IPv6 Firewall on CPEs - Default on or off

Eric Vyncke (evyncke) evyncke at cisco.com
Fri Nov 30 15:00:54 CET 2012


André,

The easiest is to simply ignore inbound packets whose destination address is not in your NDP cache... This should prevent the remote exhaustion attack simply because the CPE router will never initiate a NS ;-)

> -----Original Message-----
> From: ipv6-ops-bounces+evyncke=cisco.com at lists.cluenet.de [mailto:ipv6-ops-
> bounces+evyncke=cisco.com at lists.cluenet.de] On Behalf Of Bjørn Mork
> Sent: vendredi 30 novembre 2012 11:50
> To: Andre Tomt
> Cc: ipv6-ops at lists.cluenet.de; Anfinsen, Ragnar
> Subject: Re: IPv6 Firewall on CPEs - Default on or off
> 
> Andre Tomt <andre at tomt.net> writes:
> > On 29. nov. 2012 10:27, Bjørn Mork wrote:
> >> Andre Tomt <andre at tomt.net> writes:
> >>
> >>> Also mentioned, embedded devices have a horrible, horrible track
> >>> record, and are not really improving much. Think printers, consumer
> >>> wifi routers, semimanaged switches and such. Combined with SLAAC not
> >>> being very random (OUI space, sequential addresses within a OUI),
> >>> it makes them easy to discover. "Lets scan this prefix for old,
> >>> vulnerable HP printers and make them send a copy of all printouts to
> >>> us!".
> >>>
> >>> There is also the issue of ND neighbour table exhaustion on a lot of
> >>> CPE, when they have to reach out to the LAN to find hosts during
> >>> scanning sweeps. How long does your Zyxel CPE's hold up during such
> >>> a scan?
> >>>
> >>> So that's pro firewall.
> >>
> >> What rules do you propose to mitigate those attacks?
> >
> > Drop all by default, allow incoming and outgoing for addresses in
> > DHCPv6 lease database. This is not without drawbacks (breaks static
> > addressing),
> 
> It also breaks SLAAC.  That's something you may choose to do on your own
> network, but certainly not an option for a mass market deployment.
> 
> 
> Bjørn


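The NDP-cache gate Eric describes, as an added simulation that is not part of the thread and not any vendor's CPE code: a toy neighbour cache with a deliberately tiny limit (constructed, 8 entries) is swept from the WAN side with sequential destination addresses, once with the classic "create an INCOMPLETE entry and send NS" forwarding path and once with the gated path that forwards only to addresses already present in the cache. The prefix 2001:db8:1::/64 and the host addresses are constructed for the example.

```python
"""Simulation of neighbour-cache exhaustion on a CPE and of the
"only forward to addresses already in the NDP cache" mitigation.
Constructed example; not the thread's or any vendor's code."""
import ipaddress
from dataclasses import dataclass, field

LAN_PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")  # constructed LAN prefix
CACHE_LIMIT = 8  # deliberately tiny so exhaustion is visible in a few packets


@dataclass
class NeighborCache:
    limit: int = CACHE_LIMIT
    entries: dict = field(default_factory=dict)  # address -> ND state

    def learn(self, addr) -> bool:
        """Entry created when a LAN host itself speaks to the CPE (NS/NA/RS).
        Returns False if the table is full and the host cannot be added."""
        if addr not in self.entries and len(self.entries) >= self.limit:
            return False
        self.entries[addr] = "REACHABLE"
        return True

    def resolve(self, addr) -> bool:
        """Classic router behaviour for an unknown destination: reserve an
        INCOMPLETE entry and (conceptually) send a Neighbor Solicitation.
        Returns False when the table is already full."""
        if addr in self.entries:
            return True
        if len(self.entries) >= self.limit:
            return False
        self.entries[addr] = "INCOMPLETE"
        return True


def forward_classic(cache: NeighborCache, dst) -> str:
    """Forwarding without the gate: unknown LAN destinations trigger NS."""
    if dst not in LAN_PREFIX:
        return "not-for-lan"
    if cache.entries.get(dst) == "REACHABLE":
        return "forwarded"
    return "queued-ns" if cache.resolve(dst) else "dropped-table-full"


def forward_gated(cache: NeighborCache, dst) -> str:
    """Forwarding with the gate: only destinations already in the cache are
    forwarded; anything else is dropped without creating an entry or NS."""
    if dst not in LAN_PREFIX:
        return "not-for-lan"
    if dst in cache.entries:
        return "forwarded"
    return "dropped-not-in-cache"


def simulate(gated: bool, scan_targets: int = 20) -> dict:
    """Sweep scan_targets sequential LAN addresses from the WAN side, then
    check whether a known host and a newly booted host are still reachable."""
    cache = NeighborCache()
    fwd = forward_gated if gated else forward_classic
    known = ipaddress.IPv6Address("2001:db8:1::aaaa")  # constructed, already in cache
    cache.learn(known)
    outcomes: dict = {}
    for i in range(1, scan_targets + 1):
        dst = LAN_PREFIX[i]  # ::1, ::2, ... the sequential sweep from the thread
        result = fwd(cache, dst)
        outcomes[result] = outcomes.get(result, 0) + 1
    newcomer = ipaddress.IPv6Address("2001:db8:1::beef")  # constructed, boots after the scan
    learned = cache.learn(newcomer)
    return {
        "cache_size": len(cache.entries),
        "incomplete": sum(1 for s in cache.entries.values() if s == "INCOMPLETE"),
        "scan_outcomes": outcomes,
        "known_host": fwd(cache, known),
        "newcomer_learned": learned,
        "newcomer": fwd(cache, newcomer),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("gated" if mode else "classic", simulate(gated=mode))
```

In the classic run the sweep fills the table with INCOMPLETE entries and the host that boots afterwards cannot even be learned; in the gated run the sweep leaves the cache untouched and both hosts are reachable. The trade-off the simulation also makes visible: with the gate, a LAN host whose entry has aged out of the cache is unreachable from outside until it sends something itself, which is the price of never initiating NS for WAN-sourced traffic.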