Take care of your biggest vulnerability - passwords!!: dashlane.com/networkchuck50 (50% off) with code NETWORKCHUCK50 Uncover the latest cybersecurity threat with NetworkChuck as we delve into a critical IPv6 flaw affecting all Windows users. Learn how hackers can exploit this vulnerability to gain remote access without any user interaction, and discover practical steps to protect your system. From understanding the intricacies of IPV6 to exploring effective mitigation strategies, this video is a must-watch for anyone looking to safeguard their digital environment. Stay informed and secure with expert insights and actionable advice. 🔥🔥Join the NetworkChuck Academy!: ntck.co/NCAcademy **Sponsored by Dashlane
You forgot to also mention that on your router, you could disable IPv6 that’s what I do… how else am I going to inspect all the traffic in my network without having extremely expensive gear to inspect IPv6
In the interest of full disclosure, I think it's important to stress that this is a Windows-specific bug in their IPv6 stack, not a *general* protocol bug.
Why we blame IPv6? Its Microsoft flaws, not IPv6... Just because Microsoft cannot handle their IPv6 stack its not the reason to blame a protocol which works flawless on Linux and Apple devices
@@NetworkChuck It's not the fault of ipv6 being relatively new. It's the fault of microsoft not ensuring enough that their tcp/ip stack is "memory safe". Buffer overflows are quite common in "C" (programming languag in witch the windows kernel was made in). And when dealing with such important things ensuring memory safety is a must. The issue isn't directly related in any way with with ipv6. And could happen in the implementation of any binary protocol like ipv4,tcp or UDP.
@@purewaterruler @NetworkChuck , me who is not an expert in networking things, can you explain this to me? Do you mean that the process of handling IPv6 packets by Windows is wrong? (I saw he said that it was patched). so technically it doesn't affect other OSes?
@@purewaterrulerignore the guy, these TH-camrs are a dime a dozen, next he will blame c code for being the reason for all hacks (maybe it's easier to get buffer overflows with it but still..).
Don't blame the IPv6 standard for Microsoft letting off by one errors slip into their kernel, please. Also don't say IPv6 is bad due to a lack of NAT, with IPv6 you can still have your consumer grade router run firewall duty. Speaking of which, most router/modems you get from ISPs are so ridiculously unsafe that NAT is not going to save you.
Yeah but most ISP routers are set to quasi map your public IPv6 address to your device intranet and/or MAC address. This sort of "surprise" privacy violation by deviating from standard firewall behaviour is creepy and unnacceptable.
Don't you mean, the "Microsoft contract states they have no liability for their actions which impact their customers, even if it impacts the bottom line, their technology, privacy and life of every customer and business on the planet" ?
@@ELEC7RO your argument makes no sense whatsoever, IPv6 has been implemented without issue in many operating systems, windows is the only one with an egregious security defect
Windows is a great security rich OS. It has this issue and bad security suppliers. What more could you want from the most widely used operating system. 😅
@@williamgraves-hx8om Most widely used OS? I think you forgot about the server market share which is at least 90% Linux. Even Micros**t uses Linux for their servers. Besides, widely used actually just makes the issue worse because more people are exposed.
@@yustwastaken I'm not a fan of Micros**t, but being spied on by the very provider of the OS is not a security issue, but a privacy one. Though, this doesn't make it any better and it is still an issue.
Its sad to see, that popular content creators like you are fueling the "IPv6 is bad" movement and therefore extend the "dual stack" period even more Any technical person can understand, that the IPv6 vulnerability is Windows specific but everyone else learns that "IPv6 is bad" there should be no good reason to not have broader IPv6 support now in 2024 other than skill issues inside ISP's, which is nothing new
also he is talking about NAT like it some kind of firewall.... it's just a translation layer people can still connect to your computer even with NAT...
It's true the video is badly constructed and leads to IPv6 fears instead of explaining what's at stake: sensationalism at its best. What's true in his video though is that IPv6 has some flaws that lead to vulnerabilities and critical environments like most big companies just don't use it because a stateful packet inspection firewall at enterprise scale costs crazy money, and for individuals too. But nowadays most ISPs provide router/boxes that provide basic stateful firewalls (not packet inspection tho) that provides the same protection NAT does, and for individuals at home that's pretty much enough unless you're crazy and start toying with opn/pfsense. It would've been advisable to tell them to check if their router/box has an IPv6 firewall (often labelled as this) in the video instead of... "hurry disable ipv6!" because many other devices use it on their network anyway and need it (phones, IoT...)
The truth is unmanaged network services are bad. That is true of SNMP, CIFS, whatever. Disabling IPv6 is one way to manage that service; just make sure you're really done it completely (especially on a business network) and aren't burying your head in the sand: that means blocking it on your switches and routers and alerting when route IPv6 services or tunnels appear on the network. This whole "IPv6 is hard... we don't understand it" is just lazy IT. It's not any more hard than any other technology. I've been using IPv6 for 23 years, back when the 6bone network existed and had native IPv6 when Sprint offered it and we had BGP6 peering with them.
Dude, same problem has happened on linux (back in 2015), its legitimately IPv6 problem. Honestly more of a hardware problem from the way I see it network card should have separate physical RAM/cpu that sandboxes this kind of stuff in a way thats safe from overflow.
This makes ipv6 as a whole sound like a problem. No it's not. Windows and Microsoft are the problem. The vulnerability is in how they implemented ipv6. Also lacking some core details, yeah "integer underflow" but you can't just tell it "please do an underflow", explaining what causes the underflow would've been nice. And it's ironic how you explain that ipv6 adoption is slow, and proceed to show how to disable ipv6 thus slowing it even more. If the fix was disabling stuff nothing would ever evolve, update your stuff don't disable it.
"Your device has an IPv6 address. This should scare you." No, it shouldn't. Residential gateways have a "default deny" firewall for inbound connections. If you come across an ISP for which this isn't the case, name and shame them, please, I'm begging you, because I'm certain you won't find one.
@@brentsaner - yours did have a "default deny" but you had that rule removed. JivanPal's statement was correct, and likely is still true, but they added a "permit any" rule in front per your request.
Hahaha, there is no such thing as a "Residential gateway." You have 100 different ISPs that have 300 different types of hardware and all do whatever they feel like with regard to IP addresses: nothing is standardized, nothing should be assumed.
@@LackofFaithify Who said anything about formal standards? Saying "there's no such thing as a residential gateway" is like saying "there's no such thing as a network switch" or "there's no such thing as a supermarket". These are broad, generic terms; of course such things exist. If you are indeed saying that you know of ISPs screwing up IPv6 deployments, then please name them as requested in my original comment, for everybody's benefit. The same goes for any ISP screwing up IPv4 deployments or other security concerns as well. If having an IPv6 address scares you, why doesn't having an IPv4 address also scare you?
If only Windows users could compile their own custom kernels like I do - no IPv6, no Wifi, no Bluetooth, no virtualization, just what's necessary for my programs to run my hardware. Good thing for the userspace, too: I can uninstall so many libs and tools I don't need - DHCPv6, zeroconf, bluetooth-agents, peripheral firmware blobs - I don't even run sshd unless I need it. This has resulted in fast, compact, reliable systems with zero attack surface; systems that still are able to run Steam games and so on. (Typing this on my AMD rig running openSUSE 15 and my custom Linux kernel.) Cheers!
A critical flaw exists in the development lifecycle of Microsoft’s operating systems and applications, rooted in a network protocol that does not pose issues for Linux, macOS, or BSD systems.
@@joeskleinEXACTLY this is a microsoft os created issue at least Linux isn't crap rush job simp coding Windows operating system is pointless nowadays I don't care how many people in the world use it it's absolutely garbage it always has been why can't people get that through their bloody heads???
@@joesklein Linux had and fixed this very same implementation problem in 2015, oh, it can happen if writing a new IPv4 implementation too. It is not ipv6 other than it happened to be ipv6 code in this case, it is not windows other than it happened to be windows in this case, it is a general failiure of networking protocol implementations implemented in C/C++, one that has come up before and will again. It comes down to a rather annoying thing, when getting a new packet, how much space do we allocate to store it in before we have the packet to measure it. Helpfully there is a bit of information in the header about how big the payload is, so read header allocate what it says the payload is, then start copying in the payload. Oh, one problem that value was wrong and so did not allocate enough space.
Why does having a routable IPv6 address mean not having a firewall? Also, having a memory overwrite attack, which somehow makes me feel nostalgic for the 90's, sounds like a badly written code issue, not a specification issue. At least if the implementation isn't part of the spec.
Having a routable IPv6 address does not inherently mean that there is no firewall protecting the device. However, the confusion often arises from the differences in how IPv4 and IPv6 handle address translation and security. 1. IPv4 NAT vs. IPv6 Global Addresses: • In IPv4, Network Address Translation (NAT) is commonly used to translate private IP addresses to a public one, which often serves as a rudimentary security layer by hiding internal network addresses from external networks. Because of NAT, devices with private IPv4 addresses are not directly reachable from the outside unless explicit port forwarding is configured. • In IPv6, NAT is generally not used, and devices can have globally routable IP addresses. This direct accessibility raises concerns that devices may be exposed to the internet without the protection that NAT seems to provide. However, this doesn’t mean that IPv6 devices are without firewalls. IPv6 was designed with the assumption that proper stateful firewalls would be in place to control traffic, rather than relying on NAT.
@@joesklein - globally routable doesn't mean directly accessible. The router should have at a minimum stateful firewall, and the Windows device should have the local firewall enabled. This is true for IPv6 as IPv4. Second, just because it is globally routable, there is no way to remotely identify the IPv6 LAN addresses without the IPv6 LAN device reaching out to the Internet first. There are many IPv6 solutions in place to mitigate the learning of fixed IPv6 addresses as well, mainly RFC 3041's Privacy Extensions and random IPv6 addressing. So IPv6 addresses are far from static, as both the network address is likely to change as is the node addressing.
As I understand it part of the problem with this bug is that it happens before it ever hits the firewall. The moment your windows machine receives a poisoned packet it causes the bug which allows remote code execution. It doesn't work with IPv4 and NAT because with that, the IP address isn't the address of your machine, it has to be translated and sent to the target machine which allows for security features to kick in before it gets there or something (I'm no code scientist). I don't know if this means there should or shouldn't be more security features for IPv6 built into the router but at the same time, there probably shouldn't be an overflow bug in microsoft's code that can happen merely by receiving a packet in the first place. They patched it so there no longer is but come on. Nobody else has this problem.
Don’t tell him that NAT is a Firewall Feature 🤫 But in all honesty, he either has no idea about IPv6 and network in general, or he just lies to get more clicks
@@StanleyPinchak IPv6 has the same "attack surface" as IPv4 has. Also, there are hundreds of millions of people (e.g. India) that wouldn't have access to the internet, so it is 100% necessary.
I’m sorry but the video thumbnail is completely nonsense… has nothing to do with the topic itself and it seems like a attention grabber for views since it’s clearly a over the top scare. But i get it… views = revenue
Yup, pure clickbait nonsense. I figured I'd hear NetworkChuck out... but like most clickbaiters, I'll mark them as "boy who cried wolf" and ignore in the future as a technically adjective resource. He could have just titled it, "IPv6 implementation in Microsoft gets hacked" and had plenty of clickbait draw without the misinformation.
1:20 REPEAT WITH ME 10x: NAT IS NOT A SECURITY FEATURE ! NAT IS NOT A SECURITY FEATURE ! NAT IS NOT A SECURITY FEATURE ! NAT IS NOT A SECURITY FEATURE ! NAT IS NOT A SECURITY FEATURE ! NAT IS NOT A SECURITY FEATURE ! NAT IS NOT A SECURITY FEATURE ! NAT IS NOT A SECURITY FEATURE ! NAT IS NOT A SECURITY FEATURE ! NAT IS NOT A SECURITY FEATURE !
Security by obscurity but still a defense mechanism by not routing internal resources but not necessarily blocking them or applying any advanced rules since you still have the option to establish a connection by initiating it from the internal resource
it absolutely is. does your router just forward packets internally from any random tcp connection initiated remotely? No. Your internal device has to initiate the connection. This is why STUN, port forwarding and UPNP are a thing.
@@ronaldhofman1726 Yes, but he’s talking about NAT in IPv4. And yes firewalling is the solution, always has been, even in the IPv4 days. Disclaimer: Technically there is NAT66 (or NPTv6), but for the love of humanity, don’t, just no.
Here i thought that maybe it would be something constructive, but no, same thing over and over again from people not understanding the paradigme change about IPv6. NAT isn't a security feature, the security feature is your firewall that block inbound non-tracked traffic before it gets translated. So no, IPv6 is not "less secure" than IPv4 as long as you have a properly configured firewall on both sides that do not let non-tracked inbound traffic get in. The whole video is like "IPv6 is the problem". No, the problem is a vulnerability in the implementation of IPv6 TCP/IP stack by Microsoft on Windows. It's not BECAUSE it's IPv6 related that IPv6 itself is the problem. Like you said, only Windows is vulnerable here. Also, disabling IPv6 at the OS level is the worst advice you can give, it can break core functions that the OS relies on if you don't know what you're doing. Also by saying that, you just contribute to the slowness of the IPv6 transition with more people saying the same things as i stated before over and over and over again. Please consider making a corrective video about this.
@kunka592 if you're a sysadmin / doing business maybe and that's MAYBE you should worry about it, then if you're a gamer / average joe just browsing the web, you probably have nothing to worry about it. IPv6 is disabled in my OS and router and my ISP isn't willing to give me a IPv6 address and I'm doing fine. I heard that it breaks Windows Email, but who the heck uses it anyway? That's right, businesses. If you're not a business = you're mostly fine.
@@kunka592he’s just talking shit, if your not relying on ipv6 just disable it and your fine. There’s still an option to use only link-local addresses also.
I just want to add that having NAT enabled is not the same as having a firewall and vice versa. A firewall will block any incoming IPv6 traffic just the same as incoming IPv4 regardless of having NAT rules enabled for x traffic or not.
Just cause you have a publicly routeable address does not mean anyone can reach it. NAT is not what protects you from the internet. Your firewall does. So your ipv6 address is just as protected by your router as your ipv4 address. Do better Network Chuck
Agreed that IPv6 is not automatically reachable behind a firewall. The point is that it makes it possible. But it's dangerous to assume security is in place. NAT is a barrier even though we wouldn't consider it a "security feature".
I selfhost server with public IPv6, one thing I've noticed there seems to be no bots scanning in IPv6 space. IPv4 starts to get hammered in few days, IPv6 just silence. And I suppose if someone finds my server, I can change IP and now they need to scan my whole /56 net which is multiple time bigger than whole IPv4 space or my single public IPv4 address.
@@finnderp9977 I do think this is a matter of time, their is some good techniques for IPv6 scanning, but on average the people running IPv6 servers on the public Internet are a little bit more knowledgeable so not the low hanging fruit.
@@finnderp9977 I agree I have over 10k scans a day that are blocked by firewall block lists and about 100 every day that will hit my servers and start brute force attacks until the fail2ban kicks in. All of that is with IPv4. In the IPv6 space I have never had a port scan against my servers.
@@DylanClements98 - still gonna need to Proxy and/or have some dual-homed solutions to reach the IPv4-only Luddite websites and mail servers, and DNS servers if you run your own resolver without forwarding.
0:02 : "Has just been discovered" (It has been disclosed since more than two weeks). I felt like content quality on NC channel has dropped lately. Maybe holiday time consequence today...
From my point of view it is exactly that part in most of networking tutorials, step one deactivate IPv6, which causes the problem not evolving the IPv6 environment. And it is becoming more and more necessary as you don’t get a global IPv4 anymore with new providers. E.g. fiebre providers. At least if you don’t buy in for a business contract.
Disabling IPv6 may be an easy stop gap but I would have thought the better solution would be making sure the firewall both at the router and on the local machine was correctly configured
you say this as if it's the entire IPV6's fault. no it's just microsoft writing memory-unsafe code. also disabling IPv6 will NOT solve the issue. the IPv6 stack is just told to ignore the packets, but this exploit doesn't care. the IPv6 packet is still being read, even if it's just ignoring them all.
A critical flaw exists in the development lifecycle of Microsoft’s operating systems and applications, rooted in a network protocol that does not pose issues for Linux, macOS, or BSD systems.
Honestly, we don't know enough details about this IPv6 vulnerability in Windows to know that last part, it depends on where in the IPv6 stack the problem is.
MSFT says that disabling IPv6 mitigates it so... it has something to do with IPv6 thus being not completely on MSFT's side. Unless... they're lying to us!
If you’re not relying on ipv6 turn it off and you’ll be fine. If you tell a device to ignore packets, they aren’t being processed. If you’re still worried do some pcap and investigate.
I'm deeply sorry, but I think your spreading the wrong information here : The flaws you referenced are mostly problems in the MS Windows IPv6 software stack, not in IPv6 the protocol itselfs. Spreading wrong information about the protocol will not be useful to help people understanding it in more details. It's true that people aren't familiar with v6, and network engineer are getting up to speed on that, but as for v4, we need firewalls to protect our Lans. If your CPE doesn't do it by default, that's a problem. Opnsense filters that by default, and most of the other device also do (at least the one I encountered).
Computers should be directly reachable except as blocked by firewall. It would bring back everyone being able to run a server on their own personal hardware among other good things. The internet has been missing this for some time and it is important.
I have been working with it since 2000, and have been focusing on securing IPv6 over that time. Problem is Microsoft, as Linux, BSD and MAC OS are constantly meeting the operational and security requires for cloud, business, and ISP's.
@weekendwarrior3420 Well, of course everyone needs an IP that won't exhaust. ipv4 is already exhausted, and besides, this type of vulnerability is only in Microsoft, not in Linux or Mac. It's Microsoft's fault. IP addresses are crucial for accessing the internet. How are people going to access the internet if they can't get an IP? Also, widespread adoption will make it more secure day by day.
@@jalish.mahmud dude, unfortunately many ISPs (like mine) won't provide users with IPv6... that's not entirely our fault. Given that, I'll keep IPv6 disabled for the time being as my ISP isn't willing to expend money revamping their systems to accommodate new technologies. Maybe in the future... maybe.
It is relatively new Made me laugh so hard... I First Heard that ipv4 will be replaced "soon" in my Network course at University. That was Back in 1999. So while the Standard might be new, it was implemented 25 years ago. Ipv4 was turning 18 that year. And its Not ipv6 which is flawed, Windows is.
I'm sorry, but this video is a bit misleading. No one can connect to your toilet through IPv6 from the internet, especially when, by default, there are no open inbound port rules on the router to the IPv6 address of your toilet. NAT is not a crutch for a firewall/ACL.
Usually I’m a huge fan of your videos, but this one is just painful to watch. This issue is entirely on Microsoft not being able to write secure kernel code and has nothing to do with the IPv6 standard. Recommending disabling IPv6 is like recommending disabling UDP. With this video you showed everyone that there is a lot for you to learn when it comes to networking.
"We don't really need it right now" Chuckles in no IPv4 from some of my ISPs. It's easy to say if you already have a v4, but even then some services, mine included, have started hosting things on v6 only networks too, which v4 only clients complain to me about, and all I can do is shrug my shoulders and say complain to your ISP
@@papahuge 😂...my point was more around why just disable IPv6 instead of learning it? I mean TUGIDs are a thing that mitigate most of what Chuck brought up as a flaw and there are many other configs than take privacy to a whole new level. With a bit of learning effort IPv6 can be a thousand times better than ipv4, but this advice is not very good. Especially for an educational youtuber
Microsoft has so many vulnerabilities, risking you, your family, business and country, of privacy, security and so much more. Its simple, move to Linux, MACOS, BSD, and run Microsoft as a VM or docker container.
No, it's more like bolting a door shut permanently because the lock doesn't work well. If nobody even needs to use the door, what difference does it make? The average user doesn't care about your lofty IPv6 adoption goals. Anyways, knowing multiple ways of dealing with a problem is always good so you can make an informed decision.
it's not a protocol problem but a windows problem. and a patch was released on the same day it was discovered. if you can't update that's a you problem i guess. NetworkChuck is just harming the internet as a whole with this alarmist video
@@dreamsneezer8668 1. I'd argue that more people than know it really do depend on IPv6 these days, or at least use it. 2. Turning IPv6 off, or burning the house to get rid of all the rodents, is definitely a solution to the problem. It's just not the best solution in most cases.
Disabling IPv6 in windows does NOT!!! protect you from this exploit, as the vulnerability is earlier in the stack. Disabling the interface therefore does nothing. Also, i would disagree with the statement that ipv6 is not needed yet. Many websites/services already prefer serving their content via IPv6 (Google, TH-cam, Netflix...) and depending on yours and your ISPS network configuration, it can help with P2P applications and reducing latency due to NAT.
@@pedromain based on the statisitics by companies like Google, etc. the answer is: they are, because when a provider doesn't have enough IPv4, they will use "Carrier Grade NAT" which often makes it slower.
"Disabling the interface therefore does nothing" Honestly, as far as I know, we don't know yet. I think people really don't want to disclose information to make it easier for bad actors to figure it out.
NAT was only "security" back when routers where stateles... they aren't anymore though... and... people shouldn't really be vulnerable unless in a hotel wifi or something. Telling them to turn of IPv6 instead of updating is going to hurt IPv6 adoption significantly, as they're definitely not going to turn it back on any time soon. They'll just forget
Good. Let the experts sort out IPv6 and then roll it out to consumers in 50 years when it is reasonably tested. NAT IPv4 is plenty good for consumers for the foreseeable future.
So... what I'm hearing is (and feel free to correct me if I'm off-base here) is that there are people out there running dual-stack (v4 and v6) networks that failed to take into consideration that IPv6 can be publicly reachable and didn't configure proper firewall rules at the edge to ensure that their machines are not publicly reachable? IPv6 isn't the problem here, it's lazy netadmins and home routers with bad default IPv6 policies. In this specific case, it's also MS for writing garbage IPv6 code in their network stack.
This is also extremely uncommon as far as I'm aware. But I guess we'll see what happens, if the exploit gets known in the wild, how many people do install updates and do have their firewall enabled.
Firewall rules should still stop someone else on the internet from accessing your public ipv6 address. NAT itself isn't security... Most firewalls will provide you with a firewall rule the moment ipv6 is detected whether it be slaac or dhcp6. Up to you what you do from there on. Ipv6 is not the problem with this vulnerability, its the crap software that's been designed in such a way to allow for this vulnerability. Many countries outside the western and anglo sphere use ipv6 primarily. Simply disabling it won't solve your issue if that's the only way you can reach the internet. Just keep your OS up to date when patches come through. Also from my experience with Isps here in Australia we don't get assigned ipv6 (unless you ask to have it along with ipv4) so not too sure how different it is for you guys in the US.
Fun Fact: IPv1, IPv2, and IPv3 were prototypes of the IP system that were never publicly released, but definitely existed. IPv5 was a version of IPv4 that was designed for server to Server communications (rather than server to client), but it was needlessly complex, and so nobody ever adopted it. IPv7 is currently in development and is supposed to be a faster and more secure version of IPv6.
Speaking as a security professional, the correct fix for this issue is to apply the relevant patch, not disable the relevant feature. Yes, IPv6 implementations (read: vendor code) are less vetted than older IPv4 implementations and will have more undiscovered vulnerabilities (this is the nature of software), but it doesn’t mean we should turn it off. This approach hurts progress towards global IPv6 adoption.
Please don't do this in a business environment. You have no idea how much of the Windows infrastructure (including AD, Exchange, etc.) are built around IPv6. This breaks so many things and causes so many weird issues on Windows Networks.
Compete FUD. I'm very much an IPv6 advocate, but it can be blocked at the network level and never harm anything. We have GPOs disabling it on all LAN adapters, block it on L2 & L3 switches and monitor for it on our network taps.
While this is technically correct, ie. No NAT on IPv6, and addresses being globally routable, all those packets and data are still going through your home router, which also remains a Gateway between your LAN and WAN. Packets being IPv6 doesn't mean they automatically get to skip routing tables, nor do they get to magically bypass firewall rules unless you've REALLY misconfigured something. Don't go telling people to disable IPv6 entirely because Microsoft cares more about shoving Spyware and bloatware into their garbage OS than producing a solid IPv4 and/or IPv6 network stack. For one thing, you'd be surprised how much local stuff relies on there at least being link-local addresses available. Apple products for one, particularly iOS make heavy use of IPv6 and while they will fall back to IPv4 for most things, going from a cell network with IPv6 connectivity to a LAN without it can look like broken local LAN/WAN to many people. Plus, if you REALLY want IPv6 NAT for some reason rather than just running a router that is configured correctly for consumer IPv6 networks, you can totally do that. It's just a giant headache when you start getting into real world use ... so basically the same endless headaches that NAT causes in the IPv4 space. Which forced us to come up with ugly-ass hacks, workarounds and security holes just so people can (hopefully) manage a direct connection for services that need it.
Your globally routable address must still pass through the physical interfaces of your router, and if your router firewall is configured correctly it will still protect you. Globally routable addressing in and of itself is not dangerous. Microsoft just dropped the ball.
NAT is not a security feature, but a dirty hack, to handle the scarcity of IPv4-addresses. The problem is also not IPv6 but, that too few people invested in deploying IPv6 and developing a stable network stack - namely Microsoft.
A critical flaw exists in the development lifecycle of Microsoft’s operating systems and applications, rooted in a network protocol that does not pose issues for Linux, macOS, or BSD systems. Yes, Microsoft has SCARED THE LIVING FUCK OUT OF ME, since 1988.
Won't having default IPv6 rules in a firewall prevent this? Just because NAT isn't a feature of IPv6 doesn't mean that there are now no firewalls and local networks, at least based on how I understand IPv6😊
IPv4 ran out about 15+ years ago, but it was already distributed globally. Google, Cisco, Microsoft, and other content providers lied/exaggerated to convince other networks to convert. Typical "in 3 years, the Internet will crash" extinction lies. Most companies knew it was true, so the conversion process was slow. Even now, the Internet runs on IPv4 and iPv6 dual stack with the majority of the traffic being IPv4.
This IPv6 problem isn't as big of a deal as people make it out to be. first of all windows has IPv6 disabled by default. You're primarily running on IPv4. If you're worried about a problem like this, make a rule in the firewall to prevent any unauthorized IPv6 packets from getting input into your system. You'll be fine. This way if you need to use IPv6 it'll be handled by your router since almost every router runs using the Linux kernel which doesn't have this problem you'll be fine. This mostly affects people like network chalk who deal with IT work as a lot of sis admins use IPv6 to directly log into their servers once again most servers use Linux which doesn't have this problem. There is a hot fix for servers if you want to install it on your home system; however, I'm sure once Microsoft perfects the fix it'll get passed down in updates.
What I like with IPv6 is the ability to assign temporary ipv6 addresses per app. So technically every app can use their own IP and thrash it as soon as you exit the app. So if you thibk aome ddosing you? Just relaunch every app and your done
For once i do not liked a NetworkChuck Video, yes IPV6 is not firewall enought by some routers, but it's not IPV6 fault, it's ISP's, Router makers, and Microsoft :(
That "knock" at 2:30 seriously had me JUMP out of bed as I watch this in the middle of the night with headphnones on. Picking my heart up off the floor right now. LOL Thanks Chuck!
Had problems with cable IPTV boxes. They would stop working because the update server had only IPV6. So on a IPV4 network eventually the TV box would stop working. It needed IPV6 to update the software. Just be aware that this could happen.
Maybe Microsoft should consider opening the source of a few critical Windows subsystems, such as the network stack, and let the community do the work for them. Can't, because of NDAs? Maybe the ReactOS one is better, so drop the proprietary one and use the ReactOS one.
Yaaay! Time to leave all previous functionality behind and relearn a whole new system that works totally different and barely works most of the time. Did I mention that everything you were used to working won't work anymore? YAY!
@@ELEC7RO barely works? Sounds about like the experiences i had trying to do useful work on a windows machine.. Probably fine if you just want to watch some youtube or do other mindless webcrap, but useless for much else
BTW these attack vectors such as ping of death have been used against ipv4 as well. ipv6 IS new and ISP have not been changing because they do not really have to. The router gear they use (Frame-relays etc) rely more on MAC address translation Also I noticed you didn't mention IPv6-via-IPv4 that many ISP's are using as a stop gap.
Omg I don't know what to do... *Logs into router and adds v6 firewall rule to drop incoming v6 connection unless related or established on /48 prefix* IPv6 is the greatest invention, just be good at firewalling, you can firewall v6 prefixes the same way as v4 nat.
I know THIS problem is Microsoft's, but... IPv6 is a failure overall. During design they cut proposed good features and added other useless or potentially dangerous ones. Add the fact most ISPs implement it either badly or not at all over a decade (p.s. it was launched publicly 2012 not 2017 as you said) after launch and you got a failure! I'll wait for IPv8 for them to fix the problems.
3:44 that information is wrong, link-local addresses aren't public addressable, FE80 is tied to the mac address, its local to the link layer, thus it can't pass over the router.
Ok for us newbs, english please. I am pretty sure my computer is being hacked. The screen goes blank randomly, and my cpu usage is 80-90% when I am only online. Plus I use recommended passwords that Microsoft browser recommends.
Your video claims there's a problem in IPv6... Yet all the problems you discuss are issues in windows, not IPv6.. Maybe you should make a video about why windows security is so terrible instead?
Maybe because windows isn't the less secure, being the largest os on earth and being constantly attacked by hundreds of thousands of hackers, it still manage to be used by critical organizations around the world. If linux had a large userbase like windows it would have all kinds of nasty viruses and it already has some vulnerabilities
I really want to learn more about IPv6 and how to secure it, I thought our network firewalls still protect IPv6 despite it not using nat, because I need it enabled on my network, our cable boxes from our ISP don't seem to work correctly when its disabled
If you have a basic consumer router, just ensure that the Stateful Packet Inspection (SPI) firewall is enabled. This will prevent unsolicited packets from the Internet from reaching your devices on your LAN, unless you specifically open ports on your router and devices.
Take care of your biggest vulnerability - passwords!!: dashlane.com/networkchuck50 (50% off) with code NETWORKCHUCK50
Uncover the latest cybersecurity threat with NetworkChuck as we delve into a critical IPv6 flaw affecting all Windows users. Learn how hackers can exploit this vulnerability to gain remote access without any user interaction, and discover practical steps to protect your system. From understanding the intricacies of IPV6 to exploring effective mitigation strategies, this video is a must-watch for anyone looking to safeguard their digital environment. Stay informed and secure with expert insights and actionable advice.
🔥🔥Join the NetworkChuck Academy!: ntck.co/NCAcademy
**Sponsored by Dashlane
Hey Chuck this comment is 18 hours old on a 1 hour old video post ... riddler
I am selling the CEH exam ticket cheaper than the cost (ordinary CEH, Not practical) please help me
firewall use secure your port or more done filter add
You forgot to also mention that on your router, you could disable IPv6 that’s what I do… how else am I going to inspect all the traffic in my network without having extremely expensive gear to inspect IPv6
Have always disabled it for ever and ever. Reading up on it made me decide not to implement. Hope I never need it in my lifetime.
In the interest of full disclosure, I think it's important to stress that this is a Windows-specific bug in their IPv6 stack, not a *general* protocol bug.
And does not impact MAC OS, Linux, or BSD.
Why we blame IPv6? Its Microsoft flaws, not IPv6... Just because Microsoft cannot handle their IPv6 stack its not the reason to blame a protocol which works flawless on Linux and Apple devices
Not blaming IPv6. It's just a reality that something relatively "new" will be prone to errors and mistakes when developing for it.
@@NetworkChuckyou absolutely were blaming it on ipv6
"The worst part is, it's how ipv6 works" right in the beginning of the video.
@@NetworkChuck It's not the fault of ipv6 being relatively new. It's the fault of microsoft not ensuring enough that their tcp/ip stack is "memory safe". Buffer overflows are quite common in "C" (programming languag in witch the windows kernel was made in). And when dealing with such important things ensuring memory safety is a must.
The issue isn't directly related in any way with with ipv6. And could happen in the implementation of any binary protocol like ipv4,tcp or UDP.
@@purewaterruler @NetworkChuck , me who is not an expert in networking things, can you explain this to me?
Do you mean that the process of handling IPv6 packets by Windows is wrong? (I saw he said that it was patched). so technically it doesn't affect other OSes?
@@purewaterrulerignore the guy, these TH-camrs are a dime a dozen, next he will blame c code for being the reason for all hacks (maybe it's easier to get buffer overflows with it but still..).
this is why i only use ipv5
İpv5 user before gta6💀
Edit:Wow didnt expect that much likes.thank y'all🤍
OH YEAH
Crazy shit 😢
We got ipv5 before gtavi
😂😅
Don't blame the IPv6 standard for Microsoft letting off by one errors slip into their kernel, please. Also don't say IPv6 is bad due to a lack of NAT, with IPv6 you can still have your consumer grade router run firewall duty. Speaking of which, most router/modems you get from ISPs are so ridiculously unsafe that NAT is not going to save you.
Yeah but most ISP routers are set to quasi map your public IPv6 address to your device intranet and/or MAC address. This sort of "surprise" privacy violation by deviating from standard firewall behaviour is creepy and unnacceptable.
Standard. lulz
Don’t blame IPv6 for Microsoft’s failures.
*This*
Don't you mean, the "Microsoft contract states they have no liability for their actions which impact their customers, even if it impacts the bottom line, their technology, privacy and life of every customer and business on the planet" ?
Don't blame the OS for vulnerabilities in barely tested barely adopted somewhat new messy protocols
@@ELEC7RO It was a vulnerability in Windows' implementation of IPv6, not IETF's specification of the protocol. Microsoft clearly gets the blame here.
@@ELEC7RO your argument makes no sense whatsoever, IPv6 has been implemented without issue in many operating systems, windows is the only one with an egregious security defect
"IPv6 keeps getting hacked" or rather "Windows keeps getting hacked"
Windows is a great security rich OS. It has this issue and bad security suppliers. What more could you want from the most widely used operating system. 😅
@@williamgraves-hx8om what about not getting spied on by Microsoft
Except it’s not always windows, but IPv6 for some reason or another in many systems being implemented badly, think outside the box
@@williamgraves-hx8om Most widely used OS? I think you forgot about the server market share which is at least 90% Linux. Even Micros**t uses Linux for their servers.
Besides, widely used actually just makes the issue worse because more people are exposed.
@@yustwastaken I'm not a fan of Micros**t, but being spied on by the very provider of the OS is not a security issue, but a privacy one. Though, this doesn't make it any better and it is still an issue.
Its sad to see, that popular content creators like you are fueling the "IPv6 is bad" movement and therefore extend the "dual stack" period even more
Any technical person can understand, that the IPv6 vulnerability is Windows specific but everyone else learns that "IPv6 is bad"
there should be no good reason to not have broader IPv6 support now in 2024 other than skill issues inside ISP's, which is nothing new
also he is talking about NAT like it some kind of firewall.... it's just a translation layer people can still connect to your computer even with NAT...
It's true the video is badly constructed and leads to IPv6 fears instead of explaining what's at stake: sensationalism at its best.
What's true in his video though is that IPv6 has some flaws that lead to vulnerabilities and critical environments like most big companies just don't use it because a stateful packet inspection firewall at enterprise scale costs crazy money, and for individuals too.
But nowadays most ISPs provide router/boxes that provide basic stateful firewalls (not packet inspection tho) that provides the same protection NAT does, and for individuals at home that's pretty much enough unless you're crazy and start toying with opn/pfsense.
It would've been advisable to tell them to check if their router/box has an IPv6 firewall (often labelled as this) in the video instead of... "hurry disable ipv6!" because many other devices use it on their network anyway and need it (phones, IoT...)
Reminds me of the guy on linkedin screaming about dns being hacked everyday
IPv6 is clown world.
The truth is unmanaged network services are bad. That is true of SNMP, CIFS, whatever. Disabling IPv6 is one way to manage that service; just make sure you're really done it completely (especially on a business network) and aren't burying your head in the sand: that means blocking it on your switches and routers and alerting when route IPv6 services or tunnels appear on the network. This whole "IPv6 is hard... we don't understand it" is just lazy IT. It's not any more hard than any other technology. I've been using IPv6 for 23 years, back when the 6bone network existed and had native IPv6 when Sprint offered it and we had BGP6 peering with them.
Denying the current internet protocol is silly, they hacked a WINDOWS lame code, not IPv6.
The incoming Package is bigger than expected and so it OVERWRITES THE NEXT RAM PAGE ? Really ? how is this possible AGAIN AND AGAIN ?
0:23 Bro, it's not IPv6 fault, it's Windows and Microsoft for creating shitty spyware, I mean, software 💀
Funny how my Mac is just fine 😂
Dude, same problem has happened on linux (back in 2015), its legitimately IPv6 problem. Honestly more of a hardware problem from the way I see it network card should have separate physical RAM/cpu that sandboxes this kind of stuff in a way thats safe from overflow.
@@DJSOUNDWAVE and ofcourse linux users and temple os users too
@@mapu1 You don't know what you are talking about. The problem was coding mistakes in Windows , specifically tcpip.sys.
@@DJSOUNDWAVEI’m running mac but how does that affect our vulnerability in this context?
"Windows keeps getting hacked"!
This has nothing to do with the design of IPv6 and everything to do with bad code from Microsoft.
This makes ipv6 as a whole sound like a problem. No it's not. Windows and Microsoft are the problem. The vulnerability is in how they implemented ipv6. Also lacking some core details, yeah "integer underflow" but you can't just tell it "please do an underflow", explaining what causes the underflow would've been nice. And it's ironic how you explain that ipv6 adoption is slow, and proceed to show how to disable ipv6 thus slowing it even more. If the fix was disabling stuff nothing would ever evolve, update your stuff don't disable it.
I was about to talk this.
Also completely assuming that there won't be a firewall on the router to provide the same security benefits of NAT.
migration to ipv6 should have been completed years ago...
And don’t use Windows
He has no idea 😂
"Your device has an IPv6 address. This should scare you."
No, it shouldn't. Residential gateways have a "default deny" firewall for inbound connections. If you come across an ISP for which this isn't the case, name and shame them, please, I'm begging you, because I'm certain you won't find one.
Mine doesn't! But I also asked them to disable any inbound filtering because I do it on my border myself. Small ISPs are the best.
@@brentsaner - yours did have a "default deny" but you had that rule removed. JivanPal's statement was correct, and likely is still true, but they added a "permit any" rule in front per your request.
@@JivanPal I'm on ipv6 for more than 5 years, guess how many connection attempts to my SSH were done? I can count on fingers 😂
Hahaha, there is no such thing as a "Residential gateway." You have 100 different ISPs that have 300 different types of hardware and all do whatever they feel like with regard to IP addresses: nothing is standardized, nothing should be assumed.
@@LackofFaithify Who said anything about formal standards? Saying "there's no such thing as a residential gateway" is like saying "there's no such thing as a network switch" or "there's no such thing as a supermarket". These are broad, generic terms; of course such things exist.
If you are indeed saying that you know of ISPs screwing up IPv6 deployments, then please name them as requested in my original comment, for everybody's benefit. The same goes for any ISP screwing up IPv4 deployments or other security concerns as well.
If having an IPv6 address scares you, why doesn't having an IPv4 address also scare you?
The problem isn't with IPv6, the problem with with Microsoft's IPv6 implementation. This problem doesn't exist with Linux
If only Windows users could compile their own custom kernels like I do - no IPv6, no Wifi, no Bluetooth, no virtualization, just what's necessary for my programs to run my hardware.
Good thing for the userspace, too: I can uninstall so many libs and tools I don't need - DHCPv6, zeroconf, bluetooth-agents, peripheral firmware blobs - I don't even run sshd unless I need it.
This has resulted in fast, compact, reliable systems with zero attack surface; systems that still are able to run Steam games and so on. (Typing this on my AMD rig running openSUSE 15 and my custom Linux kernel.) Cheers!
@@dipi71 by the way, I use Ubuntu
“A critical flaw in IPv6 has just been discovered.” No it hasn’t.
A critical flaw exists in the development lifecycle of Microsoft’s operating systems and applications, rooted in a network protocol that does not pose issues for Linux, macOS, or BSD systems.
@@joeskleinEXACTLY this is a microsoft os created issue at least Linux isn't crap rush job simp coding Windows operating system is pointless nowadays I don't care how many people in the world use it it's absolutely garbage it always has been why can't people get that through their bloody heads???
@@joesklein Linux had and fixed this very same implementation problem in 2015, oh, it can happen if writing a new IPv4 implementation too. It is not ipv6 other than it happened to be ipv6 code in this case, it is not windows other than it happened to be windows in this case, it is a general failiure of networking protocol implementations implemented in C/C++, one that has come up before and will again. It comes down to a rather annoying thing, when getting a new packet, how much space do we allocate to store it in before we have the packet to measure it. Helpfully there is a bit of information in the header about how big the payload is, so read header allocate what it says the payload is, then start copying in the payload. Oh, one problem that value was wrong and so did not allocate enough space.
@@EwanMarshallMicrosoft needs to git repo code surely fixed by now from the community
Why does having a routable IPv6 address mean not having a firewall? Also, having a memory overwrite attack, which somehow makes me feel nostalgic for the 90's, sounds like a badly written code issue, not a specification issue. At least if the implementation isn't part of the spec.
Having a routable IPv6 address does not inherently mean that there is no firewall protecting the device. However, the confusion often arises from the differences in how IPv4 and IPv6 handle address translation and security.
1. IPv4 NAT vs. IPv6 Global Addresses:
• In IPv4, Network Address Translation (NAT) is commonly used to translate private IP addresses to a public one, which often serves as a rudimentary security layer by hiding internal network addresses from external networks. Because of NAT, devices with private IPv4 addresses are not directly reachable from the outside unless explicit port forwarding is configured.
• In IPv6, NAT is generally not used, and devices can have globally routable IP addresses. This direct accessibility raises concerns that devices may be exposed to the internet without the protection that NAT seems to provide. However, this doesn’t mean that IPv6 devices are without firewalls. IPv6 was designed with the assumption that proper stateful firewalls would be in place to control traffic, rather than relying on NAT.
Buffer overflows still happen
@@joesklein - globally routable doesn't mean directly accessible. The router should have at a minimum stateful firewall, and the Windows device should have the local firewall enabled. This is true for IPv6 as IPv4. Second, just because it is globally routable, there is no way to remotely identify the IPv6 LAN addresses without the IPv6 LAN device reaching out to the Internet first. There are many IPv6 solutions in place to mitigate the learning of fixed IPv6 addresses as well, mainly RFC 3041's Privacy Extensions and random IPv6 addressing. So IPv6 addresses are far from static, as both the network address is likely to change as is the node addressing.
As I understand it part of the problem with this bug is that it happens before it ever hits the firewall. The moment your windows machine receives a poisoned packet it causes the bug which allows remote code execution.
It doesn't work with IPv4 and NAT because with that, the IP address isn't the address of your machine, it has to be translated and sent to the target machine which allows for security features to kick in before it gets there or something (I'm no code scientist).
I don't know if this means there should or shouldn't be more security features for IPv6 built into the router but at the same time, there probably shouldn't be an overflow bug in microsoft's code that can happen merely by receiving a packet in the first place. They patched it so there no longer is but come on. Nobody else has this problem.
This video feels like he never heard of a firewall, touting NAT as a security feature is bad advice. Shame of you, you should know better.
Don’t tell him that NAT is a Firewall Feature 🤫
But in all honesty, he either has no idea about IPv6 and network in general, or he just lies to get more clicks
@@Felix-ve9hsOr IPV6 is a giant attack surface that is unnecessary.
@@StanleyPinchak IPv6 has the same "attack surface" as IPv4 has. Also, there are hundreds of millions of people (e.g. India) that wouldn't have access to the internet, so it is 100% necessary.
@@StanleyPinchakdon’t use eui 64 and if you do protect all your MAC addresses, but generally speaking ipv6 is more secure
Clickbait...very disappointed in Chuck on this one. I expect better of someone who touts himself an IT security expert.
I’m sorry but the video thumbnail is completely nonsense… has nothing to do with the topic itself and it seems like a attention grabber for views since it’s clearly a over the top scare. But i get it… views = revenue
Yup, pure clickbait nonsense. I figured I'd hear NetworkChuck out... but like most clickbaiters, I'll mark them as "boy who cried wolf" and ignore in the future as a technically adjective resource. He could have just titled it, "IPv6 implementation in Microsoft gets hacked" and had plenty of clickbait draw without the misinformation.
I really hope there's a follow up to this. However, at least he did mention it by CVE.
1:20 REPEAT WITH ME 10x:
NAT IS NOT A SECURITY FEATURE !
NAT IS NOT A SECURITY FEATURE !
NAT IS NOT A SECURITY FEATURE !
NAT IS NOT A SECURITY FEATURE !
NAT IS NOT A SECURITY FEATURE !
NAT IS NOT A SECURITY FEATURE !
NAT IS NOT A SECURITY FEATURE !
NAT IS NOT A SECURITY FEATURE !
NAT IS NOT A SECURITY FEATURE !
NAT IS NOT A SECURITY FEATURE !
It's not, but it has a security benefit.
Security by obscurity but still a defense mechanism by not routing internal resources but not necessarily blocking them or applying any advanced rules since you still have the option to establish a connection by initiating it from the internal resource
it absolutely is. does your router just forward packets internally from any random tcp connection initiated remotely? No. Your internal device has to initiate the connection. This is why STUN, port forwarding and UPNP are a thing.
There is no NAT in IPV6 , prefix delegation makes every devices reachable from the internet so, address it in your firewall
@@ronaldhofman1726 Yes, but he’s talking about NAT in IPv4. And yes firewalling is the solution, always has been, even in the IPv4 days.
Disclaimer: Technically there is NAT66 (or NPTv6), but for the love of humanity, don’t, just no.
Do some research and change that title p. You're damaging IPv6 with that headline
Martha Stewart: ...And that's a good thing.
@@StanleyPinchak That's a very bad thing, as it's objectively wrong
A TH-camr generating clickbait? What do you expect?
Microsoft will come and steal all Chuck's coffee.
What the hell is this video, man?
Here i thought that maybe it would be something constructive, but no, same thing over and over again from people not understanding the paradigme change about IPv6.
NAT isn't a security feature, the security feature is your firewall that block inbound non-tracked traffic before it gets translated.
So no, IPv6 is not "less secure" than IPv4 as long as you have a properly configured firewall on both sides that do not let non-tracked inbound traffic get in.
The whole video is like "IPv6 is the problem". No, the problem is a vulnerability in the implementation of IPv6 TCP/IP stack by Microsoft on Windows. It's not BECAUSE it's IPv6 related that IPv6 itself is the problem. Like you said, only Windows is vulnerable here.
Also, disabling IPv6 at the OS level is the worst advice you can give, it can break core functions that the OS relies on if you don't know what you're doing. Also by saying that, you just contribute to the slowness of the IPv6 transition with more people saying the same things as i stated before over and over and over again.
Please consider making a corrective video about this.
I totaly agree!
Please list one core function that disabling IPv6 breaks because I sure haven't noticed any.
@kunka592 if you're a sysadmin / doing business maybe and that's MAYBE you should worry about it, then if you're a gamer / average joe just browsing the web, you probably have nothing to worry about it. IPv6 is disabled in my OS and router and my ISP isn't willing to give me a IPv6 address and I'm doing fine. I heard that it breaks Windows Email, but who the heck uses it anyway? That's right, businesses. If you're not a business = you're mostly fine.
@@kunka592he’s just talking shit, if your not relying on ipv6 just disable it and your fine. There’s still an option to use only link-local addresses also.
what if i want to make a minecraft server @home? if i disable ipv6 then nobody can reach it ----> cgnat
I just want to add that having NAT enabled is not the same as having a firewall and vice versa. A firewall will block any incoming IPv6 traffic just the same as incoming IPv4 regardless of having NAT rules enabled for x traffic or not.
@yusisushi-yt Exactly
Just cause you have a publicly routeable address does not mean anyone can reach it. NAT is not what protects you from the internet. Your firewall does. So your ipv6 address is just as protected by your router as your ipv4 address. Do better Network Chuck
Agreed that IPv6 is not automatically reachable behind a firewall. The point is that it makes it possible. But it's dangerous to assume security is in place. NAT is a barrier even though we wouldn't consider it a "security feature".
I selfhost server with public IPv6, one thing I've noticed there seems to be no bots scanning in IPv6 space. IPv4 starts to get hammered in few days, IPv6 just silence. And I suppose if someone finds my server, I can change IP and now they need to scan my whole /56 net which is multiple time bigger than whole IPv4 space or my single public IPv4 address.
@@NetworkChuck loved your episode on docker networking :)
@@finnderp9977 I do think this is a matter of time, their is some good techniques for IPv6 scanning, but on average the people running IPv6 servers on the public Internet are a little bit more knowledgeable so not the low hanging fruit.
@@finnderp9977 I agree I have over 10k scans a day that are blocked by firewall block lists and about 100 every day that will hit my servers and start brute force attacks until the fail2ban kicks in. All of that is with IPv4. In the IPv6 space I have never had a port scan against my servers.
I've switched to IPv6 all over and we are using it at our datacenter too :p But no windows computers, so hey ;)
ipv6 is so much easier to deal with, no chance of nat-ing anywhere
@@DylanClements98 - still gonna need to Proxy and/or have some dual-homed solutions to reach the IPv4-only Luddite websites and mail servers, and DNS servers if you run your own resolver without forwarding.
0:02 : "Has just been discovered" (It has been disclosed since more than two weeks).
I felt like content quality on NC channel has dropped lately. Maybe holiday time consequence today...
Listening to this in my car. 2:31 made me think someone was legit banging on my passenger door
Using a nice set of headphones. I stopped and went checked my front door. 🥴
Glad I wasn’t the only one that had that lol
FR I did the same thing in my room
I went to my 90yrs old neighbors door to ask if everything is allright
Same here, i had my earbuds on and i thought someone was banging the door. 😂
Correction: Windows keeps getting hacked, IPv6 is fine on Linux and Unix. 😊
I love IPv6 because my ISP holds me behind a CGNAT so I can't port forward
I was able to just contact my isp to remove the cgnat and got a dedicated IP the same day. Did you try too?
@@KAMIOUKA It would double my bill to get one, so no thanks
@@rexsceleratorum1632 lol it was free for me
From my point of view it is exactly that part in most of networking tutorials, step one deactivate IPv6, which causes the problem not evolving the IPv6 environment.
And it is becoming more and more necessary as you don’t get a global IPv4 anymore with new providers. E.g. fiebre providers. At least if you don’t buy in for a business contract.
That knock at 2:31 scared the sh!t out of me lol
Stereo also LOL
Ditto!
Same here. I had my headphones on and though someone was knocking on my wall.
my right ear didnt like that at all. 😠
same.
So, it's not IPv6 that's the problem, but it's windows not implementing it correctly that's the problem?
Disabling IPv6 may be an easy stop gap but I would have thought the better solution would be making sure the firewall both at the router and on the local machine was correctly configured
Intentionally disabling and not using IPv6 in 2024 is a crime against humanity.
@Dm_YTNetworkChuck sorry?
So the best way to fix and accelerate the process of IPV6 adoption is to disable it. Yay.
If the current solution (NAT) works, people won't bother switching to something else (at least with any particular speed).
So bottom line, use a firewall as you do with v4…
you say this as if it's the entire IPV6's fault. no it's just microsoft writing memory-unsafe code.
also disabling IPv6 will NOT solve the issue. the IPv6 stack is just told to ignore the packets, but this exploit doesn't care. the IPv6 packet is still being read, even if it's just ignoring them all.
A critical flaw exists in the development lifecycle of Microsoft’s operating systems and applications, rooted in a network protocol that does not pose issues for Linux, macOS, or BSD systems.
Honestly, we don't know enough details about this IPv6 vulnerability in Windows to know that last part, it depends on where in the IPv6 stack the problem is.
Citation needed. Anyway, I have IPv6 disabled in my router as well.
MSFT says that disabling IPv6 mitigates it so... it has something to do with IPv6 thus being not completely on MSFT's side. Unless... they're lying to us!
If you’re not relying on ipv6 turn it off and you’ll be fine. If you tell a device to ignore packets, they aren’t being processed. If you’re still worried do some pcap and investigate.
I'm deeply sorry, but I think your spreading the wrong information here : The flaws you referenced are mostly problems in the MS Windows IPv6 software stack, not in IPv6 the protocol itselfs. Spreading wrong information about the protocol will not be useful to help people understanding it in more details. It's true that people aren't familiar with v6, and network engineer are getting up to speed on that, but as for v4, we need firewalls to protect our Lans. If your CPE doesn't do it by default, that's a problem. Opnsense filters that by default, and most of the other device also do (at least the one I encountered).
Good thing he says Microsoft and pops up a Windows logo at the 5 second mark. You can't miss it.
Computers should be directly reachable except as blocked by firewall. It would bring back everyone being able to run a server on their own personal hardware among other good things. The internet has been missing this for some time and it is important.
They don’t want you using your own hardware that’s the issue, they push the cloud so hard cus it makes it easier for them to spy and steal
Never had any problems whit IPv6 been hacked, used IPv6 for over 10 years.
I have been working with it since 2000, and have been focusing on securing IPv6 over that time. Problem is Microsoft, as Linux, BSD and MAC OS are constantly meeting the operational and security requires for cloud, business, and ISP's.
Its not IPv6's fault, it's Microsoft's. Do research.
Disabling it is not a solution. You showing how to disable it is making its adoption even slower. IPv6 is not the villain here. Microsoft is.
@weekendwarrior3420 Well, of course everyone needs an IP that won't exhaust. ipv4 is already exhausted, and besides, this type of vulnerability is only in Microsoft, not in Linux or Mac. It's Microsoft's fault. IP addresses are crucial for accessing the internet. How are people going to access the internet if they can't get an IP? Also, widespread adoption will make it more secure day by day.
@weekendwarrior3420 buddy you are just showing your stubbornness and that's totally fine. that's your choice.
@@jalish.mahmud dude, unfortunately many ISPs (like mine) won't provide users with IPv6... that's not entirely our fault. Given that, I'll keep IPv6 disabled for the time being as my ISP isn't willing to expend money revamping their systems to accommodate new technologies. Maybe in the future... maybe.
@@GabrielVilanova-n3p yeah i had connection of this type of ISP. Then i switched.
@weekendwarrior3420 good for you
It is relatively new Made me laugh so hard... I First Heard that ipv4 will be replaced "soon" in my Network course at University.
That was Back in 1999. So while the Standard might be new, it was implemented 25 years ago. Ipv4 was turning 18 that year.
And its Not ipv6 which is flawed, Windows is.
And IPv6 by default was introduced in Windows since Vista, that's 2006.
@@autohmae yes, and Windows was late Back then. Others Had it for years at that time.
Running a stateful firewall at the network boundary with IPv6 gets you the same effective security as IPv4 NAT.
Hello DDoS
I'm sorry, but this video is a bit misleading. No one can connect to your toilet through IPv6 from the internet, especially when, by default, there are no open inbound port rules on the router to the IPv6 address of your toilet.
NAT is not a crutch for a firewall/ACL.
What flaw in IPv6? This is a Windows vulnerability that’s exploited via IPv6.
Smells like Microsoft wrote a shoddy IPv6 stack in the early 2000s, and as adoption grows, it comes back to bite them.
Usually I’m a huge fan of your videos, but this one is just painful to watch.
This issue is entirely on Microsoft not being able to write secure kernel code and has nothing to do with the IPv6 standard.
Recommending disabling IPv6 is like recommending disabling UDP.
With this video you showed everyone that there is a lot for you to learn when it comes to networking.
Joke's on the hackers, I've got incoming IPv6 traffic blocked on my firewall.
"We don't really need it right now" Chuckles in no IPv4 from some of my ISPs. It's easy to say if you already have a v4, but even then some services, mine included, have started hosting things on v6 only networks too, which v4 only clients complain to me about, and all I can do is shrug my shoulders and say complain to your ISP
1. Microsoft Problem
2. IPv6 is normaly filtered on the router already that outgoing Traffic is allowed, incomming not.
Chuck: let's disable IPv6...
Me (an engineer working for an RIR): 😢...ok
Do iT!
@@papahuge 😂...my point was more around why just disable IPv6 instead of learning it? I mean TUGIDs are a thing that mitigate most of what Chuck brought up as a flaw and there are many other configs than take privacy to a whole new level. With a bit of learning effort IPv6 can be a thousand times better than ipv4, but this advice is not very good. Especially for an educational youtuber
Instead of saying IPv6 has problem
I guess we should say *Windows* has problem
switching off IPv6 - definitely not a solution, its like burn your house for rodent issues
Microsoft has so many vulnerabilities, risking you, your family, business and country, of privacy, security and so much more. Its simple, move to Linux, MACOS, BSD, and run Microsoft as a VM or docker container.
No, it's more like bolting a door shut permanently because the lock doesn't work well. If nobody even needs to use the door, what difference does it make? The average user doesn't care about your lofty IPv6 adoption goals. Anyways, knowing multiple ways of dealing with a problem is always good so you can make an informed decision.
If you aren’t dependent on it and running dual stack without even knowing it (like most average folks) turning it off is definitely a solution
it's not a protocol problem but a windows problem. and a patch was released on the same day it was discovered. if you can't update that's a you problem i guess.
NetworkChuck is just harming the internet as a whole with this alarmist video
@@dreamsneezer8668 1. I'd argue that more people than know it really do depend on IPv6 these days, or at least use it.
2. Turning IPv6 off, or burning the house to get rid of all the rodents, is definitely a solution to the problem. It's just not the best solution in most cases.
Disabling IPv6 in windows does NOT!!! protect you from this exploit, as the vulnerability is earlier in the stack. Disabling the interface therefore does nothing. Also, i would disagree with the statement that ipv6 is not needed yet. Many websites/services already prefer serving their content via IPv6 (Google, TH-cam, Netflix...) and depending on yours and your ISPS network configuration, it can help with P2P applications and reducing latency due to NAT.
I feel like websites are faster when they are ipv6.
@@pedromain based on the statisitics by companies like Google, etc. the answer is: they are, because when a provider doesn't have enough IPv4, they will use "Carrier Grade NAT" which often makes it slower.
"Disabling the interface therefore does nothing"
Honestly, as far as I know, we don't know yet. I think people really don't want to disclose information to make it easier for bad actors to figure it out.
Disabling IPv6 in Windows **DOES** protect you from this exploit.
Absolute bullshit! The security issue is NOT and IPv6 flaw ... but yet another security hole in Microsoft Windows!
NAT was only "security" back when routers where stateles... they aren't anymore though... and... people shouldn't really be vulnerable unless in a hotel wifi or something. Telling them to turn of IPv6 instead of updating is going to hurt IPv6 adoption significantly, as they're definitely not going to turn it back on any time soon. They'll just forget
Good. Let the experts sort out IPv6 and then roll it out to consumers in 50 years when it is reasonably tested. NAT IPv4 is plenty good for consumers for the foreseeable future.
So... what I'm hearing is (and feel free to correct me if I'm off-base here) is that there are people out there running dual-stack (v4 and v6) networks that failed to take into consideration that IPv6 can be publicly reachable and didn't configure proper firewall rules at the edge to ensure that their machines are not publicly reachable?
IPv6 isn't the problem here, it's lazy netadmins and home routers with bad default IPv6 policies. In this specific case, it's also MS for writing garbage IPv6 code in their network stack.
This is also extremely uncommon as far as I'm aware. But I guess we'll see what happens, if the exploit gets known in the wild, how many people do install updates and do have their firewall enabled.
Firewall rules should still stop someone else on the internet from accessing your public ipv6 address. NAT itself isn't security...
Most firewalls will provide you with a firewall rule the moment ipv6 is detected whether it be slaac or dhcp6. Up to you what you do from there on.
Ipv6 is not the problem with this vulnerability, its the crap software that's been designed in such a way to allow for this vulnerability.
Many countries outside the western and anglo sphere use ipv6 primarily. Simply disabling it won't solve your issue if that's the only way you can reach the internet. Just keep your OS up to date when patches come through.
Also from my experience with Isps here in Australia we don't get assigned ipv6 (unless you ask to have it along with ipv4) so not too sure how different it is for you guys in the US.
Fun Fact:
IPv1, IPv2, and IPv3 were prototypes of the IP system that were never publicly released, but definitely existed. IPv5 was a version of IPv4 that was designed for server to Server communications (rather than server to client), but it was needlessly complex, and so nobody ever adopted it. IPv7 is currently in development and is supposed to be a faster and more secure version of IPv6.
“we’re kinda slow at adopting ipv6”
“here’s how you disable ipv6”
As if IPv6-NAT and firewalls doesn't exist ... 🤷♂
How to lose credibility in one video right here.
Speaking as a security professional, the correct fix for this issue is to apply the relevant patch, not disable the relevant feature. Yes, IPv6 implementations (read: vendor code) are less vetted than older IPv4 implementations and will have more undiscovered vulnerabilities (this is the nature of software), but it doesn’t mean we should turn it off. This approach hurts progress towards global IPv6 adoption.
all the windows desktops: AAAAAAAAAAAAAAAAAAAAA
Linux servers: *happy penguin noises*
Please don't do this in a business environment. You have no idea how much of the Windows infrastructure (including AD, Exchange, etc.) are built around IPv6. This breaks so many things and causes so many weird issues on Windows Networks.
funny enough, windows is entirely the problem here lol
In a proper business environment the users who blindly follow advice in these videos won't have access to change that setting.
Compete FUD. I'm very much an IPv6 advocate, but it can be blocked at the network level and never harm anything. We have GPOs disabling it on all LAN adapters, block it on L2 & L3 switches and monitor for it on our network taps.
@@jroysdon the number of support ticket I've had to investigate and resolve at multiple enterprises says otherwise.
While this is technically correct, ie. No NAT on IPv6, and addresses being globally routable, all those packets and data are still going through your home router, which also remains a Gateway between your LAN and WAN. Packets being IPv6 doesn't mean they automatically get to skip routing tables, nor do they get to magically bypass firewall rules unless you've REALLY misconfigured something.
Don't go telling people to disable IPv6 entirely because Microsoft cares more about shoving Spyware and bloatware into their garbage OS than producing a solid IPv4 and/or IPv6 network stack. For one thing, you'd be surprised how much local stuff relies on there at least being link-local addresses available. Apple products for one, particularly iOS make heavy use of IPv6 and while they will fall back to IPv4 for most things, going from a cell network with IPv6 connectivity to a LAN without it can look like broken local LAN/WAN to many people.
Plus, if you REALLY want IPv6 NAT for some reason rather than just running a router that is configured correctly for consumer IPv6 networks, you can totally do that. It's just a giant headache when you start getting into real world use ... so basically the same endless headaches that NAT causes in the IPv4 space. Which forced us to come up with ugly-ass hacks, workarounds and security holes just so people can (hopefully) manage a direct connection for services that need it.
Not the fault of ipv6 though
Your globally routable address must still pass through the physical interfaces of your router, and if your router firewall is configured correctly it will still protect you. Globally routable addressing in and of itself is not dangerous.
Microsoft just dropped the ball.
That knock on the door sounded so real it scared the poo out of me...
Clickbait title. Microsoft and Windows keep getting hacked. Not iPv6. Be better.
This news is about a week old. For security issues, that's VERY old....
Has microsoft patched ipv6 relay vulnerability that they told in like 2018 that they won't patch? No? Surprise.
We need more ipv6 videos. It’s not talked about enough and what can be done with it
Hold on, what about firewalls and proxies?
The firewall has been configured to let the clickbait through
NAT is not a security feature, but a dirty hack, to handle the scarcity of IPv4-addresses. The problem is also not IPv6 but, that too few people invested in deploying IPv6 and developing a stable network stack - namely Microsoft.
THAT SCARED THE LIVING FUCK OUT OF ME
the knock in 2:30
Totally same bro. I was also looking at my door before it
same! I literally thought someone was at the door lol
A critical flaw exists in the development lifecycle of Microsoft’s operating systems and applications, rooted in a network protocol that does not pose issues for Linux, macOS, or BSD systems. Yes, Microsoft has SCARED THE LIVING FUCK OUT OF ME, since 1988.
Won't having default IPv6 rules in a firewall prevent this? Just because NAT isn't a feature of IPv6 doesn't mean that there are now no firewalls and local networks, at least based on how I understand IPv6😊
How many years has it been since IPv4 is ran out?
Can't ISPs Nat a Nat? Or was it Pat?
@@chuckchan4127 CGNAT
IPv4 ran out about 15+ years ago, but it was already distributed globally. Google, Cisco, Microsoft, and other content providers lied/exaggerated to convince other networks to convert. Typical "in 3 years, the Internet will crash" extinction lies. Most companies knew it was true, so the conversion process was slow. Even now, the Internet runs on IPv4 and iPv6 dual stack with the majority of the traffic being IPv4.
😂😂😂 little behind bud...
This IPv6 problem isn't as big of a deal as people make it out to be. first of all windows has IPv6 disabled by default. You're primarily running on IPv4. If you're worried about a problem like this, make a rule in the firewall to prevent any unauthorized IPv6 packets from getting input into your system. You'll be fine. This way if you need to use IPv6 it'll be handled by your router since almost every router runs using the Linux kernel which doesn't have this problem you'll be fine. This mostly affects people like network chalk who deal with IT work as a lot of sis admins use IPv6 to directly log into their servers once again most servers use Linux which doesn't have this problem. There is a hot fix for servers if you want to install it on your home system; however, I'm sure once Microsoft perfects the fix it'll get passed down in updates.
What I like with IPv6 is the ability to assign temporary ipv6 addresses per app. So technically every app can use their own IP and thrash it as soon as you exit the app.
So if you thibk aome ddosing you? Just relaunch every app and your done
For once i do not liked a NetworkChuck Video, yes IPV6 is not firewall enought by some routers, but it's not IPV6 fault, it's ISP's, Router makers, and Microsoft :(
Always run OpenWRT on the consumer router
That "knock" at 2:30 seriously had me JUMP out of bed as I watch this in the middle of the night with headphnones on. Picking my heart up off the floor right now. LOL Thanks Chuck!
Why is only windows vulnerable to this?
because it is an exploit in windows
@@graffitiwriter "Money over fixing security vulnerability which impact Microsoft's customers"
When you flush DNS and all of a sudden your smart toilet is like "wut?"
clickbaity title and wrong explination, ipv6 is good
Anyone can say anything on the internet, why do you not explain yourself ?
Had problems with cable IPTV boxes. They would stop working because the update server had only IPV6. So on a IPV4 network eventually the TV box would stop working. It needed IPV6 to update the software. Just be aware that this could happen.
Sorry but this is the worst video you've ever made. I'm really disappointed in its quality of research and the conclusion.
💀
can you not put door knocking noises so real when im wearing 7.1 surround headphones at 4am... haha
Damn, your headphones have 7 speakers and one subwoofer?
@@The_S1syphus yeah bro. look them up. if u watch movies or especially gaming it will change ur world lol.
@@The_S1syphus technically no. but they might as well be. can hear from all around. front, sides and rear.
Maybe Microsoft should consider opening the source of a few critical Windows subsystems, such as the network stack, and let the community do the work for them. Can't, because of NDAs? Maybe the ReactOS one is better, so drop the proprietary one and use the ReactOS one.
can you really call yourself a network professional if you can't understand IPv6 like at all
What are you on about? It is a Windows issue and their implementation and has nothing to do with the protocol.
How to keep your self safe: switch to Linux.
Many such cases
Yaaay! Time to leave all previous functionality behind and relearn a whole new system that works totally different and barely works most of the time. Did I mention that everything you were used to working won't work anymore? YAY!
As a dedicated Fedora user, I really wish people would stop implying it were so simple.
@@ELEC7RO barely works? Sounds about like the experiences i had trying to do useful work on a windows machine.. Probably fine if you just want to watch some youtube or do other mindless webcrap, but useless for much else
@@404unknownuser I could say the exact same thing for a linux or mac machine.
BTW these attack vectors such as ping of death have been used against ipv4 as well.
ipv6 IS new and ISP have not been changing because they do not really have to. The router gear they use
(Frame-relays etc) rely more on MAC address translation
Also I noticed you didn't mention IPv6-via-IPv4 that many ISP's are using as a stop gap.
Omg I don't know what to do... *Logs into router and adds v6 firewall rule to drop incoming v6 connection unless related or established on /48 prefix* IPv6 is the greatest invention, just be good at firewalling, you can firewall v6 prefixes the same way as v4 nat.
Or use NAT66
@Text_YTNetworkChuck Ah yes good ol fakes
I know THIS problem is Microsoft's, but...
IPv6 is a failure overall. During design they cut proposed good features and added other useless or potentially dangerous ones.
Add the fact most ISPs implement it either badly or not at all over a decade (p.s. it was launched publicly 2012 not 2017 as you said) after launch and you got a failure!
I'll wait for IPv8 for them to fix the problems.
3:44 that information is wrong, link-local addresses aren't public addressable, FE80 is tied to the mac address, its local to the link layer, thus it can't pass over the router.
That’s what he said
Ok for us newbs, english please. I am pretty sure my computer is being hacked. The screen goes blank randomly, and my cpu usage is 80-90% when I am only online. Plus I use recommended passwords that Microsoft browser recommends.
Core 5 short on memory.
If you think NAT is a security feature there is a bit of a hole in your understanding. IPv6 for everything.
Your video claims there's a problem in IPv6... Yet all the problems you discuss are issues in windows, not IPv6.. Maybe you should make a video about why windows security is so terrible instead?
Maybe because windows isn't the less secure, being the largest os on earth and being constantly attacked by hundreds of thousands of hackers, it still manage to be used by critical organizations around the world. If linux had a large userbase like windows it would have all kinds of nasty viruses and it already has some vulnerabilities
I really want to learn more about IPv6 and how to secure it, I thought our network firewalls still protect IPv6 despite it not using nat, because I need it enabled on my network, our cable boxes from our ISP don't seem to work correctly when its disabled
If you have a basic consumer router, just ensure that the Stateful Packet Inspection (SPI) firewall is enabled. This will prevent unsolicited packets from the Internet from reaching your devices on your LAN, unless you specifically open ports on your router and devices.
Good luck spoting a machine into that kazillion IPv6 lol