IPv6 Firewall on CPEs - Default on or off

Fri Jan 25 12:25:47 CET 2013

If you remember this old discussion, then you may want to read a new Internet Draft by Martin, Guillaume, Ragnar and myself:

Filename:	 draft-v6ops-vyncke-balanced-ipv6-security
Revision:	 00
Title:		 Balanced Security for IPv6 CPE
Creation date:	 2013-01-25
WG ID:		 Individual Submission
Number of pages: 8
URL:             http://www.ietf.org/internet-drafts/draft-v6ops-vyncke-balanced-ipv6-security-00.txt
Status:          http://datatracker.ietf.org/doc/draft-v6ops-vyncke-balanced-ipv6-security
Htmlized:        http://tools.ietf.org/html/draft-v6ops-vyncke-balanced-ipv6-security-00

Comments are of course welcome :-)

-éric

> -----Original Message-----
> From: Merike Kaeo [mailto:merike at doubleshotsecurity.com]
> Sent: jeudi 6 décembre 2012 18:53
> To: Anfinsen, Ragnar
> Cc: Lorenzo Colitti; Martin Millnert; Eric Vyncke (evyncke); Tore Anderson;
> Benedikt Stockebrand; ipv6-ops at lists.cluenet.de
> Subject: Re: IPv6 Firewall on CPEs - Default on or off
> 
> 
> On Dec 5, 2012, at 12:31 AM, Anfinsen, Ragnar wrote:
> 
> > *Lorenzo
> >
> >> Eric, this isn't something you'd be interested in taking on (as an
> >> addition to your growing body of work on IPv6 security), by any chance?
> >
> > +1
> 
> After catching up with this thread there's a few points I figured I'd make.
> 
> 1. Agree with the Off/Low (default)/Diode style firewall approach although
> since CPEs are devices that get owned so easily I think the arguments on
> firewall aspect is somewhat humorous.  [sorry, in a somewhat cynical mood
> this AM].  In past year I've seen too many CPE's that are easily hacked that
> I'd prefer some attention be paid to ensuring noone can own your CPE rather
> than figure out what traffic makes sense to permit/deny through it.   The
> easiest way to own is by some devices enabling configuration thru WAN and of
> course the default username/pw that noone changes so even LAN side device
> access can be achieved.
> 
> When I first heard of the pinhole aspect and how applications have
> capability to poke a hole through the firewall I was cautiously optimistic
> that this would be an interesting compromise.  However, the realities are
> that not many applications clean up after themselves when the session is
> done.  Lots of holes everywhere.  So I became less enamored of a stateful
> firewall in CPE devices since it would give a user a false sense of
> security.  At least let them be aware that all traffic is passed and move
> the mitigation techniques elsewhere.
> 
> 
> 2. In my not so cynical mode I do like the idea of someone working thru what
> the Low mode would block.  In addition to the known to be primarily
> malicious use ports (there's only a handful) it may be useful to include
> packets with SRC IP of netblock that should never be passed. (this of course
> brings issues of what happens if some netblocks get reassigned to NOT be
> special purpose addresses as has happened in v4...well, keep the list tiny).
> 
> 
> 3. While many application attacks are increasing along with attacks that
> fall under the radar since they can't be spotted as 'anomolies' with network
> monitoring devices, don't discount the old ones.  They are seen around in
> plenty of script kiddie tools and are alive and well.   Spoofed addresses
> are used in some large DoS amplification attacks.
> 
> 4. I really am wary about arguments where 'we have not seen an IPv6 attack
> so there is no need to worry' - it's a matter of time.  But I would prefer
> to see the mitigation techniques be on end user devices.
> 
> Overall great to see all the discussion.  A lot of great work being done to
> move things forward.
> 
> - merike
> 
> 