Ever wonder why Fingbox can't support IPv6?

Pooh, Member, Beta Tester, Posts: 674
edited August 2019 in Fingbox
The current v1 & v2 Fingboxes rely on exploiting a weakness of the ARP protocol to allow ARP (Address Resolution Protocol) poisoning. This is where the Fingbox tells blocked devices that it is the local internet gateway rather than the real one. It then receives the packets and disposes of them (@Gidster & @VioletChepil feel free to chime in if I've any details incorrect here).

When IPv6 first came out, ARP was deprecated and NDP (Neighbor Discovery Protocol) was introduced, which in itself is a superset of IRDISC (ICMP Router Discovery), ARP & ICMPv4 (ICMP Redirect). In addition to this, SEND (Secure Neighbor Discovery) can also be implemented, which uses RSA keypairs to generate cryptographically generated addresses that further block the ability of other devices to pretend to be the gateway.

Upshot of this is that IPv4 is exploitable, IPv6 is hardened. Hence why, as of right now, Fingbox is stuck working best on IPv4 addresses.
People say nothing is impossible, but I do nothing every day.
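
Added example, not part of the original post and not Fing's code: a small detector for the gateway impersonation described above. It parses Ethernet/IPv4 ARP payloads and reports any MAC, other than the known gateway MAC, that claims the gateway's IP. All addresses and sample frames are constructed.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a 28-byte ARP payload; used only to construct the sample frames."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac(sender_mac), socket.inet_aton(sender_ip),
                       mac(target_mac), socket.inet_aton(target_ip))

def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        return None  # truncated frame
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, sha.hex(":"), socket.inet_ntoa(spa)

def find_gateway_spoofing(payloads, gateway_ip, gateway_mac):
    """List MACs, other than the known one, that claim to own the gateway IP."""
    impostors = []
    for payload in payloads:
        parsed = parse_arp(payload)
        if parsed is None:
            continue
        # Requests and replies both update neighbour caches, so check either.
        _op, mac, ip = parsed
        if ip == gateway_ip and mac != gateway_mac.lower() and mac not in impostors:
            impostors.append(mac)
    return impostors

# Constructed sample traffic (assumed addresses, locally administered MACs).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "02:00:00:00:00:01"
CLIENT_MAC, BLOCKER_MAC = "02:00:00:00:00:10", "02:00:00:00:be:ef"
SAMPLE = [
    build_arp(2, GATEWAY_MAC, GATEWAY_IP, CLIENT_MAC, "192.168.1.50"),  # real gateway
    build_arp(1, CLIENT_MAC, "192.168.1.50", "00:00:00:00:00:00", GATEWAY_IP),
    build_arp(2, BLOCKER_MAC, GATEWAY_IP, CLIENT_MAC, "192.168.1.50"),  # impersonation
    b"\x00\x01\x08\x00",                                                # truncated
]

if __name__ == "__main__":
    print(find_gateway_spoofing(SAMPLE, GATEWAY_IP, GATEWAY_MAC))
```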

Comments

  • VioletChepil, London, UK, Member, Posts: 2,471
    This looks great, I've promoted it. I don't have anything to add but will check in with the team here. We've got a national holiday in one of our offices, so the turnaround may be slower! 

    Community Manager at Fing

  • SJ47, Member, Posts: 11
    Hi @Pooh, a long time ago, in 2017 to be more precise, I wrote a couple of blog entries on my first impressions of the Fingbox (https://www.ewodju.net/posts/fingbox-part1/ & https://www.ewodju.net/posts/fingbox-part2/), where I noticed that quite some functionality fails in a dual-stacked network. Telenet, a Belgian ISP, has been providing IPv6 for quite some time (with its occasional quirks, like a router with a crashed IPv4 stack and a working IPv6 stack; real fun to troubleshoot). I tried to figure out what hack was used to block devices on the WiFi and the wired network but never thought of fiddling around with the ARP tables. In any case, as you correctly state, the thing fails in the V6 world. I believe the hardware design should be re-engineered to support the V6 world and be even better in the V4 space.
    1. The device should be put inline.
    2. The dual NIC must be galvanically closed when power is off.
    Anyway, I think that even in its present incarnation the Fingbox should support at least some IPv6 to give some insight into a V6 network.
  • Pooh, Member, Beta Tester, Posts: 674
    SJ47 said:
    Anyway, I think that even in its present incarnation the Fingbox should support at least some IPv6 to give some insight into a V6 network.
    Fingbox does support IPv6 - as long as you don't want to block anything. Sadly it's an all-or-nothing type of thing with the Fingbox - if your router is pushing IPv6 addresses then there's no way the Fingbox can block any devices with an IPv6 address, since the IPv6 mechanisms take over and stop the ARP poisoning from working.
  • SJ47, Member, Posts: 11
    Hi @Pooh, a long time ago, in 2017 to be more precise, I wrote a couple of blog entries on my first impressions of the Fingbox (https://www.ewodju.net/posts/fingbox-part1/ & https://www.ewodju.net/posts/fingbox-part2/), where I noticed that quite some functionality fails in a dual-stacked network. Telenet, a Belgian ISP, has been providing IPv6 for quite some time (with its occasional quirks, like a router with a crashed IPv4 stack and a working IPv6 stack; real fun to troubleshoot). I tried to figure out what hack was used to block devices on the WiFi and the wired network but never thought of fiddling around with the ARP tables. In any case, as you correctly state, the thing fails in the V6 world. I believe the hardware design should be re-engineered to support the V6 world and be even better in the V4 space.
    1. The device should be put inline.
    2. The dual NIC must be galvanically closed when power is off.
    Anyway, I think that even in its present incarnation the Fingbox should support at least some IPv6 to get some visibility.
  • Pooh, Member, Beta Tester, Posts: 674
    SJ47 said:

    Anyway, I think that even in its present incarnation the Fingbox should support at least some IPv6 to get some visibility.
    It does support many IPv6 features. However, the trade-off is that you lose the ability to block if you have IPv6 enabled on the local network.