Friday, January 23, 2009

Consumer Router & IPv6 == Firewall FAIL

I'm using a Linksys wrt610n router (let's call it Eve) at home at the moment and noticed, upon upgrading, that my home server suddenly had IPv6 connectivity to the world. Apparently Eve supports IPv6, neat! Nowhere in its admin interface are there any settings to control IPv6 behavior.

What does this mean?

Eve has handed out a 6to4 IPv6 address to my internal hosts and is routing IPv6 traffic, encapsulated in IPv4, to the 6to4 anycast address 192.88.99.1. My current ISP, Comcast, is happily routing this to a 6to4 router. So I have IPv6 connectivity at home. yay... but wait.

Big Trouble In Little Router

Realizing that I had an IPv6 address visible to the world it dawned on me to ask, "hey, what happens to inbound connections? Is there a firewall?".

So I tested it from an IPv6 enabled host at work. Turns out there was no firewall. The entire world (err, the entire 0.01% of it that speaks IPv6 anyways) could connect to my internal file and print servers (samba and cups) among other things. Eek. I solved that by altering the configuration of those servers for now. I really should also configure a firewall on the system to limit what is allowed in.

Cisco (Linksys): The default configuration for any router claiming to be a firewall should be to block inbound IPv6 connections, given that the router supports IPv6. Second, the IPv6 firewall should obey the existing port forwarding settings, using the associated 6to4 address, so that port forwarding works the same regardless of IPv4 or IPv6.
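To make the two recommendations concrete, here is an added example (not the router's firmware or any vendor code) that derives the 6to4 prefix a router builds from its public IPv4 address, decodes the IPv4 embedded in a 6to4 address, and renders an nftables ruleset with a default-drop inbound policy plus one accept rule per existing port-forward entry. The interface names, the forward list and the sample addresses are constructed assumptions.

```python
import ipaddress

SIX_TO_FOUR_RELAY = "192.88.99.1"  # 6to4 anycast relay address (RFC 3068)
SIX_TO_FOUR_BLOCK = ipaddress.IPv6Network("2002::/16")
# Address ranges a 6to4 router must never embed (private, CGNAT, loopback, link-local).
_NON_ROUTABLE = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]


def six_to_four_prefix(wan_ipv4: str) -> ipaddress.IPv6Network:
    """Return the 2002:VVVV:WWWW::/48 prefix derived from a public IPv4 address."""
    v4 = ipaddress.IPv4Address(wan_ipv4)
    if any(v4 in net for net in _NON_ROUTABLE):
        raise ValueError(f"{wan_ipv4} is not publicly routable; 6to4 needs a public address")
    hi, lo = divmod(int(v4), 1 << 16)  # split the 32-bit IPv4 into two 16-bit groups
    return ipaddress.IPv6Network(f"2002:{hi:04x}:{lo:04x}::/48")


def embedded_ipv4(addr: str):
    """Return the IPv4 address embedded in a 6to4 address, or None if addr is not 6to4."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in SIX_TO_FOUR_BLOCK:
        return None
    # Bits 16..47 (counted from the top of the 128-bit address) hold the IPv4 address.
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def render_nft_ruleset(wan_ipv4, forwards, wan_if="tun6to4", lan_if="br0"):
    """Render an ip6 nftables forward chain: drop inbound by default, allow LAN-originated
    traffic and replies, and accept only the (proto, port, lan_ipv6) port-forward entries.
    Each forwarded host must sit inside the router's own 6to4 /48."""
    prefix = six_to_four_prefix(wan_ipv4)
    lines = [
        "table ip6 sixtofour_fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f'    iifname "{lan_if}" accept',
    ]
    for proto, port, host in forwards:
        host_v6 = ipaddress.IPv6Address(host)
        if host_v6 not in prefix:
            raise ValueError(f"{host} is outside the router's 6to4 prefix {prefix}")
        lines.append(f'    iifname "{wan_if}" ip6 daddr {host_v6} {proto} dport {port} accept')
    lines += ["  }", "}"]
    return "\n".join(lines)
```

The returned text can be loaded with `nft -f` on a Linux router; the decoder is also handy for spotting 6to4 addresses in your own logs, since their embedded IPv4 tells you which public address the traffic really came through.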

Stupid Network Admins In Giant ISP

Comcast is routing the 6to4 anycast 192.88.99.1 traffic to a 6to4 tunnel exit node in Amsterdam. Yes, that's right. My IPv6 traffic on Comcast in California is taking an additional 150ms round trip across the Atlantic Ocean to reach a local data center (he.net), wasting transatlantic bandwidth and making the user experience (i.e. latency) of most things on IPv6 painful.

Comcast: Stop routing around the world! There are local IPv6 6to4 gateways all around the world. Better yet, set up your own. I realize native IPv6 on cable modem service is a long way off, likely waiting for DOCSIS 3.0 deployment, but that's no reason to make the experience of IPv6 users suck by default. End users should not need to know anything about IPv6; it should just work. Adding 150ms latency is horrible and will make customers hate you, and your customer support will not have a clue how to fix their problems.


P.S. I do not recommend the Linksys wrt610n. It has horrible signal strength compared to anything with external antennas.

3 comments:

Unknown said...

Are you using NAT?

IPv6 doesn't support NAT, in that you're not supposed to use it. Host-level firewalls are the only recourse, because, frankly, relying entirely on the firewall is dumb. :-)

Comcast's routing is probably accidental. They use IPv6 themselves, to talk to their central management, and probably don't intend to give customers IPv6 routing to the rest of the world.

Bill Fenner said...

You don't have a NAT/Firewall box; you have a NAT box which comes with a free accidental firewall. However, "accidental due to the architecture of NAT" probably didn't fit on the box.

Unknown said...

Accidental or not, it's the behavior people have come to depend on for the past decade, most without even realizing it (consumers are not technical).

For that reason I suggest a default of blocking inbound connections for IPv6 is the right behavior.

That is probably bad for the internet as it discourages easy P2P traffic, but I expect it's what will happen. Here's to hoping I'm wrong.