On 13 May 2017, at 13:54, Tony Langdon <vk3jed(a)vkradio.com> wrote:
> Actually, a lot of routers block all inbound traffic by default, so the
> situation shouldn't change too much. Scanning my IP will be too
> inefficient with IPv6 as well, because the address space is vast, and
> the majority of IPs in a given network are unused. Will be interesting
> to see how malware adapts.

Let me show you a practical example :)

Imagine that you are sitting behind a misconfigured IPv6 router which
doesn't block incoming connections. A hotel hotspot for example. I guess
it's going to be commonplace.

Now, you are visiting a website. Thanks to RFC4941 your computer has a
temporary IPv6 address used for the purpose of originating outgoing
connections. That address, moreover, doesn't have any identifying
information.

So, you visit the website. The website uses an advertising system that
of course wants to track you. You are using "private" settings in your
browser so that it doesn't store cookies or website data. However, you
happen to have your trusty ssh daemon listening. Which is not unusual.
Who hasn't forgotten to disable it now and then?

Now, the advertiser tries to connect to your ssh daemon. Finding it with
a scan wouldn't be feasible, of course, there are too many addresses to
try. But you have revealed it by visiting the website and, hence,
downloading an ad from the dodgy ad server. The dodgy ad server knows
your IPv6 address and connects back. Your ssh server offers a public
host key, which is indeed identifiable data. They will know that you are
the same user who visited yesterday from the airport in another city.

I like to compare IPv4 to land war (you are protected behind a strong
defense) and IPv6 to maritime war. Finding you beyond the horizon can be
really difficult unless you reveal yourself by turning on the radar
(i.e., visiting that website, joining a file sharing p2p network, sending
an email through a provider that displays all the IP addresses in the
mail headers, whatever).

There is a simple solution to this. Programs listening on INADDR_ANY
shouldn't receive incoming connections by default, so daemons such as
ssh or whatever you have there running shouldn't receive it unless
specified by the programmer (it can be important in certain cases).

But for now your temporary addresses are treated like, well, IPv6
addresses by all the OSs I have tried. So your ssh is listening on all of
them ;)

Borja.
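
An added example, not part of Borja's message: one way to audit the condition described above on a Linux host is to list the TCP listeners bound to the IPv6 wildcard address, since those accept connections on every address the host holds, RFC 4941 temporary ones included. It parses the /proc/net/tcp6 layout; the sample lines are constructed and assume a little-endian host, and the function names are this example's own.

```python
import ipaddress
import struct

# Constructed sample in /proc/net/tcp6 layout (little-endian host); not captured data.
_TAIL = "00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0"
SAMPLE = "\n".join([
    "  sl  local_address remote_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode",
    # sshd bound to :: port 22, state 0A (LISTEN)
    "   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A " + _TAIL,
    # a daemon bound to ::1 port 631 only
    "   1: 00000000000000000000000001000000:0277 00000000000000000000000000000000:0000 0A " + _TAIL,
    # an established outgoing connection from 2001:db8::1 (state 01), not a listener
    "   2: B80D0120000000000000000001000000:C350 B80D0120000000000000000002000000:01BB 01 " + _TAIL,
])


def decode_addr(hex_addr):
    """Decode the kernel's 32-hex-digit IPv6 form (four host-order 32-bit words)."""
    words = struct.unpack(">4I", bytes.fromhex(hex_addr))  # the words as printed
    raw = struct.pack("<4I", *words)  # undo the little-endian word order
    return ipaddress.IPv6Address(raw)


def listeners(text):
    """Return (address, port) for every socket in LISTEN state."""
    found = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":  # 0A == TCP_LISTEN
            continue
        addr_hex, port_hex = fields[1].split(":")
        found.append((decode_addr(addr_hex), int(port_hex, 16)))
    return found


def wildcard_ports(text):
    """Ports listening on ::, i.e. reachable via any address, temporary ones too."""
    return sorted(port for addr, port in listeners(text) if addr.is_unspecified)


if __name__ == "__main__":
    for port in wildcard_ports(SAMPLE):
        print(f"port {port} listens on :: (all addresses, including temporary ones)")
```

On a real host, pass the contents of /proc/net/tcp6 instead of SAMPLE; a daemon that shows up here can be restricted with its own listen-address setting or by a host firewall rule.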