On Sun, 28 Mar 2010, Konrad Rosenbaum wrote:
> On Wednesday 24 March 2010, Mohacsi Janos wrote:
> > > Your NAS should run link-local or ULA if you don't want it to reach the outside world.
> >
> > How to configure the NAS for such a setup? If I use SLAAC, do I have to prevent RAs with a global prefix from arriving at the NAS? Do I have to filter on the NAS? But what about the ULA? Do I get a ULA via SLAAC? This requires a pretty complex setup.
>
> If I built the NAS I would let it operate as usual, but add a few simple packet filter rules to the rudimentary firewall inside the device: allow absolutely everything out; allow everything in that targets me at fe80::/10; allow everything in that targets me at fc00::/7 if it comes from a locally advertised network; do not allow anything else in.
This does not prevent the NAS and clients from picking up global addresses. The current RFC 3484 does not cope properly with ULA addresses, so there is some risk of a non-working setup with such filtering on the NAS: the nas-client and nas-server both have ULA and global IPv6 addresses. If the nas-client wants to use the global address to reach the nas-server, it will fail.
> I don't really see an incentive for device engineers to put proper security into "dumb" devices if there is no spec - they are used to letting the "magic of NAT" take care of this.
There is a user expectation: my devices were protected by IPv4 NAT/CPE, so something similar should happen with IPv6....
However, I am not in favor of firewalls....

Best Regards,
Janos Mohacsi
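The filter rules Konrad proposes, and the RFC 3484 address-selection objection raised against them, can be modelled in a few lines. The following is an added example written for this page, not code from either poster or from any NAS firmware; the NAS addresses, the advertised prefixes and the client addresses are constructed placeholders (2001:db8::/32 is the documentation prefix), and `inbound_verdict` and `reachable_pairs` are names chosen here.

```python
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ULA = ipaddress.IPv6Network("fc00::/7")

# Constructed sample configuration (placeholders, not real addresses):
# the NAS's own addresses and the prefixes it has learned from local RAs.
# With SLAAC and a router advertising both a ULA and a global prefix, the
# NAS ends up with all three kinds of address, as the thread describes.
NAS_ADDRESSES = {
    ipaddress.IPv6Address("fe80::1"),            # link-local
    ipaddress.IPv6Address("fd12:3456:789a::1"),  # ULA, from a local RA
    ipaddress.IPv6Address("2001:db8:1::1"),      # global, from the same RA
}
LOCALLY_ADVERTISED = [
    ipaddress.IPv6Network("fd12:3456:789a::/64"),
    ipaddress.IPv6Network("2001:db8:1::/64"),
]


def inbound_verdict(src, dst, nas_addresses=NAS_ADDRESSES,
                    local_prefixes=LOCALLY_ADVERTISED):
    """Apply the proposed inbound policy to one packet: 'allow' or 'drop'.

    Rules, evaluated in order:
      1. targets me at fe80::/10                                -> allow
      2. targets me at fc00::/7 from a locally advertised prefix -> allow
      3. anything else                                          -> drop
    Outbound traffic is not filtered ("allow absolutely everything out").
    """
    src = ipaddress.IPv6Address(src)
    dst = ipaddress.IPv6Address(dst)
    if dst not in nas_addresses:      # "targets me": must be one of my addresses
        return "drop"
    if dst in LINK_LOCAL:
        return "allow"
    if dst in ULA and any(src in prefix for prefix in local_prefixes):
        return "allow"
    return "drop"


def reachable_pairs(client_addresses, nas_addresses=NAS_ADDRESSES):
    """Evaluate every (client source, NAS destination) pair a client might pick.

    This is the RFC 3484 concern from the reply: on a client that has both a
    ULA and a global address, address selection may choose the global pair,
    and then the filter drops the connection although both hosts share a LAN.
    """
    verdicts = {}
    for src in client_addresses:
        for dst in sorted(nas_addresses):
            verdicts[(str(src), str(dst))] = inbound_verdict(src, dst, nas_addresses)
    return verdicts


if __name__ == "__main__":
    # Constructed client on the same LAN, also dual-addressed by SLAAC.
    client = ["fe80::abcd", "fd12:3456:789a::42", "2001:db8:1::42"]
    for (src, dst), verdict in reachable_pairs(client).items():
        print(f"{src:>20} -> {dst:<20} {verdict}")
```

Running it shows exactly the split the thread argues about: link-local to link-local and ULA to ULA are allowed, a global-to-global connection from the very same client is dropped, and a global source from outside the advertised prefixes cannot reach the NAS's ULA either. Whether a given client ends up on the global pair depends on its source and destination address selection, which is the RFC 3484 behaviour Janos points at; RFC 6724, which later obsoleted RFC 3484, added an explicit fc00::/7 entry to the default policy table for this reason.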