IPv6 Firewall on CPEs - Default on or off
Andre Tomt
andre at tomt.net
Mon Dec 3 02:29:32 CET 2012
On 03. des. 2012 00:25, Lorenzo Colitti wrote:
> On Thu, Nov 29, 2012 at 3:13 PM, Andre Tomt <andre at tomt.net
> <mailto:andre at tomt.net>> wrote:
>
> I propose setting the managed address flag in the RA's issued to the
> LAN, and provide a DHCPv6 on the CPE doling out completely random
> addresses.
>
>
> What about privacy addresses? They're sufficiently random, or at least
> as random as DHCPv6 assigned addresses?
They're fine for outbound but hosts still assign their MAC-derived
address and will accept inbound connections on it, leaving them "easily"
discoverable and accessible to the bad guys.
Most newer devices do support DHCPv6 addressing* so I don't see too many
downsides of giving the managed addresses the full, unfiltered
experience, leaving the others only outbound + return traffic. Other
than making CPE's support something like it of course.
It effectively also fixing ND exhaustion on sweeping scans and allows
you to not keep connection state for your (in practice) most chatty
devices are just bonus features. :-)
* Most devices I've seen not supporting DHCPv6 addressing have so many
problems with IPv6 that they dont belong on a public IPv6 network anyway.
--
André Tomt
Bob-bob.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4234 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.cluenet.de/pipermail/ipv6-ops/attachments/20121203/4c16d694/attachment.bin
More information about the ipv6-ops
mailing list