The IPv6 Security Threat in Tomato

Discussion in 'Tomato Firmware' started by GreenThumb, Apr 5, 2010.

  1. GreenThumb

    GreenThumb Addicted to LI Member

    I was reading another thread and someone asked why there was no IPv6 support, so I decided to start a new thread since I have a couple of my own questions.

    The reason there's no IPv6 support is because Tomato is using a very old Linux kernel (2.4.20) which was released in 2003. IPv6 support was added to Linux with the 2.6.12 kernel in 2005. So, as you can see, Tomato is using a kernel that is 7 years old.

    Why Tomato uses this old kernel, I don't know (I think the original Cisco firmware used this old kernel so perhaps it was easier to keep using it for legacy reasons). Maybe it is smaller than 2.6 and can be fit on these routers more easily. At any rate, the reason DD-WRT has IPv6 support is because it uses a newer (>2.6.12) Linux kernel.

    Now, the only reason I care about this is because it means Tomato cannot stop attacks on listening IPv6 services. So, IPv6 is a security threat for those of us who rely on Tomato as our only firewall. For instance, on my LAN, I have samba listening on tcp6 and ntp listening on udp6. Since Tomato cannot filter them, this means they are potentially wide-open to attack unless I run a software firewall (which I do not want to do). In fact, there was an article written a couple of years back warning of this very IPv6 threat. If you are interested in the potential issues with not having an IPv6 aware firewall, definitely read that article.

    I use Linux exclusively on all my boxes (Ubuntu in particular) and it's impossible to turn IPv6 off inside the OS without recompiling the kernel (Ubuntu used to allow you to blacklist IPv6 at boot time, but they no longer allow this for some stupid reason). I have compiled many a kernel in my day but I really don't want to do that on my production machine.

    At any rate, my question: is there a Tomato mod that is using a newer >2.6.12 kernel that is IPv6 aware?

    EDIT: After reading a bit more, it seems some sources say that Ipv6 is indeed enabled on 2.4 kernels. Can anyone verify whether this is true, at least for Tomato? Wikipedia is saying Ipv6 was "taken out of experimental mode" in 2.6.12.
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    I don't think there is an "IPv6 security threat in Tomato" at all. Sure, the firewall software isn't IPv6 aware, but neither is the routing software. So, no IPv6 traffic gets through at all. End of story.

    If you're using some sort of IPv6 over IPv4 tunnel, then you're likely opening yourself up. But, that would be true whether or not Tomato supported IPv6.

    Now, IPv6 would be nice, possibly even for security reasons (eg, easy IPSec). But, the lack of it isn't a security "threat".
  3. Toastman

    Toastman Super Moderator Staff Member Member

    And to add to this, yes - the USBmod by Teddy Bear uses kernel - you need to check out the ipv6 though, to see if it could easily be added. The source code is available on the git repository - information is on page 1 of the thread.
  4. GreenThumb

    GreenThumb Addicted to LI Member

    Well the ntp daemon I am running on Ubuntu is listening on udp6. I am not sure whether it is automatically tunneling over ipv4 or what, but netstat shows it listening (and connecting) nonetheless (since it's connecting, this must mean it is tunneling).

    I think it's stupid that these OS's are utilizing tunneled ipv6 over ipv4 services out of the box when most hardware router devices do not support any kind of filtering of this protocol.

    I guess I am just SOL here. I guess I will have to turn on IPtables on the machines on the LAN, which I don't want to do.
  5. Count0

    Count0 Addicted to LI Member

    Yes, if you run netstat, that will tell you what network services are listening ON THAT MACHINE. You will always see it running locally, even if your router doesn't forward ipv6 packets. This is the point of Sgt Pepper. You don't need to worry because IPv6 packets won't actually be forwarded by the router since the routing table can't handle them. The only exception would be if you set up a ipv6 over ipv4 tunnel. However, I don't know of a single distro that does that by default.

    Sgt Pepper was being precise and giving you the only exception to his blanket statement. You would, however, know if that exception applied, since you would be the one to set the tunnel up, not the OS during install.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice