[OpenWrt-Devel] IPv6 firewall and Port Control Protocol (Was: Barrier Breaker 14.07-rc1)

Sebastian Moeller moeller0 at gmx.de
Thu Jul 17 16:26:30 EDT 2014

Hello Benjamin,

On July 17, 2014 7:45:10 PM CEST, Benjamin Cama <benoar at dolka.fr> wrote:
>Le mercredi 16 juillet 2014 à 21:12 +0200, Sebastian Moeller a écrit :
>> 	What is so wonderful about IPv6? Malware surely will evolve quickly
>> to take advantage of a dropped layer of defense…
>“Layer of defense”? To most, it will just translate to a brick wall that
>will have to be worked around by some other means because nobody except
>advanced users can configure their firewall.

	I argue that people unable to change the router settings are better off with all unsolicited inbound traffic disabled.

>> For experts as you and Benjamin the default does not really matter
>> that much you can easily change it to your liking; but think about
>> non-experts.
>I totally do this for non-experts: non-experts won't ever touch their
>default configuration. So, basically, they will have no inbound
>connection possible, so manufacturers will find other means to do what
>they can to allow for that to happen (as they are doing today with
>IPv4). It will just be even less controllable by yourself (custom
>protocols, etc). Even if PCP comes: imagine then that devices configured
>with PCP will be accessible from outside, and… will they be magically
>immune to anything this way? They will have to be secured anyway.

	Note that I argue for a per-device whitelist, especially since I do not think that an automatic port opening method has the security guarantees I hope for. But note that with your proposal ALL devices need expert configuration. There is no magic immunity from ports closed by default, just a reduced attack surface...

>> I for one would be quite startled if the switch to IPv6 would expose
>> parts of my device zoo that was never configured with that problem in
>> mind….
>Please, cite me any device today that can be dangerously exposed by an
>IPv6 connectivity.

	While not from today: http://www.kb.cert.org/vuls/id/986425 looks pretty bad... Actually, googling for "IPv6 CVE" does seem to find quite a lot. At least enough to make ports open by default look like a risky proposition. Now you could argue that all Linux CVEs will also affect the router... But assuming all IPv6 devices will stay safe and secure forever seems a bit too optimistic...

>A printer, for example, should be bound (to me) to a link-local address
>by default. I don't know any manufacturer who does so (well, they don't
>support IPv6 anyway…).

Sent from my Android device with K-9 Mail. Please excuse my brevity.
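As an added illustration of the policy argued for in this message (it is not configuration from this thread, nor OpenWrt's shipped defaults): an OpenWrt /etc/config/firewall fragment in fw3's UCI syntax that keeps unsolicited inbound and forwarded traffic rejected on the WAN zone, and then whitelists exactly one port on one inside host over IPv6. The host address 2001:db8::1234 (documentation prefix), the port 631 (IPP printing) and the rule names are constructed example values; the network names "wan" and "wan6" are assumed to match the interfaces defined in /etc/config/network.

```text
# /etc/config/firewall (fragment; added example, not the project's default file)

# Global defaults: nothing is forwarded between zones unless a zone or
# rule explicitly allows it.
config defaults
	option syn_flood	'1'
	option input		'ACCEPT'
	option output		'ACCEPT'
	option forward		'REJECT'

# WAN zone covers both the IPv4 and the IPv6 uplink. Inbound to the router
# and forwarding to the LAN are rejected; only replies to outbound flows
# pass (connection tracking handles that).
config zone
	option name		'wan'
	list   network		'wan'
	list   network		'wan6'
	option input		'REJECT'
	option output		'ACCEPT'
	option forward		'REJECT'
	option masq		'1'
	option mtu_fix		'1'

# Per-device whitelist entry: one destination host, one port, one protocol,
# IPv6 only. Everything else behind the router stays unreachable from WAN.
# 2001:db8::1234 and port 631 are constructed placeholder values.
config rule
	option name		'Allow-IPP-to-printer-v6'
	option src		'wan'
	option dest		'lan'
	option family		'ipv6'
	option proto		'tcp'
	option dest_ip		'2001:db8::1234'
	option dest_port	'631'
	option target		'ACCEPT'
```

The point of the layout is that exposure is an explicit, per-host, per-port decision recorded in one place, which is what a default-deny inbound policy buys over "ports open by default": a device with an unknown IPv6 stack is unreachable until someone deliberately adds a rule for it, and the list of such rules is the complete inventory of what the router exposes. After editing, `/etc/init.d/firewall reload` applies the change, and `fw3 print` shows the resulting ip6tables rules so the whitelist can be checked against what is actually loaded.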