice that in the "nm-tool" listing are the other "AP"'s local to me, and among them, mine has the lowest signal strength at 67%, and I am only 10' from my wireless router! This is the same problem that my other wireless, the WR1043ND, gave me. I am beginning to suspect that it is a problem with the cable modem from TimeWarner.

                      Comment


                        #56
                        Originally posted by GreyGeek View Post
                        Don't know what those two "unreachable" defaults are, but I'm assuming that there can be only one default.
                        It's intentional. Remember that in IPv6, automatic address assignment doesn't include a default gateway. Instead, IPv6 issues neighbor discovery probes, looking for routers on the same link as your interface. As the stack finds routers, it builds a routing table.

                        Now imagine that something happened, and all your neighbor routers died. Your routing table would be empty, and applications would send datagrams, receive no responses, and just keep trying over and over again. To prevent this, IPv6 automatically creates a default "unreachable" route on each local interface and assigns it a metric of -1, which means "always least preferred" -- you can see this in your ip r s t all output.

                        Under ordinary situations, when your computer has found a router, its entry in your route table will include a better metric, and "unreachable" is ignored. But when all your links die, and there are no routers to reach, your IPv6 stack falls back to the "unreachable" route. Thus, it can inform applications that the destination is, well, unreachable. At this point, it's up to the application to determine what to do, but at least it doesn't have to sit there and keep guessing all day.

                        Originally posted by GreyGeek View Post
                        You'll notice that in the "nm-tool" listing are the other "AP"'s local to me, and among them, mine has the lowest signal strength at 67%, and I am only 10' from my wireless router! This is the same problem that my other wireless, the WR1043ND, gave me. I am beginning to suspect that it is a problem with the cable modem from TimeWarner.
                        See my reply in the other thread. I was asking where you got that list from; now I know. I also wrote some more about signal strength, wireless frequencies, and NIC capabilities.

                        Comment
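
The route selection described in post #56, worked through on the thread's own data, as an added example that is not part of the original post: it parses the IPv6 lines of the `ip r s t all` output from post #55, picks the default route with the lowest metric, and shows the fallback to the "unreachable" entry once the gateway route is gone. The function names are hypothetical, and reading the printed metric -1 as the unsigned 32-bit maximum is an assumption consistent with the post's "always least preferred".

```python
# IPv6 lines taken from the `ip r s t all` output in post #55.
SAMPLE = """\
2001:4978:f:580::/64 dev sixxs  proto kernel  metric 256
fe80::/64 dev sixxs  proto kernel  metric 256
fe80::/64 dev wlan0  proto kernel  metric 256
default via 2001:4978:f:580::1 dev sixxs  metric 1024
unreachable default dev lo  table unspec  proto kernel  metric -1  error -101 hoplimit 255
local ::1 via :: dev lo  table local  proto none  metric 0
ff00::/8 dev sixxs  table local  metric 256
unreachable default dev lo  table unspec  proto kernel  metric -1  error -101 hoplimit 255
"""

ROUTE_TYPES = {"unreachable", "blackhole", "prohibit", "local", "broadcast"}


def parse_defaults(text):
    """Return every 'default' route in the output as a dict."""
    defaults = []
    for line in text.splitlines():
        tok = line.split()
        rtype = "unicast"
        if tok and tok[0] in ROUTE_TYPES:
            rtype, tok = tok[0], tok[1:]
        if not tok or tok[0] != "default":
            continue
        # The remaining tokens are key/value pairs in these lines
        # (flag-only tokens such as 'onlink' are not handled here).
        attrs = dict(zip(tok[1::2], tok[2::2]))
        defaults.append({
            "type": rtype,
            "via": attrs.get("via"),
            "dev": attrs.get("dev"),
            # Assumption: -1 is 0xFFFFFFFF printed as a signed number.
            "metric": int(attrs.get("metric", 0)) & 0xFFFFFFFF,
            "error": int(attrs["error"]) if "error" in attrs else None,
        })
    return defaults


def effective_default(text):
    """Lowest metric wins; None if the table has no default at all."""
    defaults = parse_defaults(text)
    return min(defaults, key=lambda r: r["metric"]) if defaults else None


def drop_gateways(text):
    """Simulate every discovered router disappearing."""
    return "\n".join(line for line in text.splitlines()
                     if not line.startswith("default via"))


if __name__ == "__main__":
    print("tunnel up:  ", effective_default(SAMPLE))
    # error -101 is -ENETUNREACH on Linux: the application gets an
    # immediate failure instead of retrying into the void.
    print("tunnel down:", effective_default(drop_gateways(SAMPLE)))
```
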


                          #57
                          That clears up a lot of fog in my brain about IPv6!!! Thanks, Steve!

                          Comment


                            #58
                            My pleasure.

                            Comment


                              #59
                              Originally posted by GreyGeek View Post
                              ... mine has the lowest signal strength at 67%, and I am only 10' from my wireless router! This is the same problem that my other wireless, the WR1043ND, gave me. I am beginning to suspect that it is a problem with the cable modem from TimeWarner.
                              I think I remember reading that you are having "line-dropping" kinds of issues too -- is that correct? Because, if it is, when it happened to me it turned out to be an issue with the physical cable to the house. And of course first I had to replace the cable modem, before I was able to convince TW that there was something wrong on their side of the modem. They have an ability (if you can get to the correct geek) to test the "reflection" of a test signal to your modem, which gives an indication of the conductivity of the cable. In my case, the guy said it was obvious that the reflected signal was only half as strong as it should be, indicating a lot of excess signal loss over the cable. Also it was not stable -- it was rising and falling in strength as he was observing it. I got a new cable in a few days, and among other things the installer found that a cover/shield on the utility box had been installed in such a way as to pinch the cable to my house, probably compromising the insulation and/or the shield layer, but not the center conductor.
                              Last edited by dibl; Jun 14, 2012, 10:09 AM.

                              Comment


                                #60
                                You may be on to something there, Dibl. I went outside and noticed that a root of a tree along the path where the cable was laid was pushing out of the ground next to the trunk, and embedded in the root, almost entirely, was a cable. But, it was too big for the typical coax and is probably the fiber optic cable that was laid in the early 1990's and is still dark.


                                I followed the cable to the pedestal and saw this:
                                [Image: 100_4136.jpg]

                                all out in the open, no protection from dust, dirt, rain, ice or snow. The last time that connection was touched was when we dropped cable tv five years ago.
                                Last edited by GreyGeek; Jun 14, 2012, 11:32 AM.

                                Comment
