Default security functions on an IPv6 CPE

Ted Mittelstaedt tedm at ipinc.net
Fri May 13 15:53:09 CEST 2011


On 5/13/2011 12:21 AM, Mark Smith wrote:
> On 13/05/2011 4:34 PM, S.P.Zeidler wrote:
>> Thus wrote Mark Smith (msmith at internode.com.au):
>>
>>>> Either way you set up the CPE the ISP will get called.
>>>>
>>>> But, the users who got an open IPv6 firewall and as a result got
>>>> their machine rooted, when their calls come in they will take a lot
>>>> more time and be much more costly.
>>>>
>>>
>>> Have you or Doug read
>>>
>>> RFC5157 - IPv6 Implications for Network Scanning
>> [...]
>>> Still think address scanning is going to be a useful technique under
>>> IPv6?
>>
>> As has been mentioned in this thread, you do not need to scan addresses
>> when you can harvest active addresses from connects to a hacked webserver
>> or even from blog comments (and a million other places).
>>
>
> So tell me how a host based firewall isn't going to prevent that attack,
> which therefore makes a CPE firewall absolutely necessary (which is the
> argument in question)?
>

As I already explained, since the host's TCP/IP stack must process the
packets before handing them to the host's internal firewall, any flaws
there allow exploitation.  Chances that the CPE and host, both of which
likely run vastly different OSes, would have the same flaw, are minimal.

Every IPv4 NAT device out there that does not have a port or dmz forward
to an inside number will prevent the 2 attacks I just listed in my
prior post.

The reason you don't see the rather primitive attacks I listed in my
earlier post is because of the crude, limited firewalling that is
inherent in NAT.  The crackers have developed more sophisticated
phishing attacks.

If non-firewalled IPv6 CPEs become popular then not only will we still
see the sophisticated cracks but we will see a resurgence of the simple
ones that admins have mostly forgotten about, which NAT effectively
blocked.

Ted

>> Hiding in the forest only works when you don't move (ie, never use your
>> address outside your LAN).
>>
>> regards,
>> spz
>
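An added example, not from Ted's post or from anyone else in this thread: the inbound-deny stateful policy that gives a LAN behind an IPv6 CPE the same protection against unsolicited inbound connections that IPv4 NAT provides as a side effect, written as an nftables ruleset along the lines of the RFC 6092 "simple security" recommendations. The interface names (wan0, lan0) and the pinhole address in the commented-out rule are assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example (not the original post's): default-deny IPv6 forwarding
# policy for a CPE. Interface names wan0/lan0 are assumed.

flush ruleset

table ip6 cpe {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Packets that do not belong to any tracked connection and are
        # not a valid new connection are dropped before anything else.
        ct state invalid drop

        # LAN -> Internet: permitted; conntrack remembers the session so
        # the replies can be matched below.
        iifname "lan0" oifname "wan0" accept

        # Internet -> LAN: only traffic belonging to a session the LAN
        # side opened. This single rule is what IPv4 NAT gives for free:
        # an inside host cannot be reached unless it talked first.
        iifname "wan0" oifname "lan0" ct state established,related accept

        # ICMPv6 the LAN hosts need even when unsolicited: path MTU
        # discovery and error reporting (per RFC 4890 guidance), plus
        # echo-request so the LAN stays pingable for diagnostics.
        iifname "wan0" oifname "lan0" icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request
        } accept

        # Pinhole: the IPv6 equivalent of a NAT port forward. Off by
        # default; the address below is an assumed, documentation-range
        # example, not a real host.
        # iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:0:1::80 \
        #     tcp dport 80 ct state new accept

        # Everything else arriving from the Internet for the LAN falls
        # through to the chain policy (drop); the counter makes the
        # volume of unsolicited inbound traffic visible in `nft list`.
        iifname "wan0" oifname "lan0" counter comment "unsolicited inbound"
    }
}
```

Load it with `nft -f` and inspect with `nft list ruleset`. The point of the structure is that, as with NAT, the only way an outside host reaches an inside address is through a session the inside host initiated or through an explicitly configured pinhole; the CPE's own control-plane chains (input/output) are a separate matter and are not shown here.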



More information about the ipv6-ops mailing list