A challenge (was Re: Default security functions on an IPv6 CPE)

S.P.Zeidler spz at serpens.de
Thu May 19 21:11:58 CEST 2011


Thus wrote Mark Smith (msmith at internode.com.au):

> On 19/05/2011 5:15 PM, S.P.Zeidler wrote:
> >Thus wrote Mark Smith (msmith at internode.com.au):
> >
> >>On 19/05/2011 3:54 PM, S.P.Zeidler wrote:
> >>>Thus wrote Mark Smith (nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org):
> >>
> >>The original question was whether to enable a CPE firewall by
> >>default. The discussion is therefore constrained to threats for
> >>which a CPE firewall is a possible mitigation.
> >
> >So you are assuming that the ONLY thing a CPE firewall EVER could do is
> >prevent an address scan?
> >
> 
> I have for this discussion. The OP didn't specify what specific
> functions the CPE firewall function was performing, so I'll assume
> the common and least function case of no more than a stateful packet
> filter, with inbound to outbound traffic creating the packet filter
> state. That's the typical firewall functionality in common (and low
> end) IPv4/IPv6 CPE.

The typical thing in IPv4 is that the outbound connection creates an
inbound hole (specific to one inside address:port to outside
address:port pair). (The reverse of what you wrote, but most likely what
you meant, too.)

That's a result of NAT. With no NAT, other things can be done as actual
need dictates. I doubt one size will fit all, which is why the most
important part is that there is readily available documentation of what's
available and what's active, and how it can be changed.

> Completely agree - address scanning is not a threat under IPv6 like
> it is under IPv4. So what are the threats under IPv6 (which may or
> may not be the same under IPv4), what mitigation are there for them,

Send an ipcomp quine packet to an unpatched "traditional" KAME stack, for
example. Having ports open or closed does not matter in this case.
(Filtering away proto ipcomp does work in this case, but I'm not going to
bet there are no bugs in any stack that work in spite of, or maybe even
because of, filtering.)

As to legal questions, these differ too much between jurisdictions;
consulting a local lawyer will serve you a lot better than the musings
of people who have never even seen any of your local law.

regards,
	spz
-- 
spz at serpens.de (S.P.Zeidler)
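The stateful-filter behaviour spz describes (an outbound flow opens an inbound hole for exactly one inside address:port to outside address:port pair, with no NAT in the IPv6 case) and the "filter away proto ipcomp" mitigation mentioned later can be modelled in a few lines. The following is an added illustration written for this page, not code from the original post or from any CPE vendor; the addresses, ports, flow tuples and class/function names are constructed for the example. IPComp's protocol number 108 is the IANA-assigned value (RFC 3173). Real filters also expire state and track TCP flags; this model deliberately omits both.

```python
"""Toy stateful packet filter for an IPv6 CPE without NAT.

Constructed example: outbound flows create state keyed on the full
(proto, inside addr, inside port, outside addr, outside port) tuple,
inbound packets pass only if they match that state or an explicit
static allow rule, and a per-protocol deny list drops e.g. IPComp
regardless of state.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Set, Tuple

TCP, UDP, IPCOMP = 6, 17, 108   # IANA protocol numbers; IPComp per RFC 3173


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int


# (proto, inside addr, inside port, outside addr, outside port)
FlowKey = Tuple[int, str, int, str, int]


class StatefulFilter:
    def __init__(self, inside_prefix: str, deny_protos=()):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.deny_protos: Set[int] = set(deny_protos)
        self.state: Set[FlowKey] = set()
        # Static inbound holes: what NAT would have needed a port forward for
        self.static_allow: Set[Tuple[int, str, int]] = set()

    def _is_inside(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.inside

    def allow_inbound(self, proto: int, inside_addr: str, port: int) -> None:
        """Explicit inbound permit for one inside host:port (no NAT needed)."""
        self.static_allow.add((proto, inside_addr, port))

    def outbound(self, pkt: Packet) -> str:
        """Inside -> outside: denied protocols drop, otherwise pass and
        record the exact address:port pair so the reply can come back."""
        if pkt.proto in self.deny_protos:
            return "drop"
        if not self._is_inside(pkt.src) or self._is_inside(pkt.dst):
            return "drop"                      # anti-spoofing sanity check
        self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "pass"

    def inbound(self, pkt: Packet) -> str:
        """Outside -> inside: pass only for a matching flow or static rule."""
        if pkt.proto in self.deny_protos:
            return "drop"                      # e.g. IPComp, ports irrelevant
        if (pkt.proto, pkt.dst, pkt.dport) in self.static_allow:
            return "pass"
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "pass" if key in self.state else "drop"


def demo() -> Dict[str, str]:
    """Walk the cases discussed in the thread; returns verdict per case."""
    fw = StatefulFilter("2001:db8:1::/64", deny_protos={IPCOMP})
    host, other_host = "2001:db8:1::10", "2001:db8:1::11"
    server = "2001:db8:ffff::80"
    fw.allow_inbound(TCP, other_host, 22)      # one deliberately exposed sshd

    r: Dict[str, str] = {}
    r["outbound_https"] = fw.outbound(Packet(TCP, host, 51234, server, 443))
    r["reply_same_pair"] = fw.inbound(Packet(TCP, server, 443, host, 51234))
    r["reply_other_sport"] = fw.inbound(Packet(TCP, server, 8443, host, 51234))
    r["reply_other_host"] = fw.inbound(Packet(TCP, server, 443, other_host, 51234))
    r["unsolicited_ssh"] = fw.inbound(Packet(TCP, server, 40000, host, 22))
    r["static_ssh"] = fw.inbound(Packet(TCP, server, 40000, other_host, 22))
    r["ipcomp_inbound"] = fw.inbound(Packet(IPCOMP, server, 0, host, 0))
    r["spoofed_outbound"] = fw.outbound(Packet(TCP, server, 1, host, 443))
    return r


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:20} {verdict}")
```

The point of the example is the granularity of the hole: the reply is accepted only when protocol, both addresses and both ports match what the inside host sent, so the same server talking from another port, or to another inside host, is dropped. The static allow rule stands in for what a NAT box would have needed a port forward for, and the protocol deny list shows why spz says open or closed ports do not matter for an IPComp bug: the decision is made before any port is looked at.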
