[OpenWrt-Devel] OpenWRT IPv6 firewall
Stefan Lippers-Hollmann
s.L-H at gmx.de
Fri Jul 18 21:26:43 EDT 2014
Hi
On Saturday 19 July 2014, David Lang wrote:
> On Fri, 18 Jul 2014 10:21:56 -0700, Bill wrote:
> > Gert Doering wrote:
> >
> > On Thu, Jul 17, 2014 at 10:20:09AM +0200, Steven Barth wrote:
[...]
> > P.S. No, my printer is not v6-ready, either, but let's assume there
> > are some that are...
If you're looking for real world examples, consider a 2009 vintage
"OKI B430dn" black&white laser printer (which was targetted relatively
cheaply (<160 EUR) between advanced desktop tasks and small
workgroups), something I would call quite representative for embedded
devices.
- it comes with an embedded printserver
- supports IPv4 and IPv6
- it defaults to using DHCP for IPv4.
- the IPv6 implementation is enabled and uses SLAAC by default.
- it does not support DHCPv6, but does support fully manual
configuration (in a very, very limited way and not beyond the limits
depicted for the SLAAC case below).
- via SLAAC, it binds to the globally routable IPv6 address (and to
its link local address (fe80::/10)), it does not support ULA
prefixes, privacy extensions or anything more advanced. Within these
constraints, IPv6 support works surprisingly well (and reliably).
- this printer does have rather advanced user access controls for an
embedded device, including a local static user/ password store and
802.1X (EAP). but, like pretty much any embedded device, it ships
without any of this this enabled --> fully open for printing, default
username and password for administration and everything else.
- it does offer a plethora of protocols (SNMP, telnet, ftp, NetBEUI,
Ethertalk, (LPR, Port9100, IPP, NetWare PServer/ RPrinter, etc.)),
with at least the common ones (IPP, LPR, Webinterface, SNMP) enabled
by default.
- there are no intrusion detection methods, nothing stops you from
painstakingly brute forcing your way into it (if the default
username/ password don't happen to work and if you really don't find
a simpler way in).
On paper, the access controls are pretty advanced (if you bother to
configure them), but would I trust its security if exposed to the open
internet? Of course not.
To the best of my knowledge there hasn't been any security problem
published, but at the same time there has never been a firmware update
either, nor would I expect any after 2, or 5, years - even leaving
alone the likelyness that an enduser (or the resident (network-) admin
for a small to medium office or company) would find one, if it existed,
or risk flashing it.
> that's a real example that has been exploited in the past, especially
> with the very expensive, high-end printer/copiers sold to businesses.
> Again from companies that "should know better"
[...]
Like David Lang mentioned, there are tons of network enabled devices,
increasingly with some kind of IPv6 support. Why, because supporting
it essentially comes for free (especially if you base your firmware on
linux, one of the BSDs, etc.) and allows the manufacturer to tick a few
more bullet points in their product description. Security is usually
being an afterthought at best, you can be happy if IPv6 support
actually works in the first place (see the limited configuration
options for the printer mentioned above).
While probably not printers, many of these will need a globally
routable address for outgoing services (think NAS and downloading
functions), but fewer need to provide incoming services to the internet
at large (while you may want to connect to them via a VPN) - and very
few can be expected to be (and remain-) secure over their whole
effective life time (which can easily be 5-10 years or longer for
printers, wireless security cameras, simple NAS boxes and other
embedded devices). This even ignoring that pretty much all networked
appliances (including OpenWrt itself) default to open access (with weak
default passwords at best) after firstboot, because that and binding to
all available network addresses is the only way to configure them in
the first place.
With IPv6, you naturally get end-to-end connections, but this (imho)
shouldn't imply unfiltered, incoming connections by default. Unlike
with IPv4 and NAT, you do have all the options to allow incoming
connections easily, for all your devices, without having to fight with
managing portforwardings within the acceptable range of your service.
If you're in an ISP-like position, you certainly need to provide
unfiltered access to your clients, but CPE devices (which OpenWrt
certainly is) better error on the side of caution and provide the
ingrained expectation of having a secure local net.
Regards
Stefan Lippers-Hollmann
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list