Today’s title comes from the movie Marathon Man with Dustin Hoffman as the lead. I must admit that I haven’t seen it. The concept sounds scary enough, though: someone is expected to know information which they simply don’t possess. Somewhere in the movie the lead character is mistaken for a spy, perhaps and finds himself in a dentist chair where he is asked repeatedly this question.
Believe it or not, we have a very big security problem at the moment and few people are focusing much attention on it. Let me explain…
For a long time, we’ve all enjoyed the Internet. Packets of information are sent here and there. The underlying mechanism is usually called TCP/IP and that last “IP” part is described as version 4 or simply IPV4. Within all these specifications, there’s the concept of the sending computer’s address and the recipient’s. These “IP addresses” are critical to delivering content. A popular IP address is
18.104.22.168 which is Google’s primary DNS server. There are four numbers in each case, separated by periods.
A good analogy here is the zipcode system in place at the United States Postal Service, for example. Some five-digit combination of codes like
90210 points to a specific post office. If you were fortunate enough to have a P.O. box there, 90210 plus that box number would allow you to receive your copy of Beverly Hills Magazine or similar.
Often, though, cities grow bigger and the USPS needs to break up zipcodes (re-issuing new ones) or other clever methods to accommodate more and more people. They decided to extend the five-digit system to add four more digits to the end. An example might be
In a similar fashion, the Internet got more popular and something needed to be done. We ran out of IP addresses a long time ago, to be honest. There’s only so many individual computers which may be addressed using those four numbers from the IPV4 section above.
For decades, they’ve been putting off doing anything serious about this problem because of some reasonably-good workarounds. The best of these is to have everyone inside their own homes, businesses and even colleges use what is essentially, an unusable set of IP addresses. The technical term is a private IP address range. Buy a Netgear router for your home, plug it in and I could reasonably guess that your new home router now has the IP address of
192.168.0.1 just like other consumers. In one way, it’s not really a valid, routable address but things just work because of some trickery involved.
So, making those four-number styles of IP addresses longer in theory might make everything better, right? For two decades now, various people have been pushing hard to add those extra numbers to everyone’s computers, to every router, to all routing software, to all computer operating systems, to all software development kits.
Imagine thousands and thousands of ants silently working hard to build something that most of us cannot see, don’t understand and then one day twenty years later we find out that some huge anthill has taken over. The work happened so slowly that we didn’t take much notice.
IPV6 is here and we didn’t even know it. In fact, few know anything about it at all.
Unfortunately, the current system is what everyone understands. If you ask the average computer geek to “issue an IPV6 address” you will be met by a blank stare, shortly followed by hostility in many cases. Nobody wants to deal with these new addresses. Nobody wants to test their computers with these new addresses. Nobody wants to test their software or their websites with these new addresses.
I will go further to suggest that nobody knows how to do any of these things.
Too Long, Didn’t Read
Here’s an excerpt from the Wikipedia page on IPV6. Part of the problem is that these technical descriptions are written by people who don’t understand that end-users ultimately must understand what’s being talked about.
The 128 bits of an IPv6 address are represented in 8 groups of 16 bits each. Each group is written as four hexadecimal digits (sometimes called hextets) and the groups are separated by colons (:). An example of this representation is 2001:0db8:0000:0000:0000:ff00:0042:8329.
For convenience, an IPv6 address may be abbreviated to shorter notations by application of the following rules.
- One or more leading zeroes from any groups of hexadecimal digits are removed; this is usually done to either all or none of the leading zeroes. For example, the group 0042 is converted to 42.
- Consecutive sections of zeroes are replaced with a double colon (::). The double colon may only be used once in an address, as multiple use would render the address indeterminate. RFC5952 recommends that a double colon not be used to denote an omitted single section of zeroes.
An example of application of these rules:
- Initial address: 2001:0db8:0000:0000:0000:ff00:0042:8329
- After removing all leading zeroes in each group: 2001:db8:0:0:0:ff00:42:8329
- After omitting consecutive sections of zeroes: 2001:db8::ff00:42:8329
The loopback address, 0000:0000:0000:0000:0000:0000:0000:0001, may be abbreviated to ::1 by using both rules.
As an IPv6 address may have more than one representation, the IETF has issued a proposed standard for representing them in text.
For most computer professionals, avoidance has been their interaction with this feature.
The problem, then, is our network security globally. Silently, people are adding a routing feature into everything-that-is. Usually, when something like that happens, all computer professionals then are trained about how this new feature works. That definitely has not happened. We are in for such trouble on this one.
Another contributing factor to all this is the recent trend to push updates to end-users relentlessly, daily, (too often). For many people, toggling on some auto-update feature lowers their own sense of being nagged into daily updates. The “magic” just seems to happen and the users assume that literally hundreds of people have tested the safety of everything before it’s put out there for an upgrade. The dirty little secret is that it isn’t tested at all in areas like IPV6.
In short, turn off IPV6 support from every computer, router, device and smartphone in your life. Do it as soon as you learn how to do so.
Turn off IPV6 support on everything you own and everything you can control within your life. It’s a ticking time bomb from the standpoint of Internet security.
There will be a time when this new technology is safe. I’m guessing that this will be at least one decade in the future.
For more information, search for “turn off ipv6” in your favorite search engine.