For many years now I have been using the (free) Hurricane Electric Tunnel Broker. If you don’t have IPv6, it’s free and very simple to set up, and I highly recommend it.

But time moves on, and native dual stack is better than a 6in4 tunnel broker, for both latency and throughput. So I was very excited to see that Rogers has (finally) enabled footprint-wide IPv6 (native, not their original 6RD). They have a mega-thread about it here. But in a nutshell: put your modem back into ‘routed’ mode, do a factory reset, reboot, put it back into bridge mode, and enable DHCPv6-PD on your home router. And boom, you have yourself some native IPv6 (those steps are easier than you think; the most complex tool you need is a paperclip, the second most complex is patience).

Once done, head on over to test-ipv6.com and give it a go. You want 10/10, all green, no tunnel broker. You can then test a top-notch IPv6 web site like www.fobar.com and bask in the glory of ‘it just works’.

(PS: if you sign up for the beta firmware, you can leave the modem in ‘routed’ mode. But personally I like my packets bridged when it comes to DOCSIS. YMMV.)

So, so long he.net, and thanks for all the bits.

So I’m sitting in the United Club in Denver. The amenities are almost too many to list on the longest fingers of one hand. And good Internet is certainly one of the amenities that is lacking. So I decided to dig into it and share with you, so that next time you are in a similar circumstance you will know how to address it (hint: it’s not going to the people at the front desk and using words like MTU, blackhole, router, ICMP Would Fragment).

So yeah, I whip out the old WiFi, connect. The WiFi interface has MTU 1500 as you would expect. But connect our IPsec VPN, and it’s awful. Nothing works reliably, pages time out, the wiki doesn’t load. Argh. So, debugging 101.

First I run ‘ping -M do -s 1470 8.8.8.8’. I get a ‘would fragment’, so I know that somewhere along the way is a router that won’t pass 1500. OK, that’s fair, TCP does PMTU discovery for a reason. But when I do ‘ping -M do -s 1440’, I find that I get no response and no ‘would fragment’. Huh. That’s not allowed. So I probe out the actual MTU with varying sizes, and then run ‘ifconfig wlp1s0 mtu 1440’ and re-check. All good.

The moral of the story: there is no packet size for which you should get neither a response nor an ICMP ‘would fragment’. No blackholing is allowed. TCP works badly with it, and worse, when you use a tunnel (like IPsec) it just falls apart: the tunnel adds its own headers, so packets that fit the 1500-byte WiFi MTU exceed the path MTU once encapsulated, and with the ICMP suppressed the endpoints never learn why.
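The probing above can be automated. This is an added example, not the post’s own tooling: it binary-searches the largest DF-flagged ping that still gets a reply, and separately records any size that was dropped with no ICMP back (the blackhole case). The `ping_probe` wrapper assumes Linux iputils ping with the `-M do -s N` syntax used in the post; `simulated_path` is a constructed offline stand-in whose hops (an ICMP-emitting 1492-byte link, then a silent 1450-byte link) reproduce the post’s observations at 1470 and 1440.

```python
import subprocess
from typing import Callable, Dict, List, Tuple

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header

Probe = Callable[[int], str]  # payload size -> "reply" | "frag_needed" | "timeout"


def ping_probe(host: str, timeout_s: int = 1) -> Probe:
    """Probe with Linux iputils ping, DF set: the 'ping -M do -s N' from the post."""
    def probe(payload: int) -> str:
        cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s), "-s", str(payload), host]
        run = subprocess.run(cmd, capture_output=True, text=True)
        if run.returncode == 0:
            return "reply"
        out = run.stdout + run.stderr
        if "Frag needed" in out or "message too long" in out:
            return "frag_needed"  # a router (or the local stack) reported its MTU
        return "timeout"          # silently dropped: a PMTU blackhole
    return probe


def simulated_path(hops: List[Tuple[int, bool]]) -> Probe:
    """Constructed offline path: each hop is (link MTU, does it emit ICMP 'frag needed'?)."""
    def probe(payload: int) -> str:
        size = payload + IP_ICMP_OVERHEAD
        for mtu, emits_icmp in hops:
            if size > mtu:
                return "frag_needed" if emits_icmp else "timeout"
        return "reply"
    return probe


def find_path_mtu(probe: Probe, lo_mtu: int = 576, hi_mtu: int = 1500) -> Dict:
    """Binary-search the largest packet size that still gets a reply; lo_mtu must work."""
    if probe(lo_mtu - IP_ICMP_OVERHEAD) != "reply":
        raise RuntimeError(f"no reply even at {lo_mtu} bytes; host down or ICMP filtered?")
    lo, hi, blackholed = lo_mtu, hi_mtu, []
    while lo < hi:
        mid = (lo + hi + 1) // 2
        result = probe(mid - IP_ICMP_OVERHEAD)
        if result == "reply":
            lo = mid
        else:
            hi = mid - 1
            if result == "timeout":
                blackholed.append(mid)  # dropped with no ICMP back: the broken case
    return {"path_mtu": lo, "blackhole": bool(blackholed), "blackholed_sizes": blackholed}
```

On a real link, `find_path_mtu(ping_probe("8.8.8.8"))` gives the size to set with `ifconfig <iface> mtu`, and a non-empty `blackholed_sizes` is the evidence that a router on the path is dropping without sending ICMP.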

So I cracked open OpenVAS today. It’s been a while, and new vulnerabilities occur (and new devices wiggle their way onto my network in fits of weakness!). And OMG, there was a lot of ‘High’ vulnerabilities (without even looking @ the medium and low ones).

I let the discovery run for a while (179 active devices on the main subnet), and then started digging in. And some of the things are impossible to fix (the device manufacturer has no updated firmware, there is no way to turn off the ‘feature’ in question, etc).

Some devices were not too bad (e.g. that small NAS I bought to back end my squirrel cameras); turns out I can edit the nginx config file (and disable SSLv3, and thus POODLE), and edit the sshd_config (and thus disable arcfour and 3des-cbc).

But some of them (e.g. 3 of my access points) have ‘HTTP negative content-length buffer overflow’ which in turn allows ‘remote execution’. Ugh. So anyone who has access to that subnet can run a root shell on my routers.

Some I kind of disagree with (e.g. the IPsec IKE check… so yeah, my desktop ignores rather than errors on bogus IKE requests; I’m not sure this will matter to me).

And some seem scary, but on reflection I’m ok with (e.g. CRLF injection in dropbear on my border router). Sounds awful (it’s rated High in OpenVAS), until I reflect that: a) I don’t run xauth on that router (since it doesn’t run X) and b) it’s only authenticated users (which would be me). So, X11 forwarding off, mission accomplished.

Some kind of disgusted me (e.g. several of my devices crash if you give an MS-DOS device name in an HTTP request, e.g. con: or lpt1: or com1:. Good lord, what year is this? It’s been 30 years since that was a thing).

But yeah, a lot of the criticals it gave did check out. Routers were crashed, media players exploited, smart TVs compromised. It did what it said on the tin and p0wned my network.

So, I recommend you give this a try. It’s not that hard. Take a spare Linux box in your home (or run a new VM for the purpose), and have a crack @ OpenVAS. Make a new target which is your subnet (e.g. 172.16.0.1-172.16.0.254), and let it fly on ‘full and deep’. Post your score in the comments. Mine was:

29 ‘high’ severity (of which 11 were 10.0), 101 ‘medium’. Ugh, so much upgrading and tweaking, and I only got rid of about 2/3 of the high.