
I have a section on a website that blocks access to all IPs, except for those that are whitelisted. For IPv4, this is very simple, because even with dynamic IPs, they generally won't change for months, or even years.

However, with IPv6, these seem to alternate every 24 hours or so. This means that I can't simply whitelist the initial IPv6 IP and call it good, because it'll just change again too quickly. Therefore, I need to whitelist a whole range. Even after reading about and testing IPv6 over the past couple of days, I'm still not confident I've got a handle on it.

Here's what I've got:

order deny,allow
allow from 1234:123:4567:ab1::/64
deny from all

The first 4 sections of the IP address never change, but the last 4 sections constantly change. Is this the correct way to whitelist an individual's IP in this context?

IPv6Quest

1 Answer


With IPv6 you have to start thinking in terms of subnets, rather than individual IP addresses. A /64 subnet is allocated to a physical LAN (or VLAN) and hosts in that subnet may be assigned addresses in that subnet in a variety of ways, and may change them arbitrarily if configured to do so (e.g. privacy addresses).

It is not possible to be certain that two different IPv6 addresses in a subnet correspond to the same machine, but you can be reasonably sure that a given IPv6 /64 corresponds to a subnet and of course all of the hosts in it.

Michael Hampton
  • So then, I suppose my question is, what is the most secure whitelisting option when it comes to IPv6? I mean, I'd rather whitelist a whole neighborhood, even a whole city, rather than just remove the protection altogether. Also, is my code correct? – IPv6Quest Mar 17 '19 at 20:49
  • That's the syntax for Apache 2.2, the old version. Apache 2.4 works differently, so you'll have to look that up before you upgrade. As for whitelisting, do you actually want to whitelist a whole city? That's not really possible. Isn't it enough to whitelist a subnet? – Michael Hampton Mar 17 '19 at 20:58
  • I'm on Apache 2.4, and that syntax still works for IPv4, at least. Is Apache backwards compatible? Anyway, yes, I'd prefer to make the whitelisting as narrow as possible. I just read https://serverfault.com/questions/940594/what-ipv6-block-should-be-whitelisted-when-a-user-asks-to-whitelist-their-ip, which was very insightful. Still, I can only find a lot of discussion, but not a lot of solid code examples. Whitelisting the subnet sounds great, if I've managed to do that accurately? I just had a user report that it worked, but am I doing it the best way possible? – IPv6Quest Mar 17 '19 at 21:20
  • @IPv6Quest "...that syntax still works for IPv4" - it still "works" for IPv6 too, however, the `Order`, `Allow` and `Deny` directives are [officially deprecated](https://httpd.apache.org/docs/current/mod/mod_access_compat.html) on Apache 2.4. Backwards compatibility is maintained to ease migration from 2.2 to 2.4. You should update these directives to use [mod_authz_host](https://httpd.apache.org/docs/current/mod/mod_authz_host.html) instead - but note that you should update _all_ relevant directives on your system as the old and new methods aren't necessarily compatible. – MrWhite Mar 17 '19 at 23:43
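The following is an added example, not code from the question, the answer or any of the commenters. It works through the point made in the answer (the first 64 bits identify the subnet, the last 64 change per host and over time) and in MrWhite's comment (the 2.2-style `Order`/`Allow`/`Deny` directives versus the 2.4 `Require ip` form from mod_authz_host). It takes a few addresses a user has reported over several days, checks that they all fall into one /64, verifies what an `allow from` / `Require ip` rule on that /64 would decide for other addresses, and prints both directive styles. The sample addresses are constructed from the `1234:123:4567:ab1::` prefix in the question; `prefix_len` is a parameter I added so the same check can be run for a wider allocation such as a /56 or /48.

```python
"""Derive the /64 shared by one IPv6 client's changing addresses, check
candidate addresses against it, and emit the equivalent Apache directives.

Added example; not from the original question or answer. Sample addresses
are constructed from the prefix used in the question.
"""
import ipaddress
from typing import Iterable

# Constructed sample: what one client might look like over three days.
# The interface identifier (last 64 bits) changes with privacy extensions;
# the /64 network prefix stays the same.
OBSERVED = [
    "1234:123:4567:ab1:1c2d:3e4f:5a6b:7c8d",
    "1234:123:4567:ab1:9e0f:1a2b:3c4d:5e6f",
    "1234:123:4567:ab1::1",
]


def subnet_of(addr: str, prefix_len: int = 64) -> ipaddress.IPv6Network:
    """Return the network of the given prefix length that contains addr,
    with the host bits cleared (e.g. 1234:123:4567:ab1::/64)."""
    return ipaddress.ip_interface(f"{addr}/{prefix_len}").network


def same_subnet(addrs: Iterable[str], prefix_len: int = 64) -> bool:
    """True if every address falls into the same /prefix_len network."""
    return len({subnet_of(a, prefix_len) for a in addrs}) == 1


def shared_subnet(addrs: Iterable[str], prefix_len: int = 64) -> ipaddress.IPv6Network:
    """Return the single network all addrs share. Raises ValueError when they
    span more than one subnet, which means the reported addresses do not
    belong to one LAN and a single /64 rule would not cover them."""
    nets = {subnet_of(a, prefix_len) for a in addrs}
    if len(nets) != 1:
        raise ValueError(f"addresses span {len(nets)} different /{prefix_len}s: "
                         f"{sorted(str(n) for n in nets)}")
    return nets.pop()


def is_allowed(addr: str, net: ipaddress.IPv6Network) -> bool:
    """What an 'allow from <net>' or 'Require ip <net>' rule decides for addr:
    a plain longest-prefix match, nothing else."""
    return ipaddress.ip_address(addr) in net


def apache_directives(net: ipaddress.IPv6Network) -> dict:
    """Both directive styles for the same rule. The 'compat' form is the
    deprecated mod_access_compat syntax from the question; 'authz_host' is
    the mod_authz_host form for Apache 2.4."""
    return {
        "compat": f"order deny,allow\nallow from {net}\ndeny from all",
        "authz_host": f"Require ip {net}",
    }


if __name__ == "__main__":
    net = shared_subnet(OBSERVED)
    print(f"all observed addresses share {net}")
    for candidate in ("1234:123:4567:ab1:ffff:ffff:ffff:ffff",  # same /64, new IID
                      "1234:123:4567:ab2::1"):                   # neighbouring /64
        print(f"{candidate:40} allowed={is_allowed(candidate, net)}")
    for style, text in apache_directives(net).items():
        print(f"\n# {style}\n{text}")
```

Running it shows that any future interface identifier under `1234:123:4567:ab1::/64` is still allowed while the adjacent `/64` is not, which is exactly what the `allow from 1234:123:4567:ab1::/64` line in the question does. If a user reports addresses that `shared_subnet` rejects, they are coming from more than one subnet and you need either a second rule or, if the prefixes differ only above bit 64, a wider `prefix_len`.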