[ipv6hackers] DHCPv6-PD , TR069 and local network security

Marc Heuse mh at mh-sec.de
Tue Sep 3 15:47:55 CEST 2013 

How about running your filter box as a transparent bridge with packet
filter rules between the router and your internal network?
Linux can do that.

And: most DSL routers, also those from the a provider, have a packet
capture interface possibility.
(find these with a search engines, people post the info on forums)
Use this and reconnect to the Internet, it shows the necessary
credentials in the packet dump - and off you go deploying your own
router without TR069 :-)

Greets,
Marc

-- 
Marc Heuse
www.mh-sec.de

PGP: FEDD 5B50 C087 F8DF 5CB9  876F 7FDD E533 BF4F 891A


On 02.09.2013 14:01, Schmoll, Carsten wrote:
> Dear IPv6 experts,
>
> I am wondering if there already exists a standard-based solution for the following situation:
>
> Assume you are a security-aware DSL customer who can get IPv6 Internet access,
> but your provider only sells it to you together with one of its own CPE routers...
>
> (in Germany we call it "Routerzwang", and there is a strong debate around the question,
> where the provider network ends and where the customer LAN begins. In this case you
> will usually not get any PPPoE "call-in" data, since they are stored in a hidden way in the
> provided CPE)
>
> This approach also opens the way to provider-managed CPE by means of TR069.
> The latter basically means that an admin of the provider can do many things on your local CPE,
> among other things: possibly have a look at your local LAN - which you may want to prohibit.
> The setup also usually comes together with the use of DHCPv6-PrefixDelegation.
>
> Now, if I could just dump that provider for another one that allows me to connect my own CPE router, okay...
> If not, then I can imagine running another router (or at least packet filter) between the CPE and my end systems,
> just like https://tools.ietf.org/html/rfc3633#section-5.1 , but with another "box" in between CPE and the PCs.
>
> To my knowledge, such "extended case" is not envisioned in the DHCPv6-PD use case. Correct?
> So, how could I still get my end systems configured with global IPv6 addresses from the delegated prefix space?
> (no, I don't want to use a web proxy and ULAs internally - that's like cheating around the problem ;)
>
> Best regards
> Carsten
>
> --
> "With great power comes great responsibility! What power, you ask?  UNIX root privileges."
>
> Carsten Schmoll
> Dipl.-Ing.
> Tel: +49 (0) 30 3463-7136
> Fax: +49 (0) 30 3463-997136
>
> Fraunhofer FOKUS
> Public IT / Öffentliche IT (ÖFIT)
> Kaiserin-Augusta-Allee 31
> D-10589 Berlin, Germany
> www.fokus.fraunhofer.de
>
> _______________________________________________
> Ipv6hackers mailing list
> Ipv6hackers at lists.si6networks.com
> http://lists.si6networks.com/listinfo/ipv6hackers
>

More information about the Ipv6hackers mailing list