this post was submitted on 16 Aug 2024
695 points (98.9% liked)

Technology

60101 readers
1846 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 2 years ago
MODERATORS
 

archive

If you have the August 13, 2024—KB5041580 update. You're good.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 1 points 4 months ago (1 children)

so back to the beginning of this thread: ipv6 in home lans is likely to be unsafe due to the defaults in some/many/most routers? and those ipv6 devices can in these szenarios escalate their permissions be spawning new ip adresses that would overcome lazy output fw rules?

thanks for all the explaining here so far!

or if i upload a malicious apk to some smartTV and have a it spawn a dhvpv6 server and then spawn a new virtual device that would be given an IP by my fake dhcpv6 to bypass. and we all can use macaddresschanger.

so you say with macfiltering the router would still prevent unwanted direct connections between my c&c server and some malicious virtual device? that'd be cool, but i dont understand how.

[–] [email protected] 4 points 4 months ago (1 children)

ipv6 in home lans is likely to be unsafe due to the defaults in some/many/most routers?

no

and those ipv6 devices can in these szenarios escalate their permissions be spawning new ip adresses

yes and this is not "escalating their permissions", it is in fact the expected behavior with Privacy Extensions (RFC 4941) where devices will probably have multiple addresses at the same time that are used for outgoing connections

that would overcome lazy output fw rules?

any router that doesn't have deny as the default rule for WAN->LAN traffic (probably not many) is trash, and if you're filtering LAN->WAN traffic (not really usual for a home network) then you want default deny there too, but at that point that is not an ipv6 problem

or if i upload a malicious apk to some smartTV and have a it spawn a dhvpv6 server and then spawn a new virtual device that would be given an IP by my fake dhcpv6 to bypass. and we all can use macaddresschanger.

rogue dhcp is not an ipv6 exclusive problem

so you say with macfiltering the router would still prevent unwanted direct connections between my c&c server and some malicious virtual device? that’d be cool, but i dont understand how.

yes, firewall rules can work based on mac addresses, not sure exactly what you mean

[–] [email protected] 1 points 4 months ago

ok. cool.that was really helpfull.