[OpenWrt-Devel] IPv6 firewall and Port Control Protocol (Was: Barrier Breaker 14.07-rc1)

Sebastian Moeller moeller0 at gmx.de
Wed Jul 16 15:12:33 EDT 2014


Hi Gui,


On Jul 16, 2014, at 20:10 , Gui Iribarren <gui at altermundi.net> wrote:

> On 16/07/14 12:09, Gert Doering wrote:
>> Hi,
>> 
>> On Wed, Jul 16, 2014 at 08:41:50AM -0300, Gui Iribarren wrote:
>>> then, what happens when those devices are deployed in a myriad of
>>> real-world scenarios? hackers rejoice!
>> 
>> This actually is a somewhat moot argument.  Devices travel today, and
>> while your home network and office network might be behind a firewall,
>> the hotspot you're using while waiting for your train might not be.
>> 
>> So with today's devices, every device needs to be able to protect itself
>> (i.e.: host firewall, services only accepting connection from "local
>> network", etc. - windows 7 doing a fairly good job with this today).
>> 
>> The old model "strong firewall, weak devices behind it" is just a thing
>> not matching reality anymore...
> 
> Ah, sorry if irony blurred my position:
> your point, Gert, is exactly my point :)
> 
> in other words, we're both on the same side: my arguments are in favour
> of openwrt having an open ipv6 firewall by default, so to put the policy
> back into end-devices hands (where it always should have been)

	??? The part in parentheses is debatable...

> 
> Benjamin is giving some great examples of real-world scenarios where a
> default-open firewall simplifies administration,
> and where a default-closed firewall would be not only unnecessary
> (provides no benefits), but would indeed complicate setting up things.

	My interpretation of his examples is that putting the MAC/IPv6 addresses into a router-managed whitelist would not have significantly increased the amount of work involved...

> 
> proprietary-software personal devices are a special case - granted.
> putting that aside, i think it's insightful to consider that a person
> that has admin access to all her mobile devices config (which carries
> every day), so to publish (or restrict) services at her own will,
> if and only if the network devices upstream (to which might have no
> control over) have a default-open firewall.

	But in your home you have control over the router's settings, so explicitly managing the access rights is an easy way to deal with the quite common case you just put aside? Or what is your idea about the proprietary-software personal devices? I could envision two "networks", a secured default-closed and an optimistic default-open network, managed by the same router (sort of like a guest network with default-open, while the main network is default-closed, or vice versa).


> 
> in ipv4 world, there was no discussion: a default-open inbound policy in
> routers that would let end-hosts decide, was simply not possible.

	? The default could have been to direct everything to one internal host (say lowest MAC or first discovered device).

> why carry that legacy restriction into the wonderful ipv6 world?

	What is so wonderful about IPv6? Malware surely will evolve quickly to take advantage of a dropped layer of defense… For experts such as you and Benjamin the default does not really matter that much, you can easily change it to your liking; but think about non-experts. I for one would be quite startled if the switch to IPv6 would expose parts of my device zoo that were never configured with that problem in mind…



Best Regards
	Sebastian

> 
> chee::rs!
> 
> gui
> 
>> 
>> gert
>> 
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel