IPv6 Firewall on CPEs - Default on or off

Andre Tomt andre at tomt.net
Fri Nov 30 11:36:54 CET 2012


On 29. nov. 2012 10:27, Bjørn Mork wrote:
> Andre Tomt <andre at tomt.net> writes:
>
>> Also mentioned, embedded devices have a horrible, horrible track
>> record, and are not really improving much. Think printers, consumer
>> wifi routers, semimanaged switches and such. Combined with SLAAC not
>> beeing very random (OUI space, sequential addresses within a OUI), it
>> makes them easy to discover. "Lets scan this prefix for old,
>> vulnerable HP printers and make them send a copy of all printouts to
>> us!".
>>
>> There is also the issue of ND neighbour table exhaustion on a lot of
>> CPE, when they have to reach out to the LAN to find hosts during
>> scanning sweeps. How long does your Zyxel CPE's hold up during such a
>> scan?
>>
>> So thats pro firewall.
>
> What rules do you propose to mitigate those attacks?

Drop all by default, allow incoming and outgoing for addresses in DHCPv6 
lease database. This is not without drawbacks (breaks static 
addressing), but could be useful as a compromise if you want to give 
IPv6 fully transparent end to end todays software landscape.

A stateful firewall makes the drawbacks somewhat less, in that you could 
allow outbound and return traffic/related inbound to whole prefix, while 
allowing both ways for valid assigned leases.

Hmmm. I need to lab this :-)



More information about the ipv6-ops mailing list