Again we're talking about manufacturers not paying attention to it.  It's pretty standard for a home router to have a default set of firewall rules /in addition/ to NAT.  The fact that they didn't bother to have a default set of IPv6 rules isn't a flaw in the protocol itself.

On 12/15/2021 11:09 AM, Matt Hoppes wrote:
Exactly why we NAT on IPv4 for all residential connections.  The end user is not capable of protecting their home network properly.  Nothing gets in unless it's explicitly requested.

I know NAT is not a firewall in and of itself, but the simple process of using NAT at the end user CPE stops a ton of trouble from devices getting compromised.

If we were to implement IPv6 to the end users we would throw up a "block all inbound traffic", so what did we really accomplish? IPv6 is flawed in so many ways.

On 12/14/21 1:30 PM, dmmoff...@gmail.com wrote:
Yes the firewall thing is a /glaring/ hole especially since you’re giving out public IP space to everything.

I wonder how many internet enabled refrigerators and ovens have log4j libraries.

*From:* Jesse DuPont <jesse.dup...@celeritycorp.net>
*Sent:* Tuesday, December 14, 2021 11:49 AM
*To:* AnimalFarm Microwave Users Group <af@af.afmug.com>; dmmoff...@gmail.com
*Subject:* Re: [AFMUG] IPv6 in home routers

I have done (somewhat) comprehensive testing of consumer routers and IPv6. You're right, Cambium/ReadyNet's implementation is either not functional or buggy (like, sometimes fails to announce itself as a gateway to the LAN). Mikrotik is great, but does take a few steps. Calix's support for IPv6 is solid and reliable. Netgear and Asus also have good IPv6 support, but it must be enabled. If doing DHCP, just enabling it with Auto Config is sufficient most of the time. If PPPoE, you need to specify it's PPPoE and then to use the same session as IPv4. Linksys also generally has working IPv6 support, although the older stuff (3+ years) is a little spotty.

When I say working IPv6 support, I mean that they request a prefix via DHCP-PD, install that prefix on the LAN side and start announcing it to the LAN for SLAAC addressing. Most of them except Mikrotik seem to also require a global address via SLAAC on their WAN ports. So in my implementation, I have a SLAAC prefix on the subscriber router network from my equipment, and DHCP-PD running, and the routers assign themselves a global address from the SLAAC prefix on their WAN ports and the DHCP-PD prefix on their LAN side. I guess they use the WAN address for things like DNS queries (for themselves and when they're doing DNS proxy). Mikrotik will use any global address for things like DNS queries, even an address on its LAN side.

I'll also say that it seems the IPv6 firewall is not enabled on about half of what I tested. Maybe it's better now, but even Mikrotik today doesn't have a standard set of consumer-router IPv6 firewall rules, at least not in RouterOS v6 or earlier. Maybe they do in v7.



*Jesse DuPont*

Owner / Network Architect
email: jesse.dup...@celeritycorp.net <mailto:jesse.dup...@celeritycorp.net>
Celerity Networks LLC / Celerity Broadband LLC
Like us! facebook.com/celeritynetworksllc

Like us! facebook.com/celeritybroadband

On 12/13/21 2:51 PM, dmmoff...@gmail.com <mailto:dmmoff...@gmail.com> wrote:

    I was doing some testing on our dual stack FTTX network.

    I grabbed a CnPilot R201P off the shelf.  IPv6 was disabled by
    default.  You had to enable it in 3 different places and even after
    following the guides on Cambium’s site the prefix delegation seems
    to not really work.

    I grabbed an AirCube... no IPv6 support at all.  It’s supported in
    the underlying OS, but not in the GUI.  Ubiquiti support says it’s
    coming, but they’ve been saying that for 2 years +.

    I grabbed a Mikrotik... works perfectly fine, but setup is beyond
    what any consumer is going to do.  If I’m quibbling, it doesn’t
    support stateful DHCP assignments from a delegated prefix. That’s
    not too big of a deal.

    Out of 3 routers I have close at hand, one is a faulty implementation,
    one is not implemented at all, and one is too hard for normal people.

    So when people run out to the store and get a Netgear, Asus, or
    whatever router off the shelf is it hit-or-miss with those too?  I
    guess I naively assumed that 25 years after IPv6 was created that
    we’d have working implementations by now.
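Putting the pieces of the thread together (DHCP-PD on the WAN, a SLAAC global address for the router's own WAN port, the delegated /64 advertised to the LAN, and the "block all inbound" filter that Mikrotik does not ship by default), here is what a minimal consumer-CPE-style RouterOS v6 configuration looks like. This is an added example written for this page, not configuration posted by anyone in the thread or shipped by MikroTik; the interface names ether1 (WAN) and bridge (LAN), the pool name pd-pool, and the exact set of accepted ICMPv6 are assumptions. The filter is stateful: it allows established/related traffic and ICMPv6 in both directions, explicitly allows the DHCPv6 replies the PD client needs, and drops everything else that arrives unsolicited from the WAN, which is the IPv6 equivalent of the protection people attribute to IPv4 NAT.

```routeros
# --- WAN side: SLAAC address for the router itself + DHCPv6 prefix delegation ---
# (interface names and pool name are assumptions for this example)
/ipv6 settings set accept-router-advertisements=yes
/ipv6 dhcp-client add interface=ether1 request=prefix pool-name=pd-pool \
    pool-prefix-length=64 add-default-route=yes use-peer-dns=yes

# --- LAN side: carve a /64 out of the delegated prefix and announce it via RA ---
/ipv6 address add address=::1/64 from-pool=pd-pool interface=bridge advertise=yes
/ipv6 nd set [find default=yes] interface=bridge advertise-dns=yes

# --- IPv6 firewall: stateful default-deny from the WAN ---
# Do NOT blanket-drop ICMPv6: neighbor discovery, router advertisements and
# packet-too-big (PMTUD) all ride on it, and IPv6 stops working without them.
/ipv6 firewall filter
# Traffic to the router itself
add chain=input action=accept connection-state=established,related comment="replies to our own traffic"
add chain=input action=drop   connection-state=invalid
add chain=input action=accept protocol=icmpv6 comment="ND, RA, PMTUD, echo"
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 \
    comment="DHCPv6 replies to the PD client (multicast solicit, so conntrack does not help)"
add chain=input action=accept in-interface=bridge comment="LAN may manage the router"
add chain=input action=drop   in-interface=ether1 comment="everything else from the WAN"

# Traffic through the router (LAN <-> Internet)
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop   connection-state=invalid
add chain=forward action=accept protocol=icmpv6
add chain=forward action=accept in-interface=bridge comment="LAN initiates outbound freely"
add chain=forward action=drop   in-interface=ether1 comment="no unsolicited inbound to LAN hosts"
```

To check that delegation actually worked, look at `/ipv6 dhcp-client print` (status should be `bound`), `/ipv6 pool print` and `/ipv6 address print`; to check that the filter does what you think, watch the counters with `/ipv6 firewall filter print stats` while probing a LAN host's global address from outside (for example `nmap -6` from a host on another network). If you want a single LAN device reachable from the Internet, add an explicit `chain=forward action=accept dst-address=<host>/128 dst-port=...` rule above the final drop rather than loosening the defaults.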



-- 
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com