[OpenWrt-Devel] OpenWRT IPv6 firewall

David Lang david at lang.hm
Mon Jul 21 04:36:53 EDT 2014

On Mon, 21 Jul 2014, Gert Doering wrote:

> On Mon, Jul 21, 2014 at 12:18:46AM -0700, David Lang wrote:
>> While it is nice to say that IPv6 has a large address space and so nobody
>> will ever scan it, I don't believe it.
> Don't believe.  Try math.  2^64 is big enough that if you manage to send
> a few 1000 packets a second, you'll need up to the heat death of the
> universe to scan a single /64 subnet...
> (Of course this can be optimized if you're targeting very specific
> devices and "only" need to scan 2^24 potential EUI64 addresses in
> a given vendor's MAC range - but that's not your Joe Random attacker.
> If someone is that determined, he'll just target your PC first, and
> jump from there to the devices on your LAN.  Way easier in general)

If someone is targeting you specifically, there are all sorts of other scenarios 
that come into play. I consider those out of scope for this sort of discussion.

We are talking about what is appropriate as the default to defend against the 
normal Internet Badness, not against targeted threats or the NSA.

You are effectively saying that security by obscurity is good enough. You are 
assuming that IP address assignments are going to be random enough to make 
scanning worthless, so no other protection is needed.

I just don't buy that.

I don't believe that the addresses are really going to end up being that random.

Plus there will need to be some way for devices to be discovered, which will 
probably be via broadcasts. I don't believe that the devices are going to be 
secured to the point where these broadcasts will only work from the local 
network. It doesn't matter how big the per-network address space is if devices 
respond to the one broadcast address for the network. Also, if the devices 
intend to be accessible, are they really going to ask people to enter IPv6 IP 
addresses into configs? Or are they going to be publishing themselves to DNS or 
some other nameserver that will make them easier to find? If you have a SIP 
phone that you want to "just work", how are the legitimate remote users going to 
find it?

So I'm saying that we still need to block inbound access from random external IP 
addresses by default.

I could see having the firewall look for outbound packets from the devices and 
opening up inbound rules from those IPs.

Even if it allowed access on all ports from the entire source network it would 
still be better than "anyone on the Internet". This would make getting something 
to work between networks not be on by default, but once each side tries to connect 
to the other, things would be open.

David Lang
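A small simulation of the policy sketched in the message above (inbound IPv6 dropped by default; once a LAN host sends a packet to an external address, inbound traffic from that peer's whole source network to that LAN host is allowed). This is an added example, not code from the thread or from OpenWrt's firewall; it assumes the "source network" is the peer's /64 and that entries expire after a fixed number of seconds, neither of which the message specifies.

```python
import ipaddress


class DynamicAllowFirewall:
    """Toy model of the proposed IPv6 default policy.

    Assumptions (mine, not the mailing list's): the external "source
    network" is the /64 containing the peer, the opening applies to all
    ports, and an entry expires `ttl` seconds after the last outbound packet.
    """

    def __init__(self, lan_prefix, ttl=300):
        self.lan = ipaddress.ip_network(lan_prefix)
        self.ttl = ttl
        # (lan_host, external_/64) -> expiry time
        self.allowed = {}

    @staticmethod
    def _net64(addr):
        # Collapse an address to its /64; strict=False masks the host bits.
        return ipaddress.ip_network((addr, 64), strict=False)

    def outbound(self, src, dst, now):
        """Record that LAN host `src` talked to `dst`; returns True if recorded."""
        src = ipaddress.ip_address(src)
        if src not in self.lan:
            return False  # only LAN-originated traffic opens anything
        self.allowed[(src, self._net64(dst))] = now + self.ttl
        return True

    def inbound(self, src, dst, now):
        """Decide whether an inbound packet from `src` to LAN host `dst` passes."""
        dst = ipaddress.ip_address(dst)
        if dst not in self.lan:
            return False
        # Drop expired openings before consulting the table.
        for key, expiry in list(self.allowed.items()):
            if expiry <= now:
                del self.allowed[key]
        return (dst, self._net64(src)) in self.allowed


def demo():
    fw = DynamicAllowFirewall("2001:db8:1::/64", ttl=300)  # constructed prefixes
    before = fw.inbound("2001:db8:9::5", "2001:db8:1::10", now=0)
    fw.outbound("2001:db8:1::10", "2001:db8:9::5", now=0)
    after = fw.inbound("2001:db8:9::77", "2001:db8:1::10", now=10)
    return before, after  # (False, True): closed by default, open after contact
```

Note that a real deployment would still need explicit rules for ICMPv6 (neighbour discovery, path MTU), which this model ignores.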