[DARARepeater] LAN Routing

Derek Gooley dgooley at gmail.com
Wed Oct 14 02:30:17 EDT 2020


There are methods of local network host enumeration other than exhaustively
searching the IP range. The number of available addresses is not a security
feature.

On Tue, Oct 13, 2020, 18:01 Jim Bacher, WB8VSU <wb8vsu at arrl.net> wrote:

> Jack, my isp has supported IPv6 for more than several years at my
> location. Although I understand not all of their locations have it. I don't
> recall if it's enabled by default, but I think it was as I remember turning
> it off when I discovered it. I ran into an issue and turned it back on to
> resolve the issue. Remote Secure Shell to my server here at home is now
> IPv6.
>
> Derek, with IPv4 its real easy to target a device, with IPv6 its virtually
> impossible. Reason is the massive number of addresses that are available.
>
> The default size of the smallest subnet is:
> 18,446,744,073,709,551,616 IPv6 addresses . You can not make a smaller one,
> it can only be bigger.
>
> I believe my isp gave me the ability to have 16 default size IPv6 subnets.
>
> If you keep your IPv6 Iot devices on a separate router, they should not be
> able to find your computers due to the size of an adjacent subnet. The
> router will block any attempt to forward a routing packet.
>
> Biggest risk would be the smart phone as it's IPv6 is on and when it is
> connected to your home network it would be a risk. I have a app on the cell
> phone that is IPv6 capable, and it has difficulty finding any IPv6 devices
> on my local network.
>
> For a chart see:
> https://www.ripe.net/about-us/press-centre/ipv6-chart_2015.pdf
>
> Top level / description:
> https://www.ripe.net/about-us/press-centre/understanding-ip-addressing
>
> There is always risk.
>
> Jim Bacher, WB8VSU
> wb8vsu at arrl.net
> https://trc.guru
> On Oct 13, 2020, at 3:47 PM, Jack Gerbs <jgerbs at quanexus.com> wrote:
>>
>> Totally agree with Jim on this. IPv6 is not going to leave your network.
>> Your ISP, today, is only running IPv4 and you would need to translate v6 to
>> v4 at your gateway.  The threat from IPv6 is an internal threat, where the
>> malicious actor, once on your network, would look to exploit v6
>> vulnerabilities. it. There is an incredible amount of internal v6 running
>> on many network today.
>>
>>    73, Jack, WB8SCT
>>
>>
>>
>> *From:* dararepeater-bounces at mailman.qth.net <
>> dararepeater-bounces at mailman.qth.net> *On Behalf Of *Jim Bacher, WB8VSU
>> *Sent:* Tuesday, October 13, 2020 3:38 PM
>> *To:* Derek Gooley <dgooley at gmail.com>
>> *Cc:* DARA Repeater List <dararepeater at mailman.qth.net>
>> *Subject:* Re: [DARARepeater] LAN Routing
>>
>>
>>
>> Derek, in general router advertising never leaves the network it was
>> broadcast on. As it would be an unsolicited packet on the incoming router,
>> the router would automatically block the packet. For a home user I don't
>> see it as a threat. For a corporation that is a threat.
>>
>> My windows box just informed me it needs to reboot, so they must have
>> pushed out the patch.
>>
>> Jim Bacher, WB8VSU
>>
>> wb8vsu at arrl.net
>>
>> https://trc.guru
>> <https://linkprotect.cudasvc.com/url?a=https%3a%2f%2ftrc.guru&c=E,1,KnRqymRIVRLWhfeBfW3OdAoBiKzGSYbsssk3Fzfm1s4bfNfvCIJf2AiWAA-oJJmvErX2_vy67tFVwig3oh8awpnodHhx_6kefCH7i1NkkVI_8FKlPy0t3FqS&typo=1>
>>
>> On Oct 13, 2020, at 2:45 PM, Derek Gooley <dgooley at gmail.com> wrote:
>>
>> I'm not moving to IPv6 any time soon.
>>
>>
>>
>>
>> https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
>>
>>
>>
>> On Mon, Oct 12, 2020, 16:16 Jim Bacher, WB8VSU < wb8vsu at arrl.net> wrote:
>>
>> Mark, most IoT devices now days are going to be IPv6 and IPv4. If you
>> have IPv6 turned off on your 2nd  router then Jack's suggestion is a good
>> easy choice. If you have IPv6 turned on, then it won't work if the devices
>> have IPv6 enabled.
>>
>> Everything is automatic under IPv6 which makes it more difficult to block
>> an outgoing packet. Incoming are blocked by default. My two routers are
>> capable of blocking networks or devices, whether they are IPv4 or IPv6.
>> That can be complex to accomplish depending on the router and whether IPv6
>> is turned on.
>>
>>
>>
>> Most of the risk with IoT, is allowing remote access to it and not
>> changing the default password. So if you don't allow remote access, the
>> device didn't have contamination on it when you bought it and you don't let
>> it update there shouldn't be a problem.
>>
>> Most of the issues I am aware of are due to pin holes created for a IoT
>> device on the firewall / router to allow remote access or having a
>> contaminated OS to start with. Jack may know of others as he is more
>> up-to-date than I am on IT.
>>
>> I am running IPv6 on my home networks. From what I can tell, more than
>> 90% of the traffic is now IPv6 as a result. Most noticeable when running an
>> update on a Raspberry Pi, as it will show where it's pulling the updates
>> from. The bulk are from IPv6 addresses. Smart phones are also mostly IPv6
>> and you can't disable IPv6 on the cell phone.
>>
>> Jim Bacher, WB8VSU
>>
>> wb8vsu at arrl.net
>>
>> https://trc.guru
>> <https://linkprotect.cudasvc.com/url?a=https%3a%2f%2ftrc.guru&c=E,1,m8tD1_20ndS5wLp-5E32tqliSHgmj8kO5tJB78TOo3a1g7LjPRTUaU_Pqqoqpp4DFCo5VOMUSnf1xFNW9pG2jaPJJ8VtE1hHqmW71UETYKMgaewIJ3_0SAuiuQ,,&typo=1>
>>
>> On Oct 12, 2020, at 12:18 PM, Jack Gerbs < jgerbs at quanexus.com> wrote:
>>
>> Mark,
>>
>>      An easy way to not allow devices to access the internet is to not
>> put in a default gateway on the device, or put an unused address in for the
>> default gateway. A more common way to do it is to create a rule that blocks
>> the device from accessing the WAN port. Not sure your level of experience
>> with firewalls, so don’t take this the wrong way, firewalls execute rules
>> (ACLs) from top down, your more restrictive rules need to be applied first.
>>
>>            Jack
>>
>>
>>
>> *From:* dararepeater-bounces at mailman.qth.net <
>> dararepeater-bounces at mailman.qth.net> *On Behalf Of *Mark Erbaugh
>> *Sent:* Monday, October 12, 2020 12:11 PM
>> *To:* Derek Gooley <dgooley at gmail.com>; dararepeater at mailman.qth.net
>> *Subject:* Re: [DARARepeater] LAN Routing
>>
>>
>>
>> Derek,
>>
>>
>>
>> Thanks. I’ll have to take some time to digest all that and learn to craft
>> firewall rules.
>>
>>
>>
>> Another approach I was considering was connecting those devices to the
>> secure network as long as I can configure the firewall to not allow them to
>> access or be accessed from the Internet. Unlike my smart TV’s and Amazon
>> Echo’s they don’t need access to the Internet to function. Would that
>> approach be preferable to allowing connections across the subnets?
>>
>>
>>
>> 73,
>>
>> Mark
>>
>>
>>
>>
>>
>>
>>
>> *From: *Derek Gooley <dgooley at gmail.com>
>> *Sent: *Monday, October 12, 2020 11:40 AM
>> *To: *Mark Erbaugh <mark.election at gmail.com>
>> *Cc: *dararepeater at mailman.qth.net
>> *Subject: *Re: [DARARepeater] LAN Routing
>>
>>
>>
>> Having the devices on separate subnets or VLANs won't secure anything if
>> they're still routable to eachother. You need to create firewall rules to
>> block traffic between them.
>>
>>
>>
>> You could create a rule allowing traffic from your secure network to your
>> IOT network, a rule allowing established connections from your dirty
>> network to a secure network (so devices can communicate with hosts on your
>> secure network once a connection is established), and a rule disallowing
>> all other outbound and inbound traffic from your dirty network to achieve
>> what you're asking.
>>
>>
>>
>> Here's some guides on how to add firewall rules to Ubiquiti EdgeRouter:
>>
>>
>>
>>
>> https://help.ui.com/hc/en-us/articles/218889067-EdgeRouter-How-to-Create-a-Guest-LAN-Firewall-Rule
>> <https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fhelp.ui.com%2fhc%2fen-us%2farticles%2f218889067-EdgeRouter-How-to-Create-a-Guest-LAN-Firewall-Rule&c=E,1,bdDUoLtTp9a5hgMUSsWg59wOTM-gaO04IfLRYrDNlqt7ydY9qEsZfHQyPnpF7z9g4FbZnvrSoXKJyaWUx3QZjfjK7t5CwIq6RiwfY90auvpict-DrIDN4hR6srU,&typo=1>
>>
>>
>> https://help.ui.com/hc/en-us/articles/204962154-EdgeRouter-How-to-Create-a-WAN-Firewall-Rule
>> <https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fhelp.ui.com%2fhc%2fen-us%2farticles%2f204962154-EdgeRouter-How-to-Create-a-WAN-Firewall-Rule&c=E,1,1kBBm9SHwd17vwXLgJPJIo_7HkCRRKWKLopBk7rP7d3l3UAMyS0YPviuBDmfEtZoTr0JfjNhcodP3NsmR8QeDCccBeUOpPG3ObCpJmcI7vwz&typo=1>
>>
>>
>> https://help.ui.com/hc/en-us/articles/204952154-EdgeRouter-Zone-Based-Firewall
>> <https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fhelp.ui.com%2fhc%2fen-us%2farticles%2f204952154-EdgeRouter-Zone-Based-Firewall&c=E,1,RCshEPTtrPKSraRGILk3GBLhhRduHThAY1ducDgi7S2fC_wVRRcmf2H-jwcrP2VL09ukwfqKSYVDolb2WgFp3jSaPrMZmyUzKweHza7r6OKmixlCais,&typo=1>
>>
>> On Mon, Oct 12, 2020, 11:06 Mark Erbaugh <mark.election at gmail.com>
>> wrote:
>>
>> I’ve started adding IOT devices to my home. Following some security
>> advice
>> https://pcper.com/2016/08/steve-gibsons-three-router-solution-to-iot-insecurity/
>> <https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fpcper.com%2f2016%2f08%2fsteve-gibsons-three-router-solution-to-iot-insecurity%2f&c=E,1,387TSYzRW26xvXvTzLfef5trEjglgbY2KZVlCKyeUg1S6mxUhxt4RSQP2AQhEq3DotIsK3CvfY-YY6BAlvpZjJ0B2C--rTJ9t_J32Aezz5Gjljv27FrFqo7Pvhg,&typo=1>)
>> , I’ve configured two sub-nets, one for my computers which are secure (at
>> least I’m running security software on them) and one for the IOT devices
>> which I don’t trust as much. Hopefully, this will prevent an attacker from
>> exploiting a weakness in one of my IOT devices to attack my secure
>> computers.
>>
>>
>>
>> But I have found a need for an exception to my configuration. I have a
>> couple of devices that I don’t fully trust to be on my secure network that
>> I need to communicate with from my computer on the secure network:
>>
>>
>>    - FlexRadio 6700 (internal Linux software with unknown security)
>>
>>    - Raspberry Pi running OctoPi server to control my 3d printer
>>
>>
>>
>>
>> Right now, I’ve left the Flex on the secure network, so I’m trusting the
>> Flex developers and I’m not using the OctoPi.
>>
>>
>>
>> Is it possible to put these devices on the secure network but configure
>> the router (I’m currently using a Ubiquity EdgeRouter X) so that they can
>> be accessed from inside the network, but that they can’t access the
>> internet? I’m assuming that if the device can’t access the Internet, the
>> Internet can’t access the device – is that a valid assumption?
>>
>>
>>
>> If so, how?
>>
>>
>>
>> One suggestion I saw was to implement parental controls on those devices,
>> but I see no mention of parental controls in the EdgeRouter configuration.
>>
>>
>>
>> 73,
>>
>> Mark
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> ______________________________________________________________
>> DARARepeater mailing list
>> Home: http://mailman.qth.net/mailman/listinfo/dararepeater
>> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmailman%2flistinfo%2fdararepeater&c=E,1,oV-K8lGzWL2ryfgHlBSLatevJFfZDhgTDWHDM53At_Gqsw_EXAd-HzkbNHd_WI4b7rPSACDsoWHg4xKwbPK9xwN_3q_sON2U0lo4Vegs&typo=1>
>> Help: http://mailman.qth.net/mmfaq.htm
>> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmmfaq.htm&c=E,1,mOB7jSfUNeOdizAULu02ktA-vEtAWPbgnmcNV-7zpzl6vLCeweaGTsnH43iUfMwzGVUafQxNrEV7jZS1_7nlbwBggn6YAKb15VoC_Ku5U8Mc1lScK34,&typo=1>
>> Post: mailto:DARARepeater at mailman.qth.net
>>
>> This list hosted by: http://www.qsl.net
>> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net&c=E,1,EirwSbCV7F2MVLuTPhJdWDnMEM1qBssr310z_SoFYPE3dutDGunq1F-5F_5ZjecTAeWSIHkLxtg2uMlGqE_CoAL8EejjABVOzwAxSjl59ykyrH6U7tlZSOl9VWvA&typo=1>
>> Please help support this email list: http://www.qsl.net/donate.html
>> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net%2fdonate.html&c=E,1,7BfjHNFHd6YtaLHkEKR_1ZUxb9OOdJN1gMsEqlmEZqE7pYIJ_1odH_gucUvscKCKFlTmOo1T_lAQ8Q6KUWv7ag8B6t-MXAmIgeEzf4TfiA,,&typo=1>
>>
>>
>>
>> Our *Q-Stack Advantage* protects your systems and the information on
>> your systems with a layered and proven approach. Quanexus provides managed
>> Information Technology services for IT organizations, businesses,
>> non-profits and more. Risk Assessments, Vulnerability Scans, Cabling,
>> Telephone Systems, Surveillance and Access Control are all part of our
>> value added services. Visit us at www.Quanexus.com
>> <https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fquanexus.com&c=E,1,6czxhaCxN0Q-ydvLV5kfrIpxet8EYuJn60a4iMjxQ5GPqiR5R9atLPac-LQVEVi9sCxdyv4fB2eD8CTlbOAdL22AczjvT-Kb1TDyc8J7DVsCVto,&typo=1>
>> to learn more.
>>
>>
>>
>>
>>          ------------------------------
>>
>>
>> DARARepeater mailing list
>> Home: http://mailman.qth.net/mailman/listinfo/dararepeater <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmailman%2flistinfo%2fdararepeater&c=E,1,UNLrpe8vboBKS8gzg55g1gs_YtBNAV4Jjby8TemabRN1Gv5pFzTZXtyjX64x_K6rVno-cgdoM7cz-pB5vWH4WFzjXX6WeN04WzSaZf4WsGmqEt4_6EoCQl8OWY4,&typo=1>
>> Help: http://mailman.qth.net/mmfaq.htm <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmmfaq.htm&c=E,1,yzuxz_uMPl0Z3lh25-wB8NGyn_YWoMQAvttUlq7dOhtkjvPQh-tdhWSb4TGxEolyaPc9Oz90wZD7a7ycYh7RLJVTfQq6R0Wb3qE2s7gMgKFR-A0,&typo=1>
>> Post: mailto:DARARepeater at mailman.qth.net
>>
>> This list hosted by: http://www.qsl.net <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net&c=E,1,BsiRmYcc_RlpfAXBXGDTXb1NVq25Zo5D63ksJo6UI_1y28fDuqmeu6R4gDcGYm3WeYGbvWVx-dbBui3UJ7PgM0QMstCcUMGCXRg1MEMB6F7uW3M,&typo=1>
>> Please help support this email list: http://www.qsl.net/donate.html <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net%2fdonate.html&c=E,1,XsC3rrPSbQB-sDHUigu1hwlGiUoNT1eB0_NoPa8YBjhN2PC9MJ4CyR4C9_fmsRbSvVEk1fcNrH9MbiYRSETSY_dVtfljBhf3wBpPs6B0&typo=1>
>>
>> ______________________________________________________________
>> DARARepeater mailing list
>> Home: http://mailman.qth.net/mailman/listinfo/dararepeater
>> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmailman%2flistinfo%2fdararepeater&c=E,1,qVrp1lR00oHPaHv9Lk0EuW74IesuPmELzTToNFKs6XOqSS5QwjY7kQJpXouzuFxoQ7vVIZy9JEQLPi9SnAc2wfIOCpl-XVB8fcVPHOWXeiEEDCRZOB7D&typo=1>
>> Help: http://mailman.qth.net/mmfaq.htm
>> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fmailman.qth.net%2fmmfaq.htm&c=E,1,RDsNDrsTcBzDFywGZ9RdgL46RxKWImzIaBEBDZaJYzUsd5DQVuYRc5IzYqtMGpXkwVV9GFl1q5Bm_hJDN8j-qg797R3yJedlHz134ifgDA0Qs94,&typo=1>
>> Post: mailto: DARARepeater at mailman.qth.net
>>
>> This list hosted by: http://www.qsl.net
>> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net&c=E,1,APpCDBWncRMtfd6w6aTLmfsL_mj8BPFA7SQ_XJZK-nuWpnYiKjOtqNWr54k-CAsrANR6S-pz-vqLPMJk6rxPG5PEQFeGOFGskk4DzcQZM2EZERC0S9Gnecik&typo=1>
>> Please help support this email list: http://www.qsl.net/donate.html
>> <https://linkprotect.cudasvc.com/url?a=http%3a%2f%2fwww.qsl.net%2fdonate.html&c=E,1,-AJ5vOLxPAkOuWHLVNI-5kWCjWV4QvOUJOs88j_7DhI7TmMAOixzbwOl6i9phKzYitnXjTuvsX0vSdKQVy8NASeQwAZTbdH4hrr2HajOx0E,&typo=1>
>>
>> Our *Q-Stack Advantage* protects your systems and the information on
>> your systems with a layered and proven approach. Quanexus provides managed
>> Information Technology services for IT organizations, businesses,
>> non-profits and more. Risk Assessments, Vulnerability Scans, Cabling,
>> Telephone Systems, Surveillance and Access Control are all part of our
>> value added services. Visit us at www.Quanexus.com <https://quanexus.com>
>> to learn more.
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.qth.net/pipermail/dararepeater/attachments/20201014/89a032d8/attachment-0001.html>


More information about the DARARepeater mailing list