SANS ISC: IPv6 Day Started - Internet Security | DShield SANS ISC InfoSec Forums


IPv6 Day Started

IPv6 day officially started at midnight GMT. Over the next 24 hours, a number of large web sites will be reachable via IPv6. For example, Google, Yahoo and Facebook added AAAA records.

You can check yourself if you are able to receive the AAAA records with this nslookup command:

nslookup
> set type=AAAA
> www.facebook.com

Non-authoritative answer:
www.facebook.com    has AAAA address 2620::1c08:4000:face:b00c:0:2

The next 24 hours bring a unique opportunity to test IPv6 and to experiment with it. I recommend that you set up at least a test system and attempt to connect to IPv6 via a tunnel broker. You may also be able to use auto-configured 6-to-4, but it tends to be less reliable. See the end of this article for a number of free tunnel brokers.

Things to test:

  • ping Google: on Unix, use ping6 www.google.com; on Windows, use ping -6 www.google.com
  • measure latency via IPv4 and IPv6 and compare.
  • test if you can reach various IPv6 sites (http://isc.sans.edu has been dual stack for a while now)
  • can you detect the traffic with whatever tools you use (snort, tcpdump, windump, wireshark...)?
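
For the last item, a tunnel is the case most likely to slip past tools that only look at the outer header: 6in4 tunnels and 6-to-4 carry IPv6 directly inside IPv4 as protocol 41. The sketch below is an added example, not part of the original diary; it classifies raw IP packets and recovers the inner IPv6 addresses, and the packets and addresses in it are constructed from documentation ranges.

```python
import ipaddress
import struct

PROTO_41 = 41  # IPv4 protocol number for encapsulated IPv6 (6in4 tunnels, 6to4)
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")  # 6to4 prefix; next 32 bits are an IPv4 address

def parse_ipv6(pkt: bytes) -> dict:
    """Return source, destination and next header of a raw IPv6 header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 header")
    return {"src": ipaddress.IPv6Address(pkt[8:24]),
            "dst": ipaddress.IPv6Address(pkt[24:40]), "next_header": pkt[6]}

def classify(pkt: bytes) -> dict:
    """Classify a raw IP packet (link-layer header already stripped)."""
    if pkt and pkt[0] >> 4 == 6:
        return {"kind": "native-ipv6", **parse_ipv6(pkt)}
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IP packet")
    ihl = (pkt[0] & 0x0F) * 4  # IPv4 header length; options shift the inner header
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    result = {"kind": "ipv4", "proto": pkt[9],
              "outer_src": ipaddress.IPv4Address(pkt[12:16]),
              "outer_dst": ipaddress.IPv4Address(pkt[16:20])}
    if pkt[9] != PROTO_41:
        return result
    result.update(parse_ipv6(pkt[ihl:]))
    result["kind"] = "6in4"
    for addr in (result["src"], result["dst"]):
        if addr in SIX_TO_FOUR:  # auto-configured 6to4 rather than a configured tunnel
            result["kind"] = "6to4"
            result["embedded_v4"] = ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)
            break
    return result

def build_ipv6(src, dst, next_header=58):
    """Constructed sample: bare IPv6 header (58 = ICMPv6), no payload."""
    return (struct.pack("!IHBB", 0x60000000, 0, next_header, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

def build_ipv4(src, dst, proto, payload=b""):
    """Constructed sample: 20-byte IPv4 header, checksum left at zero."""
    return (struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
            + ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + payload)

if __name__ == "__main__":
    inner = build_ipv6("2002:c000:201::1", "2001:db8::1")
    for p in (inner, build_ipv4("192.0.2.1", "198.51.100.7", 41, inner),
              build_ipv4("192.0.2.1", "198.51.100.7", 6)):
        print(classify(p))
```

If your sensor or firewall log shows only the outer IPv4 pair for such a packet, it is not inspecting the IPv6 traffic inside the tunnel.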

More information about IPv6 day:

http://ipv6day.org

Tunnelbrokers:
http://www.ipv6day.org/action.php?n=En.GetConnected-TB

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Johannes

3558 Posts
ISC Handler
I'm out on two counts. My home router is not IPv6 ready. My ISP is not resolving their domains to an IPv6 address. I checked multiple DNS servers to verify. I can get IPv6 addresses resolved on domains known to have AAAA type records registered. Time for a new router anyway. ISP isn't as easy to fix.
G.Scott H.

48 Posts
looking good here: Tracing route to cache.l.google.com [2404:6800:4003:2::13]

Dual-stacked and working like a charm. If your ISP is not supporting IPv6, tunnel and get the experience :)
Anonymous
IPv6 is just a hype! ;-)

My hardware is IPv6 ready, but I turned it off everywhere. I see no need for IPv6 now.
Anonymous
I beg to differ...

Y2K was Hype, because doing nothing was actually an acceptable solution for most people.

IPv6 is required, and it will have a major technical impact. Agreed, users should not see anything.

For myself, I connected using my Apple Airport with Hurricane Electric, it was a cinch.

Will be integrating my tunnel broker into the Fortigate soon, with a migration on home network.
Anonymous
So, when is http://isc.sans.edu going to get an AAAA record? Right now that nifty little "Validated by ipv6-test.com" link on the bottom of every single page confirms that this site is not IPv6 ready.
Anonymous
isc.sans.edu has a AAAA record:
isc.sans.edu has address 66.35.45.157
isc.sans.edu has IPv6 address 2001:470:1f11:e4b::50

Just the link at the bottom for the IPv6 test isn't quite right. It should point to
ipv6-test.com/…
(or maybe the test site is overloaded today)
Johannes

3558 Posts
ISC Handler
Dr. J...nope, the ipv6-test.com link hasn't been "Working Right" via isc.sans.edu for weeks, while it continues humming along just fine for many others.
Anonymous
Regarding the ISP comment in the top comment. A couple of weeks ago I sent a message off to my home ISP support (one of the MAJORS in Uncle Sugar) asking about IPv6. The message I got was not all that reassuring. The gist of the message was that I would be notified in time. Since my 10 year old DSL modem is from them, I was not very reassured.
KBR

63 Posts
Can someone point me to a "how to" type of guide to figure out how all this works and to get it set up? Thanks in advance!
Kelleigh

2 Posts
I was all excited about this. Signed up for a Hurricane Electric 6to4 tunnel, and discovered my Cisco SA520 is a 6to4 fail.
bonsaiviking

5 Posts
I went to ipv6day.org and everything there talks about June 6, 2006 with the page being last modified on that day. Have I suddenly jumped back in time 5 years or are they running it again? [grin]

Oh, it looks like I missed it - it is June 9th here in the UK.
patermann

35 Posts
FYI, our firewall's "deny all else" rule was stopping IPv6 over IPv4 encapsulation, which was alarmingly high yesterday. So if anyone had an unusually high volume of denied traffic yesterday, look into your firewall settings pertaining to IPv6 traffic.
Ben-from-Security

1 Posts
Dreamhost makes a big deal of offering their customers free IPv6 addresses for every website you host with them, and makes it very easy to add AAAA records to your zones. However, their web servers are not yet configured to support IPv6 (thus sayeth ipv6-test.com).

Fail.
No Love.

37 Posts
YAY, isc.sans.edu finally renders via IPv6...and the little validation link now works too.

I wonder when they'll be fixing HTTPS access to the site; so that when accessing IPv6, a long red strike no longer runs through "HTTPS" in Chrome's url field.
Anonymous
