IPv6 Firewall on CPEs - Default on or off

Bjørn Mork bjorn at mork.no
Fri Nov 30 11:50:25 CET 2012


Andre Tomt <andre at tomt.net> writes:
> On 29. nov. 2012 10:27, Bjørn Mork wrote:
>> Andre Tomt <andre at tomt.net> writes:
>>
>>> Also mentioned, embedded devices have a horrible, horrible track
>>> record, and are not really improving much. Think printers, consumer
>>> wifi routers, semi-managed switches and such. Combined with SLAAC not
>>> being very random (OUI space, sequential addresses within an OUI), it
>>> makes them easy to discover. "Let's scan this prefix for old,
>>> vulnerable HP printers and make them send a copy of all printouts to
>>> us!".
>>>
>>> There is also the issue of ND neighbour table exhaustion on a lot of
>>> CPE, when they have to reach out to the LAN to find hosts during
>>> scanning sweeps. How long do your Zyxel CPEs hold up during such a
>>> scan?
>>>
>>> So that's pro firewall.
>>
>> What rules do you propose to mitigate those attacks?
>
> Drop all by default, allow incoming and outgoing for addresses in
> DHCPv6 lease database. This is not without drawbacks (breaks static
> addressing),

It also breaks SLAAC.  That's something you may choose to do on your own
network, but certainly not an option for a mass market deployment.


Bjørn
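Added illustration of the two positions in this exchange, not code from the thread or from any CPE vendor: it models the "drop all, allow only DHCPv6 lease addresses" policy Andre proposes and shows why Bjørn says it breaks SLAAC. The lease file format (a simplified ISC-style layout), the prefix 2001:db8:1::/64, the MAC addresses and every address below are constructed for the example.

```python
"""Model of a CPE firewall that drops everything by default and allows only
addresses present in the DHCPv6 lease database. Constructed example; the
lease layout below is an assumption, not any real CPE's file format."""
import ipaddress
import re

# Constructed lease database (assumed ISC-like syntax): one ia-na block per
# client, each holding one iaaddr block with a binding state.
LEASE_DB = """
ia-na "client-a" {
  cltt 4 2012/11/29 09:27:00;
  iaaddr 2001:db8:1::1001 {
    binding state active;
  }
}
ia-na "client-b" {
  iaaddr 2001:db8:1::1002 {
    binding state active;
  }
}
ia-na "client-c" {
  iaaddr 2001:db8:1::1003 {
    binding state expired;
  }
}
"""

# Constructed LAN prefix delegated to the CPE.
LAN_PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")

_IAADDR = re.compile(r"iaaddr\s+([0-9a-f:]+)\s*\{([^}]*)\}", re.IGNORECASE)


def leased_addresses(lease_text):
    """Set of IPv6 addresses that currently hold an active DHCPv6 binding.
    Expired or released leases are not part of the allow list."""
    allowed = set()
    for addr, body in _IAADDR.findall(lease_text):
        if "binding state active" in body:
            allowed.add(ipaddress.IPv6Address(addr))
    return allowed


def eui64_address(prefix, mac):
    """Address a SLAAC host with this MAC auto-configures inside a /64
    (modified EUI-64, RFC 4291 Appendix A): flip the universal/local bit
    of the first octet and insert ff:fe between the OUI and the NIC part."""
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(prefix.network_address.packed[:8] + iid)


def is_eui64(addr):
    """True if the interface identifier has the ff:fe marker of an EUI-64
    derived from a MAC. Such hosts are the ones the thread calls easy to
    discover; a defender can use this to find them and enable privacy or
    stable-random addressing instead."""
    b = addr.packed
    return b[11] == 0xFF and b[12] == 0xFE


def policy_decision(addr_str, allowed):
    """Decision for a packet to or from a LAN host under the proposed policy:
    only addresses in the active lease set pass, everything else is dropped."""
    addr = ipaddress.IPv6Address(addr_str)
    if addr not in LAN_PREFIX:
        return "drop"  # not one of our LAN addresses at all
    return "allow" if addr in allowed else "drop"


if __name__ == "__main__":
    allowed = leased_addresses(LEASE_DB)
    slaac_host = eui64_address(LAN_PREFIX, "00:11:22:33:44:55")  # constructed MAC
    for a in ["2001:db8:1::1001", "2001:db8:1::1003", str(slaac_host)]:
        kind = "EUI-64/SLAAC" if is_eui64(ipaddress.IPv6Address(a)) else "DHCPv6-style"
        print(f"{a:40} {kind:14} -> {policy_decision(a, allowed)}")
```

The DHCPv6 client with an active lease is allowed, the expired lease falls out of the allow list, and the SLAAC host, whose address never appears in any lease database, is dropped even though it is a legitimate LAN host: that is the breakage Bjørn points out, and it applies equally to statically addressed devices.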

