[PLUG] Configuring Ubiquiti ER-X - IPv6

Tom tomas.kuchta.lists at gmail.com
Sun Nov 12 08:43:25 UTC 2017


Hi Bill,

I would not consider IPv4 NAT to be much protection against someone trying
to connect to your NAS either manually or by drive-by automation. There
are plenty of ways to get into the network in a typical customer router
setup, even without forwarding setup.

If you like IPv4 NAT, there is nothing stopping you from implementing it
the same way with IPv6 too.

With that knowledge - it would be pretty irresponsible to leave your
NAS wide open for anyone from the web to connect to it, be it via IPv4
or IPv6. I believe that a NAS, like any other computer these days, has
a firewall. My NAS has a firewall as well as my router. So it should
help to configure it (both the NAS and the router) to know what your
local network is and not respond to random outside traffic, at the
minimum.

IPv6 provides for local network discovery, so your NAS, and other
computers behind the router should definitely know what is local and
what is outside traffic.

Besides firewalling things and limiting things from being able to
communicate, Kerberos can authenticate not only users, but also devices
as well as encrypt the traffic. Then you should be able to connect
with your devices securely from anywhere. That ability to connect
anywhere with ease was the whole promise of this thing we call
internet. Then came NAT and double/triple/.. NAT and instead of fixing
protocols like SMTP, we got firewalls at ISP blocking stuff like port
25, .....

For me at least, IPv6 could not come fast enough.

Tomas

On Mon, 2017-11-06 at 16:38 +0000, Bill Weiss wrote:
> I'd like to share a recent failure, in case I can help any of you not have
> the same: if you happen to have native IPv6 at home, please know that the
> GUI-configured firewall doesn't touch IPv6 at all. So, let's say your
> devices are getting real IPv6 addresses as they should... they're just out
> on the internet. Is your NAS ready to be talked to by the internet?
> 
> https://community.ubnt.com/t5/EdgeMAX/Time-Warner-Cable-Working-IPv6-Configuration-with-IPv6-Firewall/td-p/1554856
> contained the magic bits I needed to make it work, starting with "from
> UBNT-stig" through the end of that block.
> 
> A remote person _probably_ didn't guess the IP of my dumpy NAS and exploit
> it, but it's kind of hard to say, you know?
> 
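
An added example, not part of the thread or of any Ubiquiti tooling: a check for the failure described in the quoted message, where IPv4 filtering is in place but IPv6 was never configured. It assumes a Linux host using netfilter (for instance a Linux-based NAS) whose rules are dumped with iptables-save and ip6tables-save; the function names are hypothetical and the sample dumps are constructed.

```python
import re

# Constructed iptables-save / ip6tables-save dumps: IPv4 locked down, IPv6 untouched.
IPV4_DUMP = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
IPV6_DUMP = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

def parse_filter_table(dump):
    """Return {chain: {"policy": str, "rules": [str]}} for the filter table."""
    chains, in_filter = {}, False
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[name] = {"policy": policy, "rules": []}
        elif in_filter and line.startswith("-A "):
            chain = chains.setdefault(line.split()[1], {"policy": "-", "rules": []})
            chain["rules"].append(line)
    return chains

def open_chains(dump, names=("INPUT", "FORWARD")):
    """Chains with policy ACCEPT and no unconditional DROP/REJECT as their last rule."""
    table = parse_filter_table(dump)
    found = []
    for name in names:
        # A chain missing from the dump means the table is not loaded: nothing filters.
        chain = table.get(name, {"policy": "ACCEPT", "rules": []})
        last = chain["rules"][-1] if chain["rules"] else ""
        closed = re.fullmatch(r"-A \S+ -j (DROP|REJECT)( --reject-with \S+)?", last)
        if chain["policy"] == "ACCEPT" and not closed:
            found.append(name)
    return found

def ipv6_gap(ipv4_dump, ipv6_dump):
    """Chains that are closed for IPv4 but still open for IPv6."""
    v4_open = set(open_chains(ipv4_dump))
    return [c for c in open_chains(ipv6_dump) if c not in v4_open]
```

Feed it the output of `iptables-save` and `ip6tables-save` from the same host. A chain that jumps to a custom chain holding the final drop is still reported as open, so treat a hit as a prompt to read the ruleset.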


