The Sad State of Consumer IPv6

Image Credit: Guido Sorarù, CCA 4.0 license.

IPv6 on home routers is in a sorry, sorry state. I got the itch to learn IPv6 networking and started by testing several high-end home routers to see which units might best meet my educational and experimental needs. I figured that once I identified a solid fit, my new (potentially used, but new-to-me) device would become part of the home lab of networking hardware that I use for everything from penetration testing to reverse engineering.

I was very disappointed with each device I tested. Not one met the basic qualifications for being usable by default in my very common situation. The devices I tested do not treat IPv6 as a first-class way to get connected. At best it is functional; more often the feature is disabled by default, if not also broken or missing entirely.

The Fine and the Fancy

Let’s begin with a relatively recent, high-end home router: the NETGEAR Nighthawk RAXE500. This router carries an eye-watering $600 list price, and the product page confidently flashes all the bells and whistles one could expect: advanced mesh capabilities, Wi-Fi 6E, 12 streams (marketing speak; the listing is really referring loosely to the unit’s MU-MIMO capabilities), and… you guessed it! IPv6 support. Surely IPv6 should work on such an expensive and recently released device from a leading brand in networking hardware. This is not some Chinese no-name, but NETGEAR.

Wow, what a piece of junk this turned out to be!

Firstly, IPv6 is disabled by default. You won’t even find it on the main configuration pages; it is tucked away like some shameful forgotten stepson made to sleep under the stairs. The unit assumes IPv4 by default. IPv6 is the future, and this is a poor default because it encourages users to build on outdated technology, but I later saw that the choice was made because the unit’s IPv6 support is poor. If you dig through the scary Advanced Configuration, you can find an IPv6 feature to enable, with an incomplete set of options for getting connected.

Most ISP modems now come with built-in routing. If you’re lucky, you can enable IP passthrough and yield full control of your home network to your shiny new router, but my ISP does not allow this. The ISP gateway stays the primary router: it holds the IPv6 prefix delegated to my home and must hand out addresses from it. Devices configure an IPv6 address from the Router Advertisement (RA) the ISP gateway sends, but this router has no option to relay or proxy RAs from its WAN side to the LAN, so IPv6 address distribution is blocked. It does offer stateful DHCPv6 on the LAN, which looks like it would work on the surface, but popular platforms like Android don’t implement a DHCPv6 client (a decision taken on privacy grounds) and only configure addresses through SLAAC, so the default experience is fundamentally broken for most users. I see why IPv6 is disabled by default: it is broken in the common case.
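The RA flags decide which of the two mechanisms above a host can use. An RA with the M (managed) flag set says “get your address from DHCPv6”; a Prefix Information option with the A (autonomous) flag set says “build your own address from this /64 via SLAAC”. A SLAAC-only client such as Android is stuck when the RA carries only the former. The parser below is an added example, not code from the post or from NETGEAR; it decodes the ICMPv6 RA body as laid out in RFC 4861 and reports whether a SLAAC-only host could get a global address. The two RAs it builds are constructed test inputs using the 2001:db8::/32 documentation prefix; the checksum field is left zero because it is not needed for parsing.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 4861 section 4.2
OPT_PREFIX_INFORMATION = 3          # RFC 4861 section 4.6.2
RA_FLAG_MANAGED = 0x80              # M: addresses come from stateful DHCPv6
RA_FLAG_OTHER = 0x40                # O: other config (e.g. DNS) from DHCPv6
PIO_FLAG_ONLINK = 0x80              # L: prefix is on-link
PIO_FLAG_AUTONOMOUS = 0x40          # A: prefix may be used for SLAAC


def parse_router_advertisement(payload: bytes) -> dict:
    """Parse an RA body (starting at the ICMPv6 type byte, no IPv6 header).

    Returns the M/O flags and every Prefix Information option found.
    Malformed input raises ValueError instead of being guessed at.
    """
    if len(payload) < 16:
        raise ValueError("RA body too short")
    (icmp_type, code, _csum, _hop_limit, flags,
     router_lifetime, _reachable, _retrans) = struct.unpack("!BBHBBHII", payload[:16])
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {
        "managed": bool(flags & RA_FLAG_MANAGED),
        "other": bool(flags & RA_FLAG_OTHER),
        "router_lifetime": router_lifetime,
        "prefixes": [],
    }
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            # RFC 4861 section 4.6: a zero-length option means discard the packet
            raise ValueError("zero-length option")
        end = off + opt_len * 8           # option length is in units of 8 octets
        if end > len(payload):
            raise ValueError("truncated option")
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            prefix_len, pflags, valid, preferred = struct.unpack(
                "!BBII", payload[off + 2:off + 12])
            prefix = ipaddress.IPv6Address(payload[off + 16:off + 32])
            ra["prefixes"].append({
                "prefix": f"{prefix}/{prefix_len}",
                "prefix_len": prefix_len,
                "on_link": bool(pflags & PIO_FLAG_ONLINK),
                "autonomous": bool(pflags & PIO_FLAG_AUTONOMOUS),
                "valid_lifetime": valid,
                "preferred_lifetime": preferred,
            })
        off = end                          # unknown options are skipped, per RFC 4861
    return ra


def slaac_address_possible(ra: dict) -> bool:
    """A SLAAC-only host needs a PIO with A set and a /64 (64-bit interface ID)."""
    return any(p["autonomous"] and p["prefix_len"] == 64 for p in ra["prefixes"])


def build_ra(managed: bool, other: bool, prefixes=()) -> bytes:
    """Constructed RA for testing: (prefix, length, autonomous) tuples become PIOs."""
    flags = (RA_FLAG_MANAGED if managed else 0) | (RA_FLAG_OTHER if other else 0)
    body = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, flags, 1800, 0, 0)
    for prefix, plen, autonomous in prefixes:
        pflags = PIO_FLAG_ONLINK | (PIO_FLAG_AUTONOMOUS if autonomous else 0)
        body += struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, plen, pflags,
                            2592000, 604800, 0)   # valid 30d, preferred 7d, reserved
        body += ipaddress.IPv6Address(prefix).packed
    return body


if __name__ == "__main__":
    # Constructed: what an ISP gateway typically sends (SLAAC prefix, DNS via DHCPv6)
    isp_ra = build_ra(managed=False, other=True,
                      prefixes=[("2001:db8:abcd:1::", 64, True)])
    # Constructed: a router offering only stateful DHCPv6 and no SLAAC prefix
    dhcp_only_ra = build_ra(managed=True, other=True)
    for name, raw in (("ISP gateway", isp_ra), ("DHCPv6-only", dhcp_only_ra)):
        ra = parse_router_advertisement(raw)
        print(f"{name}: M={ra['managed']} O={ra['other']} "
              f"prefixes={[p['prefix'] for p in ra['prefixes']]} "
              f"SLAAC host gets address: {slaac_address_possible(ra)}")
```

To use it on real traffic, feed it the ICMPv6 body of a captured RA (for example the bytes after the IPv6 header from a packet capture filtered on `icmp6.type == 134`); the parser deliberately ignores the checksum, so it works on bodies extracted without their pseudo-header.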

Even if you manage to get it working, the IPv6 firewall has exactly two options: enabled and disabled. There is no way to permit inbound traffic to one host without switching the firewall off for everything, so hosting IPv6 services behind this device is practically impossible. It just doesn’t work.

The Working Man’s Router

Next, I tested the extremely popular and economical TP-Link Archer C7, well known for its wide global distribution and its accessibility to non-technical audiences. The product page’s 802.11ac (Wi-Fi 5) support level shows that this product is a little dated. It shares yesteryear’s design with many other models that use almost the same visual design language, and one can find this model and its siblings almost anywhere. Most consumers aren’t going to purchase the most expensive option, and TP-Link dominates the grocery store shelves in my area. It’s cheap, and it gets the job done quickly for most people. It tries to be what working men and women want: solve the problem and move on with the day.

For the firmware I tested, IPv6 is enabled by default. This is a very good first step! However, my colleagues tell me that this is often not the case. Still, I must give credit where it’s due. IPv6 enabled by default should be the minimum requirement now that it carries almost half of all Internet traffic.

However, this turns out to be a potentially dangerous default, because the router did not ship with an IPv6 firewall. True, it obtained a prefix and issued addresses, but every device behind it now has a globally reachable address: any website you visit sees your client’s address and could port scan your device directly. If the device has any open ports or insecure services (common for devices designed to operate on a trusted LAN), it can be reached from the Internet without the user’s permission. For a router to be minimally worthy of the Internet, it must implement a stateful firewall that drops unsolicited inbound connections to the devices behind it. Instead, this one relies on the hope that nobody will guess a client’s address out of the 2^64 interface identifiers in the prefix, and that the websites you visit are trustworthy or won’t bother to scan you for vulnerabilities. Maybe, maybe!

From a product-design point of view it is easy to forget an IPv6 firewall, because on IPv4, NAT has the side effect of protecting clients from unsolicited connections. When a packet arrives, the router consults its translation table to find the client the packet belongs to. An unsolicited packet matches no entry, because no outbound connection ever created one; the router has nowhere to send it, so it drops it. That is a firewall by accident, not by design. With IPv6 every device has a globally unique public address and no translation is needed, so a packet for any address in the prefix can simply be routed. Unless the router deliberately tracks connection state and drops inbound packets that belong to no known flow, the home network is exposed.
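The model below makes that mechanism concrete. It is an added example, not code from the post or from any router vendor, and it is a simulation rather than a real forwarding plane: a toy NAT44 router whose only lookup is the translation table, beside an IPv6 router with and without a stateful filter. All addresses and ports are constructed test data from documentation ranges (192.168.1.0/24, 203.0.113.0/24, 198.51.100.0/24, 2001:db8::/32), and the scenario names (`nat_scan`, `v6_open_scan` and so on) are mine.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Just the 4-tuple; enough to show the forwarding decision."""
    src: str
    sport: int
    dst: str
    dport: int


class Nat44Router:
    """IPv4 NAPT. Outbound traffic creates a translation entry; inbound packets
    are delivered only when they hit one. Nothing here is a security policy,
    yet unsolicited inbound packets are dropped all the same."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (remote_ip, remote_port, public_port) -> (lan_ip, lan_port)
        self.table: dict = {}

    def outbound(self, pkt: Packet) -> Packet:
        public_port = self.next_port
        self.next_port += 1
        self.table[(pkt.dst, pkt.dport, public_port)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, public_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.table.get((pkt.src, pkt.sport, pkt.dport))
        if entry is None:
            return None                 # no mapping: nowhere to forward it, dropped
        lan_ip, lan_port = entry
        return Packet(pkt.src, pkt.sport, lan_ip, lan_port)


class Ipv6Router:
    """IPv6 forwarding needs no translation, so a router that keeps no state
    forwards everything. The stateful variant does the same lookup NAT does,
    minus the address rewrite; that lookup is the actual firewall."""

    def __init__(self, stateful_firewall: bool):
        self.stateful_firewall = stateful_firewall
        self.flows: set = set()         # (src, sport, dst, dport) of outbound flows

    def outbound(self, pkt: Packet) -> Packet:
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if not self.stateful_firewall:
            return pkt                  # everything is routed straight to the LAN
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return pkt if reverse in self.flows else None


def run_scenario() -> dict:
    """Constructed traffic: a LAN host opens an HTTPS connection, then the remote
    side (or anyone else) tries to reach an SMB-like service on the same host."""
    results = {}

    nat = Nat44Router("203.0.113.7")
    translated = nat.outbound(Packet("192.168.1.20", 51000, "198.51.100.9", 443))
    results["nat_reply"] = nat.inbound(
        Packet("198.51.100.9", 443, "203.0.113.7", translated.sport))
    results["nat_scan"] = nat.inbound(
        Packet("198.51.100.9", 60000, "203.0.113.7", 445))

    for name, stateful in (("v6_open", False), ("v6_stateful", True)):
        r6 = Ipv6Router(stateful)
        r6.outbound(Packet("2001:db8:1::20", 51000, "2001:db8:ffff::9", 443))
        results[f"{name}_reply"] = r6.inbound(
            Packet("2001:db8:ffff::9", 443, "2001:db8:1::20", 51000))
        results[f"{name}_scan"] = r6.inbound(
            Packet("2001:db8:ffff::9", 60000, "2001:db8:1::20", 445))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:18} -> {'forwarded to ' + outcome.dst if outcome else 'dropped'}")
```

The point of the side-by-side is the `inbound` methods: NAT drops the scan because a dictionary lookup fails, the open IPv6 router forwards it because there is nothing to look up, and the stateful IPv6 router drops it with the same lookup NAT happened to perform. A real firewall also needs to admit the ICMPv6 messages IPv6 depends on (Neighbor Discovery, Packet Too Big), which this toy leaves out.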

The Silver Lining

I tested a few other devices, but allow me to save time and eyeballs by telling you directly that IPv6 mostly has issues on consumer networks. It’s an added-value feature or an afterthought rather than the backbone of the new Internet it was intended to be. You’re lucky if it works, and you should expect issues in many popular configurations: some obvious, some more insidious security issues that are less apparent.

Still, there is hope!

The good news is that, thanks to the steady advance of technology, your ISP device is now more commonly not just a modem but a router/modem combo that provides everything from connectivity (modem) to distribution (router and wireless access point, AP). This is easy for consumers because configuration and management become more of an ISP responsibility. If I do nothing to configure my network and only use the ISP-provided network and Wi-Fi, IPv6 works great by default. It’s only the moment you try to take matters into your own hands that the house of cards comes tumbling down and you see the truth: IPv6 is a second-class citizen in the consumer world. Maybe it works, maybe it doesn’t.

By the way, this blog? No IPv6 support, because my hosting provider doesn’t offer it, and there are almost no IPv6-only users. Practically everyone at least has IPv4, even if it has to go through ugly CG-NAT, and can reach a public IPv4 address. Sorry sorry, but I have to go with whoever is cheapest 😁
