Help me understand Windows 7 file-sharing security, in the presence of IPv6

VirtualLarry

No Lifer
Aug 25, 2001
With IPv4, and a NAT router, none of the local LAN IPs are reachable from the internet, unless you intentionally use the DMZ or port-forwarding feature of your router.

Now that IPv6 is upon us, and the "death of NAT", how do I protect myself from roaming internet hackers?

My understanding is that there is a link-local IPv6 address, as well as a global IPv6 address, assigned to each NIC on the LAN that supports IPv6.

My question is, how does Windows 7 file-sharing work with that?

Does it only bind to the link-local IPv6 address? In which case, I probably wouldn't have to worry that it is routable.

Or does it bind to everything, and now I have to worry about crafting firewall rules to deny incoming access to Windows 7 file-sharing on all of my boxes?
 

Gryz

Golden Member
Aug 28, 2010
I don't know the inner workings of Microsoft's magic. So I cannot answer your question directly.

But if I knew the answer, and it was: "it binds to a link-local address", would that be good enough for you? Do you trust me to give you the right answer? Would you trust Microsoft's manuals? Even if you tested it yourself, do you trust that Microsoft might not change the behaviour in one of their upcoming patches? If you trust Microsoft to do the right thing with file-sharing, would they also do the same thing with RDP? Or would RDP be reachable via IPv6 from all over the Internet? What about other MS applications? What about other applications?

The answer is, no matter what Microsoft does with link-local addresses, you cannot trust all the software on your PC. And you'll have to use additional security. That means a firewall. Hopefully your cable/DSL router has built-in firewall features. And hopefully it has an easy GUI, so you can configure it. And hopefully it has no glaring bugs. And hopefully you know what you are doing, because mistakes are easily made.

The IPv6 community has always yelled that it would be a benefit for everybody if we would get rid of NAT altogether. When pointed to the side-effect that NAT has for security, they always cheered "NAT is no security, you'll need a real firewall anyway". Ignoring the fact that hundreds of millions of simple end users have depended on this side-effect for their security. With reasonable success.

My ISP does IPv6 to every customer. It is the first thing I disable when I configure stuff. Both on my PC and on my router. I might start using IPv6 some day. Because I'll be forced. But it won't happen in the next decade. And when I enable IPv6, the second thing I will do will be to enable NAT for IPv6. I like NAT.

I hope someone here knows the answer to your question.
I am very interested to find out.

PS. If you have CIFS running on IPv6 now, you should be able to do "netstat -a" and see for yourself to which addresses the applications bind themselves.
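The `netstat -a` check suggested above, automated, as an added example that is not part of the thread. The Python script parses the output of `netstat -ano` on Windows (a constructed sample in that format is embedded; on a real machine pipe the real output in on stdin) and reports, per listener, whether the bound address is a wildcard, link-local, unique-local or global, and what that implies for reachability. The point it makes visible is that a listener on `[::]:445` is bound to every IPv6 address the host has, the ISP-prefixed global one included, which is exactly the case the opening post worries about. PIDs and addresses in the sample are made up, and `2001:db8::/32` (the documentation prefix) stands in for a real ISP delegation and is therefore treated as global.

```python
"""Which addresses do a Windows host's listeners bind to, and what can reach them?

Added example. The netstat text below is a constructed sample in the format of
`netstat -ano` on Windows 7, not a capture from a real machine; PIDs and
addresses are made up and 2001:db8::/32 stands in for a real ISP prefix.
"""
import ipaddress
import re
import sys

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       724
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49501     203.0.113.5:443        ESTABLISHED     2960
  TCP    [::]:135               [::]:0                 LISTENING       724
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [fe80::1c2b:3d4e:5f60:7a8b%11]:5357  [::]:0   LISTENING       4
  TCP    [2001:db8:1234:5678:1c2b:3d4e:5f60:7a8b]:3389  [::]:0  LISTENING  1112
  UDP    [::]:5355              *:*                                    1288
"""

LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)

LINK_LOCAL6 = ipaddress.ip_network("fe80::/10")
ULA6 = ipaddress.ip_network("fc00::/7")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_endpoint(endpoint):
    """'[fe80::1%11]:5357' -> ('fe80::1', 5357); '0.0.0.0:445' -> ('0.0.0.0', 445)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and the zone index
    return host, int(port)


def classify(host):
    """Scope of a bound address. 2001:db8::/32 is treated as global on purpose:
    it is the documentation prefix standing in for an ISP-delegated one."""
    ip = ipaddress.ip_address(host)
    if ip.is_unspecified:                     # 0.0.0.0 or :: -> every address of that family
        return "wildcard-v6" if ip.version == 6 else "wildcard-v4"
    if ip.is_loopback:
        return "loopback"
    if ip.version == 6:
        if ip in LINK_LOCAL6:
            return "link-local"               # on-link only, never routed
        if ip in ULA6:
            return "unique-local"             # routable inside the site, not on the internet
        return "global"
    return "rfc1918" if any(ip in n for n in RFC1918) else "public-v4"


EXPOSURE = {
    "wildcard-v4": "all IPv4 addresses; from the internet only via NAT port-forward/DMZ",
    "wildcard-v6": "all IPv6 addresses, the ISP-prefixed global one included",
    "link-local": "same link only",
    "unique-local": "inside the site only",
    "global": "internet, unless an upstream firewall blocks it",
    "rfc1918": "LAN only (behind NAT)",
    "public-v4": "internet, unless an upstream firewall blocks it",
    "loopback": "this host only",
}


def parse_listeners(text):
    """Return the listening sockets in a `netstat -ano` dump with their scope."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                            # headers, blanks
        if m.group("proto") == "TCP" and m.group("state") != "LISTENING":
            continue                            # only listeners take unsolicited inbound traffic
        host, port = split_endpoint(m.group("local"))
        rows.append({"proto": m.group("proto"), "host": host, "port": port,
                     "pid": int(m.group("pid")), "scope": classify(host)})
    return rows


def internet_reachable(rows):
    """(proto, port) pairs an off-site host can reach once the global prefix is routed
    and nothing upstream filters. IPv4 wildcards are left out: the thread's premise
    is a NAT router in front of them; nothing translates or hides the IPv6 side."""
    return sorted({(r["proto"], r["port"]) for r in rows
                   if r["scope"] in ("wildcard-v6", "global", "public-v4")})


def main():
    text = SAMPLE_NETSTAT if sys.stdin.isatty() else sys.stdin.read()
    rows = parse_listeners(text)
    for r in rows:
        print(f'{r["proto"]:<4} {r["host"]:<40} {r["port"]:>6} pid {r["pid"]:<6} '
              f'{r["scope"]:<12} -> {EXPOSURE[r["scope"]]}')
    print("reachable from the internet:", internet_reachable(rows))


if __name__ == "__main__":
    main()
```

On a live Windows 7 box: `netstat -ano | python audit.py`. PID 4 is the System process, which is where the SMB server (srv/srvnet) lives, so a `[::]:445` line owned by PID 4 is the file-sharing service itself, not a third-party program.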
 

lif_andi

Member
Apr 15, 2013
Firewalls are the reason your computer has not been invaded by nasty aliens. Firewalls will keep doing that for you for as long as you have it turned on, regardless of IP version number. Also I'm pretty sure that you can trust MS to not leave your computer wide open for the fun of it. Regardless of what many people think, they take security seriously. So relax, and remember to keep your firewall turned on, and your seatbelt fastened.
 

Railgun

Golden Member
Mar 27, 2010
Personally, I always disable my Windows FW. I let Windows be an OS and a FW be a FW.

That said, you still have to permission inbound requests. If there wasn't a FW, I wouldn't want a SW FW that Windows is to handle the crap that would come in.
 

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
My guess is it will be a crapshoot and they'll end up bringing NAT back. I see multiple issues that will arise from lack of NAT:

1: No self control of your local network's IP addressing. Ex: I have a 10.x.x.x all to myself, and I can do what I want with it. With IPv6 you will get IP assignments from your ISP. If you change ISP, all your IPs change and you have to go update all your DNS records and anything that points to IPs. Imagine a big company like Google that has a lot of printers. Their service provider changes the range on them or they change service providers. Now an IT guy has to run around and change all the IPs on the printers while server techs update DNS and change server IPs etc. Not feasible. I suppose you could use DHCP static mappings instead of setting it on each device, but still have to go through all the entries and change it.

2: ISPs may see dollar signs and instead of giving you a /64 or whatever the standard states, they'll give you maybe 8 IPs, then you'll have to pay extra to get more.

3: Lack of central management. Since the IPs will be routable to the internet, and not to your own local device, you will need to protect each device individually. If your internet goes down, they also won't be able to talk to each other. People who really know what they are doing will probably be able to set up a local router that does internal routing and also acts as a central firewall, but the average Joe won't know how to do that and they'll just throw in a Linksys or D-Link switch and call it a day, since NAT routers will no longer exist/work with IPv6.

What I foresee is either traditional NAT will make a come back, or, assuming ISPs don't start to get cheap with how many IPs they give you, we might see a 1:1 NAT standard, that way your local IPs stay local but when they go out they bind to their own external IP.

TBH I'm actually surprised it's taking so long for IPv6 to come in, because the last IPv4 range was actually used up several years back. Guess some must have been released/sold/bought and ISPs are managing ok.
 

Railgun

Golden Member
Mar 27, 2010
My guess is it will be a crapshoot and they'll end up bringing NAT back. I see multiple issues that will arise from lack of NAT:

1: No self control of your local network's IP addressing. Ex: I have a 10.x.x.x all to myself, and I can do what I want with it. With IPv6 you will get IP assignments from your ISP. If you change ISP, all your IPs change and you have to go update all your DNS records and anything that points to IPs. Imagine a big company like Google that has a lot of printers. Their service provider changes the range on them or they change service providers. Now an IT guy has to run around and change all the IPs on the printers while server techs update DNS and change server IPs etc. Not feasible. I suppose you could use DHCP static mappings instead of setting it on each device, but still have to go through all the entries and change it.


TBH I'm actually surprised it's taking so long for IPv6 to come in, because the last IPv4 range was actually used up several years back. Guess some must have been released/sold/bought and ISPs are managing ok.

You assume that Google and the like don't have their own space. The ISP is independent. If I'm allocated some IP space, I can go to Verizon, L3, Bob's Internet-o-Rama and advertise my space with no effect on my back end save for the border router.

And regarding the last point, we are not out of IPv4 space. The RIRs are just issuing under a different plan.
 

lif_andi

Member
Apr 15, 2013
My guess is it will be a crapshoot and they'll end up bringing NAT back. I see multiple issues that will arise from lack of NAT:

1: No self control of your local network's IP addressing. Ex: I have a 10.x.x.x all to myself, and I can do what I want with it. With IPv6 you will get IP assignments from your ISP. If you change ISP, all your IPs change and you have to go update all your DNS records and anything that points to IPs. Imagine a big company like Google that has a lot of printers. Their service provider changes the range on them or they change service providers. Now an IT guy has to run around and change all the IPs on the printers while server techs update DNS and change server IPs etc. Not feasible. I suppose you could use DHCP static mappings instead of setting it on each device, but still have to go through all the entries and change it.

2: ISPs may see dollar signs and instead of giving you a /64 or whatever the standard states, they'll give you maybe 8 IPs, then you'll have to pay extra to get more.

3: Lack of central management. Since the IPs will be routable to the internet, and not to your own local device, you will need to protect each device individually. If your internet goes down, they also won't be able to talk to each other. People who really know what they are doing will probably be able to set up a local router that does internal routing and also acts as a central firewall, but the average Joe won't know how to do that and they'll just throw in a Linksys or D-Link switch and call it a day, since NAT routers will no longer exist/work with IPv6.

What I foresee is either traditional NAT will make a come back, or, assuming ISPs don't start to get cheap with how many IPs they give you, we might see a 1:1 NAT standard, that way your local IPs stay local but when they go out they bind to their own external IP.

TBH I'm actually surprised it's taking so long for IPv6 to come in, because the last IPv4 range was actually used up several years back. Guess some must have been released/sold/bought and ISPs are managing ok.

1. In IPv6 you have total control over your local addressing scheme. Google it. There are different types of addresses, and your NIC can have multiple IPv6 addresses simultaneously.

2. Although there really is no way of knowing, I think we can speculate that IP address prices will go way down (given that we can have 3.4×10^38 addresses, which is a lot btw) and ISPs will just charge you for their services (routing, tech, tech support etc).

3. You can have all the central management you will want. Like with all things computer, if you know what you're doing, you can rule your own world.

We are taking several shortcuts to extend the life of IPv4, for some valid reasons and some not so valid. Mobile users are getting 10.x.x.x numbers and I've seen people in the US actually having non-routable IP addresses from some ISPs. We are reaching a breaking point, and the dam will break.
 

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
Not everyone will be able to afford getting their own space though, and even then, isn't it still controlled by the ISP? If they switch ISP then wouldn't they have to buy ranges from their new ISP? Or is there a way to "port out" IP addresses like with phone numbers?
 

lif_andi

Member
Apr 15, 2013
The primary reason ISPs rule the internet, is because they control the routing, and they own the forwarding equipment. Control the paths, and you control the internet :D

Us guys here on Anand, we can start competing with the internet, using IPv6 numbers, just get some good switches and routers and let's go :)

But guys, you should google something serious about IPv6 and learn about it a little, it's really not so bad.
 

Railgun

Golden Member
Mar 27, 2010
Not everyone will be able to afford getting their own space though, and even then, isn't it still controlled by the ISP? If they switch ISP then wouldn't they have to buy ranges from their new ISP? Or is there a way to "port out" IP addresses like with phone numbers?

ISPs don't own any of it. The RIRs do, and subsequently IANA does. ISPs are given blocks, albeit larger ones just as google, Apple, etc do.
 

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
How does that work for routing then? I always thought the ISPs controlled how traffic gets routed, and setup all the routes and what not. Or does that change with ipv6, and the routing protocols just work globally? So if I have IP address range starting with 1.2.3.4 (I know that's not ipv6 but just an example) I can plug my equipment literally anywhere in the world with that IP and it still works?
 

Railgun

Golden Member
Mar 27, 2010
How does that work for routing then? I always thought the ISPs controlled how traffic gets routed, and setup all the routes and what not. Or does that change with ipv6, and the routing protocols just work globally? So if I have IP address range starting with 1.2.3.4 (I know that's not ipv6 but just an example) I can plug my equipment literally anywhere in the world with that IP and it still works?

It doesn't work like that and really starts towards a different topic. But there are general rules and guidelines to how it works from an ISP level and other entities.
 

VirtualLarry

No Lifer
Aug 25, 2001
Firewalls are the reason your computer has not been invaded by nasty aliens. Firewalls will keep doing that for you for as long as you have it turned on, regardless of IP version number. Also I'm pretty sure that you can trust MS to not leave your computer wide open for the fun of it. Regardless of what many people think, they take security seriously. So relax, and remember to keep your firewall turned on, and your seatbelt fastened.

But if the CIFS service is listening on the IPv6 address, how do I firewall it off from the internet, but still allow my LAN access? If all of my IPv6 IPs are public?

My understanding is that the NIC gets assigned a local (LAN) IPv6, and a public IPv6, somehow derived from the ISP-advertised prefix, and the NIC's MAC address.

So, possibly, the firewall knows the difference between the LAN prefix and the ISP prefix as far as the IPv6 IPs go. Let's hope so.

It really wasn't so long ago, with dial-up modems connected to the Internet with Windows 9x, that one could simply connect to a certain port on a random IP address, access the hidden "C$" share, and have read/write access to the computer's OS root directory!

I really hesitate to "trust" MS in this matter.

Edit: Also, I don't think that it is firewalls, per se, that have kept consumer PCs safe, but rather NAT. If you left the Windows 7 firewall enabled, but set it to "home" network, but had all of the PCs in DMZ (hypothetically - just assume for this example that you have more than one public IPv4 address), wouldn't your Windows file-sharing ports be exposed just the same?
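The derivation described in the post above ("somehow derived from the ISP-advertised prefix and the NIC's MAC address") is modified EUI-64 (RFC 4291, Appendix A): the 48-bit MAC is split, `ff:fe` is inserted between the vendor OUI and the device part, the universal/local bit (0x02 of the first octet) is flipped, and the 64-bit result is appended to the /64 prefix from the router advertisement. The Python below is an added example, not code from the thread; the MAC and the `2001:db8:...` prefix are made up (`2001:db8::/32` is the documentation range). It carries the derivation in both directions, which is the practitioner's reason to care: an EUI-64 address hands an outsider the exact MAC, and through its OUI the NIC vendor, and shrinks the part of the 64-bit identifier that has to be guessed to 24 bits. That is why Windows Vista and later form a random interface identifier by default instead of EUI-64 (`netsh interface ipv6 show global` reports the "Randomize Identifiers" setting) and add RFC 4941 temporary addresses on top.

```python
"""Modified EUI-64: MAC -> interface identifier -> SLAAC address, and back.

Added example. The MAC and the 2001:db8:... prefix are made up; 2001:db8::/32
is the documentation range standing in for a real ISP delegation.
"""
import ipaddress


def mac_to_iid(mac):
    """48-bit MAC -> 64-bit modified EUI-64 interface identifier (RFC 4291 App. A):
    insert ff:fe between the OUI and the device part, flip the U/L bit (0x02)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix, mac):
    """Global address a SLAAC host using EUI-64 identifiers forms from the RA's /64."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 6 or net.prefixlen != 64:
        raise ValueError("SLAAC needs an IPv6 /64")
    iid = int.from_bytes(mac_to_iid(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def iid_to_mac(addr):
    """The outsider's view: recover the MAC from an EUI-64 address, or None when the
    identifier is not EUI-64 (random and temporary identifiers carry no ff:fe marker)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def identifier_search_space(addr):
    """Identifiers an outsider who knows the /64 and the NIC vendor has to try to hit
    this host: with EUI-64 only the 24-bit device part varies; with a random
    identifier effectively the whole 64 bits do."""
    return 2 ** 24 if iid_to_mac(addr) is not None else 2 ** 64


if __name__ == "__main__":
    mac = "00:1b:21:ab:cd:ef"                      # made-up MAC
    addr = slaac_address("2001:db8:1:2::/64", mac)  # made-up prefix
    print(mac, "->", addr)
    print(addr, "->", iid_to_mac(addr), "search space", identifier_search_space(addr))
    random_iid = "2001:db8:1:2:1c2b:3d4e:5f60:7a8b"
    print(random_iid, "->", iid_to_mac(random_iid), "search space", identifier_search_space(random_iid))
```

`ipconfig /all` on a Windows 7 host shows the result of the same choice: an "IPv6 Address" whose last 64 bits contain `ff:fe` in the middle is EUI-64, one without it is a randomized identifier, and the "Temporary IPv6 Address" lines are the RFC 4941 addresses the host uses as source for outgoing connections.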
 

Gryz

Golden Member
Aug 28, 2010
When I used the word "firewall" in this thread, I meant a device at the edge of your network that filters and monitors traffic coming into your network. That device can be a separate device. Or it could be your access router, that is configured with ACLs and other security features. As long as it is physically between your internal network and the big bad outside world.

I did not mean "some random piece of software that runs on your PC".

The idea of firewalls was: you have a hard shell that protects you from the outside. And then you can have a soft and squishy "inside". It means you focus your attention for security on the firewall. And you can relax about the security of all the internal devices.

Then Microsoft came, and totally wrecked terminology (like they always do). Putting software on your PC might help a bit. But if I didn't trust Microsoft to implement proper security in their CIFS implementation, why would I trust them when they build a software firewall ?
 

Gryz

Golden Member
Aug 28, 2010
But if the CIFS service is listening on the IPv6 address, how do I firewall it off from the internet, but still allow my LAN access? If all of my IPv6 IPs are public?
By having a firewall (a device) between your internal network and the outside world. All traffic entering your network can then be filtered. All your security-policy should be configured on the firewall.

My understanding is that the NIC gets assigned a local (LAN) IPv6, and a public IPv6, somehow derived from the ISP-advertised prefix, and the NIC's MAC address.
Correct.

So, possibly, the firewall knows the difference between the LAN prefix and the ISP prefix as far as the IPv6 IPs go. Let's hope so.
You are talking about the software firewall on a server, right? As I mentioned before, I wouldn't trust it. But yes, it could make a distinction, but you probably will have to configure it manually.

The reason is, if you only want to use link-local addresses, then machines on another subnet inside your internal network would not be able to connect to the file-server. That would cause a lot of confusion on small and medium networks, that consist of multiple subnets. So you can bet your ass that Microsoft does what they always do. They give preference to convenience over security. And the CIFS server will be allowed to accept connections from off its own subnet. And then a firewall can not know whether a remote subnet is part of your home-network, or somewhere far away in china.

Edit: Also, I don't think that is it firewalls, per se, that have kept consumer PCs safe, but rather, NAT. If you left the Windows 7 firewall enabled, but set it to "home" network, but had all of the PCs in DMZ (hypothetically - just assume for this example that you have more than one public IPv4 address), wouldn't your Windows' file-sharing ports be exposed just the same?
Yes. And yes, you are correct that you need additional security over what MS is offering. A configured firewall could be a solution (a separate device, or ACLs on your access router). But NAT does have the side-effect that it works as a fantastic stateful firewall too. No UDP gets in, unless there was already a UDP flow in the outgoing direction. No TCP connection gets in, unless it was initiated by a machine on your internal network. Exactly what we want. And no configuration required. And thus almost no chances to mess it up with human mistakes.
 

VirtualLarry

No Lifer
Aug 25, 2001
Yes. And yes, you are correct that you need additional security over what MS is offering. A configured firewall could be a solution (a separate device, or ACLs on your access router). But NAT does have the side-effect that it works as a fantastic stateful firewall too. No UDP gets in, unless there was already a UDP flow in the outgoing direction. No TCP connection gets in, unless it was initiated by a machine on your internal network. Exactly what we want. And no configuration required. And thus almost no chances to mess it up with human mistakes.

Will future consumer firewalls offer an "Adaptive Firewall" for use with IPv6, basically the same firewall features of NAT, without the NAT? So all incoming is automatically denied, to all internal IPv6 addresses, unless an outbound connection was made, then it allows incoming packets to that port and that IPv6 IP.

Because that's about the only way it should work, for a consumer firewall. Otherwise, you have to hardcode IPs and include/exclude rules, which is a pain.
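The behaviour asked for above is stateful inspection on the edge device with no address translation in it: record every flow a host on the inside opens, admit from the outside only packets that match a recorded flow, drop everything else. The model below is an added example, not code from any router mentioned in the thread; the interface names, addresses and idle timeout are assumptions and `2001:db8::/32` is the documentation range. It keeps a flow table keyed on the 5-tuple with an idle timeout (the way a NAT mapping expires), supports the explicit "hardcode IP and port" allow rule as the alternative for services that must be reachable, and passes the ICMPv6 error types RFC 4890 says a firewall must not drop. That last point is the caveat a NAT-shaped rule set misses: dropping all ICMPv6 breaks path-MTU discovery, which IPv6 routers rely on because they never fragment.

```python
"""Stateful ("adaptive") inbound filter for IPv6 without NAT.

Added example, not code from any router mentioned in the thread. Interface
names, addresses and the idle timeout are assumptions; 2001:db8::/32 is the
documentation range.
"""
from dataclasses import dataclass
from typing import Optional

# ICMPv6 error types RFC 4890 says a firewall must not drop: destination
# unreachable, packet too big (path-MTU discovery), time exceeded, parameter problem.
ICMPV6_ESSENTIAL = {1, 2, 3, 4}


@dataclass(frozen=True)
class Packet:
    iface: str                  # "lan" or "wan": the side the packet arrived on
    proto: str                  # "tcp", "udp" or "icmpv6"
    src: str
    sport: int
    dst: str
    dport: int
    icmp_type: Optional[int] = None


class AdaptiveFirewall:
    """Default-deny on the wan side; admit only replies to flows the inside opened,
    plus whatever was explicitly allowed with allow_inbound()."""

    def __init__(self, idle_timeout=60):
        self.idle_timeout = idle_timeout
        # (proto, inside_ip, inside_port, outside_ip, outside_port) -> last time seen
        self.flows = {}
        self.static_allows = set()   # (proto, inside_ip, inside_port)

    def allow_inbound(self, proto, inside_ip, inside_port):
        """The hand-written alternative: a hole for one service on one host."""
        self.static_allows.add((proto, inside_ip, inside_port))

    def handle(self, pkt, now):
        """Return 'accept' or 'drop' for pkt; `now` is a clock in seconds, used for timeouts."""
        if pkt.iface == "lan":
            # Anything from the inside goes out and opens a hole for its replies.
            self.flows[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
            return "accept"
        # wan side: unsolicited traffic never reaches a LAN host, whatever it listens on.
        if pkt.proto == "icmpv6" and pkt.icmp_type in ICMPV6_ESSENTIAL:
            return "accept"        # a real device also matches the embedded header to a flow
        if (pkt.proto, pkt.dst, pkt.dport) in self.static_allows:
            return "accept"
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reverse of the outbound key
        last = self.flows.get(key)
        if last is None:
            return "drop"
        if now - last > self.idle_timeout:
            del self.flows[key]    # stale: the hole closes like an expiring NAT mapping
            return "drop"
        self.flows[key] = now      # refresh, as connection tracking does on every packet
        return "accept"


if __name__ == "__main__":
    lan_host = "2001:db8:1:2:21b:21ff:feab:cdef"   # a PC on the inside (made up)
    outside = "2001:db8:ffff::80"                   # some host on the internet (made up)
    fw = AdaptiveFirewall(idle_timeout=60)
    script = [
        ("unsolicited SMB from outside", Packet("wan", "tcp", outside, 50000, lan_host, 445), 0),
        ("PC opens HTTPS to outside", Packet("lan", "tcp", lan_host, 51000, outside, 443), 1),
        ("HTTPS reply", Packet("wan", "tcp", outside, 443, lan_host, 51000), 2),
        ("same peer, SMB port", Packet("wan", "tcp", outside, 443, lan_host, 445), 2),
        ("packet-too-big for PMTUD", Packet("wan", "icmpv6", outside, 0, lan_host, 0, 2), 3),
        ("HTTPS reply after idle timeout", Packet("wan", "tcp", outside, 443, lan_host, 51000), 200),
    ]
    for label, pkt, t in script:
        print(f"t={t:>3} {label:<32} {fw.handle(pkt, t)}")
```

The two things this does not model are worth knowing before trusting a consumer box that claims the feature: UDP "flows" are only a best guess from the first outbound packet, so a UDP timeout that is too long keeps holes open, and ICMPv6 errors should be tied to the flow whose header they carry rather than admitted outright as done here.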
 

Gryz

Golden Member
Aug 28, 2010
Will future consumer firewalls offer an "Adaptive Firewall" for use with IPv6, basically the same firewall features of NAT, without the NAT. So all incoming is automatically denied, to all internal IPv6 addresses, unless an outbound connection was made, then it allows incoming packets to that port and that IPv6 IP.
I don't know if vendors will offer that in their consumer-grade access routers. But they should. Because without this level of security, IPv6 is going to be very painful for 99% of ISPs' clients.

As I said, my ISP offers IPv6 to all of their customers. The router they give you is a Fritzbox. Very nice little router, with lots of features and frequent software updates. And of course it does IPv6. However, it doesn't seem to have any ACLs. You can configure a list of websites you want to block. And you can configure DMZ-holes in your IPv4 NAT. But I don't see any options in the GUI to configure real access-lists (IPv4 or IPv6). If such an elaborate router doesn't have these features, I fear the worst for other brands.

Of course IPv6 zealots will say that you can't attack an IPv6 router on your home network, because the attacker doesn't know its MAC address, and thus won't know the full IPv6 address of the box it wants to attack. I am not even going to explain why that is bollocks.

Because that's about the only way it should work, for a consumer firewall. Otherwise, you have to hardcode IPs and include/exclude rules, which is a pain.
I fully agree. Yes, it will be a pain. Yes, people will make mistakes.
I am not sure if this will be fixed. I would personally want to see more network-devices that are truly plug-and-play. No configuration required. Or maybe a minimal config required.

However, it seems the industry loves to make stuff more complex. SDN (Software Defined Networking) is a prime example of this. Most (professional!) customers seem to hardly understand how networking works today. And SDN will increase complexity many-fold. Just to solve the problems of a few big networks. It seems the industry is going in the wrong direction. But I digress ...