[DARARepeater] LAN Routing

Jim Bacher, WB8VSU wb8vsu at arrl.net
Tue Oct 13 18:01:46 EDT 2020


Jack, my isp has supported IPv6 for more than several years at my location. Although I understand not all of their locations have it. I don't recall if it's enabled by default, but I think it was as I remember turning it off when I discovered it. I ran into an issue and turned it back on to resolve the issue. Remote Secure Shell to my server here at home is now IPv6. 

Derek, with IPv4 its real easy to target a device, with IPv6 its virtually impossible. Reason is the massive number of addresses that are available. 

The default size of the smallest subnet is: 18,446,744,073,709,551,616 IPv6 addresses . You can not make a smaller one, it can only be bigger. 

I believe my isp gave me the ability to have 16 default size IPv6 subnets. 

If you keep your IPv6 Iot devices on a separate router, they should not be able to find your computers due to the size of an adjacent subnet. The router will block any attempt to forward a routing packet. 

Biggest risk would be the smart phone as it's IPv6 is on and when it is connected to your home network it would be a risk. I have a app on the cell phone that is IPv6 capable, and it has difficulty finding any IPv6 devices on my local network. 

For a chart see:
https://www.ripe.net/about-us/press-centre/ipv6-chart_2015.pdf

Top level / description:
https://www.ripe.net/about-us/press-centre/understanding-ip-addressing

There is always risk. 

⁣Jim Bacher, WB8VSU 
wb8vsu at arrl.net 
https://trc.guru​

On Oct 13, 2020, 3:47 PM, at 3:47 PM, Jack Gerbs <jgerbs at quanexus.com> wrote:
>Totally agree with Jim on this. IPv6 is not going to leave your
>network. Your ISP, today, is only running IPv4 and you would need to
>translate v6 to v4 at your gateway.  The threat from IPv6 is an
>internal threat, where the malicious actor, once on your network, would
>look to exploit v6 vulnerabilities. it. There is an incredible amount
>of internal v6 running on many network today.
>   73, Jack, WB8SCT
>
>From: dararepeater-bounces at mailman.qth.net
><dararepeater-bounces at mailman.qth.net> On Behalf Of Jim Bacher, WB8VSU
>Sent: Tuesday, October 13, 2020 3:38 PM
>To: Derek Gooley <dgooley at gmail.com>
>Cc: DARA Repeater List <dararepeater at mailman.qth.net>
>Subject: Re: [DARARepeater] LAN Routing
>
>Derek, in general router advertising never leaves the network it was
>broadcast on. As it would be an unsolicited packet on the incoming
>router, the router would automatically block the packet. For a home
>user I don't see it as a threat. For a corporation that is a threat.
>My windows box just informed me it needs to reboot, so they must have
>pushed out the patch.
>Jim Bacher, WB8VSU
>wb8vsu at arrl.net<mailto:wb8vsu at arrl.net>
>https://trc.guru<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2ftrc.guru&c=E,1,KnRqymRIVRLWhfeBfW3OdAoBiKzGSYbsssk3Fzfm1s4bfNfvCIJf2AiWAA-oJJmvErX2_vy67tFVwig3oh8awpnodHhx_6kefCH7i1NkkVI_8FKlPy0t3FqS&typo=1>
>On Oct 13, 2020, at 2:45 PM, Derek Gooley
><dgooley at gmail.com<mailto:dgooley at gmail.com>> wrote:
>I'm not moving to IPv6 any time soon.
>
>https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
>
>On Mon, Oct 12, 2020, 16:16 Jim Bacher, WB8VSU <
>wb8vsu at arrl.net<mailto:wb8vsu at arrl.net>> wrote:
>Mark, most IoT devices now days are going to be IPv6 and IPv4. If you
>have IPv6 turned off on your 2nd  router then Jack's suggestion is a
>good easy choice. If you have IPv6 turned on, then it won't work if the
>devices have IPv6 enabled.
>Everything is automatic under IPv6 which makes it more difficult to
>block an outgoing packet. Incoming are blocked by default. My two
>routers are capable of blocking networks or devices, whether they are
>IPv4 or IPv6. That can be complex to accomplish depending on the router
>and whether IPv6 is turned on.
>
>Most of the risk with IoT, is allowing remote access to it and not
>changing the default password. So if you don't allow remote access, the
>device didn't have contamination on it when you bought it and you don't
>let it update there shouldn't be a problem.
>Most of the issues I am aware of are due to pin holes created for a IoT
>device on the firewall / router to allow remote access or having a
>contaminated OS to start with. Jack may know of others as he is more
>up-to-date than I am on IT.
>I am running IPv6 on my home networks. From what I can tell, more than
>90% of the traffic is now IPv6 as a result. Most noticeable when
>running an update on a Raspberry Pi, as it will show where it's pulling
>the updates from. The bulk are from IPv6 addresses. Smart phones are
>also mostly IPv6 and you can't disable IPv6 on the cell phone.
>Jim Bacher, WB8VSU
>wb8vsu at arrl.net<mailto:wb8vsu at arrl.net>
>https://trc.guru<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2ftrc.guru&c=E,1,m8tD1_20ndS5wLp-5E32tqliSHgmj8kO5tJB78TOo3a1g7LjPRTUaU_Pqqoqpp4DFCo5VOMUSnf1xFNW9pG2jaPJJ8VtE1hHqmW71UETYKMgaewIJ3_0SAuiuQ,,&typo=1>
>On Oct 12, 2020, at 12:18 PM, Jack Gerbs <
>jgerbs at quanexus.com<mailto:jgerbs at quanexus.com>> wrote:
>Mark,
>An easy way to not allow devices to access the internet is to not put
>in a default gateway on the device, or put an unused address in for the
>default gateway. A more common way to do it is to create a rule that
>blocks the device from accessing the WAN port. Not sure your level of
>experience with firewalls, so don’t take this the wrong way, firewalls
>execute rules (ACLs) from top down, your more restrictive rules need to
>be applied first.
>           Jack
>
>
>From:
>dararepeater-bounces at mailman.qth.net<mailto:dararepeater-bounces at mailman.qth.net>
><dararepeater-bounces at mailman.qth.net<mailto:dararepeater-bounces at mailman.qth.net>>
>On Behalf Of Mark Erbaugh
>Sent: Monday, October 12, 2020 12:11 PM
>To: Derek Gooley <dgooley at gmail.com<mailto:dgooley at gmail.com>>;
>dararepeater at mailman.qth.net<mailto:dararepeater at mailman.qth.net>
>Subject: Re: [DARARepeater] LAN Routing
>
>
>Derek,
>
>
>Thanks. I’ll have to take some time to digest all that and learn to
>craft firewall rules.
>
>
>Another approach I was considering was connecting those devices to the
>secure network as long as I can configure the firewall to not allow
>them to access or be accessed from the Internet. Unlike my smart TV’s
>and Amazon Echo’s they don’t need access to the Internet to function.
>Would that approach be preferable to allowing connections across the
>subnets?
>
>
>73,
>Mark
>
>
>
>
>
>
>From: Derek Gooley<mailto:dgooley at gmail.com>
>Sent: Monday, October 12, 2020 11:40 AM
>To: Mark Erbaugh<mailto:mark.election at gmail.com>
>Cc: dararepeater at mailman.qth.net<mailto:dararepeater at mailman.qth.net>
>Subject: Re: [DARARepeater] LAN Routing
>
>
>Having the devices on separate subnets or VLANs won't secure anything
>if they're still routable to eachother. You need to create firewall
>rules to block traffic between them.
>
>
>You could create a rule allowing traffic from your secure network to
>your IOT network, a rule allowing established connections from your
>dirty network to a secure network (so devices can communicate with
>hosts on your secure network once a connection is established), and a
>rule disallowing all other outbound and inbound traffic from your dirty
>network to achieve what you're asking.
>
>
>Here's some guides on how to add firewall rules to Ubiquiti EdgeRouter:
>
>
>https://help.ui.com/hc/en-us/articles/218889067-EdgeRouter-How-to-Create-a-Guest-LAN-Firewall-Rule<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fhelp.ui.com%2fhc%2fen-us%2farticles%2f218889067-EdgeRouter-How-to-Create-a-Guest-LAN-Firewall-Rule&c=E,1,bdDUoLtTp9a5hgMUSsWg59wOTM-gaO04IfLRYrDNlqt7ydY9qEsZfHQyPnpF7z9g4FbZnvrSoXKJyaWUx3QZjfjK7t5CwIq6RiwfY90auvpict-DrIDN4hR6srU,&typo=1>
>https://help.ui.com/hc/en-us/articles/204962154-EdgeRouter-How-to-Create-a-WAN-Firewall-Rule<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fhelp.ui.com%2fhc%2fen-us%2farticles%2f204962154-EdgeRouter-How-to-Create-a-WAN-Firewall-Rule&c=E,1,1kBBm9SHwd17vwXLgJPJIo_7HkCRRKWKLopBk7rP7d3l3UAMyS0YPviuBDmfEtZoTr0JfjNhcodP3NsmR8QeDCccBeUOpPG3ObCpJmcI7vwz&typo=1>
>https://help.ui.com/hc/en-us/articles/204952154-EdgeRouter-Zone-Based-Firewall<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fhelp.ui.com%2fhc%2fen-us%2farticles%2f204952154-EdgeRouter-Zone-Based-Firewall&c=E,1,RCshEPTtrPKSraRGILk3GBLhhRduHThAY1ducDgi7S2fC_wVRRcmf2H-jwcrP2VL09ukwfqKSYVDolb2WgFp3jSaPrMZmyUzKweHza7r6OKmixlCais,&typo=1>
>On Mon, Oct 12, 2020, 11:06 Mark Erbaugh
><mark.election at gmail.com<mailto:mark.election at gmail.com>> wrote:
>I’ve started adding IOT devices to my home. Following some security
>advice
>https://pcper.com/2016/08/steve-gibsons-three-router-solution-to-iot-insecurity/<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fpcper.com%2f2016%2f08%2fsteve-gibsons-three-router-solution-to-iot-insecurity%2f&c=E,1,387TSYzRW26xvXvTzLfef5trEjglgbY2KZVlCKyeUg1S6mxUhxt4RSQP2AQhEq3DotIsK3CvfY-YY6BAlvpZjJ0B2C--rTJ9t_J32Aezz5Gjljv27FrFqo7Pvhg,&typo=1>)
>, I’ve configured two sub-nets, one for my computers which are secure
>(at least I’m running security software on them) and one for the IOT
>devices which I don’t trust as much. Hopefully, this will prevent an
>attacker from exploiting a weakness in one of my IOT devices to attack
>my secure computers.
>
>But I have found a need for an exception to my configuration. I have a
>couple of devices that I don’t fully trust to be on my secure network
>that I need to communicate with from my computer on the secure network:
>
>  *   FlexRadio 6700 (internal Linux software with unknown security)
>  *   Raspberry Pi running OctoPi server to control my 3d printer
>
>Right now, I’ve left the Flex on the secure network, so I’m trusting
>the Flex developers and I’m not using the OctoPi.
>
>Is it possible to put these devices on the secure network but configure
>the router (I’m currently using a Ubiquity EdgeRouter X) so that they
>can be accessed from inside the network, but that they can’t access the
>internet? I’m assuming that if the device can’t access the Internet,
>the Internet can’t access the device – is that a valid assumption?
>
>If so, how?
>
>One suggestion I saw was to implement parental controls on those
>devices, but I see no mention of parental controls in the EdgeRouter
>configuration.
>
>73,
>Mark
>
>
>
>
>______________________________________________________________
>DARARepeater mailing list
>Home:
>http://mailman.qth.net/mailman/listinfo/dararepeater<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmailman%2flistinfo%2fdararepeater&c=E,1,oV-K8lGzWL2ryfgHlBSLatevJFfZDhgTDWHDM53At_Gqsw_EXAd-HzkbNHd_WI4b7rPSACDsoWHg4xKwbPK9xwN_3q_sON2U0lo4Vegs&typo=1>
>Help:
>http://mailman.qth.net/mmfaq.htm<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmmfaq.htm&c=E,1,mOB7jSfUNeOdizAULu02ktA-vEtAWPbgnmcNV-7zpzl6vLCeweaGTsnH43iUfMwzGVUafQxNrEV7jZS1_7nlbwBggn6YAKb15VoC_Ku5U8Mc1lScK34,&typo=1>
>Post:
>mailto:DARARepeater at mailman.qth.net<mailto:DARARepeater at mailman.qth.net>
>
>This list hosted by:
>http://www.qsl.net<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net&c=E,1,EirwSbCV7F2MVLuTPhJdWDnMEM1qBssr310z_SoFYPE3dutDGunq1F-5F_5ZjecTAeWSIHkLxtg2uMlGqE_CoAL8EejjABVOzwAxSjl59ykyrH6U7tlZSOl9VWvA&typo=1>
>Please help support this email list:
>http://www.qsl.net/donate.html<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net%2fdonate.html&c=E,1,7BfjHNFHd6YtaLHkEKR_1ZUxb9OOdJN1gMsEqlmEZqE7pYIJ_1odH_gucUvscKCKFlTmOo1T_lAQ8Q6KUWv7ag8B6t-MXAmIgeEzf4TfiA,,&typo=1>
>
>
>
>Our Q-Stack Advantage protects your systems and the information on your
>systems with a layered and proven approach. Quanexus provides managed
>Information Technology services for IT organizations, businesses,
>non-profits and more. Risk Assessments, Vulnerability Scans, Cabling,
>Telephone Systems, Surveillance and Access Control are all part of our
>value added services. Visit us at
>www.Quanexus.com<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fquanexus.com&c=E,1,6czxhaCxN0Q-ydvLV5kfrIpxet8EYuJn60a4iMjxQ5GPqiR5R9atLPac-LQVEVi9sCxdyv4fB2eD8CTlbOAdL22AczjvT-Kb1TDyc8J7DVsCVto,&typo=1>
>to learn more.
>
>
>
>________________________________
>
>DARARepeater mailing list
>Home:
>http://mailman.qth.net/mailman/listinfo/dararepeater<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmailman%2flistinfo%2fdararepeater&c=E,1,UNLrpe8vboBKS8gzg55g1gs_YtBNAV4Jjby8TemabRN1Gv5pFzTZXtyjX64x_K6rVno-cgdoM7cz-pB5vWH4WFzjXX6WeN04WzSaZf4WsGmqEt4_6EoCQl8OWY4,&typo=1>
>Help:
>http://mailman.qth.net/mmfaq.htm<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmmfaq.htm&c=E,1,yzuxz_uMPl0Z3lh25-wB8NGyn_YWoMQAvttUlq7dOhtkjvPQh-tdhWSb4TGxEolyaPc9Oz90wZD7a7ycYh7RLJVTfQq6R0Wb3qE2s7gMgKFR-A0,&typo=1>
>Post:
>mailto:DARARepeater at mailman.qth.net<mailto:DARARepeater at mailman.qth.net>
>
>This list hosted by:
>http://www.qsl.net<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net&c=E,1,BsiRmYcc_RlpfAXBXGDTXb1NVq25Zo5D63ksJo6UI_1y28fDuqmeu6R4gDcGYm3WeYGbvWVx-dbBui3UJ7PgM0QMstCcUMGCXRg1MEMB6F7uW3M,&typo=1>
>Please help support this email list:
>http://www.qsl.net/donate.html<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net%2fdonate.html&c=E,1,XsC3rrPSbQB-sDHUigu1hwlGiUoNT1eB0_NoPa8YBjhN2PC9MJ4CyR4C9_fmsRbSvVEk1fcNrH9MbiYRSETSY_dVtfljBhf3wBpPs6B0&typo=1>
>______________________________________________________________
>DARARepeater mailing list
>Home:
>http://mailman.qth.net/mailman/listinfo/dararepeater<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmailman%2flistinfo%2fdararepeater&c=E,1,qVrp1lR00oHPaHv9Lk0EuW74IesuPmELzTToNFKs6XOqSS5QwjY7kQJpXouzuFxoQ7vVIZy9JEQLPi9SnAc2wfIOCpl-XVB8fcVPHOWXeiEEDCRZOB7D&typo=1>
>Help:
>http://mailman.qth.net/mmfaq.htm<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmmfaq.htm&c=E,1,RDsNDrsTcBzDFywGZ9RdgL46RxKWImzIaBEBDZaJYzUsd5DQVuYRc5IzYqtMGpXkwVV9GFl1q5Bm_hJDN8j-qg797R3yJedlHz134ifgDA0Qs94,&typo=1>
>Post: mailto:
>DARARepeater at mailman.qth.net<mailto:DARARepeater at mailman.qth.net>
>
>This list hosted by:
>http://www.qsl.net<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net&c=E,1,APpCDBWncRMtfd6w6aTLmfsL_mj8BPFA7SQ_XJZK-nuWpnYiKjOtqNWr54k-CAsrANR6S-pz-vqLPMJk6rxPG5PEQFeGOFGskk4DzcQZM2EZERC0S9Gnecik&typo=1>
>Please help support this email list:
>http://www.qsl.net/donate.html<https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net%2fdonate.html&c=E,1,-AJ5vOLxPAkOuWHLVNI-5kWCjWV4QvOUJOs88j_7DhI7TmMAOixzbwOl6i9phKzYitnXjTuvsX0vSdKQVy8NASeQwAZTbdH4hrr2HajOx0E,&typo=1>
><font size="3" color="A5292B">Our <B>Q-Stack Advantage</B> protects
>your systems and the information on your systems with a layered and
>proven approach.  Quanexus provides managed Information Technology
>services for IT organizations, businesses, non-profits and more. Risk
>Assessments, Vulnerability Scans, Cabling, Telephone Systems,
>Surveillance and Access Control are all part of our value added
>services. Visit us at <a
>href="https://quanexus.com">www.Quanexus.com</a> to learn more.</font>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.qth.net/pipermail/dararepeater/attachments/20201013/7802f986/attachment-0001.html>


More information about the DARARepeater mailing list