[OpenWrt-Devel] OpenWRT IPv6 firewall

Dirk Neukirchen dirkneukirchen at web.de
Thu Jul 17 02:59:17 EDT 2014

On 16.07.2014 22:41, Gui Iribarren wrote:
> On 16/07/14 16:21, Bill Moffitt wrote:
>> However, for the moment, I would argue that the "rightness" of following
>> expected behavior is greater than the "rightness" of delivering the true
>> "end-to-end" nature of v6.
> At least Swisscom (according to Baptiste) and TP-Link seem to have
> solved the dilemma by defining "expected behaviour" = the true
> end-to-end nature of v6 :P hurray!

End-to-End communication without firewalls in routers is important for
some users (myself included)

If expected behaviour seems to differ one could check IETF RFCs or drafts

6092: Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for
Providing Residential IPv6 Internet Service: http://tools.ietf.org/rfc/rfc6092.txt 

6204: Basic Requirements for IPv6 Customer Edge Routers

Checking OpenWrt against these or against some proposed consumer certifications
like https://www.ipv6ready.org/?page=documents&tag=phase-2-cpe
and a testsuite http://interop.ipv6.org.tw/CERouter/

Possibly there were discussions about ipv6 and firewall settings, end-to-end 
on home routers ("CPE") on NANOG or other NOG mailing lists

AFAICT OpenWrt does not have some of these "sane" defaults enabled to quote 6092:
"IPsec transport and tunnel modes are explicitly secured by definition, so
 this document recommends that the DEFAULT operating mode permit IPsec."

Possibly connected with the firewall issues are the state tracking tables.
Bittorrent use case: https://dev.openwrt.org/ticket/16938 requests NOTRACK documentation
And IPv6 privacy extensions might increase tracking tables too if a shorter lease time is used.

PS: Checking and updating the wiki might be nice regarding IPv6 capabilities from RFCs.
I began adding some pages regarding new features mentioned
in the changelog, linking from http://wiki.openwrt.org/doc/barrier.breaker
Some short use cases / commandlines / guide links from people that developed and
tested these features (and list of/if additional hw/software used) would be very helpful.
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org

More information about the openwrt-devel mailing list