My solar inverter doesn't allow me to change the password!!... It has both Telnet and HTTP menus, and, sadly, you can change critical data through those menus.
If you manage to get a secure connection inside someone's LAN then they are done for. I am sure that you don't have your computer set to block all LAN traffic? I am sure with a bit of work you could flash custom firmware on the SuperHubs too. So if someone breaks into your LAN then they could flash the SH with firmware, and chances are that all traffic coming from there does have permission to talk to your PC...
As we said earlier though, the "firewall" features of home routers are what give the huge protection; we will still need a device like that when we move to IPv6 (I will not trust VM's hardware to do it).
All NetGear routers (with original firmware) can easily be tampered with from the LAN side. I know the SH firmware will not deviate much, but until I find a cheap SH to tamper with I'll not try anything.... A lot of other equipment can (from the LAN) be exposed with little or no way to protect it without physically disconnecting the unit. Devices on my network that have limited settings are a Roku box, a solar inverter, two TVs and one Freeview box. I could even include my two Netgear routers in there. The key is in the gateway (router) and it will be even after the move to IPv6.
I think a /120 or /116 block would be more than enough to hand out to users.
An IPv6 block smaller than a /64 would break stateless autoconfig. I agree a /64 block is wasteful, but this is just how IPv6 has been designed, and with 2^128 addresses there really is no realistic chance of them running out. It also means that even if you do leave systems on unfiltered routable addresses, the likelihood of someone finding them within 2^64 possible addresses is fairly slim.
As for blocking LAN traffic, I don't block any traffic to my main workstation at all. No software firewall, and I also use a VPN connection to a colocated server to give myself fully routable IPv4 and IPv6 connectivity.
I don't block any traffic, because aside from SSH there are no other services open to answer any such traffic. If you were to attack this service, you would either need to find a vulnerability in the particular version of SSH that's in use, or brute force my private key.
The SuperHub is designed to be updated from the ISP end; I don't believe it is designed to be updated from the customer end, although vulnerabilities could exist. That said, vulnerabilities could also exist on such devices which are accessible from the outside, thus giving an attacker access to your internal network.
There are various ways attackers could get into your internal network...
Misconfigured wifi? (google for aircrack-ng or reaver-wps)
Reflection attacks against outbound applications such as browsers... Within an HTML page on a website it is possible to instruct a browser to fetch other resources. If you know the default internal IP of certain types of router, combined with the default password, it may be possible to bounce requests off a user's browser simply by that user visiting a site over which you have some level of control. The same could probably be done with your solar inverter too; although it would be necessary to guess the internal IP, you can narrow down the possibilities by process of elimination (e.g. the default DHCP scope, default internal ranges), and some browsers can even leak their internal IP address under certain circumstances.
Guest users may introduce trojans to your network...
You may take a device elsewhere, eg a public wifi network where it can be easily attacked, backdoored, and then take it home again.
The "protection" offered by filtering is not really protection at all, it is just hiding... If you are ever found, then it's game over. Like you said, if you get a connection to someone's LAN then they are done for.
However, if you configure your devices properly then a hostile connection to the LAN would not be game over at all.
If you have devices which cannot be configured in a secure way, then you need to chase the vendor of that device for an update, or switch to a more responsible competitor.
I also have various devices here which have non-routable IPv4s, not out of choice but because I don't have enough addresses to go round. Some of them have fully routable v6 with no filtering.
An HP printer - both the admin interface (https) and the actual print service require authentication.
An HP networked scanner - the https admin interface requires authentication, otherwise this device only makes outbound connections and has no other services listening.
Two wireless access points operating in bridging mode - they only offer https/ssh services for administration, again authenticated.
One TV - this is purely a media consumption device, it does not offer any services which accept inbound connections.
Two freesat receivers - these have an authenticated web interface from which you can schedule recording of shows, otherwise they too are consumption devices.
A NAS - this offers authenticated file shares which are accessed by the tv and freesat receivers, and an authenticated https page for management
A VOIP telephone adapter - this offers an authenticated SIP service, through which phonecalls can be made.
Two VOIP telephones - these connect to the telephone adapter, it also connects back when inbound calls are received.
I'm sure there's some other stuff I've forgotten, but I would be perfectly happy to put all this stuff on the internet, safe in the knowledge that you're very unlikely to guess my authentication details, and even if you compromised the devices via an exploit, access to one device would not give you any elevated access to any other.
Responding to ARP requests for the NAT mapped global addresses with its own MAC address is a must ..... with Basic NAT setup.
That quote is from RFC 3022 Section 6.2, which if you read the full paragraph you'll see is actually talking about the need to use proxy ARP in the case where your WAN IPs haven't been routed to you, i.e. the case I've been busy saying is a bad idea; it also highlights the fact that NAT doesn't touch MAC addresses, since if it did there wouldn't be a need to additionally use proxy ARP in that situation. (Also note that "Basic NAT" isn't the type of NAT we use; Basic NAT is when you have a public block of addresses big enough to do 1:1 address mapping with your private addresses.)
I think a /120 or /116 block would be more than enough to hand out to users.
I did go over this earlier in the thread; while a /120 has enough addresses for most people, it's not about the number of addresses. SLAAC is only specified for /64s (and the subnet size is expected to be /64 on all subnets anyway); I have multiple VLANs here, each of which needs its own /64, so I need a bigger block than just a single /64 routed to me.
And there is absolutely no problem with allocating /48s to every customer. It's no more difficult than allocating /64s to every customer, and Virgin have enough IPv6 space to do it.
Claustrophiles can simply ignore any extra space they get, while those of us that do need the extra space can't just pretend it into existence. Since there's no problem with allocating /48s from an exhaustion -- or any other -- perspective, we should do that, since it permits all use cases.
Once again I have no idea what to say to that, so I'll just repeat my previous offer: if there's anything you don't understand in my previous posts, please tell me what it is and I'll try to clarify it for you.
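The /64 point made in the two posts above (SLAAC needs a 64-bit interface identifier, so a /120 cannot host it and a multi-VLAN customer needs several /64s) can be checked with a short script. This is an added example, not code from any poster; it uses the documentation prefix 2001:db8::/32 and a constructed MAC address, and derives the identifier with modified EUI-64 as one concrete SLAAC method.

```python
import ipaddress

IID_BITS = 64  # width of the SLAAC interface identifier (RFC 4291 / RFC 4862)


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert ff:fe in the middle and flip the universal/local bit of octet 0.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Host address a node would autoconfigure from a router-advertised prefix.

    Raises ValueError for anything other than a /64: the 64-bit identifier
    cannot fit below a longer prefix, which is why a /120 breaks SLAAC.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 128 - IID_BITS:
        raise ValueError(f"SLAAC needs a /64 prefix, got /{net.prefixlen}")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac))


def slaac_subnets(delegation: str) -> int:
    """Number of SLAAC-capable /64 subnets (VLANs) a customer delegation holds."""
    net = ipaddress.IPv6Network(delegation, strict=True)
    if net.prefixlen > 128 - IID_BITS:
        return 0  # e.g. a /120: not one usable SLAAC subnet
    return 2 ** (128 - IID_BITS - net.prefixlen)


if __name__ == "__main__":
    # Constructed sample values: documentation prefix and a made-up MAC.
    print(slaac_address("2001:db8:1:2::/64", "00:11:22:33:44:55"))
    for block in ("2001:db8::/48", "2001:db8::/56", "2001:db8::/64", "2001:db8::/120"):
        print(f"{block}: {slaac_subnets(block)} SLAAC subnet(s)")
```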
I just wonder what's going to happen to Virgin Media broadband users when a web site appears on the Internet which has _no_ IPv4 address, because there simply is no IPv4 address available to give to the creators of that web site.
It is at that point that we will all need our own IPv6 address.
It seems to me that Virgin have either chosen not to address (sorry about the pun) that future requirement, or don't know how to address it.