Are there any security issues with the type of IP address you use? Which is the more secure, the dynamic or the static type?
James
|
|
|
|
Not really, no. If you are static, you would be slightly easier to track, but web sites don't track via IP anyway (they use cookies, Flash cookies etc.).
|
|
|
In theory, a static IP is less secure since that's the one you always have, but to be honest either are equally insecure if there's a lack of security at the user's end of things.
It's not the IP as such, so much as the presence. If you have a NAT router between the IP and the PC (so to speak), it's far more difficult for nasties to probe up to the PC. On top of that, a software firewall on the PC is a must.
When I first got connected on 56k, I had a software firewall and no NAT. My firewall had regular probes. Since getting a NAT router, there are next to no nasties appearing on my software firewall.
A static IP is good for certain things. See here:
http://www.zytrax.com/isp/faqs/static.htm
As far as I know, some speedtesters log your tests by IP, so keeping a record of your tests might be a problem with a dynamic one. If you reboot the router the dynamic IP will probably change (but not always).
~~~~~~~~~~
© Camieabz 2002-2011 - All rights and lefts reserved.
|
|
|
> If you are static, you would be slightly easier to track, but web sites don't track via IP anyway
So who does/can track and how can you avoid it if the tracking is covert?
In such a scenario is dynamic really any more secure?
|
|
|
Not really.
If someone was targeting an IP, a static one would be 'always there', and said owner of the IP would be targeted. If someone targeted a dynamic IP it would change owners periodically, so the owner of a dynamic IP would be difficult to target by IP.
That wouldn't stop an authority from tracing someone using a dynamic IP for illicit purposes though.
If you have reason to believe your IP is being / will be targeted, consult with your ISP.
~~~~~~~~~~
© Camieabz 2002-2011 - All rights and lefts reserved.
|
|
|
Thanks for your views
> If you have reason to believe your IP is being / will be targeted, consult with your ISP.
There is no reason but then there is no way of knowing for any of us if it was.
James
|
|
|
I suppose you know that it isn't just probes?
Every website you visit gets to see your IP address at that time. No escape from that as the internet system needs it to work.
My broadband basic info/help site - www.robertos.me.uk
My domains,website and mail hosting - Tsohost. Internet connection - O2 Standard.
|
|
|
> No escape from that as the internet system needs it to work.
So no point in worrying.
~~~~~~~~~~
© Camieabz 2002-2011 - All rights and lefts reserved.
|
|
|
> So no point in worrying.
I think a lot depends whether you're worried about tracking or snooping... ignoring cookies, both should be reasonably covered if you stick to IPv6 sites, with inherent IPSec.
Might limit your choices a bit though
|
|
The author of the above post is a thinkbroadband moderator but it does not constitute an official statement on behalf of thinkbroadband.
|
|
|
I'd like to emphasize that IPv6 is not more secure, but less used, so therefore less used by nasties. Kind of why MACs are considered more secure.
~~~~~~~~~~
© Camieabz 2002-2011 - All rights and lefts reserved.
|
|
|
> I'd like to emphasize that IPv6 is not more secure
Not sure about that... aiui most of the security enhancements that can be grafted on to IPv4 (and hence it can't be taken for granted that they are present) are an inherent requirement of IPv6.
IPSec being the obvious example.
|
|
The author of the above post is a thinkbroadband moderator but it does not constitute an official statement on behalf of thinkbroadband.
|
|
|
pg.31
Conclusion on last page
Not to mention that IPv6 and IPv4 will have to work side by side for a long time to come. Not sure if that's double the security or double the potential for security breaches.
~~~~~~~~~~
© Camieabz 2002-2011 - All rights and lefts reserved.
|
|
|
> Although IPv6 offers better security (larger address space and the use of encrypted communication), the protocol also raises new security challenges. Ultimately, the new protocol creates as many new security problems as it solves old ones. And if that is not enough, the transition from the old protocol stack to the new one may present even more challenges, something that will guarantee plenty of fun for security network professionals in the foreseeable future.
To be expected I suppose... but at least it was designed with security in mind, not just growed as an ad hoc system for geeks, so maybe the white hats will have some advantage over the black ones this time.
|
|
The author of the above post is a thinkbroadband moderator but it does not constitute an official statement on behalf of thinkbroadband.
|
|
|
> Although IPv6 offers better security (larger address space and the use of encrypted communication), the protocol also raises new security challenges. Ultimately, the new protocol creates as many new security problems as it solves old ones. And if that is not enough, the transition from the old protocol stack to the new one may present even more challenges, something that will guarantee plenty of fun for security network professionals in the foreseeable future. To be expected I suppose... but at least it was designed with security in mind, not just growed as an ad hoc system for geeks, so maybe the white hats will have some advantage over the black ones this time.
Perhaps, but doesn't IPv6 also encode the hardware MAC for the NIC into each machine's assigned IP address (in the second /64)?
--
Dave N
Every day, ...... is another day
|
|
|
|
> On top of that, a software firewall on the PC is a must.
Well I suppose if you have no idea of what services you are running on your PC then this might be true. But in that case you'd be better off not connecting to the Internet.
As for me, I have SSH accepting only certificate-based log-ins and a public web server. A firewall would serve no purpose in this scenario.
|
|
|
|
> Perhaps, but doesn't IPv6 also encode the hardware MAC for the NIC into
> each machine's assigned IP address (in the second /64)?
That's one way of doing it ( stateless auto-configuration ) but you can also assign arbitrary addresses by DHCPv6 or just set them manually to whatever clever hex mnemonic you like.
|
|
|
Are you the same Anon poster as the OP?
It's just that the last response makes you sound as if you're 'all techie' which doesn't go hand in hand with the original post
Obviously TBB will be able to tell if you are the same Anon if you have a static IP or are still on the same dynamic one
|
|
|
No it was not me, you were right when you said
> It's just that the last response makes you sound as if you're 'all techie' which doesn't go hand in hand with the original post
James
|
|
|
It's free to register on TBB and it helps everyone...
|
|
|
|
A firewall is a must on any internet connected network. Multiple firewalls are good for separating trusted network zones from untrusted ones, and even layering different levels of trust. But on a home network a router with built in firewall (and not just NAT) and a software firewall on each PC (windows firewall should be sufficient at this level of trust on a well managed network) should be a minimum.
A local firewall may not be needed on every device that resides within a trusted network zone, but that network zone must be protected by one firewall at the very least, and that firewall must let through as few services as possible, and be capable of deep packet inspection on those services it does let through to scan for potential viruses and other nasties. Very few consumer or SOHO routers have a good enough firewall to act as the only firewall protecting a trusted network.
|
|
|
In reply to a post by Anonymous:
> No it was not me, you were right when you said
> > It's just that the last response makes you sound as if you're 'all techie' which doesn't go hand in hand with the original post
> James
It's best to register if you intend to post, James, or even just to read. It stops all the in-thread adverts for a start, lets you edit your posts for up to 12 hours, and saves any confusion.
Threads with multiple Anon posts are a nightmare, especially when the second one starts with "I'm having the same problem ...".
Free, and you do not get spammed!
My broadband basic info/help site - www.robertos.me.uk
My domains,website and mail hosting - Tsohost. Internet connection - O2 Standard.
|
|
|
Oops! Sorry b4dger. I didn't get as far as your post. Threaded mode plus vino.
My broadband basic info/help site - www.robertos.me.uk
My domains,website and mail hosting - Tsohost. Internet connection - O2 Standard.
|
|
|
In reply to a post by Anonymous:
> > Perhaps, but doesn't IPv6 also encode the hardware MAC for the NIC into
> > each machine's assigned IP address (in the second /64)?
> That's one way of doing it ( stateless auto-configuration ) but you can also assign arbitrary addresses by DHCPv6 or just set them manually to whatever clever hex mnemonic you like.
Well, yes, except that some commentators would have it that DHCPv6 was never fully specified and is proving to be a nightmare to set up a working implementation over PPP. See Adrian Kennard's (AAISP) blog:- DHCP over PPP
I claim no expertise or special knowledge for myself and, like many others I suspect, I am only trying to get up-to-speed in readiness for the wider use of IPv6. It seems to become complicated when delving into IPv6CP and associated factors, if only I understood it. See:- IPv6CP vs DHCPv6
--
Dave N
Every day, ...... is another day
|
|
|
|
I highly respect AK's skills, but he is doing something very different to LAN DHCPv6 deployments ( which work very well, I can attest ). I don't normally deal with stuff at the PPP level so I cannot comment on the validity of his approach as an ISP.
Regardless of why, setting the /48 prefix via DHCPv6 over PPP still allows the hosts on the client network to set their actual addresses in any way they like.
For example, router advertisements can forward the prefix to the hosts for stateless auto-config ( using MAC ) or each host could set its address based on a hash of timestamp with hostname and change this every few seconds.
Such is the address space of a delegated /48 that every IP packet could have a unique originating address, if that's what you want.
Or you could name each host using only hex characters and just bung the hostname into the address. And you can have vanity addresses such as 2001:8a1:cc21::feed:f1d0.
IPv6 addressing is very flexible compared to the days of old.
--
v6 guy
|
|
|
Hmmm, thanks. I need to do a lot more reading yet!
--
Dave N
Every day, ...... is another day
|
|
|
|
And as it is normal for devices to have 'global' IPv6 addresses (as opposed to NATed private addresses on IPv4), it is possible to establish an IPSec tunnel between any 2 (co-operating) IPv6 systems.
|