Default security functions on an IPv6 CPE
mohacsi at niif.hu
Thu May 12 16:58:51 CEST 2011
On Thu, 12 May 2011, Rémi Després wrote:
> On 12 May 2011 at 13:14, Mikael Abrahamsson wrote:
>> On Thu, 12 May 2011, Rémi Després wrote:
>>> They don't ask for NAT compatibility for the simple reason that they don't know what a NAT is. (Users of Free haven't asked for anything like it.)
>> They also expect their NAS at home with no password, not to be reachable from the Internet (that's the conclusion I can draw from people being interviewed in the media who got their documents downloaded by someone who accessed their NAS which didn't have a password set).
> You have a point if a common NAS product has by default:
> - IPv6 enabled,
> - no restriction on IPv6 client addresses.
> Is this the case?
> (If yes, this is a serious security limitation of this product.)
> To ensure backward compatibility, more reasonable default behaviors would be:
> - IPv4-only, or
> - IPv6 enabled, but only for sources on the same link and/or at private addresses fc00::/7.
I think it is a serious conception problem:
The NAS has a conception that it is serving data:
- you can enable/disable access to the NAS on a per-user basis
- For simplification some services can be made accessible for anyone
- Due to broken client implementations (e.g. broken media servers, silly
DLNA clients) this anonymous access setup is very widespread
Therefore the NAS becomes open, but only in the LAN - and there is a
misconception that it will be the same with IPv6.
There are several ways to fix it:
- implement an allow-outgoing-type SPI IPv6 firewall in the CPE
- fix broken media servers and DLNA devices - allow proper authentication
- limit NAS access by default to the LAN using link-local addresses
- possibly others
I tested on a NAS:
- IPv6 enabled by default in the latest version (if you have an IPv6 router
on the LAN doing SLAAC, it has a GA).
- Firewall on the NAS is IPv6 capable - switched off by default - it was
easy to limit access to the /64 of my LAN
I would not really recommend using ULA addresses in the LAN. It causes more
trouble with broken source address selection than it is worth.
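The thread lists three candidate default restrictions for an unauthenticated NAS share (link-local sources only, sources on the NAS's own /64, or ULA sources in fc00::/7) against the problematic "no restriction" default. The following is an added example, not code from the original post or from any NAS or CPE product mentioned in it; it models those four policies with the Python standard library so the effect of each default on a small constructed set of source addresses can be compared. The LAN prefix 2001:db8:1:2::/64 and all sample addresses are constructed (2001:db8::/32 is the documentation prefix standing in for a real global prefix).

```python
"""Model of the default IPv6 source restrictions for a NAS discussed in the thread.

Added example, not part of the original post.  Standard library only; all
addresses below are constructed sample values.
"""
import ipaddress
from typing import Iterable, List, Optional

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")  # never routed off the link
ULA = ipaddress.IPv6Network("fc00::/7")          # private "unique local" space


class NasAccessPolicy:
    """Decide whether an IPv6 source may reach an unauthenticated NAS share.

    Modes (named here for illustration, not a product setting):
      "open"        no restriction: the default the thread calls a problem
      "link-local"  only fe80::/10 sources (same link by definition)
      "same-lan"    only sources inside the NAS's own /64
      "ula"         only fc00::/7 private addresses
    """

    MODES = ("open", "link-local", "same-lan", "ula")

    def __init__(self, mode: str, lan_prefix: Optional[str] = None):
        if mode not in self.MODES:
            raise ValueError(f"unknown policy mode {mode!r}")
        if mode == "same-lan" and lan_prefix is None:
            raise ValueError("same-lan policy needs the LAN /64 prefix")
        self.mode = mode
        # strict=True rejects a prefix with host bits set, e.g. a typo'd /64
        self.lan = ipaddress.IPv6Network(lan_prefix, strict=True) if lan_prefix else None

    def allows(self, src: str) -> bool:
        # Strip a zone id such as "%eth0" that link-local addresses often carry
        addr = ipaddress.IPv6Address(src.split("%", 1)[0])
        if self.mode == "open":
            return True
        if self.mode == "link-local":
            return addr in LINK_LOCAL
        if self.mode == "same-lan":
            return addr in self.lan
        return addr in ULA  # mode == "ula"


def exposed_sources(policy: NasAccessPolicy, sources: Iterable[str]) -> List[str]:
    """Return the subset of sources the policy would let reach the share."""
    return [s for s in sources if policy.allows(s)]


# Constructed sample sources: a SLAAC client on the NAS's /64, the same host's
# link-local address, a ULA host, and an unrelated global address.
SAMPLE_SOURCES = [
    "2001:db8:1:2:21f:5bff:fe3a:1c0e",
    "fe80::21f:5bff:fe3a:1c0e%eth0",
    "fd12:3456:789a::10",
    "2001:db8:ffff::bad",
]

if __name__ == "__main__":
    for mode in NasAccessPolicy.MODES:
        policy = NasAccessPolicy(mode, lan_prefix="2001:db8:1:2::/64")
        print(f"{mode:11s} -> {exposed_sources(policy, SAMPLE_SOURCES)}")
```

Running the block shows that only the "open" policy lets the unrelated global address through, while "same-lan" mirrors what the post describes configuring on the NAS firewall. The "ula" mode is included for comparison only, since the post itself advises against ULA in the LAN because of source address selection problems.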