dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
1442
share rss forum feed


timcuth
Braves Fan
Premium
join:2000-09-18
Pelham, AL

World IPv6 Launch Day: A Security Risk?


AVonGauss
Premium
join:2007-11-01
Boynton Beach, FL

2 recommendations

On the residential side there is definitely some truth to that, most home gateways provide minimal if any security support for IPv6. With that said, due to the natural of the IPv6 address space and the fact that most services are not enabled for Internet connections by default I would like to think the actual impact will be minimal.

People are not going to "audit" their computers and ever growing number of non-computer gadgets for security. I hope gateway manufacturers realize this and start to implement better security for the IPv6 side of the house.


whfsdude
Premium
join:2003-04-05
Washington, DC

1 recommendation

reply to timcuth
I can't speak for other routers I haven't tried but both D-Link and Apple (Airport Extreme) toss up an SPI firewall for IPv6.

So you're getting the same protection as NAT.


timcuth
Braves Fan
Premium
join:2000-09-18
Pelham, AL
reply to timcuth
Yes. I modified a Netgear WNDR3300 router with dd-wrt so it would support IPv6. I could install ip6tables on it, except its memory is completely used already.

Tim


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

1 recommendation

Not that I am a software author, I wouldn't have put IPv6 support into dd-wrt without ip6tables. It would have been both or not at all.


Cabal
Premium
join:2007-01-21
Reviews:
·Suddenlink
reply to AVonGauss
After Apple's snafu back in 2007 with allowing incoming IPv6 by default (»arstechnica.com/apple/2007/02/7063/), it seems like most manufacturers have gotten on board with the same allow-all-out-block-all-in stateful policy for IPv4 and IPv6.
--
If you can't open it, you don't own it.

AVonGauss
Premium
join:2007-11-01
Boynton Beach, FL
reply to whfsdude
I haven't looked at the Airport Extreme, but last time I looked at the DIR-825 (firmware 2.06) I'd be willing to bet it is not providing protection for IPv6 traffic. Maybe I just missed it, but there was no mechanism I saw via the GUI to grant (or deny for that matter) access to specific IPv6 hosts and/or specific services running on IPv6 hosts. Until that's present, it would be hard to enable a SPI firewall for IPv6 I think. And that being true means its passing the IPv6 traffic indiscriminately.


Cabal
Premium
join:2007-01-21
Reviews:
·Suddenlink
said by AVonGauss:

Maybe I just missed it, but there was no mechanism I saw via the GUI to grant (or deny for that matter) access to specific IPv6 hosts and/or specific services running on IPv6 hosts. Until that's present, it would be hard to enable a SPI firewall for IPv6 I think.

I think it's more likely it's providing blanket protection and is just lacking the GUI to fine-tune on a host-specific basis.
--
If you can't open it, you don't own it.

AVonGauss
Premium
join:2007-11-01
Boynton Beach, FL
If what you were saying is true, then that would mean no IPv6 connection could be made to a host behind the device unless the device had already established a repertoire with the remote host. I probably won't have a chance for a day or two, but I will pull the DIR-825 and try it - I would be highly surprised if any sort of firewall is implemented for the IPv6 side.


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to AVonGauss
said by AVonGauss:

I haven't looked at the Airport Extreme, but last time I looked at the DIR-825 (firmware 2.06) I'd be willing to bet it is not providing protection for IPv6 traffic.

Last time I looked at it was when it was beta code on one of their wireless devices. There was also a GUI for v6 firewall functions. It's been two years so maybe they took the Apple approach and removed the firewall feature from the user.