IPv6 Firewall on CPEs - Default on or off
Eric Vyncke (evyncke)
evyncke at cisco.com
Fri Jan 25 12:25:47 CET 2013
If you remember this old discussion, then you may want to read a new Internet Draft by Martin, Guillaume, Ragnar and myself:
Title: Balanced Security for IPv6 CPE
Creation date: 2013-01-25
WG ID: Individual Submission
Number of pages: 8
Comments are of course welcome :-)
> -----Original Message-----
> From: Merike Kaeo [mailto:merike at doubleshotsecurity.com]
> Sent: Thursday 6 December 2012 18:53
> To: Anfinsen, Ragnar
> Cc: Lorenzo Colitti; Martin Millnert; Eric Vyncke (evyncke); Tore Anderson;
> Benedikt Stockebrand; ipv6-ops at lists.cluenet.de
> Subject: Re: IPv6 Firewall on CPEs - Default on or off
> On Dec 5, 2012, at 12:31 AM, Anfinsen, Ragnar wrote:
> > *Lorenzo
> >> Eric, this isn't something you'd be interested in taking on (as an
> >> addition to your growing body of work on IPv6 security), by any chance?
> > +1
> After catching up with this thread there's a few points I figured I'd make.
> 1. Agree with the Off/Low (default)/Diode style firewall approach although
> since CPEs are devices that get owned so easily I think the arguments on
> the firewall aspect are somewhat humorous. [sorry, in a somewhat cynical mood
> this AM]. In the past year I've seen too many CPEs that are easily hacked that
> I'd prefer some attention be paid to ensuring no one can own your CPE rather
> than figure out what traffic makes sense to permit/deny through it. The
> easiest way to own is by some devices enabling configuration through WAN and of
> course the default username/pw that no one changes so even LAN side device
> access can be achieved.
> When I first heard of the pinhole aspect and how applications have
> capability to poke a hole through the firewall I was cautiously optimistic
> that this would be an interesting compromise. However, the realities are
> that not many applications clean up after themselves when the session is
> done. Lots of holes everywhere. So I became less enamored of a stateful
> firewall in CPE devices since it would give a user a false sense of
> security. At least let them be aware that all traffic is passed and move
> the mitigation techniques elsewhere.
> 2. In my not so cynical mode I do like the idea of someone working through what
> the Low mode would block. In addition to the known to be primarily
> malicious use ports (there's only a handful) it may be useful to include
> packets with SRC IP of netblock that should never be passed. (this of course
> brings issues of what happens if some netblocks get reassigned to NOT be
> special purpose addresses as has happened in v4...well, keep the list tiny).
> 3. While many application attacks are increasing along with attacks that
> fall under the radar since they can't be spotted as 'anomalies' with network
> monitoring devices, don't discount the old ones. They are seen around in
> plenty of script kiddie tools and are alive and well. Spoofed addresses
> are used in some large DoS amplification attacks.
> 4. I really am wary about arguments where 'we have not seen an IPv6 attack
> so there is no need to worry' - it's a matter of time. But I would prefer
> to see the mitigation techniques be on end user devices.
> Overall great to see all the discussion. A lot of great work being done to
> move things forward.
> - merike
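An added illustration of the "Low mode" sketched in Merike's point 2 (a tiny, fixed list of IPv6 source prefixes that should never arrive on a CPE WAN port, plus a handful of destination ports). This is example code written for this archive page, not code from the draft, from Cisco or from any poster in the thread. The prefix list deliberately contains only addresses that are structurally never valid as a WAN source (unspecified, loopback, IPv4-mapped, link-local, unique-local, multicast), which keeps it small and avoids the reassignment problem raised in the thread; the documentation prefix 2001:db8::/32 is left out on purpose so it can serve as the constructed sample address space. The port set and the `Packet` record are assumptions for the example, not the draft's list.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed, deliberately tiny list of IPv6 source prefixes that can never
# legitimately reach the CPE from the WAN (RFC 4291 address architecture).
# Allocatable/special-purpose global ranges are intentionally NOT listed,
# so the list does not rot if a registry reassigns a block.
NEVER_VALID_WAN_SOURCES = [
    ipaddress.ip_network("::/128"),         # unspecified address
    ipaddress.ip_network("::1/128"),        # loopback
    ipaddress.ip_network("::ffff:0:0/96"),  # IPv4-mapped, never on the wire
    ipaddress.ip_network("fe80::/10"),      # link-local, never routed
    ipaddress.ip_network("fc00::/7"),       # unique local, not global
    ipaddress.ip_network("ff00::/8"),       # multicast is never a source
]

# Hypothetical "handful of ports" blocked by Low mode. The values here are a
# placeholder chosen for the example, not the draft's actual list.
BLOCKED_DST_PORTS: Dict[str, Set[int]] = {
    "tcp": {135, 445},
    "udp": {},
}


@dataclass(frozen=True)
class Packet:
    """Minimal view of an inbound WAN packet (constructed for the example)."""
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmpv6"
    dport: Optional[int] = None


def low_mode_verdict(pkt: Packet) -> Tuple[str, str]:
    """Return ("drop"|"pass", reason) for one inbound packet in Low mode.

    Order matters: address sanity first, then the port list, then the
    default permit that distinguishes Low mode from a stateful firewall.
    """
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return ("drop", "malformed-src")
    if src.version != 6:
        return ("drop", "not-ipv6")
    for net in NEVER_VALID_WAN_SOURCES:
        if src in net:
            return ("drop", "src-in-" + str(net))
    blocked = BLOCKED_DST_PORTS.get(pkt.proto, set())
    if pkt.dport is not None and pkt.dport in blocked:
        return ("drop", "%s/%d" % (pkt.proto, pkt.dport))
    # Low mode is not stateful: anything else is forwarded to the LAN.
    return ("pass", "default-permit")


def evaluate(packets: List[Packet]) -> List[Tuple[Packet, str, str]]:
    """Run the Low-mode policy over a list of packets."""
    return [(p,) + low_mode_verdict(p) for p in packets]


def drop_reasons(packets: List[Packet]) -> Dict[str, int]:
    """Count drops per reason; useful as the CPE's minimal log summary."""
    counts: Dict[str, int] = {}
    for _, verdict, reason in evaluate(packets):
        if verdict == "drop":
            counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample traffic: 2001:db8::/32 plays the role of "real" space.
SAMPLE_PACKETS = [
    Packet("2001:db8:a::1", "2001:db8:1::10", "tcp", 443),   # ordinary web
    Packet("2001:db8:a::1", "2001:db8:1::10", "tcp", 445),   # blocked port
    Packet("fe80::1", "2001:db8:1::10", "icmpv6"),           # link-local src
    Packet("::ffff:192.0.2.1", "2001:db8:1::10", "udp", 53), # IPv4-mapped src
    Packet("fd00::5", "2001:db8:1::10", "tcp", 22),          # ULA src
    Packet("ff02::1", "2001:db8:1::10", "udp", 5353),        # multicast src
    Packet("192.0.2.7", "2001:db8:1::10", "tcp", 80),        # not IPv6 at all
]

if __name__ == "__main__":
    for pkt, verdict, reason in evaluate(SAMPLE_PACKETS):
        print("%-22s %-8s %s" % (pkt.src, verdict, reason))
    print(drop_reasons(SAMPLE_PACKETS))
```

Note how little this policy does: one packet of the seven passes on the default-permit branch, and nothing here tracks sessions or pinholes, which is exactly the point of the thread's "Low" setting versus a stateful CPE firewall.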