Part 01  IPv6 Address Availability 

After the device obtains the IPv6 global unicast address, it can theoretically realize two-way end-to-end communication between the device and the business server. We use a laptop to access the home broadband network, and after assigning and verifying the IPv6 address , we find that its public network connectivity is Unreachable state, what is the reason?

bogon:~ root$ telnet 2409:8a28:ec3:51f0:2a12:93ff:fe68:fee5
Trying 2409:8a28:ec3:51f0:2a12:93ff:fe68:fee5...
telnet: connect to address
2409:8a28:ec3:51f0:2a12:93ff:fe68:fee5: Network is unreachable
1.
2.
3.
4.

It turns out that in consideration of the security risks after the IPv6 address is exposed, the operator put forward the requirements for port authority minimization and attack prevention functions in the smart gateway standard. When the gateway leaves the factory, the manufacturer will preset a specific firewall policy in the gateway. Due to the existence of network policies, the actual availability of IPv6 addresses in the home broadband network is very poor, and the direct downlink forwarding traffic is basically intercepted or discarded by the gateway. In order to use IPv6 addresses safely and effectively, a network policy combined with a whitelist mechanism may be a good choice.

Figure 1 "Technical Specifications for China Mobile Smart Home Gateway" - Port Authority Minimization

Figure 2 "Technical Specifications for China Mobile Smart Home Gateway" - Anti-Attack Function

Part 02 IPv6 session firewall 

For IPv6 end-to-end communication, due to network policy, the downlink traffic from the server to the terminal device is blocked.

After analyzing the intelligent gateway, it is found that the above-mentioned interception capability can be called IPv6 session firewall. The firewall function is implemented based on iptables. In the iptables forwarding chain of the gateway, there is a FORWARD_FIREWALL sub-chain, which is used to store and control the forwarding session firewall policy.

Firewall policy FORWARD:

Chain FORWARD (policy ACCEPT 107 packets, 14852 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     138K   34M SKIPLOG    all      *      *       ::/0                 ::/0                 mark match ! 0x4000000/0x4000000
2     3547  290K TCPMSS     tcp      *      ppp0    ::/0                 ::/0                 tcp flags:0x06/0x02 tcpmss match 1300:65535 TCPMSS set 1380
3     3176  235K TCPMSS     tcp      ppp0   *       ::/0                 ::/0                 tcp flags:0x06/0x02 tcpmss match 1300:65535 TCPMSS set 1380
4    73122   11M FORWARD_ALG  all      *      !br+    ::/0                 ::/0                
5     146K   36M JNI_FILTER  all      *      *       ::/0                 ::/0                
6    72710   25M IP_FILTER_IN  all      !br+   *       ::/0                 ::/0                
7    73122   11M IP_FILTER_OUT  all      br+    *       ::/0                 ::/0                
8    73122   11M PARCTL_MAC  all      br+    *       ::/0                 ::/0                
9    73122   11M URL_FILTER  all      br+    *       ::/0                 ::/0                
10   73122   11M MAC_FILTER  all      br+    *       ::/0                 ::/0                
11    146K   36M FORWARD_FIREWALL  all      *      *       ::/0                 ::/0
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.

(1) When closed, the firewall policy is empty,

Chain FORWARD_FIREWALL (1 references)
pkts bytes target prot opt in out source destination
1.
2.

(2) After the ipv6 session firewall is enabled, two new strategies are added to the Forward chain strategy:

Chain FORWARD_FIREWALL (1 references)
pkts bytes target prot opt in out source destination 
252 26905 ACCEPT all br+ * ::/0 ::/0 
234 72274 ACCEPT all * br+ ::/0 ::/0 ctstate RELATED,ESTABLISHED
1.
2.
3.
4.

These two strategies are the core of implementing IPv6 Session Firewall, which is implemented based on iptables state tracking. The forwarding control capabilities realized by them are as follows:

(1) Receive traffic from any NIC starting with br to other NICs (uplink);

(2) To receive traffic from the network card to any network card starting with br, the status of the traffic must be that a two-way connection has been established or a derivative connection (downlink) of the connection.

To put it simply, all external accesses from terminal devices are allowed. When an external server accesses a terminal device, if no connection has been established before, it will be blocked directly, otherwise it will be allowed. For specific status information, refer to the following concepts:

- Concept analysis

(1) iptables status tracking

After the kernel version of Linux2.6.15, iptables began to support state tracking (conntrack), which depends on the kernel module nf_conntrack of netfilter. After that, iptables can perform secondary filtering interception and status tracking according to the status of the packet. It is also the main dependent module of state/ctstate and nat.

conntrack stores the state information of the data flow in the memory in the form of a Hash table, including quintuple information and timeout time. The state tracking mentioned here does not refer to the tracking of the connection state in the state protocol (such as TCP), but the state tracking unique to conntrack that has nothing to do with the network transmission protocol.

(2) five states of conntrack

Conntrack can mark five states for the connection, which are as follows:

➟ NEW: A data packet for a new connection request, and the data packet is not associated with any existing connection. The basis for judging is that conntrack currently "only sees data packets in one direction (UNREPLIED)", and there is no return packet.

➟ ESTABLISHED: The connection is the return packet of a connection in the NEW state, that is, the two-way association of the connection is completed.

➟ RELATED: Match those network connections that belong to the special protocol defined by the helper module, and the connection belongs to the derived connection of an existing ESTABLISHED connection. In short, the A connection is already ESTABLISHED, and if the B connection is related to the A connection, then the B connection is RELATED. It doesn’t matter if you don’t understand this part, and it’s hard to explain it clearly in one sentence. Later chapters will use a lot of pen and ink to clarify it.

➟ INVALID: Matches packets that are unrecognized or have no status. This may be due to insufficient system memory or receiving ICMP error messages that do not belong to any known connections, that is, garbage packets. Generally, we will DROP packets in this state.

➟ UNTRACKED: This is a special state, or not a state. It is the state after the administrator sets the NOTRACK rule for the connection in the raw table. In doing so, it is convenient to improve packet filtering efficiency and reduce load.

conntrack is a state tracking and recording mechanism, which cannot filter data packets by itself, but only provides the basis for packet filtering. Stateful is a kind of filtering basis, and stateless is actually a kind of filtering basis.

Part 03 IPv6 Whitelist Mechanism 

The IPv6 Session Firewall realizes forwarding protection through two strategies, so whether it is possible to implement a whitelist mechanism on this basis, the answer is yes, using the whitelist mechanism will limit the sender and receiver at both ends of the channel, while maintaining the original Some network policies are enabled and meet the standards of smart gateways.

iptables can implement the whitelist mechanism through policy addition, add the IPv6 address that is allowed to initiate downlink requests to the forwarding policy of the smart gateway, and filter the data packets of the downlink source IP address according to the address and release them. After testing, after opening the ipv6 session firewall and adding a specific whitelist, the terminal device can support the downlink access of the ipv6 address. Taking 6.ipw.cn as an example, our new strategy is as follows:

ip6tables -t filter -I FORWARD -s 6.ipw.cn -j ACCEPT 
ip6tables -t filter -I FORWARD -d 6.ipw.cn -j ACCEPT
1.
2.

List of newly added iptables policies.

Chain FORWARD (policy DROP 3 packets, 246 bytes)
pkts bytes target     prot opt in     out     source               destination 
7  1833 ACCEPT     all      *      *       ::/0                 2409:8928:e20:84fe:a11b:b839:66ae:84a7 
101  7226 ACCEPT     all      *      *       2409:8928:e20:84fe:a11b:b839:66ae:84a7  ::/0
1.
2.
3.
4.

The result of obtaining the ipv6 address from the external network, that is, the device IPv6 address can be accessed by 6.ipw.cn.

curl 6.ipw.cn
2409:8a28:efb:b8a6:d1b6:9c3b:2f2e:c3ee
1.
2.

The above results indicate that the IPv6 address can be accessed by the public network, indicating that the whitelist mechanism is theoretically feasible.

Part 04 Summary 

Starting from the actual home network environment, this paper analyzes the actual availability and security analysis of IPv6 devices in the home broadband network, and tries a whitelist-based IPv6 address usage method, which can ensure that the address can be accessed from the public network under the premise of opening the firewall. However, from the perspective of the overall home network, there is currently a lack of overall security discovery and analysis capabilities. Especially in the case of IPv6 opening, the support and analysis capabilities of the original security analysis equipment need to be adapted and improved. In the next article, let's talk about how to provide a security monitoring capability for home networks.