On Saturday 10 September 2016 21:03:18 Lew Wolfgang wrote:
On 09/10/2016 10:01 AM, James Knott wrote:
On 09/10/2016 12:46 PM, Lew Wolfgang wrote:
So, what is the threat to a home IPv6 user who has WiFi and an Internet of Things with minimal/non-existent security? I personally feel safer behind a nice natted IPv4 firewall with ACL rules between my copper and WiFi subnets. I just feel that I have more control of the situation with a simpler network.
First off, use Wireshark to determine the MAC address of the device sending out those RAs. Once you've found that computer, you can configure it properly (or toss it out the Windows <g>).
Also, forget about NAT as a firewall. You should be relying only on a properly configured stateful firewall for both IPv4 and IPv6. You can have firewalls on both the router and hosts.
Yes, but I'm not getting paid to police my customer's network looking for knuckleheads. Then there's the bad actor problem that might be harder to discover.
Yes, I use a good stateful firewall (ZyXel) and am not using NAT as the firewall. I've got specific ACLs between WAN/LAN and between subnets on the LAN side. Further, I've got a separate WiFi router with separate SSIDs for authorized access and IoT devices.
WiFi connections, especially from IoT devices, are almost by default insecure. What prevents a bad actor from hacking into my wireless network and installing a rogue IPv6 router? My routing tables are cast in concrete with IPv4 and MITMs are very unlikely.
Basically, can IPv6 router discovery be turned off? Nothing makes me happier than a nice static route!
echo 0 > /proc/sys/net/ipv6/conf/eth0/accept_ra

But I don't think it makes sense to accept the prefix but not the router.
Regards, Lew
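An added example, not part of the original thread: a shell audit that lists which interfaces would still act on a Router Advertisement, and whether they would take the default router (accept_ra_defrtr) and the prefix (accept_ra_pinfo) from it, using the Linux sysctl files next to the accept_ra knob mentioned above. The CONF_ROOT override and the function names are assumptions introduced here so the logic can be run against a constructed directory tree.

```shell
#!/bin/sh
# Audit which interfaces will act on IPv6 Router Advertisements.
# CONF_ROOT is an override added for this example (not a kernel setting).
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv6/conf}"

# read_knob <iface> <knob> <default>: print the knob value, or the default
# if the file is missing or unreadable.
read_knob() {
    f="$CONF_ROOT/$1/$2"
    if [ -r "$f" ]; then cat "$f"; else printf '%s\n' "$3"; fi
}

# ra_state <iface>: print "accepts" or "ignores".
# Kernel semantics: accept_ra=0 never accepts; 1 accepts only while
# forwarding is disabled; 2 accepts even with forwarding enabled.
ra_state() {
    ra=$(read_knob "$1" accept_ra 1)
    fwd=$(read_knob "$1" forwarding 0)
    case "$ra" in
        0) echo ignores ;;
        1) if [ "$fwd" = 0 ]; then echo accepts; else echo ignores; fi ;;
        *) echo accepts ;;
    esac
}

# audit_ra: one line per interface that would accept an RA, showing whether
# it would install the default router and/or the advertised prefix.
audit_ra() {
    for d in "$CONF_ROOT"/*/; do
        [ -d "$d" ] || continue
        ifc=$(basename "$d")
        # "all" and "default" are templates, not real interfaces.
        case "$ifc" in all|default) continue ;; esac
        [ "$(ra_state "$ifc")" = accepts ] || continue
        printf '%s defrtr=%s pinfo=%s\n' "$ifc" \
            "$(read_knob "$ifc" accept_ra_defrtr 1)" \
            "$(read_knob "$ifc" accept_ra_pinfo 1)"
    done
}

audit_ra
```

An interface that shows up with defrtr=0 pinfo=1 is in the state the reply questions: it takes the prefix but not the router.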