Default security functions on an IPv6 CPE

Cameron Byrne cb.list6 at gmail.com
Wed May 11 23:45:19 CEST 2011


On Wed, May 11, 2011 at 2:29 PM, Jon Bane <jon at nnbfn.net> wrote:
>> - Hosts that have IPv6 enabled having also their internal firewalls enabled, the practical danger of CPE transparency to IPv6 is inexistent in unmanaged residential sites.
>
> I really do not understand this conclusion.  Vista/Win7 do have
> firewalls enabled by default, but the first time the machine detects
> it is connected to a new network it asks what kind of network you are
> on.  The options being Public, Home or Work.  If the user chooses
> "Home" the firewall is effectively disabled as all of the SMB/NBT
> ports are opened up, as well as several ports for media sharing.
> Ubuntu does not have the firewall turned on by default and OS X
> doesn't either.  Arguably, they aren't the concern.
>
> So, while all of the modern and most prevalent OSes do have firewalls,
> they are either disabled or are likely to be opened up by default.
>
>> - Now, grandma's CPE should be plug and play, including when some applications start taking advantage of the e2e transparency IPv6 has restored.
>
> Transparency can be achieved easily with the use of the UPnP IGD v6
> firewall spec.  While many on this list probably groan at this idea,
> UPnP is already integrated into just about every home device and is
> the mechanism used to create the little e2e transparency we have
> today.  It is already the norm for how the masses get ports opened and
> forwarded in the v4 world.
>
>
> e2e is an ideal state.  It is also a blue skies kind of desire.
> Exposing your average end user to the internet at large will only
> invite the resurgence of the easy, direct attacks.  Phishing is a lot
> more complicated than pointing metasploit at an IP.  For those arguing
> that a host will be in a sea of billions of addresses in a /64, it is
> trivial to harvest valid addresses by simply pulling logs from a
> website.  If those IPs are unprotected at the gateway, it falls on
> the user to react appropriately and we know that for the most they
> will not.
>

What problem are you trying to solve by putting a software based home
router (~$50) in front of a PC?

Are home routers inherently more secure than your average current PCs?
If so, why?  Please provide specific data.

Regarding the harvesting of specific addresses from the /64, I suggest
you look into privacy addresses.... I believe Windows 7 has them on by
default.  Furthermore, this limits the potential number of entities
that can find me from a (set of sites I go to) vs the entire internet.

Cameron
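The exchange above turns on whether a host's IPv6 address can be re-identified from a web-server log: a stable SLAAC address embeds the MAC via modified EUI-64, while a privacy (RFC 4941) address uses a random identifier that changes over time. The following is an added example, not code from the thread or from any vendor; it derives the EUI-64 form, then scans constructed (not real) access-log lines to flag which clients are still announcing a MAC-derived, stable identifier, a check a site operator can run to see how many of its visitors are exposed this way.

```python
import ipaddress
import re

def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291 App. A) from a 48-bit
    MAC: split the OUI and device halves around 0xfffe, flip the U/L bit."""
    octets = bytes(int(x, 16) for x in re.split(r"[:-]", mac))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # invert the universal/local bit
    return bytes(iid)

def slaac_address(prefix: str, mac: str) -> str:
    """Stable SLAAC address a host forms from a /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(eui64_iid(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))

def looks_eui64(addr: str) -> bool:
    """True when the interface identifier carries the 0xfffe marker that every
    modified EUI-64 identifier contains. A random (privacy) identifier only
    matches by a 1-in-65536 accident, so this is a reasonable first-pass
    heuristic; absence of the marker means "not MAC-derived", nothing more."""
    return ipaddress.IPv6Address(addr).packed[11:13] == b"\xff\xfe"

# Constructed sample of web-server access-log lines (not real traffic).
SAMPLE_LOG = """\
2001:db8:1:2:21a:2bff:fe3c:4d5e - - [11/May/2011:14:29:01 +0200] "GET / HTTP/1.1" 200 512
2001:db8:1:2:a1b2:c3d4:e5f6:789a - - [11/May/2011:14:29:05 +0200] "GET / HTTP/1.1" 200 512
2001:db8:1:2:a1b2:c3d4:e5f6:789a - - [11/May/2011:14:30:11 +0200] "GET /a HTTP/1.1" 200 88
2001:db8:1:2:20c:29ff:fe12:3456 - - [11/May/2011:14:31:42 +0200] "GET / HTTP/1.1" 200 512
"""

def classify_log_clients(log_text: str) -> dict:
    """Group the distinct client addresses in a log by whether their IID is
    EUI-64 (stable, MAC-derived, trivially re-identifiable) or not."""
    result = {"eui64": set(), "other": set()}
    for line in log_text.splitlines():
        client = line.split(" ", 1)[0]
        try:
            kind = "eui64" if looks_eui64(client) else "other"
        except ValueError:  # IPv4 clients or malformed lines are skipped
            continue
        result[kind].add(client)
    return {k: sorted(v) for k, v in result.items()}
```

In the sample, two of the three distinct clients are stable EUI-64 addresses; the third looks like a temporary identifier, which is what privacy addressing on the host buys the user.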



More information about the ipv6-ops mailing list