IPv6 Firewall on CPEs - Default on or off

Bjørn Mork bjorn at mork.no
Thu Nov 29 10:27:29 CET 2012


Andre Tomt <andre at tomt.net> writes:

> Also mentioned, embedded devices have a horrible, horrible track
> record, and are not really improving much. Think printers, consumer
> wifi routers, semimanaged switches and such. Combined with SLAAC not
> being very random (OUI space, sequential addresses within an OUI), it
> makes them easy to discover. "Let's scan this prefix for old,
> vulnerable HP printers and make them send a copy of all printouts to
> us!".
>
> There is also the issue of ND neighbour table exhaustion on a lot of
> CPE, when they have to reach out to the LAN to find hosts during
> scanning sweeps. How long do your Zyxel CPEs hold up during such a
> scan?
>
> So that's pro firewall.

What rules do you propose to mitigate those attacks?


Bjørn
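
The quoted point about SLAAC addresses derived from the MAC address can be checked against your own address inventory. This is an added example, not part of either message: the function names are hypothetical, the addresses are constructed (2001:db8::/32 documentation prefix), and the bit counts are rough upper bounds.

```python
import ipaddress

# Rough upper bound on interface-identifier bits an outsider must guess.
# eui64 assumes the vendor OUI is known, leaving the 24-bit device part.
GUESS_BITS = {"eui64": 24, "low-byte": 16, "opaque": 64}


def classify(addr):
    """Classify the interface identifier (low 64 bits) of an IPv6 address."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    # Modified EUI-64 (RFC 4291, Appendix A): ff:fe sits between the
    # 24-bit OUI and the 24-bit device part of the MAC address.
    # A random identifier matches by chance about once in 65536.
    if iid[3:5] == b"\xff\xfe":
        mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo U/L bit flip
        return "eui64", ":".join(f"{b:02x}" for b in mac)
    # Manually numbered hosts such as ::1 or ::10 are just as guessable.
    if iid[:6] == bytes(6):
        return "low-byte", None
    return "opaque", None


def audit(addresses):
    """Return one finding per address: class, embedded OUI, bits to guess."""
    report = []
    for addr in addresses:
        kind, mac = classify(addr)
        report.append({
            "address": addr,
            "kind": kind,
            "oui": mac[:8] if mac else None,
            "guess_bits": GUESS_BITS[kind],
        })
    return report


# Constructed inventory, e.g. collected from a CPE neighbour table.
SAMPLE = [
    "2001:db8:0:1:211:22ff:fe33:4455",   # EUI-64 from MAC 00:11:22:33:44:55
    "2001:db8:0:1::10",                  # manually numbered
    "2001:db8:0:1:8d3a:91c4:5e0f:a7b2",  # randomised identifier
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row["address"], row["kind"], row["oui"], row["guess_bits"])
```

Hosts reported as `eui64` or `low-byte` are the ones a prefix sweep finds first, so they are the candidates for randomised identifiers or inbound filtering.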

