Adventures in IPv6

18 February 2017

Because I use a home ISP that supports IPv6 and has done for quite a few years, I have been using IPv6 for some time. But recently a problem meant that I was losing IPv6 connectivity. IPv4 was working fine so only a minor hiccup. But the process of investigating this I learnt quite a bit about IPv6 and I thought I would document this here. It might help someone else.

Addresses

IPv6 addresses are 128 bits long and are written down in a standard notation, this looks like:
fe80::224:d7ff:feec:e7ec
::1
2a00:1450:4009:80f::200e

It is rare to have a completely populated address, so the notation allows for shortening the bits of the address that are zero. So the address ::1 is all zero except for the last bit. Also the CDIR format of showing the number of significant bits is often used. When used in some commands the interface to send on is specified with a %eth0 suffix

There are several types of IP address, and they can be recognised by the most significant part of the address. These are the ones I came across.

::1/128 this is the loopback address same as 127.0.0.1
fe80::/64 anything staring with fe80 is a link local address. A bit like 10.x.x.x or 192.168.x.x and can only be used on a single link
ff0X::   These are multicast addresses. the most useful ones are
ff02::1 All nodes in the link-local
ff02::2 All routers in the link-local

Configuration

IPv6 has been designed for auto-configuration, so an endpoint should not have to have anything set in order to use a network. Everything is automatic.

The link local address is automatically calculated from the MAC address of the interface, it should be there for any interface that is connected regardless of the network supporting IPv6 or not. You can display the IP addresses with ifconfig (or ipconfig on windows) or ip -6 address show

Neighbor discovery protocol allows the discovery the link local addresses of locally connected interfaces. We do this with a ping or as it is more formally known via Internet Control Message Protocol version 6 (ICMPv6) to a multicast address.

$ ping6 -c2 ff02::1%eth0

$ ping6 -c2 ff02::1%eth0
PING ff02::1%eth0(ff02::1%eth0) 56 data bytes
64 bytes from fe80::3e98:c0ee:51ae:b461%eth0: icmp_seq=1 ttl=64 time=0.072 ms
64 bytes from fe80::1e74:dff:fe2c:b897%eth0: icmp_seq=1 ttl=64 time=2.53 ms (DUP!)
64 bytes from fe80::3e98:c0ee:51ae:b461%eth0: icmp_seq=2 ttl=64 time=0.059 ms

--- ff02::1%eth0 ping statistics ---
2 packets transmitted, 2 received, +1 duplicates, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.059/0.887/2.532/1.163 ms

This should give you a response form the link local of that interface, and anything else that has an IPv6 interface on that network segment. But

$ ping6 -c2 ff02::2%eth0
PING ff02::2%eth0(ff02::2%eth0) 56 data bytes
64 bytes from fe80::1e74:dff:fe2c:b897%eth0: icmp_seq=1 ttl=64 time=2.58 ms
64 bytes from fe80::1e74:dff:fe2c:b897%eth0: icmp_seq=2 ttl=64 time=0.946 ms

--- ff02::2%eth0 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.946/1.764/2.582/0.818 ms

will only give responses from routers on the segment. So now we have local addresses sorted, we need to get a routeable IPv6 address. There are a number of ways this can happen, most commonly this uses Stateless Address Autoconfiguration (SLAAC).

The steps in getting a Global scope IPv6 address then are first to find the router. This is either from the response to a Router Solicitation (RS) ICMPv6 message, or from just listening as a router will periodically send out a Router Advertisement (RA).

Wireshark Capture

Wireshark capture of IPv6 address auto-configuration

Lets step through the auto-configuration process. The first step is setting the Link Local address, this is configured from the MAC address, but there still could be conflicts. in packet 83 we send a neighbour solicitation out for the address we want to use. If nobody responds then we go ahead and use that address, packet 97.

The next important bit is the Router Solicitation, and Router Advertisement. Routers will send out a Router Advertisement periodically to the multicast address ff02::1 periodically, but can be prompted by Router Solicitation, packets 118 & 119. The Router Advertisement is displayed in the packet analysis window, and we can see the Prefix information as well as DNS servers from the router.

Next is packet 141 where we send out a Neighbor Solicitation for 2001:8b0:1679:ea38:cf58:def3:b993:1412 to check that nobody else is using this address. If nobody replies then we go and use this address.


Password Managers

7 February 2017

Lastpass Screenshot

I am constantly surprised that ordinary people don’t use password managers. I would expect most security professionals to use them, but even there I find many do not use a password manager.

So what is a Password manager? Basically a database that stores usernames and passwords for you. The data is encrypted with a master password so you do have to remember that one password. When you visit a site or start an application that needs a password the password manager fills in the credentials for you.

Why is this better than what I do at the moment? If you don’t use a password manager then you must be doing one of the following:

1. Use the same password, or a small set of passwords on many sites.

This is a bad idea, mostly because if one of those sites is compromised then you will need to change your password on all the sites you have used that password on. Can you remember all of those sites? How long will it take you to do that?

2. Write passwords down.

Actually this is not too bad, as long as you look after the password book. You can do some things to make sure that if the book is stolen then it doesn’t immediately compromise all your passwords. But if you lose that book how do you go about changing your passwords?

3. Use an algorithm to generate the password for each site.

It could be paper based or something you can remember and do in your head or a combination. Usually you use the domain name of the site to work out your password. The problem here is if that site is compromised then you have to change your password, lots of these and you have a long list of exceptions, or alternative methods for passwords. It will soon become unmanageable.

Software to the rescue.

So the answer is to use a password safe software. There are a number of systems available. I recommend both lastpass and keepass. Lastpass is internet based, and implemented through a browser plugin whereas keepass is an application you run locally on your machine.

Both allow you to store usernames, passwords and the URL of the login page. Both have a master password to encrypt the password store, and only decrypt the password in memory on the local machine.

Keepass has a local database, but this can be synced with other machines with a Dropbox, GDrive, OneDrive, or even sftp. Because the database is only decrypted in memory this is safe. Keepass is open source and there are clients for all desktop operating systems, and some mobile as well. There is a huge range of extensions to extend the basic functionality.

I personally use lastpass, but I also regularly export my keystore and import it into keepass so I have a backup.

So why is this good.

1. you have a different password on every site. OK if you don’t have this when you start you can progress towards this. Because you only have to remember one password, there is no effort in having a different password for every site.

2. You use long, randomly generated passwords. These systems will generate a new password for you, so you may as well make it long and complex as you don’t have to remember it. And that makes you much more secure. So when you set up a new account or change an existing password, generate it randomly and a make it 16 characters long (if the site accepts this).

3. Your password manager checks the domain you are visiting and will only enter the amazon password into the page at amazon.com not amason.com amaz0n.com amazom.com arnazon.com

4. Use your password manager as your bookmarks, if you need to visit your bank, select it in the password manager and it will go there and log you on.

5. Use you password manager to store password recovery information. Because you are using a password manager you don’t need to be able to recover a forgotten password, but some sites insist on this. Never answer the security questions with the correct information, if they want your mothers maiden name put something random in there, otherwise it may be possible to have your account taken over using the password recovery process.

6. You can use this to store and auto fill other sensitive information like Name, address, credit card numbers etc. This avoids storing cards on a website, from where it may be compromised. And because it is automated just as fast as having the website store the data.

So if you have read this far you should be totally convinced and ready to start using a password manager now. Well done.