[OpenWrt-Devel] IPv6 firewall and Port Control Protocol (Was: Barrier Breaker 14.07-rc1)

David Lang david at lang.hm
Fri Jul 18 03:22:11 EDT 2014


By the way, link local addresses are not going to be used for these devices, 
because they will all have some 'cloud' feature that will require they have a 
way to phone home.

David Lang

On Fri, 18 Jul 2014, David Lang wrote:

>
> Every IPv4 home router I have seen defaults to 'block all incoming, unless 
> something on the inside opens it'
>
> If IPv6 routers end up being wide open, then we are going to start seeing 
> people getting compromised and the analysis being that it was through IPv6 
> and it will get an (undeserved) reputation of being less secure than IPv4 
> just because stupid vendors are going to have their stuff exposed.
>
> We've seen worms specifically targeting printers in the past; what makes you 
> think we aren't going to see things like that exploiting NAS devices, DLNA 
> servers, thermostats, etc?
>
> You would be horrified to see what passes for security in the Internet of 
> Things. A lot of that software makes me think of stuff from the '70s and 
> early '80s. I've seen devices manufactured in 2012 that used 4 bits for the 
> year (with the epoch being Jan 1 2010)!!
>
> The horror stories that you have heard about how insecure SCADA and other 
> industrial devices are are not exaggerations; if anything they understate the 
> problems.
>
> Think about the early Internet protocols (SNMP and TFTP), and think about 
> systems that make them look sane and perfectly reasonable.
>
> Exposing these systems to inbound connections from anywhere on the Internet 
> is irresponsible.
>
> Now, if these devices make a connection out to phone home, allowing that home 
> to reach back is reasonable, and supporting things like UPnP to allow devices 
> to specifically open up inbound connections is reasonable. I'm not saying 
> that it needs to be as hard to configure as getting in through IPv4 NAT, but 
> it should NOT be the 'open end-to-end Internet the way $DEITY intended'.
>
> Look at how easy it is to 'root' phones, where the company involved is at 
> least reasonably competent in writing software. For a lot of the IoT devices, 
> the Internet is a rushed, tacked-on addition (they already needed a processor 
> to manage something, so spend a few cents more and now they can advertise 
> this mobile device app). Try using some of these apps and devices and see how 
> horrific the software is.
>
> David Lang
>
>> 
>> cheers!
>> 
>>> 
>>> Yes, it would be ideal if every host was locked down so that it was safe
>>> for them to be exposed.
>>> 
>>> But that's not the world we live in.
>>> 
>>> David Lang
>>> 
>>> On Wed, 16 Jul 2014, Lyme Marionette wrote:
>>> 
>>>> ----- Original Message -----
>>>> On Wednesday, July 16, 2014 2:10:53 PM "Gui Iribarren"
>>>> <gui at altermundi.net> wrote:
>>>>> Benjamin is giving some great examples of real-world scenarios where
>>>>> a default-open firewall simplifies administration,
>>>>> and where a default-closed firewall would be not only unnecessary
>>>>> (provides no benefits), but would indeed complicate setting up
>>>>> things.
>>>> 
>>>> There have been many good arguments posted on this subject and to
>>>> throw my opinion in, it is a question of effort and expectations.
>>>> 
>>>> I think everyone can agree that:
>>>> -It takes equal effort to turn a firewall on, as it does to turn one off.
>>>> -It takes equal effort to create a specific block list, as it does to
>>>> create a specific allow list.
>>>> -UPnP is not included by default for either the ipv4 or ipv6 stacks.
>>>> 
>>>> I would also go further to suggest that:
>>>> -Consistency is good, even if it is consistent for superficial reasons.
>>>> 
>>>> We know that, for NAT reasons, the ipv4 stack by default blocks
>>>> incoming connections:
>>>> -Because it doesn't know by default where to route them.
>>>> -ipv4 end-points have been traditionally insecure.
>>>> 
>>>> The two ways to get around this (for gaming, etc):
>>>> -Through setting firewall rules to route the traffic to an end-point.
>>>> -Through the use of UPnP (which is used by most games to host, and
>>>> gaming consoles).
>>>> 
>>>> With the adoption of ipv6 there is the opportunity to change this
>>>> behaviour such that instead of incoming traffic being restricted for
>>>> technical reasons, that incoming traffic is routed to the correct
>>>> end-point.
>>>> However, that begs the questions:
>>>> A) Is that consistent with what people would expect?
>>>> B) Are ipv6 end-points secure by design?
>>>> 
>>>> In regards to A, from the mindset of a non-technical user, I would wager
>>>> that the answer is 'no'. Even though there is a change in technology
>>>> with ipv6, the ipv6 technology fulfills the same role as ipv4 and this
>>>> could be seen as opposing direction between the two. This would likely
>>>> catch many end-users by surprise unless they read the small print
>>>> regarding this.
>>>> 
>>>> As for B, given my view of software development, applications,
>>>> networks, etc (I've been in the IT business for over 25 years now) I
>>>> would wager that 80% of applications are secure, and that the other
>>>> 20% make the potential change in policy very risky.
>>>> 
>>>> IMO, and others may disagree with this, the answer would be to include
>>>> UPnP by default, which would/should resolve most of the hosting issues.
>>>> 
>>>> Thanks.
>>>> _______________________________________________
>>>> openwrt-devel mailing list
>>>> openwrt-devel at lists.openwrt.org
>>>> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
>>>> 
>> 
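What the 'block all incoming, unless something on the inside opens it' policy debated above looks like on an OpenWrt router, as an added example rather than anything from the thread or OpenWrt's own shipped configuration: an /etc/config/firewall fragment that keeps IPv6 forwarding from wan default-closed, still lets the ICMPv6 messages IPv6 needs through, and opens one explicit pinhole. The zone and interface names (lan, wan, wan6), the host address 2001:db8:1234:1::10 and port 443 are assumed placeholders; a UPnP or PCP daemon would add the equivalent of the last rule dynamically for a device that asks for it.

```ini
# Global defaults: anything not matched by a zone or rule is rejected,
# for both IPv4 and IPv6 (the firewall config is address-family agnostic
# unless a rule sets 'family').
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Inside network: trusted, may talk to anything.
config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Outside: both the IPv4 (wan) and IPv6 (wan6) uplinks are default-closed;
# masq/mtu_fix only affect IPv4 NAT, the REJECT policy affects both.
config zone
	option name 'wan'
	option network 'wan wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Outbound is allowed; replies come back via connection tracking,
# which is what 'something on the inside opens it' means in practice.
config forwarding
	option src 'lan'
	option dest 'wan'

# IPv6 is not usable without these ICMPv6 types, so forward them
# even though everything else from wan stays closed.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option family 'ipv6'
	option target 'ACCEPT'

# The one deliberate pinhole: a single inside host, a single port.
# Assumed placeholder address and port; this is the static analogue
# of the mapping a UPnP/PCP client would request.
config rule
	option name 'Allow-NAS-HTTPS-v6'
	option src 'wan'
	option dest 'lan'
	option dest_ip '2001:db8:1234:1::10'
	option dest_port '443'
	option proto 'tcp'
	option family 'ipv6'
	option target 'ACCEPT'
```

After editing, `/etc/init.d/firewall restart` reloads the rules; `ip6tables -L forwarding_rule -n` shows the pinhole as the only accepted inbound IPv6 forward besides ICMPv6.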