[OpenWrt-Devel] OpenWRT IPv6 firewall
David Lang
david at lang.hm
Mon Jul 21 04:36:53 EDT 2014
On Mon, 21 Jul 2014, Gert Doering wrote:
> On Mon, Jul 21, 2014 at 12:18:46AM -0700, David Lang wrote:
>> While it is nice to say that IPv6 has a large address space and so nobody
>> will ever scan it, I don't believe it.
>
> Don't believe. Try math. 2^64 is big enough that if you manage to send
> a few 1000 packets a second, you'll need up to the heat death of the
> universe to scan a single /64 subnet...
>
> (Of course this can be optimized if you're targeting very specific
> devices and "only" need to scan 2^24 potential EUI64 addresses in
> a given vendor's MAC range - but that's not your Joe Random attacker.
> If someone is that determined, he'll just target your PC first, and
> jump from there to the devices on your LAN. Way easier in general)
If someone is targeting you specifically, there are all sorts of other scenarios
that come into play. I consider those out of scope for this sort of discussion.
We are talking about what is appropriate as the default to defend against the
normal Internet Badness, not against targeted threats or the NSA.
You are effectively saying that security by obscurity is good enough. You are
assuming that IP address assignments are going to be random enough to make
scanning worthless, so no other protection is needed.
I just don't buy that.
I don't believe that the addresses are really going to end up being that random.
Plus there will need to be some way for devices to be discovered, which will
probably be via broadcasts. I don't believe that the devices are going to be
secured to the point where these broadcasts will only work from the local
network. It doesn't matter how big the per-network address space is if devices
respond to the one broadcast address for the network. Also, if the devices
intend to be accessible, are they really going to ask people to enter IPv6 IP
addresses into configs? or are they going to be publishing themselves to DNS or
some other nameserver that will make them easier to find? If you have a SIP
phone that you want to "just work", how are the legitimate remote users going to
find it?
So I'm saying that we still need to block inbound access from random external IP
addresses by default.
I could see having the firewall look for outbound packets from the devices and
opening up inbound rules from those IPs.
Even if it allowed access on all ports from the entire source network it would
still be better than "anyone on the Internet". This would make getting something
to work between networks not be on by default, but once each side tries to connect
to the other, things would be open.
David Lang
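Added example, not part of the thread or of OpenWrt's firewall code: a small Python model (standard library only) of the two technical points argued above. The first part derives the modified EUI-64 interface identifier from a MAC and shows that, inside one /64, every EUI-64 address with a given vendor OUI falls into a single contiguous /104, which is the 2^24-address scan space Gert mentions. The second part is a toy of David's proposal: inbound packets from an external source are accepted only after a LAN host has sent something to that source's network, and the permission ages out. The /64 learning granularity, the 600-second timeout, the packet tuple format and all addresses and MACs are assumptions made for the example.

```python
"""Added example (not from the thread): EUI-64 scan space and a toy
'learn from outbound' IPv6 firewall policy.  Standard library only."""
import ipaddress
from typing import Dict, List


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Modified EUI-64 address for `mac` inside the /64 `prefix`.

    RFC 4291 appendix A: split the 48-bit MAC, insert 0xfffe between the
    OUI and the NIC-specific part, flip the universal/local bit (0x02) of
    the first octet.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addresses are formed inside a /64")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def oui_scan_range(prefix: str, oui: str) -> ipaddress.IPv6Network:
    """All EUI-64 addresses for vendor `oui` inside `prefix`, as one /104.

    Only the low 24 bits (the NIC-specific part of the MAC) vary, so the
    candidate set is contiguous: 2**24 addresses, not 2**64.
    """
    o = bytes.fromhex(oui.replace(":", "").replace("-", ""))
    if len(o) != 3:
        raise ValueError("OUI must be 24 bits")
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addresses are formed inside a /64")
    high = int.from_bytes(bytes([o[0] ^ 0x02]) + o[1:3] + b"\xff\xfe", "big") << 24
    return ipaddress.IPv6Network((int(net.network_address) | high, 104))


class OutboundLearningFirewall:
    """Toy policy: inbound from an external network is accepted only after a
    LAN host has sent a packet toward that network, and only for `ttl` seconds
    after the last such outbound packet.

    Assumptions for the example: state is keyed per external /64 (the
    "entire source network" variant), and every port is treated alike.
    """

    def __init__(self, lan: str, ttl: float = 600.0, learn_prefixlen: int = 64):
        self.lan = ipaddress.IPv6Network(lan)
        self.ttl = ttl
        self.learn_prefixlen = learn_prefixlen
        self._allowed_until: Dict[ipaddress.IPv6Network, float] = {}

    def _key(self, addr: str) -> ipaddress.IPv6Network:
        return ipaddress.IPv6Network((addr, self.learn_prefixlen), strict=False)

    def process(self, src: str, dst: str, now: float) -> str:
        """Decide one packet ('accept' or 'drop') and update learned state."""
        s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
        if s in self.lan and d in self.lan:
            return "accept"  # local traffic, not the WAN policy's business
        if s in self.lan:  # outbound: always allowed, and it teaches the firewall
            self._allowed_until[self._key(dst)] = now + self.ttl
            return "accept"
        if d in self.lan:  # inbound: only from a network we recently talked to
            key = self._key(src)
            expiry = self._allowed_until.get(key)
            if expiry is not None and now < expiry:
                return "accept"
            self._allowed_until.pop(key, None)  # never learned or aged out
            return "drop"
        return "drop"  # transit traffic is not forwarded


def run_demo() -> List[str]:
    """Constructed packet trace (assumed addresses) through the toy policy."""
    fw = OutboundLearningFirewall("2001:db8:1::/64", ttl=600)
    phone = "2001:db8:1::a"            # a SIP phone on the LAN
    remote_sip = "2001:db8:2::5"       # the remote party it calls
    remote_other = "2001:db8:2::77"    # another host in the same remote /64
    scanner = "2001:db8:ffff::1"       # unsolicited external source
    t = 1_000_000.0
    packets = [
        (scanner, phone, t),            # probe before any outbound: drop
        (phone, remote_sip, t + 1),     # LAN host calls out: accept, learn /64
        (remote_sip, phone, t + 2),     # reply: accept
        (remote_other, phone, t + 3),   # whole remote /64 is open: accept
        (scanner, phone, t + 4),        # scanner's /64 never learned: drop
        (remote_sip, phone, t + 700),   # ttl expired: drop
    ]
    return [fw.process(s, d, when) for s, d, when in packets]


if __name__ == "__main__":
    print(eui64_address("2001:db8:1::/64", "00:11:22:33:44:55"))
    print(oui_scan_range("2001:db8:1::/64", "00:11:22"))
    print(run_demo())
```

The per-/64 key is what makes `remote_other` succeed in the trace: that is the "entire source network" trade-off stated above, wider than a per-host or per-flow state entry but far narrower than the whole Internet. A real implementation on the router would also have to survive address changes on the remote side and decide what counts as "outbound" for ICMPv6 and for traffic the router itself originates; the toy ignores both.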
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel