[OpenWrt-Devel] IPv6 firewall and Port Control Protocol (Was: Barrier Breaker 14.07-rc1)

Gui Iribarren gui at altermundi.net
Wed Jul 16 06:25:18 EDT 2014 

+1 to all benjamin arguments,

default openwrt ipv4 firewall basically does:
 * deny all unsolicited traffic coming from WAN to the router (i.e. it's
own host)
 * masquerade the LAN hosts behind a single, scarce, ipv4 address, on
outgoing traffic.
 * allow *any possible traffic* that involves LAN hosts (LAN->LAN,
LAN->Router, Router->LAN, LAN->WAN)

There's *no* way to allow incoming unsolicited traffic coming from WAN
to LAN hosts, since they have no public ips that can address them. So
there hasn't been a "decision" or a "policy" so far regarding inbound
traffic for LAN hosts, there was simply no such scenario.

now, default openwrt ipv6 firewall basically does:
 * deny all unsolicited traffic coming from WAN to the router (i.e. it's
own host)
 * allow *some* traffic involving LAN hosts (LAN->LAN, LAN->Router,
Router->LAN, LAN->WAN)
 * in addition, deny all unsolicited traffic coming from WAN to any LAN
host (i.e. taking a decision on behalf of other hosts)

it is an error to consider this last point/decision "in line" with the
ipv4 policy, since as stated, there's no such scenario in SOHO ipv4 nets

in other words, i'd say the "principle of least privilege" has not been
applied so far in ipv4 world to LAN hosts, (they were allowed to do
everything they could possibly do)
so if there was any "principle" so far, was something along "full trust"
for LAN hosts.
Now LAN hosts gained a new freedom, getting inbound traffic addressed at
themselves. Following the "full trust" principle, why block that? (and
worst: while at it, break ipv6 main 'selling point' - end-to-end internet!)

cheers!

gui

On 16/07/14 05:53, Benjamin Cama wrote:
> Le mardi 15 juillet 2014 à 17:43 -0400, Justin Vallon a écrit :
>> I don't think turning off the firewall is a sane default.
> 
> I don't advise to turn it off for everything. I am trying to find a good
> compromise.
> 
>> Your
>> arguments based on "global addressability" are false because IPv4 can be
>> globally addressable, if you want.  You can get static ip addresses (or
>> a subnet), turn off NAT, and turn off the firewall - every "internal"
>> network device will be on the public internet.
> 
> Yes (even if I don't understand why you are talking about "static"
> addressing; it could work with DHCP the same) but you are talking about
> people who are able to be routed a public IPv4 prefix, which is very few
> people today, and will be almost nobody in the future because of IPv4
> address space depletion. I assume almost every user of OpenWRT is a
> “home” user and I believe none of them are offered such a possibility by
> there ISP (well, I happen to have this possibility with my ISP, but it
> is a very tiny exception, and I don't even use it).
> 
>> You say:  "A general principle is that a service should not be bound on
>> a globally reachable address if it is not meant to be globally
>> accessible."  If my desktop is given an IPv6 address, are all of my
>> services now globally addressable?
> 
> Yes.
> 
>> If yes, I have opened up all local
>> services (oops).
> 
> Well, if you didn't want them to be accessible, you have many
> possibilities: bind it on some non-global address (LL, ULA), restrict it
> locally (/etc/hosts.deny when appropriate, custom configuration that
> limit access to some range, etc), use some authentication, configure
> your firewall appropriately (on the targeted machine or on your router),
>> 
> The thing here, is to find a _default_: you are imagining a case where
> every service should be blocked from outside access by default. But I
> would like my telephony programs, my P2P clients, my local daemons that
> I run for friends (local git repos, experimental web apps,…), my
> different servers that listen on different addresses, etc, to be
> accessible by default. It seems to me that there are far more use cases
> for allowed access by default than forbidden access. The thing is, these
> use cases are not very common today because there is no equivalent in
> IPv4 (practically): you cannot have “accessible by default” in today
> NATed IPv4.
> 
>> If no, do I need a "locally addressable" and "globally
>> addressable" IPv6 space for each device & service, so that I can choose
>> which services I consider internal (my printer, my smb share) vs
>> external (my web server)?
> 
> Yes, this is one possibility. OpenWRT even have by default an ULA prefix
> configured for delegation on the local network! (BTW, there is a bug
> that make it configure the /60 on the lan by default, I couldn't trace
> its origin) Or you could use one of the means I listed. Comprising
> configuring OpenWRT's firewall. But what should be the default? Is your
> use case representing what would be globally the right solution?
> 
> Of course, a lot of people on this ML are thinking in terms of “I can
> configure my firewall myself”, but this is not the case of the casual
> users. And I think that in the end, there are far more casual users of
> OpenWRT that one think if you take into account people that will use
> your router to access the Internet: these are the ones that will be
> blocked to run whatever software they want.
> 
>> That is pushing the security problem to the
>> "terminal" devices.
> 
> And this is exactly what the end-to-end argument is about!
> http://en.wikipedia.org/wiki/End-to-end_principle
> But I don't want to remove the possibility to secure you network at the
> edge; I just want to say that by default, we could block only a small
> portion of traffic and let the less security-problematic one flow.
> Everyone has the possibility to forbid some traffic at the edge by
> configuring its firewall.
> 
> By the way, when we talk about restrict the use of some port, we
> automatically forbid IPsec (RFC 4301
> <http://tools.ietf.org/html/rfc4301>) and Mobile IPv6 (RFC 6275
> <http://tools.ietf.org/html/rfc6275>), which are layer 3 protocols that
> don't bother about ports. It is a bit sad when we are forbidding some
> traffic for “security”.
> 
>>> I do not understand what the principle of least privilege has to do
>> here. “Forbidden by default” is not about privileges.
>>
>> Privilege here is the right to do something; with respect to networking:
>> open a connection to any host, open a connection to a specific host,
>> allow incoming connections from any host.  Principle of least privilege
>> means that you only allow what is required - default is to restrict, not
>> allow.  Privileges are granted where necessary, instead of taken away
>> when abused.
> 
> Why would you immediately talk about abuses? When one is talking about
> connecting to someone, that means that your correspondent has allowed
> traffic to flow in. Was your correspondent abused? No, he willingly
> bound some software to some address, and offered a service. Should this
> “privilege” be granted only to a few? I don't think so. This is one
> reason we have a so asymmetric Internet today: people are not “allowed”
> to run their software on their machine to be contacted by whoever they
> want. Instead, they have to rely on some intermediary that will offer
> them this possibility (think about all the HTTP kludges to get traffic
> to flow to you asynchronously).
> 
> Of course, I am talking about something bigger that just the people who
> set up OpenWRT boxes, but as OpenWRT is a leader in what is done in home
> routers today, I thing we should think bigger than only the community of
> routers' hackers.
> 
>> Here, incoming connections represent a security risk
>> (hackers),
> 
> I don't see it that way. This is, as I already said, a very big
> presupposition that has a lot of consequences on how the Internet works.
> And hackers very well do there thing today without incoming connections
> allowed.
> 
>> and mitigation is that it becomes a privilege (to be
>> earned).
> 
> This is the problem to me: every sysadmin think that people that use
> their network must “earn” some “privileges” to be able to receive
> connections. The myth that people will abide has been so many times
> debunked by so many technologies and architectures that work around it
> that it becomes sad.
> 
> 
> As had been shown many times
> <http://en.wikipedia.org/wiki/UPnP#Problems_with_UPnP>, using UPnP does
> not improve the situation much. The problem of binding or not to a
> global address (or using or not a restriction mechanism) translate to
> configuring or not UPnP: people not knowledgeable won't really
> understand and will run UPnP that will open the port on the firewall, so
> your firewall is “useless”. People that know could have as well blocked
> the service themselves.
> 
> In the mean time, we will have PCP to bring the same functionality to
> IPv6, but we have to find some sane default anyway.
> 
> --
> benjamin
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
> 
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel

More information about the openwrt-devel mailing list