Segmenting Safe Zones in IPv6

Thursday, May 24, 2012

Jayson Wylie


Where is it safe to surf my browser around here? 

Is this email message really linking me to my DHL package tracking information?

Why does my Intrusion Prevention System flare up on sources located in APNIC, RIPE… LACNIC?

I truly believe in a global presence and access to all the safe content for people around the world. But in America there is an expression commonly known as “A few have ruined it for the rest of us.”

That may or may not be the case, but there are a lot of things that are no-no’s to most of us who are aware of the situation. Yet pop-ups are still telling the uneducated user to install “X” anti-virus application, and, nope, it’s ransomware.

Now the victim has to give their credit card number to criminals to get back access to the system and data. Better cancel the card.

I’m sure this isn’t the first contemplation of alternative scenarios, but I feel that light-net versus dark-net areas of the Internet should be established. Call it a “Safe Haven” or a “Playground” where children can go play while we look away. This would be in lieu of parental controls, but not of supervision.

IPv6 has created a vast address space, and only portions of it are taken up by the typical allocations. I’m sure telecom systems could come up with an intuitive way, or a Windows 8 icon, to address oneself locally and then only have access to the safe networks, constrained by ACLs, rules, monitoring and such.

Host domains would have to be under some scrutiny as to their offerings and thus would be fewer, but access to IPv4 or other off-zone IPv6 sites could still be tunneled and monitored through an appliance with sufficient capacity.

Problematic activity and behaviors that adversely affect the rest of the users in “E-Paradise” would be identified and access denied, with investigations in cases where Trojan variants create financial fraud.

A paid-for, theme-based, segmented and constrained IPv6 sub-network would provide users with some feeling of safety in an environment where that is not well offered today.

Michael Johnson

This is one of the possible thought-provoking implications of IPv6 I hadn't previously considered, and it's one that might cause more problems than it solves. I've always held that the Internet should carry traffic regardless of content, and enable everyone to communicate securely without interference. I hope IPv6 is implemented in a way that facilitates this, so we'd have a more solid foundation on which to build what some people call the 'Internet of Things'.

Here's my main reservation: who draws the line between 'light-net' and 'dark-net'? Which political, religious and commercial pressure groups would influence that decision? Is the idea even workable, considering the 'Internet of Things' would eventually lead to fragmentation of IPv6 address blocks?

There's also a sociological dimension to this. The Internet must be unrestricted for actual information and new ideas to be communicated, people should be exposed to the anarchism that contributed massively to the development of the Internet from the late 1980s - the evolution that comes with the conflict of ideas, values and beliefs. We sometimes hear experts say that security is often a people problem, so instead we should encourage responsibility and the kind of self-education that isn't possible in an AOL-type 'walled garden'.
Jayson Wylie

IPv6 security is a bit lackluster for security, and I don't mean that it can't encrypt tunnels with IPSEC. There is a bit of a false belief that all end-nodes on the Internet have the same universal access to all other connected networks.

One of the prime IPv4 features that allowed us to keep on the IPv4 track while expanding is Network Address Translation (NAT), or more likely it's done by port (PAT) translations.

This allows the use of RFC 1918 address space internally and translates to public allocated addresses externally to allow communication between the private address spaces and public nodes.

IPv6 does not implement NAT at this point, which lays out a good flat network, especially when most operators aren't up to speed on setting IPv6 related blocking rules.

NAT isn't foolproof protection if internal DNS queries go external. DNS queries are the new enumeration technique for IPv6 and there needs to be some protections from that quality.

Setting the environment of a globally accessible internet lends access to all and that includes those with malicious intent.

A "Wall-Garden" based on theme or provider can be a money maker for those who maintain the environment, as well as providing safe travel through the mess that is not openly connected and accessible to any node with an IP address.

I'm not suggesting information censorship but creating a safe world where one does not have to think twice about hitting on a tiny url or going to some pages that come up in a search engine.

There would be possible proactive and aggressive annihilation of nefarious actors, scams and code that affect the ones who don't know better, and I believe that to be a large portion.

I would say that the Internet, in a noble concept, should allow access from home PCs to anywhere else addressed and connected. However, there are a lot of dark places that are able to be connected to, with things that fall under illegal activity as termed by the Government.

Protect people from themselves and clean up the maleficence that has grown up from an all-access. The biggest problem is getting malware from user mouse-click interactions.

I think anyone can morally choose between light and dark net content. So if you are browsing illegal pornography you probably know that's not right. If your child hits the same site, it's more that the connections are there versus their intent for the destination.

I want to leave with one good example of application. Isolate a large smart phone network using local IPv6 addresses and that may help open-source technologies like Droid keep clean.

It would surely identify undesired egress communications going outside the 'Safe Segment' but we are not there yet with developed security appliance or monitoring system development.

One can dream...
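The article's ACL-constrained sub-network and the comment's point about identifying undesired egress outside the 'Safe Segment' can be sketched as a small edge policy plus a flow audit. This is an added example, not code from the post or its author; the prefixes, the tunnel appliance address and the flow records are all constructed for illustration.

```python
import ipaddress

# Constructed values (not from the original post): a unique-local client
# segment, vetted host domains in the documentation prefix, and one
# address on the segment that is the monitored tunnel appliance.
SAFE_SEGMENT = ipaddress.ip_network("fd00:5afe::/32")
VETTED_HOSTS = [ipaddress.ip_network("2001:db8:5afe::/48")]
TUNNEL_GATEWAY = ipaddress.ip_address("fd00:5afe::1")

# Constructed flow records in a hypothetical "src -> dst dport=N" export format.
FLOW_LOG = """\
fd00:5afe::10 -> fd00:5afe::20 dport=445
fd00:5afe::10 -> 2001:db8:5afe::80 dport=443
fd00:5afe::10 -> 2001:db8:bad::1 dport=80
fd00:5afe::1 -> ::ffff:203.0.113.5 dport=443
2001:db8:bad::1 -> fd00:5afe::10 dport=22
fd00:5afe::11 -> 2001:db8:bad::1 dport=53
"""


def classify(src: str, dst: str) -> str:
    """ACL verdict for one flow at the segment edge: allow, monitor or deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    in_zone = d in SAFE_SEGMENT or any(d in net for net in VETTED_HOSTS)
    if s == TUNNEL_GATEWAY and not in_zone:
        return "monitor"   # off-zone access goes through the appliance and is logged
    if s not in SAFE_SEGMENT:
        return "deny"      # unsolicited inbound from outside the segment
    return "allow" if in_zone else "deny"   # clients reach only the zone directly


def audit(log: str):
    """Apply the ACL to each flow; return verdict counts and the direct
    off-zone egress attempts by segment clients that monitoring should raise."""
    counts = {"allow": 0, "monitor": 0, "deny": 0}
    egress = []
    for line in log.splitlines():
        src, _, dst, port = line.split()
        dport = int(port.split("=", 1)[1])
        verdict = classify(src, dst)
        counts[verdict] += 1
        if verdict == "deny" and ipaddress.ip_address(src) in SAFE_SEGMENT:
            egress.append((src, dst, dport))
    return counts, egress


if __name__ == "__main__":
    print(audit(FLOW_LOG))
```

The IPv4-mapped destination in the fourth record stands in for the tunneled IPv4 access the article mentions; it is permitted only because it originates from the appliance.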
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.