
NATting Else Matters: Evaluating IPv6 Access Control Policies in Residential Networks

  • Conference paper
Passive and Active Measurement (PAM 2021)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 12671)


Abstract

Customer edge routers are the primary mode of connection to the Internet for a large portion of non-commercial users. As these consumer networks migrate from IPv4 to IPv6, stateful firewalls are needed to protect devices in the home. However, policy details crucial to the implementation of these inbound access controls are left to the discretion of the device manufacturers. In this paper, we survey ten customer edge routers to evaluate how manufacturers implement firewalls and user controls in IPv6. The result is a systemic, demonstrable failure among all parties to agree upon, implement, and communicate consistent security policies. We conclude with future research directions and recommendations for all parties to address these systemic failures and provide a consistent model for home security.


Notes

  1. Responsible Disclosure: Given the severity of enabling IPv6 support by default and a default-permit posture, we disclosed our findings to both Motorola and TP-Link in August 2020. In November 2020, Motorola issued a public patch to correct the issue. TP-Link did not respond to our disclosure.



Correspondence to Karl Olson, Jack Wampler, Fan Shen or Nolen Scaife.


7 Appendix

Fig. 3. Firewall ingress policies (TCP) – We use Nmap to scan the most common 1000 TCP ports on an internal host from an external vantage point. For each packet the host receives, we mark the associated port GREY. Conversely, if the firewall drops the packet or the packet fails to reach the host due to network failure, the associated port is marked BLACK. For routers that have an optional firewall, we include a scan in both states, indicated by FW or NoFW.


© 2021 Springer Nature Switzerland AG


Olson, K., Wampler, J., Shen, F., Scaife, N. (2021). NATting Else Matters: Evaluating IPv6 Access Control Policies in Residential Networks. In: Hohlfeld, O., Lutu, A., Levin, D. (eds) Passive and Active Measurement. PAM 2021. Lecture Notes in Computer Science, vol 12671. Springer, Cham. https://doi.org/10.1007/978-3-030-72582-2_22


  • DOI: https://doi.org/10.1007/978-3-030-72582-2_22


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-72581-5

  • Online ISBN: 978-3-030-72582-2

  • eBook Packages: Computer Science (R0)
