Airport Extreme: revolution canceled


Yesterday, Apple dropped the first firmware upgrade to the new 802.11n-capable Airport Extreme Base Station.

But it’s not so much an upgrade as a step backwards. Someone on the Airport Extreme team had dared to fully embrace IPv6 in the original firmware; this update scales back on that ambition.

(You can skip the next three paragraphs if you’re familiar with IPv4, NAT and IPv6.)

Ten, fifteen years ago free IPv4 addresses were plentiful, and so each TCP/IP device in the world could get a unique, globally routable IP address. Everything just worked. Two devices on the Internet could talk to each other without any complications as long as a firewall hadn’t been set up to block that communication. Now the number of networkable devices has skyrocketed and we’ve all but run out of IP addresses. The interim solution is NAT: we use private addresses on our devices, and let a router translate them to a single public address at the edge of our network.

But NAT has always been problematic: it divides the Internet into islands across which communication is not automatically possible — at least not without often-unreliable band-aids such as UPnP or NAT-PMP.

The long-term solution to all this has always been IPv6; if we increase the number of IP addresses to a point where everyone on the planet has thousands, then we no longer need NAT and all networked computers can again talk to each other.

(We’re back from the networking primer.)

The Airport Extreme was one of the first mass-market routers (if not the first) that shipped with IPv6 enabled and configured in a way that made it work automatically, even across IPv4 Internet connections. Since Mac OS X also ships with IPv6 enabled, this was a bit of a revolution: out of the box, Macs on Airport Extreme networks could talk directly to each other over the Internet, without any port mapping shenanigans. It took us ten years to get back to this point.

Unfortunately, many Airport Extreme Base Station reviews noted this huge feature in an entirely different light — as a security issue. Airport base stations have never included a firewall, yet many people, reviewers included, still expect them to block inbound connections out of the box. That blocking was only ever a side effect of NAT-based routing — a bug, not a feature — and one that Apple managed to fix with this latest generation of base stations.

Most of the Macs Apple sells today are laptops, and perimeter defense makes no sense for them: you connect them promiscuously to any network you find, so it’s the Mac, not the network, that needs to be secure. Even so, the market is telling Apple that it is more important for a router to act as a poor man’s firewall than as, well, a router.

And so, today’s update:

The default configuration of an AirPort Extreme Base Station with 802.11n allows incoming IPv6 connections. This may expose network services on hosts connected through an AirPort Extreme Base Station with 802.11n to remote attackers. This update addresses the issue by changing the default setting to limit inbound IPv6 traffic to the local network. This issue only affects AirPort Extreme Base Station with 802.11n, and not other versions of the Base Station.

Oh well. It was great while it lasted.
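What the advisory actually means for a Mac behind the base station is a question of which services are listening on which IPv6 addresses. The following is an added example, not code from the original post or from Apple: it parses constructed `netstat -an`-style output (the Mac OS X format, with the port appended to the address after a dot) and reports who could reach each IPv6 listener under the two router defaults the post describes. The "open" policy stands for the original firmware (unsolicited inbound IPv6 forwarded to LAN hosts) and "local-only" for the updated default (inbound IPv6 limited to the local network); how the AirPort firmware implements either is not modeled beyond that. The service ports and addresses in the sample are constructed for illustration.

```python
"""Audit IPv6 listener exposure under an 'open' versus 'local-only' router default.

Added example for the post above; not Apple's code and not the base station's
real filter. The router policies are a model of the stated defaults only.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample, modelled on `netstat -an -f inet6` output on Mac OS X
# (local address written as addr.port, '*' meaning the unspecified address).
# Not captured from a real machine; ports chosen as plausible Mac services.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp6       0      0  *.22                   *.*                    LISTEN
tcp6       0      0  *.548                  *.*                    LISTEN
tcp6       0      0  ::1.631                *.*                    LISTEN
tcp6       0      0  fe80::1%en1.5353       *.*                    LISTEN
tcp6       0      0  2002:c000:204::1.8080  *.*                    LISTEN
tcp6       0      0  2002:c000:204::1.49152 2002:c000:204:1::5.443 ESTABLISHED
tcp4       0      0  *.80                   *.*                    LISTEN
"""

UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")


class Listener(NamedTuple):
    proto: str
    addr: str   # '*' is the unspecified address (::), i.e. every interface
    port: int


def parse_listeners(text: str) -> List[Listener]:
    """Return the tcp6 sockets in LISTEN state from netstat-style text."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp6"):
            continue
        if fields[-1] != "LISTEN":
            continue          # established/closing flows are not listeners
        addr, _, port = fields[3].rpartition(".")
        found.append(Listener(fields[0], addr, int(port)))
    return found


def scope(addr: str) -> str:
    """Classify a bind address: any, loopback, link-local, unique-local, global."""
    if addr == "*":
        return "any"
    ip = ipaddress.IPv6Address(addr.split("%")[0])   # strip zone id like %en1
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip in UNIQUE_LOCAL:
        return "unique-local"
    return "global"


def reachable_from(listener: Listener, policy: str) -> str:
    """Who can reach the listener: 'host', 'lan' or 'internet'.

    policy is 'open' (the original default: unsolicited inbound IPv6 is
    forwarded to LAN hosts) or 'local-only' (the update's default: inbound
    IPv6 limited to the local network). Both are models of the stated
    behaviour, not of the actual firmware.
    """
    if policy not in ("open", "local-only"):
        raise ValueError("unknown policy: %r" % policy)
    s = scope(listener.addr)
    if s == "loopback":
        return "host"           # never routed anywhere
    if s in ("link-local", "unique-local"):
        return "lan"            # not globally routable regardless of the router
    # Unspecified or global bind: the LAN can always reach it; the Internet
    # can only when the router forwards unsolicited inbound IPv6.
    return "internet" if policy == "open" else "lan"


def exposure_report(text: str, policy: str) -> Dict[Tuple[str, int], str]:
    """Map (bind address, port) to the widest audience that can reach it."""
    return {(l.addr, l.port): reachable_from(l, policy)
            for l in parse_listeners(text)}


if __name__ == "__main__":
    for policy in ("open", "local-only"):
        print("router default:", policy)
        for (addr, port), who in sorted(exposure_report(SAMPLE_NETSTAT, policy).items()):
            print("  %-22s port %-5d reachable from %s" % (addr, port, who))
```

Run it against real output by piping `netstat -an -f inet6` into `parse_listeners`. The practical point matches the post's own: a service bound to `*` (or to the global 6to4-style address, as in the constructed sample) is exposed to the whole Internet under the original default, and only the host can fix that, either by binding to loopback or link-local addresses or with a host firewall; the router's new default merely hides the problem from outside addresses. IPv4 sockets are deliberately skipped since the advisory concerns IPv6 only.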


2 Comments

james woodyatt said:

"Someone in the Airport Extreme team had dared to fully embrace IPv6 in the original firmware; this update scales back on that ambition."

"Oh well. It was great while it lasted."

See the ongoing kerfuffle in the V6OPS and BEHAVE working groups of the IETF if you want to watch the catastrophe as it continues to unfold.


About this Entry

MK&C is an eight-person software development studio in Helsinki, Finland. We specialize in designing and developing human-friendly software for the Mac, iPhone and iPod touch platforms.


This page contains a single entry by Marko Karppinen published on April 10, 2007 11:01 AM.
