Don't enable IPV6?

Discussion in 'other firewalls' started by Spartan, Jun 14, 2020.

  1. Spartan

    Spartan Registered Member

    Joined:
    Jun 21, 2016
    Posts:
    1,424
    Location:
    Dubai
    So my ISP recently announced that they support IPV6 so I enabled it in my router. I've been using it since then and didn't notice anything good nor bad.

    Today I was on Reddit and mentioned that I was using Google's DNS for IPV4 and IPV6, then one dude said "do not enable IPV6 if you are using IPV4", so I started wondering what all that is about. He didn't reply back to me when I asked for the reasoning behind this. Is there anything bad about doing this that I am missing?

    I searched on Google and this is one post I read:

    Now I have to mention that I have been having issues with the connection on my Galaxy S20+ when I connect to WiFi, a speedtest would show regular speeds but when browsing one of the forums that I frequent usually (Notebook Review Forum) my phone would have a hard time connecting to that site or would take ages to load, if I disabled my WiFi and just used regular data it's fast and snappy again so I'm not sure if enabling IPV6 has anything to do with this but I will disable it for now.

    Just wanted to get the PROs opinion on this.
     
  2. drhu22

    drhu22 Registered Member

    Joined:
    Aug 21, 2010
    Posts:
    585
    It would be good to get an update on this situation... I understood that it is evolving somewhat, and am unsure whether to still turn off/block ipv6
     
  3. Spartan

    Spartan Registered Member

    Joined:
    Jun 21, 2016
    Posts:
    1,424
    Location:
    Dubai
    I don't know if it's a placebo effect, but I am finding the loading of sites much faster now. I will try browsing that Notebook Review Forum on my phone for a while; if it works, then all my suffering all these days could have been from IPV6.
     
  4. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    I assume you flushed your caches when trying without IPv6?
     
  5. Spartan

    Spartan Registered Member

    Joined:
    Jun 21, 2016
    Posts:
    1,424
    Location:
    Dubai
    I didn't but thanks for the reminder
     
  6. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    ipv6 is bad for security reasons, theoretically easier to find/enumerate network devices
     
  7. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,642
    Location:
    USA
    True, and as also stated above, it will slow things down. Most of the ISPs I have used don't support it yet anyway. I don't think there are many websites that are IPv6 only yet anyway, and to my understanding most of them are in China. As I don't read Chinese I'm not too worried about it. It will be an issue someday, but that someday seems to be very slow in coming. If your ISP does support it and you have it enabled, it allows ALL of your devices to be individually identified from the internet, as there won't be any NAT.
     
  8. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,918
    Somehow that's rubbish. It is necessary so that all those people can have access to the web, because IPv4 is full. Some providers only give out IPv6 IPs, and that forever to a special port, and the customer is not able to change it. Nevertheless it means nothing for security. In the case of Windows 10, it will malfunction if IPv6 is not activated internally. But in some routers it is possible to have IPv6 disabled, and that could mean in the worst case that you can't connect to the web because (read above) IPv4 IPs are no longer applied.
     
  9. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    If you have the option, then disable/harden if you are not an advanced user. I am a noob, so I disable:
    REM disable
    REM turn off the IPv6 transition tunnels (ISATAP, 6to4, Teredo)
    netsh int ipv6 isatap set state disabled
    netsh int ipv6 6to4 set state disabled
    netsh interface teredo set state disabled
    REM multicast listener level for the IPv4 stack (none = no group membership reports)
    netsh interface ipv4 set global mldlevel=none
    REM 0xFF (255) disables all IPv6 components except the loopback interface; reboot required
    REG ADD "HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d "255" /f

    REM harden
    REM stop switching to a backup gateway on its own
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DeadGWDetectDefault" /t REG_DWORD /d 0 /f
    REM SYN flood protection (legacy TCP/IP parameter)
    REG ADD "HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v "SynAttackProtect" /t REG_DWORD /d 2 /f
    REM disable path MTU discovery
    REG ADD "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters" /v "EnablePMTUDiscovery" /t REG_DWORD /d 0 /f
    REM TCP keep-alive interval in milliseconds (3000000 = 50 minutes)
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "KeepAliveTime" /t REG_DWORD /d 3000000 /f
    REM do not release the NetBIOS name on a name-release request
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" /v "NoNameReleaseOnDemand" /t REG_DWORD /d 1 /f
    It is not inherently more insecure, but it is often used by attackers to set up backdoors, especially when IPv6 is misconfigured. Because the technology is not well understood, there was a wave of attacks based on IPv6 tunneling that IDPS systems would not pick up (separate rule sets for IPv4 and 6, and 6 is often ignored).

    Consequently, it also makes it easy for an intruder who has already gained access to a local subnetwork to announce rogue routes and routers to spread the infection, or to route multiple compromised systems through tunnels under control, set dual stack stealthy communication.
    - best regards
     
    Last edited: Sep 20, 2020
  10. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,918
    If the attacker is already inside your local network, then there was something wrong since the beginning. You screw the wrong nuts, and in your case you make your Windows malfunction. Never screw anything if you are not aware of the results; that's all I wanted to tell you. Tips and tricks from the web are not customizable to all systems. And in fact they don't cover a way out if you get in trouble; forums are full of questions about this and people needing help to recover functionality of a product.

    Hardening Windows is a solution for people who got scared by other opinions which do not know better or try to sell a product. The best example is antivirus vendors: they scare people to sell their product, while the built-in Windows Defender is equal or better and is covered by the rest of the Windows settings. It doesn't need kernel drivers, which make the whole system unstable and unsafe because of leaks.

    If the hardware (router) is vulnerable, I suggest getting updates or newer, safer hardware.
     
  11. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    I agree.

    It is usually a /64 block, so there are 2^64 = 18,446,744,073,709,551,616 possibilities. Just have some form of brute force scanning protection and you're safe. And you still can firewall devices so you're not exposed...
     
  12. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I wasn't aware of this; just turned off IPv6 (in the router and in Windows) since, as you say, it's unlikely to have an impact. Is there any workaround for the loss of NAT when IPv6 is enabled?
     
    Last edited: Sep 20, 2020
  13. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    @Brummelchen
    Long story short: if you don't know how to set up IPv6 and you don't understand the technology, it is better to disable it. I disable.
    And hardening can save you from cve-2019-0708, for example, so it is not so useless. Backward compatibility and too many services are what make the system more vulnerable (PowerShell 2.0, .NET Framework 3.5, SMB). A change in a rule could indicate a breach; having a set you made yourself makes you learn to recognize patterns.
    Also, I don't feel safe with MS Defender, because a typical hacker would learn to hack MS Defender first, then other security products. The literature is full of MS Defender hacks and vulnerabilities, but less is known about other security products; any script kid would try to get his feet wet with Defender first, especially since he can just find the hack. WFP rules from third-party firewalls are also better than Windows Firewall (WF), which allows outgoing connections from "legitimate apps", and reverting WF rules is not too difficult.
    I agree, though, that Defender is much better now than it was yesterday, especially since EMET.
    best
     
    Last edited: Sep 20, 2020
  14. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,642
    Location:
    USA
    I am unaware of any workarounds. I don't think there are intended to be any by design.
     
  15. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,918
    I marked red what you'd better have written, because you speak for yourself and not for me.
    This CVE does not apply to current Windows OS versions 8.1 and 10, only Windows 7 and older and WinServ 2008, which are out of support. Read here:
    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
    Pointless argument!
    That's your point of view. Anyhow, Defender is only one wheel of the Windows security concept. That's always been told by experienced people: don't rely on an antivirus only, it will fail some day. But it's your decision.

    just read
    https://www.wilderssecurity.com/thr...port-udp-239-255-255-250.428946/#post-2949496
    That's multicast as written (SSDP) and not dangerous.
    https://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol

    I think we two should stop it right here.
     
  16. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    @Brummelchen
    As you wish. I like talking to you just as with anybody else; you seem to be jumping to conclusions too fast or not reading the text. Yes, I know the CVE is for Vista, and I wasn't referring to you when I said "if you don't know how", and I don't rely on AV alone. I generally speak with a high level of abstraction, but the forum is not ideal for that or to convey emotions. I also tried to shorten my text; in the end some people understand me wrong, lol.

    It doesn't matter if the CVE is for Vista or Windows 10; I just mentioned BlueKeep because it is a prime example that hardening could save you even if you had Vista. There are plenty of undocumented vulnerabilities, and hardening can save you from some vulnerabilities, unexpectedly so to speak (abstract thinking, my friend..). "RDP open to the Internet" is asking for trouble regardless of Vista or 10.

    About IPv6:

    1) Teredo-style IPv6 over UDP tunneling bypasses the NAT devices and firewalls, and the IDPS system must dig much deeper to de-encapsulate IPv6 traffic from UDP,
    static SIT or 6to4 auto SIT type. At least sanitize traffic before the IDPS.
    Some routers are not designed to unroll these tunneling protocols to analyze them and apply rules directly. If IPv6 is not provided or supported, any form of the above-mentioned traffic is spotted and considered abnormal, and that's what I aim for.
    2) Because IPv6 networks are big, rate limiting or IP filtering is impractical.
    3) Log analysis is more difficult on IPv6, as an address can be written in different ways (long/short).
    4) More complex Neighbor Discovery Protocol (which translates into vulnerabilities and bugs: NS/NA messages or DAD).
    5) Many underground tools are IPv6 related; they seem to be the vast majority and favor the attacker.
    6) IPv6 subprotocol Multicast Listener Discovery (MLD) attacks at the local link.

    That said, I don't believe there is a whole lot of difference running IPv6 or 4, just that IPv6 requires extra care and it seems a tiny bit less secure, especially if misconfigured.
     
    Last edited: Sep 21, 2020
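Points 1) and 3) above are where a defender can do something concrete in a log pipeline: normalise every IPv6 address to one canonical spelling before counting or matching, and flag addresses that belong to the Teredo (2001::/32) and 6to4 (2002::/16) tunnel prefixes, whose embedded IPv4 address tells you which host is really behind the tunnel. The following is an added example (not from the thread or any poster); the log lines and the `src=` field format are constructed for the demo.

```python
import ipaddress
import re

# Constructed sample firewall log (not real traffic). The first three lines are
# the same client written three ways; the last two are tunnel addresses.
SAMPLE_LOG = """\
2020-09-21T10:00:01 src=2001:0db8:0000:0000:0000:0000:0000:0001 dport=443 action=allow
2020-09-21T10:00:02 src=2001:db8::1 dport=22 action=deny
2020-09-21T10:00:03 src=2001:DB8:0:0::0:1 dport=22 action=deny
2020-09-21T10:00:04 src=2001:0:4136:e378:8000:63bf:3fff:fdd2 dport=3544 action=allow
2020-09-21T10:00:05 src=2002:c000:0204::1 dport=80 action=allow
"""

# Assumed log layout: the source address follows a literal "src=" field.
ADDR_RE = re.compile(r"src=([0-9A-Fa-f:.]+)")


def normalize(addr):
    """Return the RFC 5952 canonical form (lowercase, longest zero run compressed)."""
    return str(ipaddress.IPv6Address(addr))


def classify_tunnel(addr):
    """Return ("teredo"|"6to4", embedded_ipv4) for tunnel addresses, else None.

    ipaddress decodes the Teredo client (XOR-obfuscated in the last 32 bits)
    and the 6to4 prefix for us, so no manual bit fiddling is needed.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip.teredo is not None:
        _server, client = ip.teredo
        return ("teredo", str(client))
    if ip.sixtofour is not None:
        return ("6to4", str(ip.sixtofour))
    return None


def analyze(log_text):
    """Count hits per canonical source address and list tunnel addresses seen."""
    counts = {}
    tunnels = []
    for line in log_text.splitlines():
        match = ADDR_RE.search(line)
        if not match:
            continue  # line has no src field; skip rather than guess
        canon = normalize(match.group(1))
        counts[canon] = counts.get(canon, 0) + 1
        kind = classify_tunnel(canon)
        if kind is not None:
            tunnels.append((canon, kind[0], kind[1]))
    return counts, tunnels


if __name__ == "__main__":
    per_host, tunnel_hits = analyze(SAMPLE_LOG)
    print(per_host)      # three spellings collapse into one key with count 3
    print(tunnel_hits)   # Teredo client 192.0.2.45, 6to4 host 192.0.2.4
```

Without the normalisation step the three spellings of 2001:db8::1 would be counted as three different hosts, which is exactly the rate-limiting and log-correlation problem point 3) describes.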
  17. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    @Brummelchen I never said I am an expert; case in point, I come here to learn about defence and security, asking lots of questions, some stupid, some less so. But what you say is a bit controversial? On Windows systems, the SSDP service controls communication for the Universal Plug and Play feature (uPnP); with this you can seek uPnP vulnerabilities or get useful information on devices (during the recon phase). It is recommended to be disabled in most hardening guides or on sites about defence and pentesting, as it is local plug and play extended to the Internet.
     
    Last edited: Oct 3, 2020
  18. IRONY

    IRONY Registered Member

    Joined:
    May 29, 2013
    Posts:
    43
    IPv6 is useless on a private network (LAN). The main reason IPv6 exists is that IPv4 address allocation (WAN) is exhausted. IPv6 does provide some benefits, but nothing you're going to need on a simple home network. Microsoft/Apple ought to disable IPv6 by default unless it's really needed by your CPE.
     