Should I deploy an IPv4-only server?
The CIS (Center for Internet Security) Benchmarks recommend disabling IPv6 to reduce the attack surface on our systems. I don't know enough about networking to understand whether this is a good idea if you are trying to serve clients that might include both IPv4-only and IPv6-only clients.
Can an IPv4-only server deal with IPv6-only clients?
4 Replies
I don't think that IPv6 is any more or less secure than IPv4… IP is a set of protocols and, as such, only enables inter-network communication. It's the things that are on either end of that communication that are insecure. So, CIS gets a big raspberry from me for making a recommendation like "disabling IPv6 to reduce the attack surface"…they should know better.
I have IPv6 enabled because I use it…so do lots of other people (e.g., US/EU governments & US/EU/NATO militaries). Every piece of a modern Linux kernel is IPv6-aware…and has been for a long time. These days, it's mostly only apps that are not IPv6-aware…
Most of the attacks I see are IPv4. Here's a sample since Saturday, 1/16/2020 @ 00:00 PST (attacks are the Found/Ban pairs):
2021-01-16 07:56:06,953 fail2ban.filter [844]: INFO [sshd] Found 142.44.218.192 - 2021-01-16 07:56:06
2021-01-16 07:56:07,558 fail2ban.actions [844]: NOTICE [sshd] Ban 142.44.218.192
2021-01-16 15:07:13,733 fail2ban.actions [844]: NOTICE [dovecot] Unban 35.131.184.211
2021-01-16 19:56:35,730 fail2ban.filter [844]: INFO [sshd] Found 69.164.193.40 - 2021-01-16 19:56:35
2021-01-16 19:56:35,731 fail2ban.filter [844]: INFO [sshd] Found 69.164.193.40 - 2021-01-16 19:56:35
2021-01-16 19:56:35,849 fail2ban.actions [844]: NOTICE [sshd] Ban 69.164.193.40
2021-01-16 19:56:38,621 fail2ban.filter [844]: INFO [sshd] Found 69.164.193.40 - 2021-01-16 19:56:38
2021-01-16 19:56:39,058 fail2ban.actions [844]: NOTICE [sshd] 69.164.193.40 already banned
2021-01-16 19:56:42,604 fail2ban.filter [844]: INFO [sshd] Found 69.164.193.40 - 2021-01-16 19:56:42
2021-01-16 19:56:43,063 fail2ban.actions [844]: NOTICE [sshd] 69.164.193.40 already banned
2021-01-16 19:56:54,922 fail2ban.filter [844]: INFO [sshd] Found 69.164.193.40 - 2021-01-16 19:56:54
2021-01-16 19:56:55,077 fail2ban.actions [844]: NOTICE [sshd] 69.164.193.40 already banned
2021-01-16 21:50:27,299 fail2ban.filter [844]: INFO [sshd] Found 23.239.31.169 - 2021-01-16 21:50:27
2021-01-16 21:50:27,342 fail2ban.filter [844]: INFO [sshd] Found 23.239.31.169 - 2021-01-16 21:50:27
2021-01-16 21:50:27,476 fail2ban.actions [844]: NOTICE [sshd] Ban 23.239.31.169
2021-01-16 21:50:28,045 fail2ban.filter [844]: INFO [sshd] Found 23.239.31.169 - 2021-01-16 21:50:27
2021-01-17 01:16:36,963 fail2ban.filter [844]: INFO [sshd] Found 188.217.172.44 - 2021-01-17 01:16:36
2021-01-17 01:16:37,017 fail2ban.filter [844]: INFO [sshd] Found 188.217.172.44 - 2021-01-17 01:16:37
2021-01-17 01:16:37,247 fail2ban.actions [844]: NOTICE [sshd] Ban 188.217.172.44
2021-01-17 14:43:55,527 fail2ban.actions [844]: NOTICE [sshd] Unban 76.109.57.66
2021-01-18 04:17:55,527 fail2ban.filter [844]: INFO [sshd] Found 13.76.248.253 - 2021-01-18 04:17:55
2021-01-18 04:17:55,847 fail2ban.actions [844]: NOTICE [sshd] Ban 13.76.248.253
As you can see, 100% of the attacks are via IPv4. From my experience, the attack surface is much greater using IPv4. I can count the number of IPv6 attacks on my Linode since 2013 on one hand.
You write:
Can an IPv4-only server deal with IPv6-only clients?
No. You can set up various (bi-directional) tunneling schemes…usually on your router(s):
https://www.cisco.com/c/en/us/support/docs/ip/ip-version-6/25156-ipv6tunnel.html
However, the recipients of this tunneled traffic have to be able to deal with it…or you have to enable some facility in the network stack to de-tunnel it. You may as well just turn on IPv6 and save yourself a lot of admin pain and on-going maintenance. IMHO, there is no downside to this.
-- sw
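A way to reproduce the Found/Ban tally above from a fail2ban log, split by address family. This is an added illustration, not code from the thread; the sample log is constructed in the format of the excerpt, with the 2001:db8::1 lines invented so that both families appear, and the ::ffff: handling assumes a dual-stack sshd that logs IPv4 peers as IPv4-mapped IPv6 addresses.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the excerpt's fail2ban format; the 2001:db8::1 lines are invented.
SAMPLE_LOG = """\
2021-01-16 07:56:06,953 fail2ban.filter [844]: INFO [sshd] Found 142.44.218.192 - 2021-01-16 07:56:06
2021-01-16 07:56:07,558 fail2ban.actions [844]: NOTICE [sshd] Ban 142.44.218.192
2021-01-16 15:07:13,733 fail2ban.actions [844]: NOTICE [dovecot] Unban 35.131.184.211
2021-01-16 19:56:35,730 fail2ban.filter [844]: INFO [sshd] Found 69.164.193.40 - 2021-01-16 19:56:35
2021-01-16 19:56:35,849 fail2ban.actions [844]: NOTICE [sshd] Ban 69.164.193.40
2021-01-16 19:56:39,058 fail2ban.actions [844]: NOTICE [sshd] 69.164.193.40 already banned
2021-01-17 02:00:00,000 fail2ban.filter [844]: INFO [sshd] Found 2001:db8::1 - 2021-01-17 02:00:00
2021-01-17 02:00:00,100 fail2ban.actions [844]: NOTICE [sshd] Ban 2001:db8::1
"""
# Matches "Found <ip>", "Ban <ip>", "Unban <ip>" and "<ip> already banned" lines.
LINE_RE = re.compile(
    r"fail2ban\.\w+\s+\[\d+\]:\s+\w+\s+\[(?P<jail>[^\]]+)\]\s+"
    r"(?:(?P<event>Found|Ban|Unban) (?P<addr>\S+)|(?P<addr2>\S+) already banned)"
)

def parse_events(text):
    """Yield (jail, event, ip); an 'already banned' line becomes event 'Repeat'."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("addr") or m.group("addr2"))
        except ValueError:
            continue  # not an address we understand; skip rather than miscount
        # A dual-stack listener logs IPv4 clients as ::ffff:a.b.c.d; count those as IPv4.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        yield m.group("jail"), m.group("event") or "Repeat", ip

def bans_by_family(text):
    """Count Ban actions per address family, e.g. {'IPv4': 2, 'IPv6': 1}."""
    counts = Counter()
    for _jail, event, ip in parse_events(text):
        if event == "Ban":
            counts["IPv%d" % ip.version] += 1
    return dict(counts)

def ipv4_share(text):
    """Fraction of bans coming from IPv4 (the '100%' figure above), or None if no bans."""
    counts = bans_by_family(text)
    total = sum(counts.values())
    return counts.get("IPv4", 0) / total if total else None
```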
Thanks for the thorough answer! I did suspect that IPv6 clients wouldn't be able to interact directly with an IPv4 server. I just haven't seen this explicitly stated anywhere, after a few searches.
I suspect that CIS was trying to recommend against the use of redundant protocols, in case there are as-yet undiscovered vulnerabilities in the relatively immature IPv6 stack.
That might be practical in some controlled settings, but in the context of providing a server to a general internet audience, what you've said makes me think that I have to go dual stack for the foreseeable future.
Thanks!!
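The point made in the first reply and conceded above (an IPv4-only listener cannot be reached by an IPv6-only client, while a single dual-stack socket serves both) can be checked on one host. This is an added illustration, not code from the thread; it assumes IPv4 loopback is available, and the IPv6 results degrade to None on a host where ::1 is disabled or absent.

```python
import socket

def listener(family, host):
    """Listening TCP socket on an OS-chosen port; for AF_INET6, IPV6_V6ONLY is cleared."""
    s = socket.socket(family, socket.SOCK_STREAM)
    if family == socket.AF_INET6:
        # One socket for both families: IPv4 peers then appear as ::ffff:a.b.c.d.
        s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
    s.bind((host, 0))
    s.listen(4)
    s.settimeout(1.0)
    return s

def connect_from(family, host, port, server):
    """Return the peer address the server accepts, or None if the client cannot connect."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as c:
            c.settimeout(1.0)
            c.connect((host, port))
            conn, peer = server.accept()
            conn.close()
            return peer[0]
    except OSError:  # ECONNREFUSED, EADDRNOTAVAIL, EAFNOSUPPORT, timeout ...
        return None

def ipv6_loopback_available():
    """True if this host can bind ::1 (IPv6 neither disabled nor missing)."""
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
            s.bind(("::1", 0))
        return True
    except OSError:
        return False

def reachability():
    """Compare an IPv4-only listener and a dual-stack listener against IPv4 and IPv6 clients."""
    r = {"ipv6_loopback": ipv6_loopback_available()}
    with listener(socket.AF_INET, "127.0.0.1") as v4only:
        port = v4only.getsockname()[1]
        r["v4_client->v4only"] = connect_from(socket.AF_INET, "127.0.0.1", port, v4only)
        r["v6_client->v4only"] = connect_from(socket.AF_INET6, "::1", port, v4only)
    try:
        dual = listener(socket.AF_INET6, "::")
    except OSError:  # kernel without any IPv6 support
        r["v4_client->dualstack"] = r["v6_client->dualstack"] = None
        return r
    with dual:
        port = dual.getsockname()[1]
        r["v4_client->dualstack"] = connect_from(socket.AF_INET, "127.0.0.1", port, dual)
        r["v6_client->dualstack"] = connect_from(socket.AF_INET6, "::1", port, dual)
    return r
```

Running reachability() on a dual-stack host shows the IPv6 client reaching only the dual-stack listener, and the IPv4 client showing up there as ::ffff:127.0.0.1, which is also how such clients appear in the fail2ban log of a dual-stack sshd.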
From https://linux.die.net/HOWTO/Linux+IPv6-HOWTO/basic-history-ipv6-linux.html
The first IPv6 related network code was added to the Linux kernel 2.1.8 in November 1996 by Pedro Roque. It was based on the BSD API
From https://kernel.org
mainline: 5.11-rc4 2021-01-18
stable: 5.10.8 2021-01-17
stable: 5.9.16 [EOL]
longterm: 5.4.90 2021-01-17
longterm: 4.19.168 2021-01-17
longterm: 4.14.216 2021-01-17
longterm: 4.9.252 2021-01-17
longterm: 4.4.252 2021-01-17
linux-next: next-20210118 2021-01-18
All of this is a long way from 1996 (25 years ago)! If the IPv6 implementation in the modern Linux kernel hadn't improved since then, we'd all be using FreeBSD, and, IMHO, enjoying it a lot more ;-)
You write:
I have to go dual stack for the foreseeable future.
That would be more like the rest of your natural life :-)
-- sw
You could probably implement something like DHCPv6 to translate client IPv6 addresses into different IPv6 addresses due to the potential MAC address issue.
But yeah, other than that it's mainly just that it's another vector. Also, it can be handled separately from IPv4. For example, using iptables does nothing against IPv6. You'd want to implement ip6tables rules in that case doing essentially the same stuff as for IPv4, since it's no more secure but just as capable as IPv4.
Also, there's a bug in Ubuntu 18.04 LTS: sysctl.conf doesn't seem to disable IPv6.
It can be disabled in /etc/default/grub:
https://www.linode.com/community/questions/17409/how-do-i-remove-my-ipv6-from-my-linode
I was using WireGuard with Pi-hole (DNS ad-block/malware domain blackhole). Turns out it doesn't block them on Android without disabling IPv6 on the server. And Android security apps don't tend to be so great.
My game server also got hit by an IPv6 DDoS attack once lol, but that's due to someone targeting a particular game.