• r00ty@kbin.life
    link
    fedilink
    arrow-up
    16
    ·
    3 months ago

    I’ve not read the CVE but assuming it works on any IPv6 address including the privacy extensions addresses, it’s a problem. Depending on what most routers do in terms of IPv6 firewalling.

    My opinion is, IPv6 firewalls should, by default, offer similar levels of security to NAT. That is, no unsolicited incoming connections but allow outgoing ones freely.

    In my experience, it’s a bit hit-and-miss whether they do or not.

    Now, if this works on privacy extension addresses, it’s a problem because the IPv6 address could be harvested from outgoing connections and then attacked. If not, then scanning the IPv6 space is extremely hard and by default addresses are assigned randomly inside the /64 most people have assigned by their ISP means that the address space just within your own LAN is huge to scan.

    If it doesn’t work on privacy extension IPs, I would say the risk is very low, since the main IPv6 address is generally not exposed and would be very hard to find by chance.

    Here’s the big caveat, though. If these packets can be crafted as part of a response to an active outgoing TCP circuit/session. Then all bets are off. Because a popular web server could be hacked, adjusted to insert these packets on existing circuits/sessions in the normal response from the web server. Meaning, this could be exploited simply by visiting a website.

    • Toribor@corndog.social
      link
      fedilink
      English
      arrow-up
      10
      ·
      3 months ago

      IPv6 firewalls should, by default, offer similar levels of security to NAT

      I think you’re probably right. We had decades of security experts saying that NAT is not a firewall and everyone on the planet treated it like one anyway. Now we’re overexposed for a no-NAT IPV6 internet.

    • LaggyKar
      link
      fedilink
      English
      arrow-up
      2
      ·
      3 months ago

      Harvesting IP addresses shouldn’t be a problem, since the firewall shouldn’t allow packets from a peer you haven’t talked to first. But true, if you can be attacked in response by a server you’re connecting to that would be bad.

    • LarmyOfLone@lemm.ee
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      1
      ·
      3 months ago

      What about torrenting through a VPN with IPv6? Would that make you vulnerable to this exploit?

      • r00ty@kbin.life
        link
        fedilink
        arrow-up
        3
        ·
        3 months ago

        I think it depends on all the caveats I mentioned. If it could have worked with an outgoing connection, then someone with a bad client could execute it for sure. The VPN wouldn’t protect you.