[OpenWrt-Devel] IPv6 firewall and Port Control Protocol (Was: Barrier Breaker 14.07-rc1)

Benjamin Cama benoar at dolka.fr
Wed Jul 16 04:53:59 EDT 2014


On Tuesday, 15 July 2014 at 17:43 -0400, Justin Vallon wrote:
> I don't think turning off the firewall is a sane default.

I don't advise turning it off for everything. I am trying to find a good
compromise.

> Your
> arguments based on "global addressability" are false because IPv4 can be
> globally addressable, if you want.  You can get static ip addresses (or
> a subnet), turn off NAT, and turn off the firewall - every "internal"
> network device will be on the public internet.

Yes (even if I don't understand why you are talking about "static"
addressing; it could work with DHCP the same) but you are talking about
people who are able to be routed a public IPv4 prefix, which is very few
people today, and will be almost nobody in the future because of IPv4
address space depletion. I assume almost every user of OpenWRT is a
“home” user and I believe none of them are offered such a possibility by
their ISP (well, I happen to have this possibility with my ISP, but it
is a very tiny exception, and I don't even use it).

> You say:  "A general principle is that a service should not be bound on
> a globally reachable address if it is not meant to be globally
> accessible."  If my desktop is given an IPv6 address, are all of my
> services now globally addressable?

Yes.

> If yes, I have opened up all local
> services (oops).

Well, if you didn't want them to be accessible, you have many
possibilities: bind it on some non-global address (LL, ULA), restrict it
locally (/etc/hosts.deny when appropriate, custom configuration that
limits access to some range, etc), use some authentication, configure
your firewall appropriately (on the targeted machine or on your router),
…

The thing here is to find a _default_: you are imagining a case where
every service should be blocked from outside access by default. But I
would like my telephony programs, my P2P clients, my local daemons that
I run for friends (local git repos, experimental web apps,…), my
different servers that listen on different addresses, etc, to be
accessible by default. It seems to me that there are far more use cases
for allowed access by default than forbidden access. The thing is, these
use cases are not very common today because there is no equivalent in
IPv4 (practically): you cannot have “accessible by default” in today's
NATed IPv4.

> If no, do I need a "locally addressable" and "globally
> addressable" IPv6 space for each device & service, so that I can choose
> which services I consider internal (my printer, my smb share) vs
> external (my web server)?

Yes, this is one possibility. OpenWRT even has by default a ULA prefix
configured for delegation on the local network! (BTW, there is a bug
that makes it configure the /60 on the lan by default, I couldn't trace
its origin) Or you could use one of the means I listed, including
configuring OpenWRT's firewall. But what should be the default? Does your
use case represent what would be globally the right solution?

Of course, a lot of people on this ML are thinking in terms of “I can
configure my firewall myself”, but this is not the case of the casual
users. And I think that in the end, there are far more casual users of
OpenWRT than one thinks if you take into account people that will use
your router to access the Internet: these are the ones that will be
blocked from running whatever software they want.

> That is pushing the security problem to the
> "terminal" devices.

And this is exactly what the end-to-end argument is about!
http://en.wikipedia.org/wiki/End-to-end_principle
But I don't want to remove the possibility to secure your network at the
edge; I just want to say that by default, we could block only a small
portion of traffic and let the less security-problematic one flow.
Everyone has the possibility to forbid some traffic at the edge by
configuring their firewall.

By the way, when we talk about restricting the use of some port, we
automatically forbid IPsec (RFC 4301
<http://tools.ietf.org/html/rfc4301>) and Mobile IPv6 (RFC 6275
<http://tools.ietf.org/html/rfc6275>), which are layer 3 protocols that
don't bother about ports. It is a bit sad when we are forbidding some
traffic for “security”.

> > I do not understand what the principle of least privilege has to do
> here. “Forbidden by default” is not about privileges.
> 
> Privilege here is the right to do something; with respect to networking:
> open a connection to any host, open a connection to a specific host,
> allow incoming connections from any host.  Principle of least privilege
> means that you only allow what is required - default is to restrict, not
> allow.  Privileges are granted where necessary, instead of taken away
> when abused.

Why would you immediately talk about abuses? When one is talking about
connecting to someone, that means that your correspondent has allowed
traffic to flow in. Was your correspondent abused? No, he willingly
bound some software to some address, and offered a service. Should this
“privilege” be granted only to a few? I don't think so. This is one
reason we have such an asymmetric Internet today: people are not “allowed”
to run their software on their machine to be contacted by whoever they
want. Instead, they have to rely on some intermediary that will offer
them this possibility (think about all the HTTP kludges to get traffic
to flow to you asynchronously).

Of course, I am talking about something bigger than just the people who
set up OpenWRT boxes, but as OpenWRT is a leader in what is done in home
routers today, I think we should think bigger than only the community of
router hackers.

> Here, incoming connections represent a security risk
> (hackers),

I don't see it that way. This is, as I already said, a very big
presupposition that has a lot of consequences on how the Internet works.
And hackers very well do their thing today without incoming connections
allowed.

> and mitigation is that it becomes a privilege (to be
> earned).

This is the problem to me: every sysadmin thinks that people that use
their network must “earn” some “privileges” to be able to receive
connections. The myth that people will abide has been so many times
debunked by so many technologies and architectures that work around it
that it becomes sad.

> By default, incoming connections are not allowed, and uPNP
> (etc) is used to request (and grant) that privilege.

As has been shown many times
<http://en.wikipedia.org/wiki/UPnP#Problems_with_UPnP>, using UPnP does
not improve the situation much. The problem of binding or not to a
global address (or using or not a restriction mechanism) translates to
configuring or not UPnP: people not knowledgeable won't really
understand and will run UPnP that will open the port on the firewall, so
your firewall is “useless”. People that know could have as well blocked
the service themselves.

In the meantime, we will have PCP to bring the same functionality to
IPv6, but we have to find some sane default anyway.

--
benjamin
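The thread above turns on one question: which of a host's listening services sit on an address that is reachable from the Internet once IPv6 removes NAT, and which are already limited to link-local, ULA or loopback scope as Benjamin suggests. The following script is an added example, not code from the thread or from OpenWrt: it classifies bind addresses by scope and audits listener lines in the layout of `ss -ltnH` on Linux. The listener lines, addresses, ports and process names are constructed for the example; the `ss` layout (State, Recv-Q, Send-Q, Local:Port, Peer:Port, Process) is the real one, but the parser only relies on whitespace-separated columns and is an assumption of this example.

```python
import ipaddress
import re

# Constructed sample: imitates `ss -ltnH` output (one listening socket per line).
# Every address, port and process name here is made up for this example.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=412,fd=4))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=412,fd=3))
LISTEN 0 5 [fd00:dead:beef::10]:445 [::]:* users:(("smbd",pid=900,fd=30))
LISTEN 0 5 [fe80::1%eth0]:631 [::]:* users:(("cupsd",pid=520,fd=7))
LISTEN 0 128 [::1]:5432 [::]:* users:(("postgres",pid=700,fd=5))
LISTEN 0 128 [2a01:e35:1234:5678::10]:80 [::]:* users:(("nginx",pid=800,fd=6))
"""

ULA = ipaddress.ip_network("fc00::/7")  # unique local addresses (RFC 4193)


def scope_of(addr: str) -> str:
    """Classify a bind address by how far away a peer can be and still reach it."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:            # '::' or '0.0.0.0': every address the host holds
        return "any"
    if ip.is_loopback:               # ::1 or 127/8: this host only
        return "loopback"
    if ip.is_link_local:             # fe80::/10: never forwarded off the link
        return "link-local"
    if ip.version == 6 and ip in ULA:
        return "ula"                 # routable inside the site, not on the Internet
    if ip.is_global:
        return "global"
    return "other"                   # multicast, documentation ranges, etc.


# Local:Port column as printed by ss: "[v6addr]:port", "v4addr:port" or "*:port".
LOCAL_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:\s]+)):(?P<port>\d+|\*)$")
PROC_RE = re.compile(r'\("([^"]+)"')  # first process name inside users:(("name",...))


def parse_local(field: str):
    """Split the Local:Port column into (address, port); '*' means the wildcard address."""
    m = LOCAL_RE.match(field)
    if not m:
        raise ValueError(f"unrecognised local address field: {field!r}")
    host = (m.group("v6") or m.group("v4")).split("%", 1)[0]  # drop a zone id such as %eth0
    if host == "*":
        host = "::"
    return host, m.group("port")


def exposed_listeners(ss_output: str):
    """Return (address, port, process) for sockets bound to the wildcard or a global
    address: the services that are reachable from outside unless a firewall on the
    host or the router filters them. ULA, link-local and loopback binds are skipped."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, port = parse_local(fields[3])
        if scope_of(addr) in ("any", "global"):
            proc = PROC_RE.search(line)
            found.append((addr, port, proc.group(1) if proc else "?"))
    return found


if __name__ == "__main__":
    for addr, port, proc in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"{proc:10s} [{addr}]:{port}  scope={scope_of(addr)}")
```

Run on a real host with `ss -ltnH | python3 audit.py`-style piping after replacing the constructed sample, the wildcard and global entries are the ones to either rebind to a ULA or link-local address, protect with the service's own access control, or cover with a firewall rule; the IPv4 wildcard bind is reported as well, since the same socket serves whatever IPv4 address the host is given.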