[LINK] home routers, security, privacy, zero config, IPv6 and NAT or no NAT
Karl Auer
kauer at biplane.com.au
Fri May 13 10:56:31 AEST 2011
On Fri, 2011-05-13 at 08:51 +1000, Kim Holburn wrote:
> The current crop of consumer home modem/routers can be very easy to
> configure and maintain some base level of security. In some countries
> you don't even get to configure them. They come with a random
> password set by the ISP and they log in to your ADSL account
> automatically.
That, at least, won't change. That is, if an ISP is supplying the
customer with a preconfigured ADSL router/modem, they can set everything
up so that the customer doesn't need to touch anything; the unit will
work out of the box with no additional configuration required. Whether
such configurations are good, sufficient or secure is another question,
but it's not an IPv6 question.
> Consumer modem/routers get their public (or a valid) IP from the ISP
> and they have a subnet of valid IPs that they give out to home
> devices. Anyone can connect to them, get a valid IP and connect to
> the internet. Unique details of their home machines, like their MAC
> Address, things that could identify their machines are not given out
> *by the router*.
That last bit is the likeliest to change. Whether the change is for the
good or not is still under vigorous debate.
For home machines, giving out your MAC address isn't really a privacy
issue, as most home machines belong to a very small group indeed, often
a group of one, and they are just as easily identified via the outside
address of the NAT router as they would be by the inside address of the
host. This is less of an issue for people that are doubly or triply
NATted - of course they pay for that in other ways, like crap
performance and an inability to use some protocols.
For *mobile* machines it's a different matter, because with normal
autoconfiguration, the host will always have an address with the same
lower 64 bits, wherever it is in the world. That really is a tracking
problem.
IPv6 provides a feature called "privacy addressing", where instead of a
host autoconfiguring an address based on its MAC address, the host
autoconfigures a random address within the given prefix. Not only that,
the address can be set to change regularly.
This latter feature only addresses the second issue (mobile hosts),
because the prefix you get from your ISP is unlikely to change. That's
generally a good thing, like having a static address, but it means the
aforementioned very small group of computers can be identified by their
prefix. That is no different to the IPv4 situation, where the small
group of computers can be identified by their outside NAT address.
All of this assumes the use of SLAAC (autoconfiguration). If you use
DHCPv6 instead, you avoid all those issues, because you are no longer
using addresses that contain your MAC address.
It seems likely to me that most home kit will support both - SLAAC
because it has to, and DHCPv6 partly because of the privacy thing and
partly because it can deliver nameserver information. That latter point
is probably about to change with RFC 6106 (DNS info via RA) reaching
standards track.
> Someone can stuff up the config and as long as it still works, it's
> still likely to block most incoming stuff due to NAT.
This is a bit of a myth. Make a mistake with the so-called DMZ that most
home routers have, and you will forward all packets to your home
computer, unchecked and unchallenged. Make a mistake with port
forwarding (most home routers can forward port ranges) and you get the
same.
That is, there are some misconfigurations where NAT will still block
most incoming packets, but there are plenty - not even particularly
tricky ones - where you will still leave yourself open.
We really have had this discussion about NAT and security already, and I
urge you to visit the archives.
> The ISP doesn't get any control over what you have behind your
> modem/router. Maybe not even any knowledge of it. How many devices,
> how large your home network is, no-one else knows. You didn't have to
> get your subnet range from anyone.
We will almost certainly return to the days where every network gets
publicly routable address space, and the address space you get will be
supplied by the ISP.
That doesn't mean you will have to publicly route it! It can be blocked
at the home router as firmly as you wish. I imagine that the
standard/default rules will be similar to my current rules - allow
anything out, allow established and related back in, allow nothing else
in. That's pretty much what NAT gives you unless you have set up a DMZ
or port forwarding.
> Would any system of giving out IPv6 Addresses cope with the sheer
> mass of home network users? Would it add to the cost of a home
> network? Would they even understand what to ask for and how then to
> configure a device? Would that have to be done by the ISP? Would
> that be a loss of privacy?
No, no, no, no, and no :-)
The handing out of address space would be done via DHCPv6-PD - prefix
delegation, i.e., would be automated. As most ISPs have everything
automated now.
IPv6 addresses are extremely cheap and likely to remain so. I am sure
there will be some ISPs that try to make a quick buck by selling them;
they will stop doing that because it is too easy to compete by offering
them for free.
Home customers will not need to know what to ask for; this can all be
automated in the home network just as it is now, with addresses either
being handled via autoconfiguration or by DHCPv6.
No, the ISP will not have to set up the home users' CPE (though as now,
they could).
Privacy will not be affected by the ISP's involvement, if they are
involved at all. The ISP hands out a prefix, but does not have any
control over how it is used. Obviously an ISP is best placed to snoop on
its customers' traffic, but that is no different for IPv6 than for IPv4.
> So, are home routers with these sort of privacy and security
> capabilities possible with IPv6? Available?
Yes - sort of. The book is still being written on home CPE and IPv6
(actually it's still being written even on high-end kit and IPv6). There
are several models available now that will do all of this stuff.
> How would they work?
See above?
On the privacy front, don't forget that IPv6 offers things that you
don't have now with IPv4. End to end transparency opens the possibility
of doing truly peer-to-peer stuff, without people like Skype in the
middle, for example. But that's another discussion :-)
Regards, K.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au) +61-2-64957160 (h)
http://www.biplane.com.au/kauer/ +61-428-957160 (mob)
GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
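
Added example, not part of the message above: a Python sketch of the tracking issue it describes, where a MAC-derived SLAAC address keeps the same lower 64 bits on every network, and a check that recovers the MAC from such an address. The MAC, the two prefixes and all function names are constructed for illustration; `random_iid` is a simplified stand-in for privacy addressing, not the standardised algorithm.

```python
import ipaddress
import secrets
from typing import Optional

LOW64 = (1 << 64) - 1

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier built from a 48-bit MAC (RFC 4291, App. A)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between the two halves.
    return int.from_bytes(bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:], "big")

def random_iid() -> int:
    """Random lower 64 bits (assumption: simplified stand-in for privacy addressing)."""
    while True:
        iid = secrets.randbits(64)
        if (iid >> 24) & 0xFFFF != 0xFFFE:  # never look EUI-64 shaped by chance
            return iid

def slaac_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC uses a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | (iid & LOW64))

def embedded_mac(addr) -> Optional[str]:
    """MAC recoverable from an address's lower 64 bits, or None if not EUI-64 shaped."""
    iid = (int(ipaddress.IPv6Address(addr)) & LOW64).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

# Constructed sample values: documentation MAC (RFC 7042) and prefixes (RFC 3849).
MAC = "00:00:5e:00:53:01"
HOME, CAFE = "2001:db8:aaaa:1::/64", "2001:db8:bbbb:2::/64"

if __name__ == "__main__":
    for prefix in (HOME, CAFE):
        stable = slaac_address(prefix, eui64_iid(MAC))
        private = slaac_address(prefix, random_iid())
        print(f"{prefix:24} stable={stable} mac={embedded_mac(stable)}")
        print(f"{'':24} random={private} mac={embedded_mac(private)}")
```

Running `embedded_mac` over the addresses a host actually holds is a quick audit for whether it is still advertising a MAC-derived identifier; the `ff:fe` test is a heuristic on the address layout only.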