cancel
Showing results for 
Search instead for 
Did you mean: 

Posting IP addresses - how much to mask?

jelv
Community Veteran
Posts: 26,786
Thanks: 990
Fixes: 10
Registered: ‎10-04-2007

Posting IP addresses - how much to mask?

If we make public posts which have the public IPv6 address of our router (e.g. output from nslookup or a tracert), how much should we mask out? (For IPv4 we'd post something like 80.229.*.*)
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£14.40/month)
Mobile: iD mobile (£4/month)
5 REPLIES 5
MJN
Pro
Posts: 1,216
Thanks: 109
Fixes: 4
Registered: ‎26-08-2010

Re: Posting IP addresses - how much to mask?

If you want to follow the same principle, and hide anything that sets you apart from the next customer, then mask everything after the first 32 bits e.g. 2a02:16c8:x:x:x:x:x:x
Even though so-called 'privacy' addresses will randomise the last 64 bits your delegated prefix (bits 33 to 56) will always stay the same (on this trial) and so could be used to single you out.
You could show some more of the prefix (e.g. upto, say, bit 48) but it'll reduce the size of the haystack you'd be hiding in for little if any gain - the first 32 bits are sufficient to identify it as a Plusnet address but nothing more.
dragon2611
Grafter
Posts: 283
Registered: ‎20-10-2013

Re: Posting IP addresses - how much to mask?

None of it,
But then I don't care who knows my IP address as lets face it any server I communicate with either over IPv4 or IPv6 will get my V4 and V6 address respectively.
Biggest worry i'd have if I managed to upset someone enough that they try to DDOS me, in terms of knowing my IP address I'd hope I've setup my firewalls well enough that knowing the IP address isn't going to achieve much other than allow you to connect to any services I've chosen to expose to the internet.
That said It wouldn't surprise me if someone who knew what they were doing could find a way in if they really wanted to, only takes one vulnerable service exposed or a mistake in a config somewhere or some idiot installing a Trojan onto a machine on the network.
MJN
Pro
Posts: 1,216
Thanks: 109
Fixes: 4
Registered: ‎26-08-2010

Re: Posting IP addresses - how much to mask?

You are forgetting a key point to IPv6 deployment - we are a long way off knowledge and feature parity with IPv4, particularly when it comes to security.
A consequence of this is that many, indeed I would even go as far as saying most, IPv6 deployments currently are not configured in as secure a manner as their corresponding IPv4 connections. I would wager that the vast majority of those that have enabled IPv6, whether native or tunneled, did not implement full protective measures from the off. Rather, this seems to come as the second step (if that!).
This is down to a combination of lack of security support in products (or more difficult to access/ e.g. no GUI-configurable firewall) and a whole manner of new exploits unique to IPv6. Furthermore, the typical modus operandi has been flipped on its head with devices who used to be 'protected' by virtue of an IPv4 NAT now being potentially fully exposed to the (IPv6) Internet.
There is therefore very good reason to hide your public IPv6 address currently unless you are absolutely sure about the security that you have in place. I am not hence why I don't post the full details. The fact my address appears on logs of services I connect to is besides the point - those services, or rather the people behind them, are not where I believe the threat to be coming from.
chrcoluk
Community Veteran
Posts: 1,990
Thanks: 5
Registered: ‎11-12-2013

Re: Posting IP addresses - how much to mask?

Well my ipv6 servers do have equal firewall security to ipv4.  It just seems consumer based routers are behind server operating systems and commercial grade routers.
Also opensource firmwares seem advanced enough on ipv6.  ddwrt, tomato, openwrt.
Most routers have 2 firewalls.
One firewall which is transparent on a default deny policy, when a NAT rule is created a appropriate rule also gets made on the firewall.  Second firewall usually the visible one which will typically be some kind of SPI firewall.  I tend to disable SPI firewall's on home routers due to the processing overhead.
MJN
Pro
Posts: 1,216
Thanks: 109
Fixes: 4
Registered: ‎26-08-2010

Re: Posting IP addresses - how much to mask?

It's not just the equipment support for IPv6 that matters but rather configuring them correctly. As you know, there are a whole variety of vulnerabilities and exploits unique to IPv6, and no doubt many currently-unknown ones yet to come.