My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

IPv6 and isc.sans.org

Published: 2010-01-12. Last Updated: 2010-01-12 17:10:33 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

I spent some time last week to analyze the IPv6 traffic isc.sans.org receives. To do so, I considered the last 90 days worth of logs. The full report can be found here.

A quick summary: IPv6 is still used by only 1.3% of hosts connecting to isc.sans.org. This is a considerable increase from about a year ago, which was about 0.5%. But the number of hits is still small. I am not able to proof this in every single case, but the overwhelming use of tunnels suggests that most if not all of these users would be able to reach isc.sans.org via IPv4. The connection speed via IPv4 would probably be faster. For myself, the latency to isc.sans.org via IPv6 is about double what it is via IPv4. Most of the overhead comes from the latency of my tunnel connection at home. The round-trip time from isc.sans.org to our tunnel broker is only 12ms.

One of the important lessons from this analysis: A large number of hosts connecting to us appears to use automatically configured tunnels like 6to4 or Teredo. These tunnels are sometimes not managed, resulting in hosts unintentionally exposed to IPv6. Many firewalls are not configured to limit IPv6 or associated tunneling protocols, or don't even have the ability to do so. These hosts may be "naked" when it comes to IPv6.

Highlights:

  • We had IPv6 connections from about 13 thousand hosts.
  • about 2,500 of these used 6to4 (2002::/16 addresses) and 550 used Teredo.
  • only a very small fraction (815) of the IPs had PTR records configured for reverse DNS resolution.

 Full report: http://isc.sans.org/presentations/ipv6q42009.pdf (PGP Signature)

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: ipv6
2 comment(s)
My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Comments

I was one of the persons running IPv6. I installed Debian squeeze a few weeks ago and IPv6 is switched on [i found out]. It gave me problems reaching some websites, also the isc,sans.org website. I switched off IPv6 and the problems are over. If you have firefox with the ShowIp addon and you see green IP's beginning with 2002:: than you know IPv6 is switched on.
I have IPv6 PTRs configured on servers, but workstations have privacy extensions enabled and PTRs would defeat the purpose. Even with IPv4 making any decision based on PTRs is pretty obsolete.

Diary Archives