Default security functions on an IPv6 CPE

Mohacsi Janos mohacsi at niif.hu
Thu May 12 16:58:51 CEST 2011 



On Thu, 12 May 2011, Rémi Després wrote:

>
> Le 12 mai 2011 ? 13:14, Mikael Abrahamsson a écrit :
>
>> On Thu, 12 May 2011, Rémi Després wrote:
>>
>>> They don't ask for NAT compatibility for the simple reason that they don't know what a NAT is. (User's of Free haven't asked for anything like it.)
>>
>> They also expect their NAS at home with no password, not to be reachable from the Internet (that's the conclusion I can draw from people being interviewed in the media who got their documents downloaded by someone who accessed their NAS which didn't have a password set).
>
> You have a point if a common NAS product has by default:
> - IPv6 enabled,
> - no restriction on IPv6 client addresses.
> Is this the case?
> (If yes, this is a serious security limitation of this product.)
>
> To ensure backward compatibility, more reasonable default behaviors would be:
> - IPv4-only, or
> - IPv6 enabled, but only for sources on the same link and/or at private addresses fc00::/7.

I think it is serious conception problem:

NAS has a conception that it is serving data:
- you can enable/disable access to NAS by user bases
- For simplification some services can be made accessible for anyone
- Due to broken client implementation (e.g. broken media servers, silly 
DLNA client) this anonymous access setup is very widespread

Therefore the NAS become open, but only in the LAN  - and there is a 
misconception, that will be the same IPv6.


There are several way to fix it:
- implement allow-outgoing-type SPI IPv6 firewall in the CPE
- fix broken mediaservers and DLNA devices - allow proper authentication
- limit NAS access by default to LAN using link-local addresses
- possible other

I tested on a NAS:
- IPv6 enabled by default in the latest version (if you have IPv6 router 
on the LAN, doing SLAAC - have GA).
- Firewall on the NAS is IPv6 capable - switched off by default - it was 
easy to limit access to /64 of my LAN

I would not really recommend using ULA addresses in LAN. It is making more 
trouble in broken source address selection than worth it.

Best Regards,
 		Janos Mohacsi

More information about the ipv6-ops mailing list