IPv6 Firewall on CPEs - Default on or off
Andre Tomt
andre at tomt.net
Fri Nov 30 11:36:54 CET 2012
On 29 Nov 2012 10:27, Bjørn Mork wrote:
> Andre Tomt <andre at tomt.net> writes:
>
>> Also mentioned, embedded devices have a horrible, horrible track
>> record, and are not really improving much. Think printers, consumer
>> wifi routers, semi-managed switches and such. Combined with SLAAC not
>> being very random (OUI space, sequential addresses within an OUI), it
>> makes them easy to discover. "Let's scan this prefix for old,
>> vulnerable HP printers and make them send a copy of all printouts to
>> us!"
>>
>> There is also the issue of ND neighbour table exhaustion on a lot of
>> CPE, when they have to reach out to the LAN to find hosts during
>> scanning sweeps. How long do your Zyxel CPEs hold up during such a
>> scan?
>>
>> So that's pro firewall.
>
> What rules do you propose to mitigate those attacks?
Drop all by default, allow incoming and outgoing for addresses in the DHCPv6
lease database. This is not without drawbacks (it breaks static
addressing), but it could be useful as a compromise if you want to give
IPv6 fully transparent end to end in today's software landscape.
A stateful firewall makes the drawbacks somewhat smaller, in that you could
allow outbound and return/related inbound traffic for the whole prefix, while
allowing both ways for valid assigned leases.
Hmmm. I need to lab this :-)
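The policy sketched in the message above (default drop, stateful allow for the whole delegated prefix, unsolicited inbound only to DHCPv6-leased addresses), written out as a small Python model plus an nftables rendering. This is an added example, not code from the original post or from any CPE vendor; the delegated prefix, the lease table, the probe packets and the interface names `br-lan`/`eth0` are all constructed for the example.

```python
"""Model of the CPE firewall policy proposed in the post above.

Added example, not code from the original post: default drop, stateful allow
for return/related traffic to the whole delegated prefix, and unsolicited
inbound allowed only to addresses that hold a DHCPv6 lease.  The prefix,
lease table, packets and interface names are all constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: prefix delegated to the CPE and its DHCPv6 lease table
# (address -> DUID).  Real lease databases (ISC dhcpd, dnsmasq, odhcpd)
# have their own formats; only the set of leased addresses matters here.
DELEGATED_PREFIX = ipaddress.IPv6Network("2001:db8:1234:5600::/56")
LEASES = {
    "2001:db8:1234:5600::1001": "00:01:00:01:1a:2b:3c:4d:00:11:22:33:44:55",
    "2001:db8:1234:5601::2002": "00:03:00:01:66:77:88:99:aa:bb",
    # Stale entry from before the ISP renumbered: outside the current prefix.
    "2001:db8:ffff::dead": "00:03:00:01:de:ad:be:ef:00:00",
}
LAN_IF, WAN_IF = "br-lan", "eth0"   # assumed interface names


def leased_addresses(leases, prefix):
    """Lease addresses that actually fall inside the delegated prefix.

    Stale leases for an old prefix would otherwise be punched through the
    firewall for no reason, so they are left out of the allow set."""
    return sorted(
        ip for ip in map(ipaddress.IPv6Address, leases) if ip in prefix
    )


@dataclass
class Packet:
    direction: str   # "in" = WAN->LAN, "out" = LAN->WAN
    src: str
    dst: str
    ct_state: str    # conntrack state: "new", "established" or "related"


def decide(pkt, prefix=DELEGATED_PREFIX, leases=LEASES):
    """Return "accept" or "drop" for a forwarded packet under the policy."""
    leased = set(leased_addresses(leases, prefix))
    src = ipaddress.IPv6Address(pkt.src)
    dst = ipaddress.IPv6Address(pkt.dst)
    # Stateful part: replies (and related ICMPv6 errors) to connections the
    # LAN opened are allowed to any address in the prefix, so SLAAC and
    # statically addressed hosts still work as clients.
    if (pkt.direction == "in" and pkt.ct_state in ("established", "related")
            and dst in prefix):
        return "accept"
    # Outbound from the delegated prefix only; anything else is spoofed or
    # misconfigured and falls through to the default drop.
    if pkt.direction == "out" and src in prefix:
        return "accept"
    # Unsolicited inbound: only to addresses with a valid DHCPv6 lease.  A
    # sweep of the rest of the prefix is dropped here, before the CPE would
    # have to do neighbour discovery for each probed address.
    if pkt.direction == "in" and pkt.ct_state == "new" and dst in leased:
        return "accept"
    return "drop"


def render_nftables(prefix=DELEGATED_PREFIX, leases=LEASES,
                    lan=LAN_IF, wan=WAN_IF):
    """Render the same policy as an nftables ruleset for the forward hook."""
    elems = ", ".join(str(ip) for ip in leased_addresses(leases, prefix))
    return "\n".join([
        "table inet cpe_fw {",
        "    set dhcpv6_leases {",
        "        type ipv6_addr",
        f"        elements = {{ {elems} }}",
        "    }",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        f"        iifname \"{wan}\" ct state established,related ip6 daddr {prefix} accept",
        f"        iifname \"{lan}\" ip6 saddr {prefix} accept",
        f"        iifname \"{wan}\" ct state new ip6 daddr @dhcpv6_leases accept",
        "    }",
        "}",
    ])


if __name__ == "__main__":
    print(render_nftables())
    probes = [
        Packet("in", "2001:db8::5", "2001:db8:1234:5600::1001", "new"),  # leased
        Packet("in", "2001:db8::5", "2001:db8:1234:5600::abcd", "new"),  # SLAAC host
        Packet("in", "2001:db8::5", "2001:db8:1234:5600::abcd", "established"),
    ]
    for p in probes:
        print(p.direction, p.dst, p.ct_state, "->", decide(p))
```

Two things worth checking in a real deployment of this idea: the `established,related` rule is what lets ICMPv6 errors such as Packet Too Big reach SLAAC or statically addressed hosts for flows they opened, so it must stay ahead of the lease rule; and the `dhcpv6_leases` set has to be kept in sync with the lease database (for example by having the DHCPv6 server's lease hook run `nft add element inet cpe_fw dhcpv6_leases { <addr> }` on assignment and `nft delete element ...` on expiry) or hosts silently lose inbound reachability when their lease changes.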