IPv6 'upnp' pin holes

kevindb

An observation on IPv6 operation. In order to provide some network services to the wider internet it is necessary to put pin holes in the IPv6 firewall such that certain ports are forwarded to the correct LAN machine & port. Traditionally this has been done via a upnp type mechanism which also set up the necessary port/address translation for IPv4. A similar mechanism should also work for IPv6 but so far it looks like Asuswrt doesn't work/support this. It looks like miniupnpd should do this, but it's not compiled with IPv6 support.

Thoughts/ideas on this and who to contact at Asus to get this implemented. I'd argue that without this functionality then IPv6 support is incomplete. Or does the firewall not exist in the official Asus firmware?
 
The firewall is there in the stock firmware too.

I've never been able to get IPv6 support to compile properly with miniupnpd. As for Asus, they'd need to upgrade miniupnpd first, as they are still using an old version.
 
Neither have I (various kernel headers appear to be missing), so I'm sort of encouraged that you've not succeeded yet :) I'll log a support call with Asus.
 
IPv6 and UPnP? It doesn't make too much sense; in IPv6 each device has its own routable public IP. Any applications/devices designed for IPv6 will probably assume that they can select any port for incoming connections. UPnP was designed because of the NAT issues; in IPv6 NAT is not used.
 
Whilst every device will have a globally routable public IP you're assuming that there's no firewall implemented on the border gateway device, that also implies each local device has a suitable IPv6 firewall. Upnp even in IPv4 land solves the problem of allowing external access to internal servers, also almost as a side effect it solves the problem of NAT/PAT as implemented on the domestic router.

upnp or some sort of firewall control for IPv6 makes an awful lot of sense. See here http://miniupnp.tuxfamily.org/forum/viewtopic.php?t=1142
Also http://upnp.org/specs/gw/igd2/
 
It can be used as firewall control in theory, but I really doubt it will become a standard anytime soon. IPv6 was designed to have us get rid of any nuisances like UPnP and NAT; introducing something like this now seems just redundant. I understand that you are seeing it from a security standpoint, but since things are moving towards the so-called "internet of things", I doubt any non-PC devices will ever support this, and that includes mobile phones, tablets, wearables. So far, a handful of cellphones support anything other than SLAAC IPv6 configuration; I only came across one that supported DHCPv6. As usual, it's a tradeoff between simplicity versus security, and security is on the losing side currently.
 
It'll be interesting to see how this plays out. But stuff that used to 'just work' in IPv4 land because of upnp punching pin holes in NAT is going to stop in IPv6. I've just been bitten by this in trying to get a torrent application to speak IPv6 - the IPv6 bit works, the punching through firewalls doesn't. The IGDv2 spec is a few years old now, it's about time some IGD manufacturers stepped up to the plate and considered it in their products.

http://arstechnica.com/gadgets/2007/05/ipv6-firewall-mixed-blessing/1/
 
Yeah, I agree to that, IPv6 has enough addresses for all etc but no standard was planned with regards to a central firewalling point. The routers the ISPs that have native IPv6 here give have no IPv6 firewall whatsoever, they just pass along the IPv6 prefix and that's it, each device is on its own for security.
 
IPv6 and UPnP? It doesn't make too much sense; in IPv6 each device has its own routable public IP. Any applications/devices designed for IPv6 will probably assume that they can select any port for incoming connections. UPnP was designed because of the NAT issues; in IPv6 NAT is not used.

In addition to UPNP, miniupnpd also supports PCP. That protocol (which was intended as a successor to UPNP) also supports IPv6 pinholing.
 
I logged a support call with Asus and got a reply from Patrick at Asus UK. The enhancement request has been forwarded to "HQ Wireless department to see if our engineers can implement a fix in the next firmware update."

It would be great if Asus can sort this. I'm impressed with the speed and positivity of support. Would be good for them too, they can say 'Supports IGDv2' which I think is important for latest Xbox One and the brave new IPv6 world.
 
It will be tough though since it breaks on the kernel headers. Who knows though, we can always hope.
 
Neither have I (various kernel headers appear to be missing), so I'm sort of encouraged that you've not succeeded yet :) I'll log a support call with Asus.

The first thing missing is the libip6tc library. That can easily be resolved:

Code:
diff --git a/release/src/router/miniupnpd/Makefile.merlin b/release/src/router/miniupnpd/Makefile.merlin
index e2414cc..d6fcfb5 100644
--- a/release/src/router/miniupnpd/Makefile.merlin
+++ b/release/src/router/miniupnpd/Makefile.merlin
@@ -71,8 +71,14 @@ ifeq ($(TEST), 1)
CFLAGS := $(CFLAGS) -DIPTABLES_143
# the following sucks, but works
LIBS = $(IPTABLESPATH)/libiptc/.libs/libip4tc.o
+ifeq ($(RTCONFIG_IPV6), y)
+LIBS += $(IPTABLESPATH)/libiptc/.libs/libip6tc.o
+endif
else   # ifeq ($(TEST), 1)
LIBS = $(IPTABLESPATH)/libiptc/libiptc.a
+ifeq ($(RTCONFIG_IPV6), y)
+LIBS += $(IPTABLESPATH)/libiptc/libip6tc.a
+endif
endif  # ifeq ($(TEST), 1)
else   #ifdef IPTABLESPATH
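Review bot: in the non-TEST branch the new line adds `$(IPTABLESPATH)/libiptc/libip6tc.a`, while the TEST branch takes its objects from `libiptc/.libs/`; check that the archive really is produced at that path by the iptables build, otherwise an IPv6-enabled non-TEST build fails at link time. Both added blocks also only touch LIBS, so it is worth confirming that RTCONFIG_IPV6 is visible to this sub-make and that the matching IPv6 code in miniupnpd is switched on by the same condition, so the library is never linked without its users or the reverse.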

And we'll need linux/getroute.c, so shortcut here:

Code:
diff --git a/release/src/router/miniupnpd/linux/getroute.c b/release/src/router/miniupnpd/linux/getroute.c
index e76ac0b..a308f6a 100644
--- a/release/src/router/miniupnpd/linux/getroute.c
+++ b/release/src/router/miniupnpd/linux/getroute.c
@@ -5,7 +5,7 @@
  * This software is subject to the conditions detailed
  * in the LICENCE file provided within the distribution */

-#ifdef UPNP_STRICT
+#if 1 //def UPNP_STRICT

#include <stdio.h>
#include <string.h>
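Review bot: `#if 1 //def UPNP_STRICT` at the top of getroute.c makes the whole file compile unconditionally and leaves the real condition behind in a comment. Replace it with an explicit test, for example `#if defined(UPNP_STRICT) || defined(<the IPv6 build macro>)`, so that builds without IPv6 do not pick up the file's extra dependencies and the guard documents why the code is needed.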

The next issue is miniupnpd's linux/getroute.c relies on libnfnetlink, which isn't part of Asuswrt. I added its include files just to see how far I could keep going with this, and this time it got stuck there:

Code:
   miniupnpd 
cp -f ./shared/version.h miniupnpd/.
make -C miniupnpd -f Makefile.merlin -j`grep -c '^processor' /proc/cpuinfo`
make[1]: Entering directory `/home/merlin/asuswrt.ac87/release/src/router/miniupnpd'
arm-brcm-linux-uclibcgnueabi-gcc -DBCMWPA2 -DBCMQOS -DBCM_DCS -DEXT_ACS -DD11AC_IOTYPES -DPHYMON -DPROXYARP -DTRAFFIC_MGMT -DTRAFFIC_MGMT_RSSI_POLICY -DMFP -D__CONFIG_MFP__ -DLINUX26 -DCONFIG_BCMWL5 -DDEBUG_NOISY -DDEBUG_RCTEST -pipe -DBCMWPA2 -DBCMARM -fno-strict-aliasing -marm -DRTCONFIG_NVRAM_64K -DLINUX_KERNEL_VERSION=132644  -DRTAC87U -O2 -D__CONFIG_EMF__ -D__CONFIG_WPS__ -fno-strict-aliasing -fno-common -D_GNU_SOURCE -Wall -Wextra -Wstrict-prototypes -Wdeclaration-after-statement -DLINUX26 -DCONFIG_BCMWL5 -DDEBUG_NOISY -DDEBUG_RCTEST -pipe -DBCMWPA2 -DBCMARM -fno-strict-aliasing -marm -DRTCONFIG_NVRAM_64K -DLINUX_KERNEL_VERSION=132644  -I/home/merlin/asuswrt.ac87/release/src-rt-6.x.4708/router/iptables-1.4.x/include/ -DIPTABLES_143 -I../libnfnetlink/include    -c -o linux/getroute.o linux/getroute.c
arm-brcm-linux-uclibcgnueabi-gcc  -L/home/merlin/asuswrt.ac87/release/src-rt-6.x.4708/router/iptables-1.4.x/libiptc/  miniupnpd.o upnphttp.o upnpdescgen.o upnpsoap.o upnpreplyparse.o minixml.o portinuse.o upnpredirect.o getifaddr.o daemonize.o upnpglobalvars.o options.o upnppermissions.o minissdp.o natpmp.o pcpserver.o upnpevents.o upnputils.o getconnstatus.o upnppinhole.o pcplearndscp.o asyncsendto.o linux/getifstats.o linux/ifacewatcher.o linux/getroute.o netfilter/iptcrdr.o netfilter/iptpinhole.o netfilter/nfct_get.o /home/merlin/asuswrt.ac87/release/src-rt-6.x.4708/router/iptables-1.4.x/libiptc/.libs/libip4tc.o /home/merlin/asuswrt.ac87/release/src-rt-6.x.4708/router/iptables-1.4.x/libiptc/.libs/libip6tc.o   -o miniupnpd
linux/getroute.o: In function `get_src_for_route_to':
getroute.c:(.text+0xf8): undefined reference to `nfnl_addattr_l'
getroute.c:(.text+0x2c0): undefined reference to `nfnl_addattr_l'
collect2: ld returned 1 exit status
make[1]: *** [miniupnpd] Error 1
make[1]: Leaving directory `/home/merlin/asuswrt.ac87/release/src/router/miniupnpd'

And that's as far as I've been for now. At this stage, the next step is probably to actually compile libnfnetlink, and link it against miniupnpd, and see what else comes up afterward.
 
I got libnfnetlink to build but then I ran into another problem building miniupnpd and kind of lost interest. From the little bit I poked at it, it wasn't clear that current version would build against a 2.6 kernel without a lot of work. It builds against 3.x without any issues.

FWIW, I did hacking on it in my entware tree.
 
Lack of motivation is also what made me stop working on this, as almost no software supports PCP anyway, so that would be mostly a waste of time at this point.
 
IPv6 and UPnP? It doesn't make too much sense; in IPv6 each device has its own routable public IP. Any applications/devices designed for IPv6 will probably assume that they can select any port for incoming connections. UPnP was designed because of the NAT issues; in IPv6 NAT is not used.

It makes perfect sense to be able to create pinholes through a router with a default block policy. That is why UPnP as a standard has had support defined for being able to do so with IPv6 for 14 years now.

UPnP was designed because of the NAT issues

Actually no, UPnP was designed to allow devices to be able to discover each other on a network, what services are provided by each respective device and a certain amount of auto-configuration. It is an extensible protocol. Being able to do pinholes for v4 and NAT (IGD) was just one feature of the much bigger picture and not what it was originally designed for.
 
Nowadays the Asus Merlin <System Log> page shows that software like qBittorrent is using PCP.

Is the current newest firmware able to support ipv6 with UPnP?

There's some info I found related to 'miniupnpd ipv6 support':
 
Can Merlin add IPv6 support for miniupnpd now? It's been 7 years since this post. More and more P2P software already supports IPv6 pin holes. For security reasons, we have to open the IPv6 firewall in Merlin. But it'll cause the restriction of IPv6 inbound traffic. So it is very necessary for miniupnpd to support IPv6 pin holes.
 
Has Microsoft ever fixed their broken IGDv2 support in Windows? Because if I remember correctly, that was what prevented us from enabling it in miniupnpd. IPv6 pinhole support requires IGDv2.
 
Did some checking, and Windows 10 and Xbox still don't support IGDv2. Enabling it would break UPNP for the majority of users out there.
 
