IPv6 Auto Configuration from Static Windows Configuration

Had an interesting issue today that has some significant security implications. I was working on an isolated test network. I had a DHCP assigned v4 address. This network is currently not using v6.

I had been having trouble accessing a few services, but since I was setting up a new system, did not really think much of it. Finally I had ssh take forever to come, but it did work, then it was responsive. Because I have seen issues with IPv6 on some of our networks, I did an ifconfig. I had the IPv4 address I expected, but I also had an IPv6 address from a network that we were supposed to be totally isolated from. Start the fire drill … trace all the connections … look at all the services. Where is this address coming from?

Turns out it was coming from a Windows box (XP, I think) that had a hard coded IPv6 address on it. This box was temporarily connected to our test network, but the IPv6 configuration had not been updated. I had both Mac OSX & Linux auto-configuring IPv6 addresses from this source.

The kicker was that this box is not a server, not a router, just a regular Windows client. — Yes it could provide services, but maybe only to a select few?

Here is the impact that really scares me: If I have this configuration and someone has v6 on but not getting something from a router, say at your favorite hotspot: everything that I have shared but firewalled only to those on my network is accessible. A network address based firewall filter is useless.


Leave a Comment