
In the next months/years my ISP might give me IPv6 for my home connection. But what are the security implications? Will local network servers/embedded devices be accessible from the whole internet?

In IPv4 you were protected by the NAT. Many services and embedded devices like network printers have a local address but listen to any incoming connection (0.0.0.0 at IPv4). If they should be reachable from the internet, port forwarding or UPnP were your options (including some infamous security cameras being accessible via UPnP without password by default from the internet).

When my ISP switches me to IPv6, are those accessible from the internet/do I need to create firewall rules on my home router (similar to port forwarding)/will there be something like UPnP for programs like BitTorrent? Are there other security considerations? Will it end like this https://serverfault.com/questions/766890/network-printer-exploited-read-hacked-to-print-antisemitic-documents-how-to ?

If this is model/ISP specific, feel free to assume a common configuration (preferably in central Europe).

H. Idden
  • It's a bit hard to be sure - there isn't really a common configuration, yet, since it still seems to be in the hands of consumer router manufacturers and choices by consumer ISPs, at least in the west. I'm not sure how places like South Korea have adopted it commonly, but it would be interesting to hear from someone from that part of the world. – Matthew Apr 01 '16 at 12:52

1 Answer


With IPv6 you cannot rely on NAT, and thus, yes, you have to configure reasonable packet filtering rules on the router or firewall. For stateful filters this is easy to accomplish: Allow all outgoing traffic and allow all incoming traffic that is related to the outgoing traffic, drop anything else. For stateless filters there's a bit more to do, in particular, you have to bear in mind that IPv6 requires several ICMPv6 packet types for its operation (mostly error messages; for instance, "packet too big" messages since with IPv6 routers don't fragment as they do with IP legacy).

Without NAT you don't need port forwarding; you simply add the corresponding filter rule for incoming traffic.

countermode
  • Is there also a standard like UPnP that allows applications to automatically open/forward/... a port to it in IPv6 when using such a firewall? All information I found was about IP but didn't specify if it is for IPv6 too. – H. Idden Apr 01 '16 at 16:11
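
The stateful policy described in the answer, written out as an nftables ruleset for forwarded traffic. This is an added example, not part of the original answer; the choice of nftables, the interface names `wan0` and `lan0`, and the `2001:db8::` documentation address are assumptions.

```nftables
# Added example: IPv6 forward-chain policy for a home router.
# Assumed names: "wan0" faces the ISP, "lan0" faces the home network.
# 2001:db8:0:1::10 is a constructed address from the documentation prefix.

table ip6 home_fw {
    chain forward {
        # Anything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Incoming traffic that belongs to, or is related to, a flow
        # started from the LAN. Conntrack classifies an ICMPv6 error
        # (such as "packet too big") about a known flow as related.
        ct state established,related accept
        ct state invalid drop

        # All outgoing traffic from the home network is allowed.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 error messages IPv6 needs for its operation. A stateless
        # filter must list these explicitly; here they are kept so that
        # path MTU discovery does not depend on conntrack alone.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # The IPv6 counterpart of a port forward: no address translation,
        # only an accept rule for one host and one port.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:0:1::10 tcp dport 443 accept

        # Every other connection attempt from the internet, for example to
        # a printer listening on all addresses, falls through to policy drop.
    }
}
```

Running `nft -c -f <file>` parses the ruleset without applying it. The chain covers forwarded traffic only; packets addressed to the router itself pass through the input hook and need their own rules.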