Protecting against rogue routers, DHCP(v6) servers, etc


Recently, I've been trying to dive more into IPv6 security issues and started wondering if and how OpenWrt/LEDE mitigates risks exposed by rogue routers, DHCP(v6) servers on the WAN link.

Does OpenWrt/LEDE implement any hardening with regards to these risks or is it assumed that measures are taken by the ISP to ensure such packets are not forwarded to customer endpoints? (I don't know if the latter is even possible on shared media such as cable networks...)



If I recall correctly, the default firewall limits DHCPv6 to specific source IP. That should protect you from rogue sources outside of your ISP's link:

Line 56:

# Allow DHCPv6 replies
option name		Allow-DHCPv6
option src		wan
option proto		udp
option src_ip		fc00::/6
option dest_ip		fc00::/6
option dest_port	546
option family		ipv6
option target		ACCEPT

If I recall correctly, the default firewall limits DHCPv6 to specific source IP.

It doesn't limit to a specific source IP but to a prefix, fc00::/6.

I believe that falls under the unique local address on v6 space (private IP so to speak). Hence it's only between the LEDE router and the immediate ISP (link).

LEDE has to trust a limited source that will serve DHCPv6 on WAN. I suppose that prefix is large enough to ensure that it works within the immediate local link; and not rogue packets outside of it.

First of all, fc00::/6 includes more than just ULA addresses; it also includes link-local addresses and multicast addresses. The problem here is, can you be sure that only packets from your ISP arrive at your router? In general, local addresses can be used by hosts on the same network segment. So, unless the ISP has some sort of link isolation between customer connections in place, customers of the same ISP on the same network segment might reach each other with these addresses. My question here is twofold: a) How can you ensure this on a shared medium such as cable networks? If someone manipulates their cable modem they could send packets to other customers and the ISP couldn't prevent this. But even with direct subscriber lines, do ISPs actually isolate links or take measures to prevent such scenarios? I honestly don't know. That's why I'm asking.

But more importantly, my question was not supposed to focus on DHCPv6 only. There are plenty of risks that arise from the fact that many of the mechanisms used to autoconfigure or assign address and routing information work without authentication. Just to name a few:

  • fake router advertisements
  • fake duplicate address detection responses
  • fake neighbor discovery messages
  • fake DHCP or DHCPv6 announcements
  • ICMP redirect messages
  • ...

I'm wondering how OpenWrt protects against these types of attacks. Is it even possible to do this at the customer endpoint or is it assumed that the ISP implements measures to minimize potential risks?
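To make the point about the Allow-DHCPv6 rule concrete, here is an added example (written for this page, not OpenWrt/LEDE code) that parses the quoted rule in its UCI form and evaluates it against a few constructed DHCPv6 reply packets, showing which source address blocks fc00::/6 actually admits. It also includes a hypothetical tightened rule limited to fe80::/10; that rule, the packet samples and the assumption that the ISP's DHCPv6 server or relay replies from a link-local address are all assumptions of this example, not OpenWrt defaults.

```python
import ipaddress

# Constructed input: the "Allow-DHCPv6" rule quoted from the default firewall config,
# followed by a HYPOTHETICAL tightened rule (an assumption for this example, not an
# OpenWrt/LEDE default) that only admits link-local sources and destinations.
RULES_TEXT = """
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option src_ip		fc00::/6
	option dest_ip		fc00::/6
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-DHCPv6-linklocal
	option src		wan
	option proto		udp
	option src_ip		fe80::/10
	option dest_ip		fe80::/10
	option dest_port	546
	option family		ipv6
	option target		ACCEPT
"""


def parse_uci_rules(text):
    """Parse 'config rule' stanzas with 'option key value' lines into dicts."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) >= 2 and parts[0] == "config" and parts[1] == "rule":
            rules.append({})
        elif len(parts) >= 3 and parts[0] == "option" and rules:
            rules[-1][parts[1]] = parts[2]
    return rules


def classify(addr):
    """Name the IPv6 block an address belongs to; fc00::/6 spans the first three."""
    a = ipaddress.IPv6Address(addr)
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "ULA"
    if a in ipaddress.IPv6Network("fe80::/10"):
        return "link-local"
    if a in ipaddress.IPv6Network("ff00::/8"):
        return "multicast"
    return "global"


def rule_matches(rule, pkt):
    """True if every matcher the rule sets (zone, family, proto, port, prefixes) agrees."""
    if rule.get("src") != pkt["zone"]:
        return False
    if rule.get("family", "any") not in ("any", "ipv6"):
        return False
    if rule.get("proto") != pkt["proto"]:
        return False
    if "dest_port" in rule and int(rule["dest_port"]) != pkt["dport"]:
        return False
    for key, field in (("src_ip", "src"), ("dest_ip", "dst")):
        if key in rule:
            net = ipaddress.IPv6Network(rule[key], strict=False)
            if ipaddress.IPv6Address(pkt[field]) not in net:
                return False
    return True


def verdicts(rules, pkt):
    """Map each rule name to its target if it matches, else 'no match'."""
    return {r["name"]: (r["target"] if rule_matches(r, pkt) else "no match")
            for r in rules}


# Constructed DHCPv6 replies arriving on wan; the router's own WAN link-local is fe80::2.
PACKETS = [
    {"zone": "wan", "proto": "udp", "dport": 546, "src": "fe80::1", "dst": "fe80::2"},
    {"zone": "wan", "proto": "udp", "dport": 546, "src": "fd12:3456::1", "dst": "fe80::2"},
    {"zone": "wan", "proto": "udp", "dport": 546, "src": "2001:db8::1", "dst": "fe80::2"},
    {"zone": "wan", "proto": "udp", "dport": 547, "src": "fe80::1", "dst": "fe80::2"},
]


def evaluate():
    """Return, per packet, the source address class and each rule's verdict."""
    rules = parse_uci_rules(RULES_TEXT)
    return [{"src_class": classify(p["src"]), **verdicts(rules, p)} for p in PACKETS]


if __name__ == "__main__":
    for pkt, result in zip(PACKETS, evaluate()):
        print(pkt["src"], "->", pkt["dst"], "port", pkt["dport"], result)
```

The second packet is the interesting one: a reply from a ULA source (fd12:3456::1) is accepted by the default rule because fc00::/6 covers ULA, link-local and multicast alike, while the tightened rule rejects it. Before deploying anything like the tightened rule, check with tcpdump on the WAN interface what source address your ISP's DHCPv6 server or relay actually uses; if it replies from a ULA or global address, fe80::/10 would break WAN address assignment.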

I'm not 100% sure but I don't think this is correct. Or at least it's a pretty remote possibility. I think DOCSIS does some sort of time division multiplexing, and so other modems won't be listening during rogue modem timeslots. DOCSIS is I think always talking modem to head end ISP equipment, never modem to modem directly... But as I say I'm not an expert here.
