[AusNOG] Globally Routed IPv6 and Windows Firewall

Joseph Goldman joe at apcs.com.au
Fri Jul 25 13:34:06 EST 2014


I think the concern here though is the real 'dumb' home user. NAT 
provides a level of security for inbound attacks to a Personal Computer 
unless specified in port forwarding, so the users have become accustomed 
to that level of security (even if they don't know about it).

It was a question that came up in my mind earlier this week too, and not 
all modem/routers are featured with firewalls to do this - and with 
pretty much any ISP having to allow BYOD, you can't control if people's 
routers will ever have this feature. For business/managed connections I 
tend to personally go MikroTik routers so they do have the full featured 
firewall, and I would definitely be setting up rules for IPv6 once we 
start our end-user roll-out, but I can't control residential customer 
xyz's JB Hi-Fi bought D-Link, and I don't really want the helpdesk 
flooded with calls about attacks and viruses either.

The only comfort that I got was that IPv6 is so vast that brute-forcing 
seems illogical and unlikely to net many results. I will be interested 
to see others' opinions on the matter :)

On 25/07/14 13:20, Damien Gardner Jnr wrote:
> What I do (and we do at work) is run stateful firewalling on the 
> home/office router, and don't allow inbound traffic on v6 unless it's 
> for an established session.   Same as we did all those years ago when 
> our homes/offices had a public /24 (We all had that at home right? ;) 
> ).   It's certainly not a new problem :)
>
> Cheers,
>
> DG
>
>
> On 25 July 2014 13:11, Greg Anderson <ganderson at raywhite.com> wrote:
>
>     Good day Ladies and Gentlemen!
>
>     I had a quick question because try as I might, anybody I have
>     asked this question to so far (and Google) have been unable to
>     answer the question for me.
>
>     With the deployment of a dual stack IPv6 solution either in a
>     corporate or residential environment, I expect most users would
>     have a single NIC in most cases.
>
>     For Windows firewall, IPv4 addresses in common cases are not
>     globally routed addresses that often have less restrictive
>     firewall rules and services running on them (e.g. SNMP, File/Printer
>     sharing, RDP, Homegroup etc.).  In these cases, some would often
>     use "Domain" or "Private" firewall profiles on these NICs.
>
>     With the deployments of IPv6, they will also have link-local IPv6
>     addresses (fine as they are not globally routed either obviously),
>     and at some point many will have a globally routed IPv6 address.
>     So this means, for a given NIC, you will now have:
>
>     - IPv4 Reserved address for Private local networking
>     - IPv6 Reserved address for Private local networking
>     - IPv6 Globally routed address (and possibly a second temporary
>     address)
>
>     Suddenly when the deployment of globally routed IPv6 addresses
>     happens: because the NIC has a private profile there are suddenly
>     private services exposed to the Internet.  (Let's put our tin foil
>     hat on and ignore the difficulties of brute-force scanning an IPv6
>     subnet).
>
>     Option 1 is obvious - change your NIC's network type to public,
>     and if you don't want everything to break reconfigure all your
>     rules to permit traffic only from link-local addresses (i.e. a
>     real pain in the _)
>
>     Is there an option 2?  Ideally, I would like the public ranges to
>     be automatically detected (or specifically reconfigurable) as a
>     globally routed IP address range and therefore to be able to apply
>     multiple profiles (Public and Private/Domain) to a single NIC.
>
>     I am considering this from a residential dumb end user perspective
>     as well as enterprise - so whilst I would like a technical
>     solution (and I am aware those of us smart enough can still
>     firewall at the edge just like we do today) - many residential
>     users will not have these skills - they are likely to really open
>     themselves up.  So I am interested to see if I am missing
>     something very obvious...
>
>     Thoughts?
>
>     - Greg
>
>     _______________________________________________
>     AusNOG mailing list
>     AusNOG at lists.ausnog.net
>     http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
>
>
> -- 
>
> Damien Gardner Jnr
> VK2TDG. Dip EE. GradIEAust
> rendrag at rendrag.net - http://www.rendrag.net/
> --
> We rode on the winds of the rising storm,
>  We ran to the sounds of thunder.
> We danced among the lightning bolts,
>  and tore the world asunder
>
>
>
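Added example, not part of the thread and not anybody's production code: a PowerShell script for the Windows side of what Greg calls "option 1". Rather than flipping the NIC to the Public profile, it first lists the host's non-link-local, non-ULA IPv6 addresses (the ones that are actually reachable from outside), then lists the inbound allow rules enabled for the Private or Domain profile whose remote address scope is "Any", and with -Fix narrows those rules to the LocalSubnet keyword so a globally routed IPv6 address on the same NIC no longer exposes them to off-link hosts. It assumes the NetSecurity module (Windows 8 / Server 2012 or later) and an elevated session; the -Fix switch and the script layout are my own.

```powershell
# Added example (not from the AusNOG thread). Audits, and optionally
# narrows, Windows Firewall inbound rules that a globally routed IPv6
# address would otherwise expose. Assumes Windows 8 / Server 2012 or
# later (NetSecurity module) and an elevated PowerShell session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Without -Fix the script only reports; with -Fix it rescopes rules.
    [switch]$Fix
)

# 1. Which IPv6 addresses on this host are globally reachable at all?
#    Link-local (fe80::/10), ULA (fc00::/7) and loopback are skipped;
#    whatever is left is what the rest of the Internet can address.
$globalV6 = Get-NetIPAddress -AddressFamily IPv6 -AddressState Preferred |
    Where-Object { $_.IPAddress -notmatch '^(fe80:|f[cd][0-9a-f]{2}:|::1$)' } |
    Select-Object InterfaceAlias, IPAddress, PrefixOrigin, SuffixOrigin

"Globally routed IPv6 addresses on this host:"
$globalV6 | Format-Table -AutoSize

# 2. Inbound allow rules enabled for the Private or Domain profile.
#    Rules with Profile 'Any' are left alone: they already apply to
#    Public, so the operator has (knowingly or not) accepted that.
$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.Profile -match 'Private|Domain' }

# 3. Of those, keep the ones with no remote address restriction.
#    'Any' (or an empty RemoteAddress list) means any source, including
#    a global IPv6 peer once the NIC has a global address.
$exposed = foreach ($rule in $rules) {
    $addr   = $rule | Get-NetFirewallAddressFilter
    $remote = @($addr.RemoteAddress)
    if ($remote.Count -eq 0 -or $remote -contains 'Any') {
        $port = $rule | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name          = $rule.Name
            DisplayName   = $rule.DisplayName
            Profile       = $rule.Profile
            Protocol      = $port.Protocol
            LocalPort     = (@($port.LocalPort) -join ',')
            RemoteAddress = ($remote -join ',')
        }
    }
}

"Private/Domain inbound allow rules open to any remote address:"
$exposed | Format-Table -AutoSize

# 4. Optionally confine each such rule to the local subnet. LocalSubnet
#    covers every on-link prefix of the interface (including the LAN's
#    own global /64), so same-segment hosts still work, but off-link
#    sources are dropped. Honours -WhatIf / -Confirm.
if ($Fix) {
    foreach ($r in $exposed) {
        if ($PSCmdlet.ShouldProcess($r.DisplayName, 'Restrict RemoteAddress to LocalSubnet')) {
            Set-NetFirewallRule -Name $r.Name -RemoteAddress 'LocalSubnet'
        }
    }
}
```

Run it without -Fix first and read the report: a rule for a service you deliberately publish should stay wide, and the fix should then be limited to the rules you name. LocalSubnet rather than fe80::/10 is used because two hosts on the same LAN will normally talk over their global addresses once those exist (RFC 6724 source selection prefers a source whose scope matches the destination), so a link-local-only scope would break exactly the sharing the Private profile is meant to allow. None of this replaces the stateful filtering at the router that Damien describes; it only stops a Private profile from silently becoming a global one.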
