IPv6-PMP?



On Mar 29, 2007, at 10:25, james woodyatt wrote:
> I'd like to assure the working group that I'll make the appropriate
> recommendations to decision makers at Apple about how to proceed in
> compliance with the recommendations of the IETF.

I have an update about this.  Today, Apple released the following  
article "About the security content of Firmware Update 7.1 for  
AirPort Extreme Base Station with 802.11n"
	<http://docs.info.apple.com/article.html?artnum=305366>

Here's the relevant section:
> CVE-ID: CVE-2007-1338
>
> Available for: AirPort Extreme Base Station with 802.11n*
>
> Impact: AirPort Extreme Base Station with 802.11n* allows incoming IPv6 connections
>
> Description: The default configuration of an AirPort Extreme Base
> Station with 802.11n* allows incoming IPv6 connections. This may
> expose network services on hosts connected through an AirPort
> Extreme Base Station with 802.11n* to remote attackers. This
> update addresses the issue by changing the default setting to
> limit inbound IPv6 traffic to the local network. This issue only
> affects AirPort Extreme Base Station with 802.11n*, and not other
> versions of the Base Station.
> [...]

I'm still a little unclear about the rational arguments in favor of this behavior, but I've learned to stop asking dumb and annoying questions and to just do my job.

One concern I've been asked to think about is that the product  
doesn't offer any mechanism for nodes on the leaf network to request  
the opening of a pinhole in the stateful packet filter.  This  
function is performed in the IPv4 case by NAT-PMP (which Apple has  
tried to advance within IETF without much success), but there is no  
equivalent function for IPv6.  This was a deliberate decision on our  
part, but now we're left reconsidering it.

I know the world's experts on IPv6 operations are regular  
participants here, so I'm hoping the group will provide me with the  
clue that I'm trying desperately to catch.

As far as I know, there is no current or pending IETF standard for  
nodes to use in requesting open pinholes through the stateful packet  
filter in a residential IPv6 gateway.  In light of the IETF consensus  
noted earlier in this thread, doesn't that seem like a serious  
oversight?  Isn't this function something that rightfully belongs in  
ICMP6?  If not, do we really think extending NAT-PMP and UPnP IGD to  
support IPv6 network boundary filters is a good idea?  (A month ago,  
I would have found that hard to believe, but I've made some  
embarrassing mistakes lately, so I'm gun-shy about what I don't  
believe anymore.)

Incidentally, for those interested in the IPv6 behavior of this  
product, be advised that most IPv6 applications won't work in the  
default mode, i.e. with the stateful packet filter turned on.  For  
example, active mode FTP from the leaf network won't work, because  
the inbound TCP connection for the data will be blocked by the  
filter.  We haven't written any application layer gateways for the  
IPv6 filter in the AirPort Extreme base station, so things like SIP,  
RTSP, IPsec/IKE, etc. simply will not work at all.  I can't say when  
enhancements to support any of those application protocols will be  
available.  They'll have to be written one by one, and until  
recently, we mistakenly thought that the whole point of IPv6 was to  
make that unnecessary.  (Yeah, that'll teach me not to stay abreast  
of developments in the IETF.)

--
j h woodyatt <jhw@apple.com>
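
Added example, not part of the original message and not Apple's firmware code: a toy Python model of the default-deny inbound stateful filter described above, showing why the active-mode FTP data connection is dropped and how either a host-requested pinhole or an FTP application layer gateway would admit it. The addresses, port numbers, class and function names are constructed for illustration; the pinhole request and the ALG are hypothetical, since the message says the product has neither for IPv6.

```python
import ipaddress
import re

# Constructed sample addresses (RFC 3849 documentation prefix), not from the message.
LAN_HOST = "2001:db8:1::10"
FTP_SERVER = "2001:db8:ffff::21"

class StatefulFilter:
    """Toy model of a default-deny inbound filter on a residential IPv6 gateway."""
    def __init__(self, alg_enabled=False):
        self.flows = set()      # 5-tuples of flows initiated from the leaf network
        self.pinholes = set()   # (proto, lan_addr, lan_port) explicitly opened
        self.alg_enabled = alg_enabled

    def outbound(self, proto, src, sport, dst, dport, payload=""):
        """Packet from the leaf network: always allowed, and creates state."""
        self.flows.add((proto, src, sport, dst, dport))
        if self.alg_enabled and proto == "tcp" and dport == 21:
            self._ftp_alg(src, payload)
        return True

    def inbound(self, proto, src, sport, dst, dport):
        """Packet from outside: allowed only as a reply or through a pinhole."""
        is_reply = (proto, dst, dport, src, sport) in self.flows
        return is_reply or (proto, dst, dport) in self.pinholes

    def open_pinhole(self, proto, lan_addr, lan_port):
        """Hypothetical action a host-driven request protocol would trigger."""
        self.pinholes.add((proto, lan_addr, lan_port))

    def _ftp_alg(self, src, payload):
        # Hypothetical ALG: parse RFC 2428 "EPRT |2|<ipv6 addr>|<port>|" (2 = IPv6).
        m = re.match(r"EPRT \|2\|([0-9A-Fa-f:]+)\|(\d{1,5})\|\s*$", payload)
        if not m:
            return
        try:
            same_host = ipaddress.ip_address(m.group(1)) == ipaddress.ip_address(src)
        except ValueError:
            return
        # Only open a pinhole toward the host that sent the command itself.
        if same_host and 1024 <= int(m.group(2)) <= 65535:
            self.open_pinhole("tcp", src, int(m.group(2)))

def active_ftp_data_allowed(fw):
    """Control connection out, EPRT sent, then the server connects back from port 20."""
    fw.outbound("tcp", LAN_HOST, 40000, FTP_SERVER, 21)
    fw.outbound("tcp", LAN_HOST, 40000, FTP_SERVER, 21, f"EPRT |2|{LAN_HOST}|50000|\r\n")
    return fw.inbound("tcp", FTP_SERVER, 20, LAN_HOST, 50000)
```

`active_ftp_data_allowed(StatefulFilter())` returns `False`, matching the behavior described in the message; it returns `True` only when a pinhole for the data port exists, whether opened by request or by the ALG.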