CloudFlare’s newly announced IPv6 support brings much more than just the ability to provide their caching and security features to IPv6-based websites. A few weeks ago CloudFlare co-founder Matthew Prince cryptically announced that they were working on a new groundbreaking feature. Whilst IPv6 is a great addition, IPv6 support alone is not what makes this new feature as cool as it is.
The main issue with IPv6 today is not the fact that ISP’s haven’t made the switch yet – this will be a fairly simple process – but rather that most websites themselves don’t yet support IPv6. This is one of the main reasons why ISPs don’t want to go full IPv6 – most content would be inaccessible to their customers. What CloudFlare have done is to make all current IPv4 CloudFlare-enabled sites accessible to IPv6-only clients, even if those websites don’t have IPv6 addresses. Because CloudFlare acts as a proxy, they simply add their own IPv6 address to the DNS of CloudFlare-enabled sites, allowing them to receive requests for those sites. Now all they have to do is serve up exactly the same cached content, and for everything else, proxy the request over onto IPv4. To make things even better, it works both ways, allowing IPv4-only clients to access IPv6-only websites, and vice-versa.
CloudFlare allows you can choose between two options: Full Mode which will enable IPv6 on all subdomains that are CloudFlare-enabled, or Safe Mode which will automatically create specific IPv6-only subdomains (e.g. www.ipv6.yoursite.com). You do not need to change any of your DNS settings. After it is up and running, you can test your IPv6 compatibility and get a badge for your site (mine’s at the bottom of the page).
I was able to take part in CloudFlare’s beta for this new feature and it works great. As you can see from the Security Generation host information below, on top of CloudFlare’s two IPv4 IPs, they’ve now added two IPv6 IPs.
securitygeneration.com has address 126.96.36.199
securitygeneration.com has address 188.8.131.52
securitygeneration.com has IPv6 address 2400:cb00:2048:1::adf5:3c63
securitygeneration.com has IPv6 address 2400:cb00:2048:1::c71b:8720
The IPv6 transition can now go ahead… Security Generation will be available when we get there ;)
As of today all CloudFlare members can now enable IPv6 support on the Settings page for the relevant domain(s). To enable ‘Automatic IPv6’ on your site, log in to CloudFlare.com > My websites > Settings (pull down menu) > CloudFlare Settings > Automatic IPv6: On.
Hit the jump to see CloudFlare’s funky new IPv6 infographic.
Don’t let the name fool you, prn-2-me is pronounced “print-to-me”, and not “pr0n-to-me”. I was disappointed too… but not for long!
prn-2-me is a man-in-the-middle python script from Chris John Riley that creates a custom listener (on port 9100 by default) and acts like a printer. Its purpose is to handle incoming PCL and PostScript print jobs, save a copy on your computer, and then forward them on to the actual printer. With a bit of arpspoofing magic, you or an attacker could intercept the print jobs of an entire office.
In theory, this tool could be expanded to allow you to also modify print files before they are sent on to the actual printer. An attacker could substitute specific prints with his own to do all kinds of wonderful and damaging things. Maybe a bit of automagic image editing in python could overlay an image on every file before forwarding it to the printer? Hilarity ensues. (Chris note the feature request)
Chris says he’s planning on integrating this into Metasploit. I’m going to hold him to that!