Some Characteristics of China Telecom's IPv6

IPv6 has been fully deployed in China, and the IPv6 address pool is large enough for every personal device to obtain its own IPv6 address.
For home users, every device in the chain must support IPv6 before the end device can actually use it. Since IPv6 has been promoted for many years, devices purchased after 2016 generally support it.

The full chain of devices is: metropolitan area equipment -> community router -> home router (optical modem, router) -> end devices (phones, computers, TVs, etc.)

This article does not discuss the standard IPv6 protocol, only some characteristics of China Telecom’s IPv6.

Address Allocation

First is the address allocation method. IPv6 has three allocation methods: static assignment, SLAAC, and DHCPv6.
China Telecom in Hubei uses SLAAC, meaning that end devices configure their own IPv6 addresses from the prefix advertised by the carrier. Since Telecom's IPv6 address pool is large enough, address conflicts do not occur.

Telecom IPv6 addresses are randomly assigned and reassigned every 24 hours. To reach a home device from outside, you therefore need a DDNS service.

Firewall

Currently, common ports such as 80, 139, and 445 can be observed to be blocked, in line with the IPv4 firewall rules. This is understandable: a carrier-level firewall does protect ordinary users who lack cybersecurity awareness. In 2020, Telecom's IPv6 was completely open, but now some common ports are blocked.

Port 443 is occasionally open within the Telecom network but is not open to China Mobile or China Unicom. Developers should take note of this: a service that works well in the development environment, and is even reachable over Telecom's mobile network, may not be reachable over China Mobile's mobile network.

Based on simple firewall testing, developers are advised not to trust carrier firewalls and to choose a 5-digit port when providing services.

Additionally, the Telecom firewall does not block port 22, and port 3389 for Windows Remote Desktop Services is not blocked either.
This means remote login is possible from outside, which carries certain risks.

Once attackers obtain the IP address or DDNS domain name, they can begin targeted attacks, brute-forcing passwords to gain control. A domain name may also expose personal information such as a name or address, and social engineering can then be used to gather more information and speed up the cracking process.

It is recommended to disable password login for SSH and use key-based login only, or to log in remotely through a VPN or a jump server.
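As an added example, not part of the original article, the shell script below audits an sshd_config-style file for the "key-only login" recommendation. It models the OpenSSH rules that matter here: keywords are case-insensitive, `#` starts a comment, the first occurrence of a keyword wins, defaults apply when a keyword is absent (PasswordAuthentication defaults to yes), and anything after a `Match` line is conditional. The two sample configs are constructed for the demonstration; the function names `ssh_effective` and `ssh_password_login_disabled` are this example's own. A practitioner's caveat is built in: disabling PasswordAuthentication alone is not enough on a PAM system, because KbdInteractiveAuthentication (older name: ChallengeResponseAuthentication) can still prompt for a password.

```shell
#!/bin/sh
# Audit helper written for this post (hypothetical, not OpenSSH's own tooling).

# ssh_effective FILE KEYWORD DEFAULT
# Print the effective global value of KEYWORD in FILE: comments stripped,
# first occurrence wins, scanning stops at the first "Match" line, and
# DEFAULT is printed when the file never sets the keyword.
ssh_effective() {
    file=$1; key=$2; default=$3
    value=$(awk -v key="$key" '
        { sub(/#.*/, "") }                                   # strip comments
        tolower($1) == "match" { exit }                      # conditional section begins
        tolower($1) == tolower(key) && !found { print tolower($2); found = 1 }
    ' "$file")
    if [ -n "$value" ]; then printf '%s\n' "$value"; else printf '%s\n' "$default"; fi
}

# ssh_password_login_disabled FILE
# Succeed (exit 0) only when the file enforces key-only login:
# passwords off, public keys on, and keyboard-interactive (PAM) prompts off.
ssh_password_login_disabled() {
    pw=$(ssh_effective "$1" PasswordAuthentication yes)          # OpenSSH default: yes
    pk=$(ssh_effective "$1" PubkeyAuthentication yes)            # OpenSSH default: yes
    kbd=$(ssh_effective "$1" KbdInteractiveAuthentication yes)   # OpenSSH default: yes
    crt=$(ssh_effective "$1" ChallengeResponseAuthentication yes) # deprecated alias
    [ "$pw" = no ] && [ "$pk" = yes ] && { [ "$kbd" = no ] || [ "$crt" = no ]; }
}

# Constructed sample configs for the demonstration.
WEAK_CFG=$(mktemp)      # defaults left in place: passwords still accepted
HARDENED_CFG=$(mktemp)  # key-only login as the article recommends

cat > "$WEAK_CFG" <<'EOF'
# PasswordAuthentication is commented out, so the default (yes) applies
#PasswordAuthentication no
PubkeyAuthentication yes
EOF

cat > "$HARDENED_CFG" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no   # PAM could otherwise still prompt for a password
# A later duplicate does not override the first occurrence in OpenSSH:
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes    # conditional, ignored by the global audit
EOF

# Stand-alone run: report each sample config.
for cfg in "$WEAK_CFG" "$HARDENED_CFG"; do
    if ssh_password_login_disabled "$cfg"; then
        echo "$cfg: key-only login enforced"
    else
        echo "$cfg: password login still possible"
    fi
done
```

On a real host, point `ssh_password_login_disabled` at `/etc/ssh/sshd_config`; the audit deliberately ignores `Match` blocks, so any per-user or per-address exceptions below a `Match` line still need a manual look (or `sshd -T` on the host itself, which prints the fully resolved configuration).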