Re: [OpenWrt-Devel] OpenWRT IPv6 firewall
Hi,

On Sun, Jul 20, 2014 at 03:50:24PM -0700, David Lang wrote:
> > I'm well aware of all the bullshit that is knocking on my doors all day. Point is, firewalls on the *routers* are not going to help the laptop that moves around, attaches to a Wifi Hotspot, is hacked there, gets moved back behind your firewall, and starts hacking others from there. And it doesn't help the desktop PC that neglected to do any updates, gets infected by flash/pdf/word exploit, and starts scanning your network, behind the firewall.
>
> The problem here isn't with laptops, it's with TVs, light bulbs, thermostats, digital picture frames, etc. These are the types of devices that I'm worried about protecting.

Yes, so how do you protect them from the malware on your PC and laptop, which both are behind the firewall?

A hacker from the wild is likely to not even *find* the device if it's using EUI64 IPv6 addressing and not registered in DNS, while an attacker on the same LAN just needs to ping ff02::1 to see them all, wide open...

gert
--
USENET is *not* the non-clickable part of WWW!   //www.muc.de/~gert/
Gert Doering - Munich, Germany   g...@greenie.muc.de
fax: +49-89-35655025   g...@net.informatik.tu-muenchen.de
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] OpenWRT IPv6 firewall
On Mon, 21 Jul 2014, Gert Doering wrote:
> Hi,
>
> On Sun, Jul 20, 2014 at 03:50:24PM -0700, David Lang wrote:
> > > I'm well aware of all the bullshit that is knocking on my doors all day. Point is, firewalls on the *routers* are not going to help the laptop that moves around, attaches to a Wifi Hotspot, is hacked there, gets moved back behind your firewall, and starts hacking others from there. And it doesn't help the desktop PC that neglected to do any updates, gets infected by flash/pdf/word exploit, and starts scanning your network, behind the firewall.
> >
> > The problem here isn't with laptops, it's with TVs, light bulbs, thermostats, digital picture frames, etc. These are the types of devices that I'm worried about protecting.
>
> Yes, so how do you protect them from the malware on your PC and laptop, which both are behind the firewall?
>
> A hacker from the wild is likely to not even *find* the device if it's using EUI64 IPv6 addressing and not registered in DNS, while an attacker on the same LAN just needs to ping ff02::1 to see them all, wide open...

The argument was that laptops are better protected nowadays because they routinely get exposed outside the home network. I agree that they are far better than they used to be, but I am saying that there is this other class of devices that is not benefiting from the attention that the desktop OSs are getting, and these devices are absolutely quality.

no, having a default-deny perimeter doesn't protect you from a laptop on the inside, but it does protect you from everyone else's laptops outside.

While it is nice to say that IPv6 has a large address space and so nobody will ever scan it, I don't believe it. When IPv4 started out, people didn't believe that scanning it was going to be practical either. And since common methods of assigning IPv6 addresses are either sequential (DHCP) or based on MAC addresses (fairly predictable per vendor), I expect that scanning is going to continue.

As for the "doing a scan against someone else's IPv6 address space is a DoS against your service" argument, remember that these people aren't doing the scan from _their_ internet connection, they are doing it from botnets, so they are using free bandwidth.

David Lang
Re: [OpenWrt-Devel] OpenWRT IPv6 firewall
Hi,

On Mon, Jul 21, 2014 at 12:18:46AM -0700, David Lang wrote:
> While it is nice to say that IPv6 has a large address space and so nobody will ever scan it, I don't believe it.

Don't believe. Try math. 2^64 is big enough that if you manage to send a few 1000 packets a second, you'll need up to the heat death of the universe to scan a single /64 subnet...

(Of course this can be optimized if you're targeting very specific devices and only need to scan 2^24 potential EUI64 addresses in a given vendor's MAC range - but that's not your Joe Random attacker. If someone is that determined, he'll just target your PC first, and jump from there to the devices on your LAN. Way easier in general)

gert
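Gert's two figures carried through with numbers, as an added illustration that is not part of the original thread; it assumes a rate of exactly $10^3$ probes per second and one probe per candidate address.

$$T_{/64} = \frac{2^{64}}{10^{3}\ \mathrm{s^{-1}}} \approx \frac{1.8 \times 10^{19}}{10^{3}\ \mathrm{s^{-1}}} \approx 1.8 \times 10^{16}\ \mathrm{s} \approx \frac{1.8 \times 10^{16}\ \mathrm{s}}{3.16 \times 10^{7}\ \mathrm{s/yr}} \approx 5.8 \times 10^{8}\ \text{years}$$

$$T_{\mathrm{OUI}} = \frac{2^{24}}{10^{3}\ \mathrm{s^{-1}}} = \frac{16{,}777{,}216}{10^{3}\ \mathrm{s^{-1}}} \approx 1.7 \times 10^{4}\ \mathrm{s} \approx 4.7\ \text{hours}$$

$$\frac{T_{/64}}{T_{\mathrm{OUI}}} = \frac{2^{64}}{2^{24}} = 2^{40} \approx 1.1 \times 10^{12}$$

The last ratio is the search-space reduction a fixed-vendor EUI64 interface identifier gives away compared with a random 64-bit one, which is why the thread's later remarks about devices that lack privacy extensions matter for the obscurity argument.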
Re: [OpenWrt-Devel] OpenWRT IPv6 firewall
On Mon, 21 Jul 2014, Gert Doering wrote:
> On Mon, Jul 21, 2014 at 12:18:46AM -0700, David Lang wrote:
> > While it is nice to say that IPv6 has a large address space and so nobody will ever scan it, I don't believe it.
>
> Don't believe. Try math. 2^64 is big enough that if you manage to send a few 1000 packets a second, you'll need up to the heat death of the universe to scan a single /64 subnet...
>
> (Of course this can be optimized if you're targeting very specific devices and only need to scan 2^24 potential EUI64 addresses in a given vendor's MAC range - but that's not your Joe Random attacker. If someone is that determined, he'll just target your PC first, and jump from there to the devices on your LAN. Way easier in general)

If someone is targeting you specifically, there are all sorts of other scenarios that come into play. I consider those out of scope for this sort of discussion. We are talking about what is appropriate as the default to defend against the normal Internet Badness, not against targeted threats or the NSA.

You are effectively saying that security by obscurity is good enough. You are assuming that IP address assignments are going to be random enough to make scanning worthless, so no other protection is needed. I just don't buy that. I don't believe that the addresses are really going to end up being that random. Plus there will need to be some way for devices to be discovered, which will probably be via broadcasts. I don't believe that the devices are going to be secured to the point where these broadcasts will only work from the local network. It doesn't matter how big the per-network address space is if devices respond to the one broadcast address for the network. Also, if the devices intend to be accessible, are they really going to ask people to enter IPv6 IP addresses into configs? or are they going to be publishing themselves to DNS or some other nameserver that will make them easier to find?

If you have a SIP phone that you want to just work, how are the legitimate remote users going to find it? So I'm saying that we still need to block inbound access from random external IP addresses by default. I could see having the firewall look for outbound packets from the devices and opening up inbound rules from those IPs. Even if it allowed access on all ports from the entire source network it would still be better than anyone on the Internet. This would make getting something to work between networks not be on by default, but once each side tries to connect to the other, things would be open.

David Lang
Re: [OpenWrt-Devel] OpenWRT IPv6 firewall
On Sat, 19 Jul 2014, Gert Doering wrote:
> On Fri, Jul 18, 2014 at 04:08:02PM -0700, David Lang wrote:
> > go do a tcpdump of your WAN interface some time, look at all the attacks that are going on there (especially with an ISP that's not blocking it for you)
>
> I'm well aware of all the bullshit that is knocking on my doors all day. Point is, firewalls on the *routers* are not going to help the laptop that moves around, attaches to a Wifi Hotspot, is hacked there, gets moved back behind your firewall, and starts hacking others from there. And it doesn't help the desktop PC that neglected to do any updates, gets infected by flash/pdf/word exploit, and starts scanning your network, behind the firewall.

The problem here isn't with laptops, it's with TVs, light bulbs, thermostats, digital picture frames, etc. These are the types of devices that I'm worried about protecting.

David Lang
Re: [OpenWrt-Devel] OpenWRT IPv6 firewall
Hi,

On Fri, Jul 18, 2014 at 04:08:02PM -0700, David Lang wrote:
> Yes, there will be some attacks that get through and start from the inside, but there are far fewer that get into my network than to get into the network of everyone I share an ISP with. I also don't want these random external users to be eating up my wireless bandwidth hammering uselessly against my devices, even if they will withstand the hammering.

In that case, you should ask your *ISP* to install the filter - after all, you wouldn't want them to eat up your WAN bandwidth, no?

> go do a tcpdump of your WAN interface some time, look at all the attacks that are going on there (especially with an ISP that's not blocking it for you)

I'm well aware of all the bullshit that is knocking on my doors all day. Point is, firewalls on the *routers* are not going to help the laptop that moves around, attaches to a Wifi Hotspot, is hacked there, gets moved back behind your firewall, and starts hacking others from there. And it doesn't help the desktop PC that neglected to do any updates, gets infected by flash/pdf/word exploit, and starts scanning your network, behind the firewall.

These things are all so commonplace that the firewall on the router adds dubious value - but at the same time, it breaks stuff. So if you have to decide about something that adds little positive but significant negative, why would you go for enabling it, except for "we've done it that way for the last 20 years"?

And yes, I do agree that too many software and hardware vendors have no clue how to properly secure their systems. Will it help hide them behind a magic firewall, until they get hacked via proxy (there *will* be a hacked machine behind that firewall), or will it help more to expose them, *get* them hacked, raise a big fuzz in the press about, say, printer vendor XYZ being too stupid to get their firmware right, and get it actually *fixed*, instead of having a time bomb in your network?

> If nothing ever got compromised from network attacks, the malware wouldn't bother trying them. Servers get compromised from network attacks all day.

Unfortunately, servers usually sit behind firewalls that permit just those ports that enable the attacks, like php based attack du jour or sip attacks on weak credentials, etc.

To turn that argument around: why are bots mailing me infected documents, or trying to lure me into web sites that contain malware if network attacks are so successful?

(But anyway - I already stated far upthread that this is one of the threads where people will not listen and stick to their religion anyway. So I should spend my time coding instead)

gert
Re: [OpenWrt-Devel] OpenWRT IPv6 firewall
>>>>> "David" == David Lang <da...@lang.hm> writes:

David> go do a tcpdump of your WAN interface some time, look at all
David> the attacks that are going on there (especially with an ISP
David> that's not blocking it for you)

Bear in mind, scanning an IPv6 network is a self-inflicted denial-of-service attack. The universe will end before you finish testing the addresses on *one* /64 network.

If someone has your host's globally routable IPv6 address, e.g. from observing your traffic, that's a bit different. But otherwise, unless you advertise your ipv6 address, it's very unlikely anyone is going to guess it.

--
Russell Senior, President
russ...@personaltelco.net
Re: [OpenWrt-Devel] OpenWRT IPv6 firewall
Hi,

On Thu, Jul 17, 2014 at 10:20:09AM +0200, Steven Barth wrote:
> Regarding firewalling: I understand and support your point for end-to-end connectivity though there are still quite a few people (including myself) who have reservations about the security implications.

This discussion here is very much the same discussion as everywhere when the topic pops up. There's basically 3 sides here:

- I want a firewall that mimics IPv4 NAT default-closed behaviour
- I want IPv6 to be end-to-end so applications can just work and not bother with PCP, firewall traversal, etc.
- I want a firewall but one that defaults to open for $somestuff and to close for $otherstuff (swisscom model)

I don't think we will be able to agree here any more than on the IETF lists or whatever. But what we (uh, Steven :) ) can do is: provide easily selectable firewall profiles that match the 3 common scenarios.

As of today, OpenWRT routers are not autoconfig yet, but you need to put in some config anyway (like, the protocol and username/password used to connect to your ISP). If we could have a basic firewall switch there that has 4 settings "closed", "fully open", "balanced (swisscom model)" or "customized", this should enable users to get what they want without having to really think about firewall rules, ports, etc.

Of course the question remains what should the default be, and I'm not sure we can come to an agreement on this.

gert
Re: [OpenWrt-Devel] OpenWRT IPv6 firewall
Hi,

On Thu, Jul 17, 2014 at 12:07:57PM -0400, Soren Harward wrote:
> the worst case scenario is that the user's machine gets compromised.

This is an extremely likely case, but it will not happen by a network based attack. Compromises these days on end hosts happen due to garbage the users click on (in mail, in web sites, etc.), much less due to network attacks (because client systems have become more robust to these, and they all come with a host firewall by default today).

So always assume that the compromised host is already *in* your network, and then re-evaluate your router firewall requirements.

gert
Re: [OpenWrt-Devel] OpenWRT IPv6 firewall
Gert Doering wrote:
> On Thu, Jul 17, 2014 at 10:20:09AM +0200, Steven Barth wrote:
> > Regarding firewalling: I understand and support your point for end-to-end connectivity though there are still quite a few people (including myself) who have reservations about the security implications.
>
> This discussion here is very much the same discussion as everywhere when the topic pops up. There's basically 3 sides here:
>
> - I want a firewall that mimics IPv4 NAT default-closed behaviour
> - I want IPv6 to be end-to-end so applications can just work and not bother with PCP, firewall traversal, etc.
> - I want a firewall but one that defaults to open for $somestuff and to close for $otherstuff (swisscom model)
>
> I don't think we will be able to agree here any more than on the IETF lists or whatever. But what we (uh, Steven :) ) can do is: provide easily selectable firewall profiles that match the 3 common scenarios.
>
> As of today, OpenWRT routers are not autoconfig yet, but you need to put in some config anyway (like, the protocol and username/password used to connect to your ISP). If we could have a basic firewall switch there that has 4 settings "closed", "fully open", "balanced (swisscom model)" or "customized", this should enable users to get what they want without having to really think about firewall rules, ports, etc.

I agree - this is an excellent approach

> Of course the question remains what should the default be, and I'm not sure we can come to an agreement on this.

My own thoughts on this are evolving. In real life (whatever that is), I consider myself more a product manager (marketing guy) than a developer, so I'm interested in the customer experience of the final product. Of course, the final product is really a router, and OpenWRT would be a component of that router. In all fairness, as I'm building that router product, I'm going to modify OpenWRT to meet the needs of the market.

So, the bottom line is that, whatever the default is in OpenWRT, I'm going to go ahead and set it to what I need it to be in my build, before I blow it on to the router (or whatever) that the customer sees. The end user of the router would be a random customer (let's just say, someone's mom), and I am responsible for that customer's experience. Being the experienced (some might say, cynical) individual I am, I'd want it to be idiot-friendly - removing as many opportunities for the end user to get into trouble as possible. So, at least at this point in time, I'm going to close all the ports by default. I'd rather face the prospect of helping the customer open the ports as they need that end-to-end connectivity than the prospect of someone saying, "you sold me a router that's unexpectedly wide open to the Internet and everyone in the world is sending all manner of nasty stuff to my printer."

However, *I* am actually the end user of OpenWRT - it's reasonable to assume that anyone who is downloading OpenWRT or building it from source is sufficiently advanced in their knowledge (or at least wants to be) that they would expect it to be expert-friendly, not idiot-friendly. From that perspective, I still think that having the router block all ports (as is done in v4 consumer-grade routers today) is the idiot-friendly default, but, after thinking about it more, I think that Gert's balanced approach is probably the expert-friendly default and the one I would want and expect in the OpenWRT builds.

FWIW,

Bill

P.S. No, my printer is not v6-ready, either, but let's assume there are some that are...
Re: [OpenWrt-Devel] OpenWRT IPv6 firewall
On Fri, 18 Jul 2014 10:21:56 -0700, Bill wrote:
> Gert Doering wrote:
> > On Thu, Jul 17, 2014 at 10:20:09AM +0200, Steven Barth wrote:
> > > Regarding firewalling: I understand and support your point for end-to-end connectivity though there are still quite a few people (including myself) who have reservations about the security implications.
> >
> > This discussion here is very much the same discussion as everywhere when the topic pops up. There's basically 3 sides here:
> >
> > - I want a firewall that mimics IPv4 NAT default-closed behaviour
> > - I want IPv6 to be end-to-end so applications can just work and not bother with PCP, firewall traversal, etc.
> > - I want a firewall but one that defaults to open for $somestuff and to close for $otherstuff (swisscom model)
> >
> > I don't think we will be able to agree here any more than on the IETF lists or whatever. But what we (uh, Steven :) ) can do is: provide easily selectable firewall profiles that match the 3 common scenarios.
> >
> > As of today, OpenWRT routers are not autoconfig yet, but you need to put in some config anyway (like, the protocol and username/password used to connect to your ISP). If we could have a basic firewall switch there that has 4 settings "closed", "fully open", "balanced (swisscom model)" or "customized", this should enable users to get what they want without having to really think about firewall rules, ports, etc.
>
> I agree - this is an excellent approach

I also agree, this set of basic defaults is good.

> > Of course the question remains what should the default be, and I'm not sure we can come to an agreement on this.
>
> My own thoughts on this are evolving. In real life (whatever that is), I consider myself more a product manager (marketing guy) than a developer, so I'm interested in the customer experience of the final product. Of course, the final product is really a router, and OpenWRT would be a component of that router. In all fairness, as I'm building that router product, I'm going to modify OpenWRT to meet the needs of the market.
>
> So, the bottom line is that, whatever the default is in OpenWRT, I'm going to go ahead and set it to what I need it to be in my build, before I blow it on to the router (or whatever) that the customer sees. The end user of the router would be a random customer (let's just say, someone's mom), and I am responsible for that customer's experience. Being the experienced (some might say, cynical) individual I am, I'd want it to be idiot-friendly - removing as many opportunities for the end user to get into trouble as possible. So, at least at this point in time, I'm going to close all the ports by default. I'd rather face the prospect of helping the customer open the ports as they need that end-to-end connectivity than the prospect of someone saying, "you sold me a router that's unexpectedly wide open to the Internet and everyone in the world is sending all manner of nasty stuff to my printer."
>
> However, *I* am actually the end user of OpenWRT - it's reasonable to assume that anyone who is downloading OpenWRT or building it from source is sufficiently advanced in their knowledge (or at least wants to be) that they would expect it to be expert-friendly, not idiot-friendly. From that perspective, I still think that having the router block all ports (as is done in v4 consumer-grade routers today) is the idiot-friendly default, but, after thinking about it more, I think that Gert's balanced approach is probably the expert-friendly default and the one I would want and expect in the OpenWRT builds.

I think the default should be idiot-friendly. Having the easy knob to toggle to make it 'expert-friendly' should be enough. If the 'expert' can't flip that knob, they can't secure their network either.

> FWIW,
>
> Bill
>
> P.S. No, my printer is not v6-ready, either, but let's assume there are some that are...

that's a real example that has been exploited in the past, especially with the very expensive, high-end printer/copiers sold to businesses.

Again from companies that should know better

David Lang
Re: [OpenWrt-Devel] OpenWRT IPv6 firewall
Hi

On Saturday 19 July 2014, David Lang wrote:
> On Fri, 18 Jul 2014 10:21:56 -0700, Bill wrote:
> > Gert Doering wrote:
> > > On Thu, Jul 17, 2014 at 10:20:09AM +0200, Steven Barth wrote:
[...]
> > P.S. No, my printer is not v6-ready, either, but let's assume there are some that are...

If you're looking for real world examples, consider a 2009 vintage OKI B430dn black/white laser printer (which was targeted relatively cheaply (160 EUR) between advanced desktop tasks and small workgroups), something I would call quite representative for embedded devices.

- it comes with an embedded printserver
- supports IPv4 and IPv6
- it defaults to using DHCP for IPv4.
- the IPv6 implementation is enabled and uses SLAAC by default.
- it does not support DHCPv6, but does support fully manual configuration (in a very, very limited way and not beyond the limits depicted for the SLAAC case below).
- via SLAAC, it binds to the globally routable IPv6 address (and to its link local address (fe80::/10)), it does not support ULA prefixes, privacy extensions or anything more advanced. Within these constraints, IPv6 support works surprisingly well (and reliably).
- this printer does have rather advanced user access controls for an embedded device, including a local static user/password store and 802.1X (EAP). but, like pretty much any embedded device, it ships without any of this enabled -- fully open for printing, default username and password for administration and everything else.
- it does offer a plethora of protocols (SNMP, telnet, ftp, NetBEUI, Ethertalk, (LPR, Port9100, IPP, NetWare PServer/RPrinter, etc.)), with at least the common ones (IPP, LPR, Webinterface, SNMP) enabled by default.
- there are no intrusion detection methods, nothing stops you from painstakingly brute forcing your way into it (if the default username/password don't happen to work and if you really don't find a simpler way in).

On paper, the access controls are pretty advanced (if you bother to configure them), but would I trust its security if exposed to the open internet? Of course not. To the best of my knowledge there hasn't been any security problem published, but at the same time there has never been a firmware update either, nor would I expect any after 2, or 5, years - even leaving alone the likelihood that an enduser (or the resident (network-) admin for a small to medium office or company) would find one, if it existed, or risk flashing it.

> that's a real example that has been exploited in the past, especially with the very expensive, high-end printer/copiers sold to businesses.
>
> Again from companies that should know better
[...]

Like David Lang mentioned, there are tons of network enabled devices, increasingly with some kind of IPv6 support. Why, because supporting it essentially comes for free (especially if you base your firmware on linux, one of the BSDs, etc.) and allows the manufacturer to tick a few more bullet points in their product description. Security is usually an afterthought at best, you can be happy if IPv6 support actually works in the first place (see the limited configuration options for the printer mentioned above). While probably not printers, many of these will need a globally routable address for outgoing services (think NAS and downloading functions), but fewer need to provide incoming services to the internet at large (while you may want to connect to them via a VPN) - and very few can be expected to be (and remain) secure over their whole effective life time (which can easily be 5-10 years or longer for printers, wireless security cameras, simple NAS boxes and other embedded devices).

This even ignoring that pretty much all networked appliances (including OpenWrt itself) default to open access (with weak default passwords at best) after firstboot, because that and binding to all available network addresses is the only way to configure them in the first place.

With IPv6, you naturally get end-to-end connections, but this (imho) shouldn't imply unfiltered, incoming connections by default. Unlike with IPv4 and NAT, you do have all the options to allow incoming connections easily, for all your devices, without having to fight with managing portforwardings within the acceptable range of your service. If you're in an ISP-like position, you certainly need to provide unfiltered access to your clients, but CPE devices (which OpenWrt certainly is) better err on the side of caution and provide the ingrained expectation of having a secure local net.

Regards
Stefan Lippers-Hollmann
Re: [OpenWrt-Devel] OpenWRT IPv6 firewall
On 16.07.2014 22:41, Gui Iribarren wrote:
> On 16/07/14 16:21, Bill Moffitt wrote:
> > However, for the moment, I would argue that the rightness of following expected behavior is greater than the rightness of delivering the true end-to-end nature of v6.
>
> At least Swisscom (according to Baptiste) and TP-Link seem to have solved the dilemma by defining expected behaviour = the true end-to-end nature of v6 :P hurray!

End-to-End communication without firewalls in routers is important for some users (myself included)

If expected behaviour seems to differ one could check IETF RFCs or drafts:

6092: Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service: http://tools.ietf.org/rfc/rfc6092.txt
6204: Basic Requirements for IPv6 Customer Edge Routers: http://tools.ietf.org/rfc/rfc6204.txt

Checking OpenWrt against these or against some proposed consumer certifications like https://www.ipv6ready.org/?page=documents&tag=phase-2-cpe and a testsuite http://interop.ipv6.org.tw/CERouter/

Possibly there were discussions about ipv6 and firewall settings, end-to-end on home routers (CPE) on NANOG or other NOG mailing lists.

AFAICT OpenWrt does not have some of these sane defaults enabled, to quote 6092:
> IPsec transport and tunnel modes are explicitly secured by definition, so this document recommends that the DEFAULT operating mode permit IPsec.

Possibly connected with the firewall issues are the state tracking tables. Bittorrent use case: https://dev.openwrt.org/ticket/16938 requests NOTRACK documentation. And IPv6 privacy extensions might increase tracking tables too if a shorter lease time is used.

PS: Checking and updating the wiki might be nice regarding IPv6 capabilities from RFCs. I began adding some pages regarding new features mentioned in the changelog, linking from http://wiki.openwrt.org/doc/barrier.breaker

Some short use cases / commandlines / guide links from people that developed and tested these features (and list of/if additional hw/software used) would be very helpful.
Re: [OpenWrt-Devel] OpenWRT IPv6 firewall
Hi Dirk,

thanks for your help. I'll try to add some more documentation for the IPv6 stuff in the near future.

In general the aim is to make stuff comply with RFC 7084 (successor of 6204) as closely as possible (with only 1 or 2 exceptions on purpose). In general I'm not sure if anyone has really done a full interop test to check for compliance with RFCs, though it would be nice if someone volunteers. My work has been more on a best-effort basis for now. Though some of the OpenWrt people work closely together with various ISPs so there are some interoperability tests running and some ISPs even have provided some information or patches to make OpenWrt work with their glitches. That doesn't necessarily aid in RFC compliance though ;)

Regarding firewalling: I understand and support your point for end-to-end connectivity though there are still quite a few people (including myself) who have reservations about the security implications. I don't think it makes sense to change the defaults for BB at this point, that would be totally unexpected and hasty. And I don't really agree with some of the opinions like "users will get used to end-to-end IPv6" - in my experience users don't even know what IPv6 is and does. Nevertheless we should have a discussion about this for CC probably and I will try to get some more opinions also in the light of IETF 90 being next week.

Cheers,

Steven
Re: [OpenWrt-Devel] OpenWRT IPv6 firewall
On 16.7.2014 22:41, Gui Iribarren wrote:
> > I expect that, over time, users will become accustomed to the end-to-end nature of the v6 Internet and may demand that the firewall be open by default, and I would certainly propose that we have a simple checkbox in LUCI that allows the firewall to be changed from "all closed except explicitly open ports" to "all open" in one action. At some point we would probably change the default behavior from all closed to all open.
>
> What about... at *this* point? :) (i.e. before BB rc2 freeze)
>
> > However, for the moment, I would argue that the rightness of following expected behavior is greater than the rightness of delivering the true end-to-end nature of v6.
>
> At least Swisscom (according to Baptiste) and TP-Link seem to have solved the dilemma by defining expected behaviour = the true end-to-end nature of v6 :P hurray!

+1 for having default firewall settings somewhat more open. IMO opening incoming connections to TCP/UDP ports greater than 1024 as well as all other protocols that don't use port numbers would be the best compromise between security and usability. Blocking ports lower than 1024 should be sufficient to protect legacy stuff with exploitable telnet, SSH or HTTP/S management interfaces, as well as it would block unintended file sharing from home NAS-es using CIFS/NFS/HTTP(S). On the other hand, it would still allow unrestricted flow of P2P traffic, as well as ad-hoc servers in home network (For instance, I like to share a file by running an ad-hoc HTTP server and sharing a link such as http://[2001:db8:123:456::2]:8080/).

I think that reasonable default matters, because sometimes, you are not able to change the setting of home router (like visiting a friend or on public hotspot). It would be sad if you had to use some sort of VPN or IPv6-over-IPv6 tunnelling just to overcome the firewall.

Cheers!
Ondřej Caletka
Re: [OpenWrt-Devel] OpenWRT IPv6 firewall
Hello guys,

This discussion is becoming each day more confusing for something which, for me, is very simple assuming the following:

- IPv6, like IPv4, should block *any incoming connection* on the WAN interface, including those directed to the LAN IPs behind it.
- If a client in the LAN initiates a connection to the outside, the return traffic for this connection will pass through just fine, as it already does on IPv4 (assume NAT is not in use).
- If a server in the LAN needs incoming connections, they will be allowed on a per-port or per-IP basis on the router.
- If one wants to use the OpenWRT router just as a router and not as router+firewall, he can just disable the firewall role globally (all open vs. all closed) and let all traffic pass to the networks behind it.

What is making it more complicated than this?

Regards,
Fernando

On 17/07/2014 09:25, Ondřej Caletka wrote:
> On 16.7.2014 22:41, Gui Iribarren wrote:
>>> I expect that, over time, users will become accustomed to the end-to-end nature of the v6 Internet and may demand that the firewall be open by default, and I would certainly propose that we have a simple checkbox in LUCI that allows the firewall to be changed from all closed except explicitly open ports to all open in one action. At some point we would probably change the default behavior from all closed to all open.
>>
>> What about... at *this* point? :) (i.e. before BB rc2 freeze)
>>
>>> However, for the moment, I would argue that the rightness of following expected behavior is greater than the rightness of delivering the true end-to-end nature of v6.
>>
>> At least Swisscom (according to Baptiste) and TP-Link seem to have solved the dilemma by defining expected behaviour = the true end-to-end nature of v6 :P hurray!
>
> +1 for having default firewall settings somewhat more open. IMO opening incoming connections to TCP/UDP ports greater than 1024, as well as all other protocols that don't use port numbers, would be the best compromise between security and usability.
>
> Blocking ports lower than 1024 should be sufficient to protect legacy stuff with exploitable telnet, SSH or HTTP/S management interfaces, and it would also block unintended file sharing from home NASes using CIFS/NFS/HTTP(S). On the other hand, it would still allow unrestricted flow of P2P traffic, as well as ad-hoc servers in the home network (for instance, I like to share a file by running an ad-hoc HTTP server and sharing a link such as http://[2001:db8:123:456::2]:8080/).
>
> I think that a reasonable default matters, because sometimes you are not able to change the settings of the home router (like when visiting a friend or on a public hotspot). It would be sad if you had to use some sort of VPN or IPv6-over-IPv6 tunnelling just to overcome the firewall.
>
> Cheers!
> Ondřej Caletka
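The two defaults argued over in the last two posts, Fernando's deny-by-default with explicit per-host/per-port exceptions and Ondřej's "block below 1024, open the rest", written out as OpenWrt UCI firewall (fw3) configuration. This is an added illustration, not configuration from the thread or from the OpenWrt project; the rule names and the 2001:db8 server address are placeholders, and Ondřej's variant is left commented out so that only one policy is active at a time.

```uci
# /etc/config/firewall (added illustration, not the thread's or OpenWrt's own file)

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'      # nothing crosses zones unless a rule allows it

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'          # the IPv6 uplink lives in the same zone
	option input 'REJECT'        # Fernando: block any incoming connection on WAN...
	option output 'ACCEPT'
	option forward 'REJECT'      # ...including those addressed to LAN hosts
	option masq '1'              # IPv4 only; for IPv6 conntrack still admits replies

config forwarding
	option src 'lan'
	option dest 'wan'            # LAN-initiated flows go out, replies return via conntrack

# Fernando's model: one explicit per-host, per-port exception for a LAN server
config rule
	option name 'Allow-IPv6-SSH-to-server'
	option src 'wan'
	option dest 'lan'
	option family 'ipv6'
	option proto 'tcp'
	option dest_ip '2001:db8:123:456::2'   # placeholder server address
	option dest_port '22'
	option target 'ACCEPT'

# Ondřej's variant (uncomment to use instead): reject the well-known range,
# then admit everything else from wan6 into lan. fw3 applies rules in config
# order, so the REJECT must come first. Services listening above 1023 (NFS on
# 2049, web management UIs on ports like 8080/8443) then need their own REJECT.
#config rule
#	option name 'Reject-IPv6-low-ports'
#	option src 'wan'
#	option dest 'lan'
#	option family 'ipv6'
#	option proto 'tcp udp'
#	option dest_port '0-1023'
#	option target 'REJECT'
#
#config rule
#	option name 'Allow-IPv6-everything-else'
#	option src 'wan'
#	option dest 'lan'
#	option family 'ipv6'
#	option proto 'all'           # high ports, ICMPv6 and port-less protocols
#	option target 'ACCEPT'
```

After editing, `/etc/init.d/firewall reload` re-reads the file, and `ip6tables -L zone_wan_forward -n` shows the resulting forward-chain rules in order, which is the quickest way to check that the REJECT precedes the catch-all ACCEPT.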
Re: [OpenWrt-Devel] OpenWRT IPv6 firewall
On Thu, Jul 17, 2014 at 03:21:32PM +0100, Fernando Frediani wrote:
> Hello guys,
>
> This discussion is becoming each day more confusing for something which, for me, is very simple assuming the following:
>
> - IPv6, like IPv4, should block *any incoming connection* on the WAN interface, including those directed to the LAN IPs behind it.

As explained before: this is a mostly unavoidable fact for IPv4, because of NAT. Now, if this is avoidable, such as with IPv6, does it have any justification? Does your "should" come from an RFC? From common sense? From a widely accepted practice?

Security comes to mind, but the proposal is *not* about disabling the firewall completely.

As for the usage, any application that is not purely client/server needs to be reachable from the outside. You may want to use peer-to-peer applications (voice chat, video chat, file sharing, etc.) without having to explicitly configure your firewall. Btw, this is why protocols such as UPnP, NAT-PMP, or PCP have been developed.
Re: [OpenWrt-Devel] OpenWRT IPv6 firewall
On Thu, Jul 17, 2014 at 11:23 AM, Baptiste Jonglez bjong...@illyse.org wrote:
> ... without having to explicitly configure your firewall.

And this is the opinion that I, and many others, disagree with. I look at it from the principle of minimizing the worst case scenario.

We could allow all (or some, like ports >1024) incoming traffic by default; the worst case scenario is that the user's machine gets compromised.

We could deny all incoming traffic by default; the worst case scenario is that a peer-to-peer service—which not all users actually use—doesn't work until the user opens up their firewall, either manually or by enabling UPnP/NAT-PMP/PCP.

IMO, the latter is the much less costly scenario, and follows the best security practice of deny-by-default, IETF RFCs notwithstanding.

--
Soren Harward
Re: [OpenWrt-Devel] OpenWRT IPv6 firewall
Hello Baptiste,

Clarifying my point: by "should" I meant "from common sense" and also "from widely accepted practice".

One who may use applications that need to be reachable from outside can adjust the firewall manually to reflect that for the desired ports, which is not a big deal, or even via UPnP, which is even simpler. I would say more: depending on the environment, if a specific user prefers, the firewall in the router can allow any traffic to his IP only and he can control it locally on his machine.

Therefore there are possibilities, and these in my opinion are less costly and more secure to have by default.

Best regards,
Fernando

On 17/07/2014 16:23, Baptiste Jonglez wrote:
> On Thu, Jul 17, 2014 at 03:21:32PM +0100, Fernando Frediani wrote:
>> Hello guys,
>>
>> This discussion is becoming each day more confusing for something which, for me, is very simple assuming the following:
>>
>> - IPv6, like IPv4, should block *any incoming connection* on the WAN interface, including those directed to the LAN IPs behind it.
>
> As explained before: this is a mostly unavoidable fact for IPv4, because of NAT. Now, if this is avoidable, such as with IPv6, does it have any justification? Does your "should" come from an RFC? From common sense? From a widely accepted practice?
>
> Security comes to mind, but the proposal is *not* about disabling the firewall completely.
>
> As for the usage, any application that is not purely client/server needs to be reachable from the outside. You may want to use peer-to-peer applications (voice chat, video chat, file sharing, etc.) without having to explicitly configure your firewall. Btw, this is why protocols such as UPnP, NAT-PMP, or PCP have been developed.
Re: [OpenWrt-Devel] OpenWRT IPv6 firewall
Hi Bill,

On Wednesday, 16 July 2014 at 12:21 -0700, Bill Moffitt wrote:
> All these routers today, of course, necessarily come NATted, meaning no ports are open to the Internet. Users are accustomed to being able to connect their computers to the router's network and be shielded from unwanted intrusions from outside by the NAT firewall.

No. Users are used to things “just working”. They don't know what NAT or a firewall is. They think they are secure because the vendor of their devices did his job well.

Their Skype phone works because it uses some kludge that makes it look like malware from a network security point of view. It is kind of secure because you have allowed only one overlord (Microsoft) to access your machine and your network. You have to trust Microsoft: no layer of firewall or anything (apart from cutting yourself completely off from the Internet) will stop your computer from being tied to the Skype network. So you have to trust them. If you didn't want to be reachable by Skype, just don't use it, and you won't be reachable, even with no firewall at all on your router.

Your game console “just works” because it uses a supplementary protocol (UPnP) that makes incoming connections to your console possible. This doesn't render your console more secure: it would have been the same if you had global reachability and no firewall. It is just a supplementary layer that has only one advantage: software not implementing it can't be globally reachable. So, every piece of software that wants to be reachable has to do so, or it just dies as of yesterday. Every piece of software that does not can just stay as is; with IPv6, they could just have bound to some link-local address: the one bound to a global address would have gotten global reachability “magically”.

[…]

> 1.) In the IPv6 world, the firewall should rightfully migrate from the router to the device, but that transition won't be simultaneous with the availability of v6. For some transitional time, we'll have legacy devices on the network that are v6-capable but not necessarily v6-safe - and consumer-grade users will probably not realize it. At the least, users won't be accustomed to having their printer visible to the whole world and will need time to understand that they need to have strong passwords on their printers, cameras, thermostats, dog feeders, etc. (or explicitly block them)

If the use of such a device is meant to be “local” by default, the manufacturer should somehow restrict its use by default. But printers may have reason to be globally reachable, if one wants to share one between several networks. You can configure it (or your firewall) to restrict its access once you have decided to make it global (as I suggested, I don't think this would be a good default; I hope the manufacturers get it…).

> 2.) I believe that the transition to v6 in the U.S. and Europe is not going to be slow and orderly, but will be sudden and chaotic, driven by emergent demand for some service that arises in a manner that necessitates v6 access.

The demand has been there for decades (IP phones for everybody, anyone?). But I agree that it may be chaotic anyway.

> For that reason, I think that maintaining behavior similar to what consumers see today will be critical in user satisfaction.

The “behavior” casual people are “seeing” today has nothing to do with their device having global IPv6 reachability or not: they just want things to work. One way of having IP phones everywhere is to find more kludges to get through firewalls and pray for nice intermediaries not to mess with your communications (like MS cited above); the other one is to have it basically done at the IP level, with IPv6 and global reachability by default.

> I expect that, over time, users will become accustomed to the end-to-end nature of the v6 Internet and may demand that the firewall be open by default,

No normal people ask for their firewall to be open by default: only geeks do.

> and I would certainly propose that we have a simple checkbox in LUCI that allows the firewall to be changed from all closed except explicitly open ports to all open in one action. At some point we would probably change the default behavior from all closed to all open.

“At some point” being too late.

--
benjamin
[OpenWrt-Devel] OpenWRT IPv6 firewall
I'd like to chime in to this thread as someone who has spent a fair bit of time supporting end users (primarily home and small office users) setting up and using consumer grade routers.

All these routers today, of course, necessarily come NATted, meaning no ports are open to the Internet. Users are accustomed to being able to connect their computers to the router's network and be shielded from unwanted intrusions from outside by the NAT firewall.

I believe the default behavior of an IPv6 consumer-grade router should be the same: all ports blocked. Of course, it seems foolish to have global addressing and then have a router that blocks client devices, but here is my reasoning:

1.) In the IPv6 world, the firewall should rightfully migrate from the router to the device, but that transition won't be simultaneous with the availability of v6. For some transitional time, we'll have legacy devices on the network that are v6-capable but not necessarily v6-safe - and consumer-grade users will probably not realize it. At the least, users won't be accustomed to having their printer visible to the whole world and will need time to understand that they need to have strong passwords on their printers, cameras, thermostats, dog feeders, etc. (or explicitly block them)

2.) I believe that the transition to v6 in the U.S. and Europe is not going to be slow and orderly, but will be sudden and chaotic, driven by emergent demand for some service that arises in a manner that necessitates v6 access. For that reason, I think that maintaining behavior similar to what consumers see today will be critical in user satisfaction.

I expect that, over time, users will become accustomed to the end-to-end nature of the v6 Internet and may demand that the firewall be open by default, and I would certainly propose that we have a simple checkbox in LUCI that allows the firewall to be changed from all closed except explicitly open ports to all open in one action. At some point we would probably change the default behavior from all closed to all open.

However, for the moment, I would argue that the rightness of following expected behavior is greater than the rightness of delivering the true end-to-end nature of v6.

FWIW,
-Bill Moffitt