Deploy360 25 September 2014

BlackBerry's New Blend Application Requires IPv6 Networking (UPDATED)

By Dan YorkDirector, Internet Technology

BlackBerry BlendYesterday BlackBerry held a series of events announcing their new “Passport” smartphone as well as an application called “BlackBerry Blend” that lets you use your computer or tablet (including iOS and Android tablets) in conjunction with the Passport phone. There was a good bit of media coverage, almost all focusing on the Passport phone itself.

One interesting fact to emerge, though, is that the BlackBerry Blend application requires IPv6 networking in order to function.

NOTE – it does not seem to require IPv6 connectivity, i.e. your network doesn’t have to have actual IPv6 addressing and connectivity to the IPv6 Internet, but your network computer needs to allow IPv6 networking.

UPDATE 26 Sep 2014 – I received a statement from a representative for Blackberry stating that for Blend to work the mobile device (such as the Passport) does not need to have an IPv6 address or connectivity.  I was told:

Where the dependency exists in Blend is that the Windows and Mac clients send IPv6 source traffic to the corresponding BlackBerry desktop components that perform the networking communication themselves. The BlackBerry component will send over IPv4 but since the source of the traffic was IPv6, on a Windows PC you are required to have enabled IPv6 communication.

So it is not as much an issue of the network allowing IPv6 as it is the computer running the Blend app allowing IPv6.

The issue of Blend not working can then crop up in environments where Windows (and presumably Mac) computers have deliberately turned IPv6 off , either by actions of the computer user or by actions of the network administrator through group policies or similar mechanisms.

On page 13 of a Security Note about BlackBerry Blend there is also the statement:

The certificates permit BlackBerry Blend and the device to tunnel IPv6 traffic over USB or Wi-Fi networks that use IPv4.

which appears to reinforce the idea I suggested below in the article that this was similar to what Apple does with Back To My Mac where there is some kind of tunneling going on of IPv6 over the IPv4 network.

The contact for BlackBerry also pointed out that the two devices (the computer running Blend and the Passport) do not have to be on the same WiFi network.  As shown earlier in that Security Note document the computer could, for instance, be on a home WiFi network while the Passport is on the mobile network.

Thanks to BlackBerry for contacting us with a clarification and kudos to their team for doing this connectivity over IPv6! As the world’s networks move away from the legacy IPv4 networks, BlackBerry will presumably be all set to have their Blend app work over IPv6 networks. Great to see!

This is stated very clearly under “Step 1” on Getting Started with BlackBerry Blend and even more clearly in a knowledge base article titled “Unable to connect to BlackBerry Blend due to ipv6 being blocked on the computer“. That support document states:

BlackBerry Blend is unable to connect to, or communicate with the BlackBerry 10 smartphone when IPv6 traffic is being blocked.

An item in the network environment such as a VPN connector, firewall, network adapter setting, or anti-virus software is blocking or preventing IPv6 traffic.

IPv6 is a requirement for BlackBerry Blend to connect and communicate with the BlackBerry Smartphone. In order to complete the connection, IPv6 traffic will need to be enabled or allowed in the network environment.

So you apparently don’t necessarily have to have actual IPv6 connectivity… but you can’t be blocking IPv6 packets on the WiFi network that Blend is using to communicate with the Passport smartphone computer where the Blend app is running.

Similarity to Apple’s Back To My Mac

I can’t yet find any further information on exactly how BlackBerry is using IPv6 to make the connection between your computer or tablet. (UPDATE: We did find more info. See the note above.) However, on a certain level it sounds similar to what Apple does with their Back To My Mac (BTMM) function that is now part of their iCloud service. BTMM allows you to connect from one Mac back to another Mac to share files or to “share the screen” and remotely operate that remote Mac. Apple has more info about BTMM in its iCloud support area.

Similarly, BlackBerry Blend lets you connect from your computer or tablet to your Passport smartphone to be able to send and receive messages, view your calendars, transfer files, access internal websites using the Passport’s connection, etc. Effectively you are “remotely” managing the Passport smartphone from the tablet or computer, although unlike Apple’s BTMM you aren’t manipulating the actual desktop of the device but rather using the services and applications on the Passport.

The IPv6 connection comes in through the work of a team from Apple, UCLA and Toyota who documented how Apple’s BTMM service works in RFC 6281 and showed how it essentially creates an IPv6 “tunnel” over IPv4 between the two Macs. It’s well worth a read to understand how Apple did this.

Now, differently from what BlackBerry Blend apparently does, Apple tunnels all their IPv6 packets over IPv4 and so they don’t care about what the local network does with IPv6. Apple’s BTMM is also designed to work anywhere across the entire Internet, while the BlackBerry Blend is designed to only work across the local WiFi network. (The device running the BlackBerry Blend app and the Passport smartphone must both be on the same WiFi network to communicate.)

Still, it sounds like BlackBerry is creating some kind of IPv6 “tunnel” between the Blend app and the Passport device.

BlackBerry Assumes IPv6 Will Be Allowed

However, it seems BlackBerry assumed that IPv6 packets would not be blocked on the local WiFi network or would not be blocked on the computer running the Blend app. That probably is a safe assumption for many or even most networks, but I’ve heard of some enterprise networks who have not yet moved from IPv4 restricting IPv6 to prevent any unknown communication. It is those networks where Blend may have challenges working.

The reality is that the world is moving to IPv6 and so network operators MUST understand IPv6 security so that they can create appropriate IPv6 security policies that securely allow IPv6 traffic, rather than just blindly blocking IPv6.

BlackBerry’s Blend is just one of the first apps we’ll see assuming IPv6 is allowed. I’m sure there will be many more in the years ahead. Network operators who don’t at least allow IPv6 will find themselves with people or customers who are unhappy that they can’t use these new applications and services. Time to make IPv6 happen! (Or at least not block it!)

P.S. If you want to get started with IPv6, please visit our “Start Here” page to find resources targeted at your role or type of organization. And please let us know if you need more information! 

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Improving Technical Security 13 March 2019

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a...