Don't enable IPV6?

Discussion in 'other firewalls' started by Spartan, Jun 14, 2020.

  1. Spartan

    Spartan Registered Member

    Joined:
    Jun 21, 2016
    Posts:
    757
    Location:
    Dubai
    So my ISP recently announced that they support IPV6 so I enabled it in my router. I've been using it since then and didn't notice anything good nor bad.

    Today I was on Reddit and mentioned that I was using Google's DNS for IPV4 and IPV6, then one dude said "do not enable IPV6 if you are using IPV4" so I started wondering what all that is about. He didn't reply back to me when I asked for the reasoning behind this. Is there anything bad in doing this that I am missing?

    I searched on Google and this is one post I read:

    Now I have to mention that I have been having issues with the connection on my Galaxy S20+ when I connect to WiFi, a speedtest would show regular speeds but when browsing one of the forums that I frequent usually (Notebook Review Forum) my phone would have a hard time connecting to that site or would take ages to load, if I disabled my WiFi and just used regular data it's fast and snappy again so I'm not sure if enabling IPV6 has anything to do with this but I will disable it for now.

    Just wanted to get the PROs opinion on this.
     
  2. drhu22

    drhu22 Registered Member

    Joined:
    Aug 21, 2010
    Posts:
    422
    It would be good to get an update on this situation... I understood that it is evolving somewhat, and am unsure whether to still turn off/block ipv6
     
  3. Spartan

    Spartan Registered Member

    Joined:
    Jun 21, 2016
    Posts:
    757
    Location:
    Dubai
    I don't know if it's a placebo effect but I am finding the loading of sites much faster now. I will try browsing that Notebook Review Forum on my phone for a while if it works then all my suffering all these days could have been from IPV6
     
  4. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,244
    Location:
    UK
    I assume you flushed your caches when trying without IPv6?
     
  5. Spartan

    Spartan Registered Member

    Joined:
    Jun 21, 2016
    Posts:
    757
    Location:
    Dubai
    I didn't but thanks for the reminder
     
  6. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    334
    Location:
    Island of Woman
    ipv6 is bad for security reasons, theoretically easier to find/enumerate network devices
     
  7. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    5,783
    Location:
    USA
    True and as also stated above it will slow things down. Most of the ISPs I have used don't support it yet anyway. I don't think there are many websites that are IPv6 only yet anyway, and to my understanding most of them are in China. As I don't read Chinese I'm not too worried about it. It will be an issue someday, but that someday seems to be very slow in coming. If your ISP does support it and you have it enabled it allows ALL of your devices to be individually identified from the internet as there won't be any NAT.
     
  8. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    3,361
    Somehow that's rubbish. It is necessary to have all those people having access to the web because IPv4 is full. Some providers only give IPv6 IPs, and that forever to a special port, and the customer is not able to change it. Nevertheless it means nothing to security. In the case of Windows 10 it will malfunction if IPv6 is not activated internally. But in some routers it is possible to have IPv6 disabled, and that could mean in the worst case that you can't connect to the web because (read above) IPv4 IPs are no longer applied.
     
  9. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    334
    Location:
    Island of Woman
    if you have the option then disable/harden if you are not an advanced user, I am a noob so I disable
    REM disable
    netsh int ipv6 isatap set state disabled
    netsh int ipv6 6to4 set state disabled
    netsh interface teredo set state disabled
    netsh interface ipv4 set global mldlevel=none
    REG ADD "HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d "255" /f

    REM harden
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DeadGWDetectDefault" /t REG_DWORD /d 0 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters" /v "SynAttackProtect" /t REG_DWORD /d 00000002 /f
    REG ADD "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters" /v "EnablePMTUDiscovery" /t REG_DWORD /d 0 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "KeepAliveTime" /t REG_DWORD /d 3000000 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Netbt\Parameters" /v "NoNameReleaseOnDemand" /t REG_DWORD /d 1 /f
    It is not inherently more insecure, but it is often used by attackers to set up backdoors, especially when IPv6 is misconfigured. Because the technology is not well understood, there was a wave of attacks based on IPv6 tunneling that IDPS systems would not pick up (separate rule sets for IPv4 and 6, and 6 is often ignored).

    Consequently, it also makes it easy for an intruder who has already gained access to a local subnetwork to announce rogue routes and routers to spread the infection, or to route multiple compromised systems through tunnels under control, set dual stack stealthy communication.
    - best regards
     
    Last edited: Sep 20, 2020 at 7:30 AM
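
The tunnel mechanisms switched off by the commands in the post above (ISATAP, 6to4, Teredo) carry IPv6 inside IPv4, which is why a rule set written only for IPv4 can miss them. The following is an added example, not part of the original post: a Python classifier that flags such encapsulated traffic in raw IPv4 packets. The function names and the sample packets are constructed for illustration.

```python
import struct

IPPROTO_UDP = 17
IPPROTO_IPV6 = 41    # IPv6 carried directly in IPv4: 6to4, ISATAP, 6in4
TEREDO_PORT = 3544   # Teredo server port (RFC 4380); a heuristic, relays may differ


def classify_ipv4_packet(pkt: bytes) -> str:
    """Label a raw IPv4 packet: 'proto41', 'teredo', 'plain' or 'malformed'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "malformed"
    ihl = (pkt[0] & 0x0F) * 4                       # header length incl. options
    if ihl < 20 or len(pkt) < ihl:
        return "malformed"
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    proto, payload = pkt[9], pkt[ihl:]
    if proto == IPPROTO_IPV6:
        # Later fragments have no inner header to check; flag them anyway.
        if frag_offset or (payload and payload[0] >> 4 == 6):
            return "proto41"
        return "malformed"
    if proto == IPPROTO_UDP and frag_offset == 0 and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            return "teredo"
    return "plain"


def build_ipv4(proto: int, payload: bytes, options: bytes = b"") -> bytes:
    """Constructed test packet; checksum left zero, addresses from RFC 5737."""
    ihl_words = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                         ihl_words * 4 + len(payload), 0, 0, 64, proto, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return header + options + payload


INNER_IPV6 = b"\x60" + b"\x00" * 39                 # constructed 40-byte IPv6 header
SAMPLES = [                                         # all constructed, not captured
    build_ipv4(41, INNER_IPV6),                     # 6to4 / ISATAP style
    build_ipv4(41, INNER_IPV6, options=b"\x01" * 4),  # same, with IPv4 options
    build_ipv4(17, struct.pack("!HHHH", 50000, 3544, 8, 0)),  # Teredo
    build_ipv4(17, struct.pack("!HHHH", 50000, 53, 8, 0)),    # ordinary DNS
    build_ipv4(6, b"\x00" * 20),                    # ordinary TCP
]


def tunnel_report(packets):
    """Return (index, label) for every packet that is not plain IPv4."""
    labels = [classify_ipv4_packet(p) for p in packets]
    return [(i, label) for i, label in enumerate(labels) if label != "plain"]


if __name__ == "__main__":
    print(tunnel_report(SAMPLES))
```
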
  10. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    3,361
    If the attacker is already inside your local network then there was something wrong since the beginning. You screw the wrong nuts and in your case you make your Windows malfunction. Never screw anything if you are not aware of the results, that's all I wanted to tell you. Tips and tricks from the web are not customizable to all systems. And in fact they don't cover a way out if you get in trouble; forums are full of questions about this and need help out to recover functionality of a product.

    Hardening Windows is a solution for people who got scared by other opinions which do not know better or try to sell a product. Best example are antivirus vendors, they do scare people to sell their product while the built-in Windows Defender is equal or better and is covered from the rest of Windows settings. It doesn't need kernel drivers which make the whole system unstable and unsafe because of leaks.

    If hardware = router is vulnerable I suggest getting updates or a newer safer hardware.
     
  11. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,148
    Location:
    Member state of European Union
    I agree.

    It is usually a /64 block, so there are 2^64 = 18,446,744,073,709,551,616 possibilities. Just have some form of brute force scanning protection and you're safe. And you still can firewall devices so you're not exposed...
     
  12. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,032
    Location:
    USA
    I wasn't aware of this; just turned off IPv6 (in the router and in Windows) since, as you say, it's unlikely to have an impact. Is there any workaround for the loss of NAT when IPv6 is enabled?
     
    Last edited: Sep 20, 2020 at 11:41 AM
  13. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    334
    Location:
    Island of Woman
    @Brummelchen
    long story short, if you don't know how to set up IPv6 and you don't understand the technology it is better to disable, I disable
    and hardening can save you from CVE-2019-0708 for example so it is not so useless, backward compatibility and too many services is what makes the system more vulnerable (PowerShell 2.0, .NET Framework 3.5, SMB), a change in a rule could indicate a breach, having one set yourself makes you learn to recognize patterns
    also I don't feel safe with MS Defender because a typical hacker would learn to hack MS Defender first then other security products, the literature is full of MS Defender hacks and vulnerabilities, but less is known about other security products, any script kid would try to get his feet wet with Defender first, especially since he can just find the hack, WFP rules from third party firewalls are also better than Windows Firewall (WF), which allows outgoing connections from "legitimate apps", and reverting WF rules is not too difficult
    I agree though that Defender is much better now than it was yesterday, especially since EMET
    best
     
    Last edited: Sep 20, 2020 at 4:45 PM
  14. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    5,783
    Location:
    USA
    I am unaware of any workarounds. I don't think there are intended to be any by design.
     