cancel
Showing results for 
Search instead for 
Did you mean: 

IPv6 Security

pwatson
Rising Star
Posts: 2,470
Thanks: 8
Fixes: 1
Registered: ‎26-11-2012

IPv6 Security

Thinking it would be useful to have a thread about security issues around the new trial?  I'm aware, for instance, that the stock firmware for the Asus RT-N66U doesn't (or at least didn't) have any firewall settings for IPv6.  Any issues with other routers?  Any spurious entries appearing yet in firewall logs?
13 REPLIES 13
dragon2611
Grafter
Posts: 283
Registered: ‎20-10-2013

Re: IPv6 Security

Scares the hell out of me thinking the number of IPv6 enabled Routers that will probably be sold without adequate default firewall settings.
I'm of the opinion that out of the Box any unsolicited inbound IPv6 traffic should be dropped and then it's upto the user to change the settings to allow access to various services.
Anonymous
Not applicable

Re: IPv6 Security

I would like to know whether the Plusnet "Broadband Firewall" works the same for IPv6 ?
hazzamon
Grafter
Posts: 33
Registered: ‎11-03-2011

Re: IPv6 Security

In the absence of a router firewall for IPv6, you also have Window's software firewall too (assuming you run Windows); both will drop unsolicited incoming packets.
MJN
Pro
Posts: 1,318
Thanks: 161
Fixes: 5
Registered: ‎26-08-2010

Re: IPv6 Security

It is worth recognising that the vast majority of attacks these days, particular on home connections, are as a result of user-executed malware e.g. opening infected binary attachments received by e-mail, downloading dodgy software from the Internet, indiscriminate use of memory sticks and other removable media and inadvertently running malicious code on visited websites etc.
Given this there is very little a stateful firewall can actually do. We must therefore be very careful that we don’t focus on the wrong problem - just because we’ve lost the inherent stateful restrictions of an IPv4 NAT doesn’t necessarily mean we are any more vulnerable.
All that said, whilst the majority of attacks might well be at the application layer, the majority doesn't equal the entirety and so there are still some prudent steps that ought to be taken to protect elements of the network layer and also to help shield some of the more common applications/services from attack that might be vulnerable in their default or otherwise badly configured state.
To that end there is a draft informational RFC published under draft-v6ops-vyncke-balanced-ipv6-security-01.txt that proposes such an stance as a default CPE configuration. It is based upon a real IPv6 deployment (Swisscom) and claims to have resulted in no known security incidents. Of course, security is an arms race and methods of attack are an ever-moving target so such a configuration would need to evolve to suit the changing landscape but as a general principle I fully support it.
Again though, the real issue is malware and mitigation of that threat lies almost exclusively in user education and host-based security.
dragon2611
Grafter
Posts: 283
Registered: ‎20-10-2013

Re: IPv6 Security

Actually more worried about things like printers, Ip cameras, WiFi access points and the such like which often have known default passwords that few people actually bother to change.
MJN
Pro
Posts: 1,318
Thanks: 161
Fixes: 5
Registered: ‎26-08-2010

Re: IPv6 Security

Agreed, but the appropriate fix for that is to cure the cause not the symptom. Just as routers (and I assumed wifi access points) tend to be shipped now with unique passwords other equipment vendors need to be encouraged (pressured) to do the same.
There is a very real risk that the opportunity to benefit from one of the fundamental potential enablers of IPv6 - open end-to-end connectivity - could be completely missed if we don't pull our socks up and implement 'proper' security.
Perhaps this will happen automatically though as a result of evolution in response to the changing landscape - with the current traditional IPv4 setup sitting behind a NAT there is arguably no benefit (but potential drawback) from shipping network devices with unique passwords and secure network stacks. With the open nature of IPv6, specifically the ubiquitous use of a globally unique address space, vendors should hopefully be forced to change their default stance in response to this.
dragon2611
Grafter
Posts: 283
Registered: ‎20-10-2013

Re: IPv6 Security

Agreed but it still needs a firewall in the edge device as far as I'm concerned.
After all lets face it even if today all the manufacturers started doing security properly there would still be 1000's of devices out there with insecure default configurations/
SimonHobson
Rising Star
Posts: 190
Thanks: 41
Registered: ‎30-07-2007

Re: IPv6 Security

Yup, agree 100%
Perimeter firewall is essential, even if all your devices do have good security themselves - multiple layers of protection and all that.
Plus of course, we need to consider that probably 99+% of users have no idea at all - and the kit sent out needs to be secure by default. Those of us who want more openness, or public facing services etc are most likely knowledgable to deal with the security issues that go with that. Just eliminating NAT will make many things so much easier - eg things like SIP and Torrents should work fairly well (and without messy workarounds) as long as firewalls handle outbound connections properly and permit the reverse traffic.
MJN
Pro
Posts: 1,318
Thanks: 161
Fixes: 5
Registered: ‎26-08-2010

Re: IPv6 Security

Quote from: SimonHobson
as long as firewalls handle outbound connections properly and permit the reverse traffic.

That's the easy bit. The real difficulty lies with configuring firewalls to permit wanted outside-initiated traffic whilst blocking that which we don't want. If we don't achieve this then we might as well go back to sitting behind a NAT again.
dragon2611
Grafter
Posts: 283
Registered: ‎20-10-2013

Re: IPv6 Security

Quote from: SimonHobson
Yup, agree 100%
Perimeter firewall is essential, even if all your devices do have good security themselves - multiple layers of protection and all that.
Plus of course, we need to consider that probably 99+% of users have no idea at all - and the kit sent out needs to be secure by default. Those of us who want more openness, or public facing services etc are most likely knowledgable to deal with the security issues that go with that. Just eliminating NAT will make many things so much easier - eg things like SIP and Torrents should work fairly well (and without messy workarounds) as long as firewalls handle outbound connections properly and permit the reverse traffic.

allow established/related and outbound should be a reasonably sensible out of the box configuration I believe as it should allow any outbound traffic and any replies to come back but drop unsolicited inbound.
Then of course there should be options in the router gui to open up additional inbound ports.
MJN
Pro
Posts: 1,318
Thanks: 161
Fixes: 5
Registered: ‎26-08-2010

Re: IPv6 Security

That's too complicated for your average user - just as it is today and why UPnP was invented (which brings a whole host of other problems). It is all too easy for us relative 'techies' to completely misjudge (and nearly always overstating) the the technical ability of a typical user.
If my mum buys an IP camera for keeping an eye on the cat from her phone whist she's out she shouldn't have to enter the router GUI ('the what what?' she'll say) to enable it to work.
IPv6 is a unique opportunity to regain the end-to-end connectivity that was a fundamental architectural principle of the design of the Internet and whilst the environment might have changed we should be very careful effectively undermining any chance to get it back by blindly implementing old techniques.
Did you read the 'balanced security' proposal? If so, what are your thoughts?
MJN
Pro
Posts: 1,318
Thanks: 161
Fixes: 5
Registered: ‎26-08-2010

Re: IPv6 Security

Incidentally, I should add that I don't see this as a black and white issue so I do hope any firm stating of my own opinion is taken as intended i.e. merely an expression of opinion for debate rather than a you're wrong I'm right stance!
SimonHobson
Rising Star
Posts: 190
Thanks: 41
Registered: ‎30-07-2007

Re: IPv6 Security

Quote from: MJN
... an expression of opinion for debate rather than a you're wrong I'm right stance!

Indeed, for there is no "right" or "wrong" for this - only shades of better or worse which will vary depending on your viewpoint.
Personally, I think uPNP is a gaping security chasm - but as pointed out, for most people it's the only way their <whatever> will work for them. There are already devices which come with default settings that open up ports with uPNP to their buggy software and then expose the entire network to attack. In other words, uPNP is only as secure as your least secure device - and some stuff is "not very secure" by misdesign.