
IPv6-PMP?



On Mar 29, 2007, at 10:25, james woodyatt wrote:

> I'd like to assure the working group that I'll make the appropriate recommendations to decision makers at Apple about how to proceed in compliance with the recommendations of the IETF.

I have an update about this. Today, Apple released the following article "About the security content of Firmware Update 7.1 for AirPort Extreme Base Station with 802.11n"

	<http://docs.info.apple.com/article.html?artnum=305366>

Here's the relevant section:
CVE-ID: CVE-2007-1338

Available for: AirPort Extreme Base Station with 802.11n*

Impact: AirPort Extreme Base Station with 802.11n* allows incoming IPv6 connections

Description: The default configuration of an AirPort Extreme Base Station with 802.11n* allows incoming IPv6 connections. This may expose network services on hosts connected through an AirPort Extreme Base Station with 802.11n* to remote attackers. This update addresses the issue by changing the default setting to limit inbound IPv6 traffic to the local network. This issue only affects AirPort Extreme Base Station with 802.11n*, and not other versions of the Base Station.

[...]
I'm still a little unclear about the rational arguments in favor of this behavior, but I've learned to stop asking dumb and annoying questions and to just do my job.

One concern I've been asked to think about is that the product doesn't offer any mechanism for nodes on the leaf network to request the opening of a pinhole in the stateful packet filter. This function is performed in the IPv4 case by NAT-PMP (which Apple has tried to advance within IETF without much success), but there is no equivalent function for IPv6. This was a deliberate decision on our part, but now we're left reconsidering it.

I know the world's experts on IPv6 operations are regular participants here, so I'm hoping the group will provide me with the clue that I'm trying desperately to catch.

As far as I know, there is no current or pending IETF standard for nodes to use in requesting open pinholes through the stateful packet filter in a residential IPv6 gateway. In light of the IETF consensus noted earlier in this thread, doesn't that seem like a serious oversight? Isn't this function something that rightfully belongs in ICMP6? If not, do we really think extending NAT-PMP and UPnP IGD to support IPv6 network boundary filters is a good idea? (A month ago, I would have found that hard to believe, but I've made some embarrassing mistakes lately, so I'm gun-shy about what I don't believe anymore.)

Incidentally, for those interested in the IPv6 behavior of this product, be advised that most IPv6 applications won't work in the default mode, i.e. with the stateful packet filter turned on. For example, active mode FTP from the leaf network won't work, because the inbound TCP connection for the data will be blocked by the filter. We haven't written any application layer gateways for the IPv6 filter in the AirPort Extreme base station, so things like SIP, RTSP, IPsec/IKE, etc. simply will not work at all. I can't say when enhancements to support any of those application protocols will be available. They'll have to be written one by one, and until recently, we mistakenly thought that the whole point of IPv6 was to make that unnecessary. (Yeah, that'll teach me not to stay abreast of developments in the IETF.)


--
j h woodyatt <jhw@apple.com>
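
A small model of the stateful filter behavior described in the message above, added here as an illustration; it is not part of the original post and is not Apple's firmware. Outbound flows create state, unsolicited inbound packets are dropped, and a hypothetical `open_pinhole` request (the thread names no such IPv6 mechanism) lets the active-mode FTP data connection through. All addresses and ports are constructed from the 2001:db8::/32 documentation prefix.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network

LEAF = IPv6Network("2001:db8:1::/64")  # constructed leaf-network prefix


@dataclass
class StatefulFilter:
    flows: set = field(default_factory=set)     # 5-tuples seen leaving the leaf network
    pinholes: set = field(default_factory=set)  # (inside host, proto, port)

    def open_pinhole(self, host, proto, port):
        """Hypothetical request from a leaf node (assumed API, not a real protocol)."""
        if IPv6Address(host) not in LEAF:
            raise ValueError("pinholes may only target leaf-network hosts")
        self.pinholes.add((host, proto, port))

    def check(self, proto, src, sport, dst, dport):
        """Return True if the packet is forwarded, False if it is dropped."""
        if IPv6Address(src) in LEAF:
            # Outbound: allowed, and state is recorded so replies can return.
            self.flows.add((proto, src, sport, dst, dport))
            return True
        # Inbound: only replies to a recorded flow, or traffic to a pinhole.
        if (proto, dst, dport, src, sport) in self.flows:
            return True
        return (dst, proto, dport) in self.pinholes


def active_ftp_demo():
    """Walk an active-mode FTP session through the filter."""
    fw = StatefulFilter()
    client, server = "2001:db8:1::10", "2001:db8:ffff::21"  # constructed hosts
    control_out = fw.check("tcp", client, 50000, server, 21)
    control_reply = fw.check("tcp", server, 21, client, 50000)
    # Active mode: the server opens the data connection back to the client.
    data_blocked = fw.check("tcp", server, 20, client, 50001)
    fw.open_pinhole(client, "tcp", 50001)
    data_after_pinhole = fw.check("tcp", server, 20, client, 50001)
    return control_out, control_reply, data_blocked, data_after_pinhole


if __name__ == "__main__":
    print(active_ftp_demo())
```

The control connection succeeds because the client initiated it; the data connection is dropped until something on the leaf network tells the filter to expect it.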