JordanMilne / Advocate

An SSRF-preventing wrapper around Python's requests library. Advocate is no longer maintained; please fork and rename it if you would like to continue work on it.

What should be done about IPv6? #3

Closed JordanMilne closed 7 years ago

JordanMilne commented 8 years ago

Should it be on by default? I'm kind of iffy on this, but I don't know enough about IPv6 as-deployed-by most people to say if it's dangerous one way or the other.

I get the feeling people may currently be relying on NAT / firewall rules to prevent external requests from getting in. With IPv4, if you use private ranges like you should, it's super easy to detect and block if an IP refers to something on the LAN (192.x.x.x, 10.x.x.x, etc.), even if there's a service that's bound to 0.0.0.0.

But what about with IPv6? Say I've got an internal service that binds to :: on server X, and server Y running a site that uses Advocate on the same network. If server Y makes a request to server X's globally-routable IPv6 IP, do we have any guarantees as to how the packet will be routed? Might it be routed directly to server X without hitting the external firewall?

I'm concerned that if that is the case, users will be vulnerable to SSRF unless the servers are assigned ULAs, or unless the organization is large enough to have a globally-routable block assigned to them for internal use, which can be added to Advocate's blacklist.

TL;DR: We somewhat abuse the side-effects of IPv4 + NAT so we can tell by an address if the destination is likely on the LAN or not. Non-globally-routable (RFC1918 or otherwise) addresses are blocked, globally routable ones are not.

This doesn't appear to be possible with most IPv6 setups as LAN IPs usually == globally routable WAN IPs, frustrating the ability to prevent SSRF via checks in the client.

Is any of that actually a concern? Am I fundamentally misunderstanding IPv6? Any relevant IPv6 documentation is helpful!

JordanMilne commented 7 years ago

I don't think IPv6 can ever be safely supported by default since we're effectively relying on NAT for security. If you need IPv6 then you'll need to explicitly blacklist any ranges you own and manually enable IPv6 support.
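The policy the thread settles on (IPv6 off unless explicitly enabled, non-global addresses always blocked, operator-owned global ranges blacklisted) can be expressed as a small destination check with Python's standard `ipaddress` module. The code below is an added example written for this page, not Advocate's own implementation; the function names `is_blocked_destination` and `validate_resolved` are hypothetical, and `OWNED_RANGES` is a constructed placeholder using the documentation prefix, standing in for a block an organisation actually owns.

```python
import ipaddress

# Constructed placeholder for a globally routable block an organisation uses
# internally. Real deployments would put their own prefix here; 2001:db8::/32
# is the documentation prefix and stands in for it.
OWNED_RANGES = [ipaddress.ip_network("2001:db8:1234::/48")]


def is_blocked_destination(addr_str, allow_ipv6=False, owned_ranges=()):
    """Return a reason string if addr_str must not be contacted, else None.

    Policy mirrored from the discussion above:
      * IPv6 is refused unless the caller opted in with allow_ipv6=True.
      * Any address inside an operator-supplied owned range is refused, even
        though it is globally routable (the 'blacklist your own ranges' case).
      * Any non-global address (RFC 1918, loopback, link-local, ULA, ...) is
        refused for both IP versions.
    """
    addr = ipaddress.ip_address(addr_str)

    # An IPv4-mapped IPv6 address (::ffff:10.0.0.1) names an IPv4 host, so
    # unwrap it and apply the IPv4 rules instead of treating it as IPv6.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped

    if addr.version == 6 and not allow_ipv6:
        return "ipv6 disabled"

    # Operator blacklist runs first: these ranges are global by definition,
    # so the is_global check below would let them through.
    for net in owned_ranges:
        if addr in net:
            return "in operator blacklist"

    # is_global covers RFC 1918, loopback, link-local, ULA (fc00::/7) and the
    # other reserved registries in the same call for both IPv4 and IPv6.
    if not addr.is_global:
        return "non-global address"

    return None


def validate_resolved(addresses, **policy):
    """Check every address a hostname resolved to (as getaddrinfo would return).

    One blocked record is enough to refuse the whole hostname; otherwise an
    attacker-controlled DNS name that returns both a public and an internal
    address could be used to reach the internal one.
    """
    for addr_str in addresses:
        reason = is_blocked_destination(addr_str, **policy)
        if reason is not None:
            return reason
    return None


if __name__ == "__main__":
    # Constructed inputs: a well-known public resolver, loopback, a ULA,
    # an IPv4-mapped private address and an address in the placeholder range.
    for sample in ["2001:4860:4860::8888", "::1", "fd12:3456::1",
                   "::ffff:10.0.0.1", "2001:db8:1234::10", "8.8.8.8"]:
        print(sample, "->", is_blocked_destination(
            sample, allow_ipv6=True, owned_ranges=OWNED_RANGES))
```

Note that `ipaddress` already treats the documentation prefix as non-global, which is why the owned-range check runs before `is_global`: with a real owned prefix the blacklist is the only thing standing between the client and an internal host, and the ordering makes that visible even with the placeholder. The default `allow_ipv6=False` keeps the conservative stance of the final comment; a deployment that turns it on should pass its owned ranges every time.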