Mitigating Remote Management Risks by Preventing IPv6 Temporary Address Exposure of Home Router Public Prefixes? #1389
Unanswered
misaka19683 asked this question in Q&A
Replies: 0 comments
Background:
In IPv6 networks—especially in home networks that use Prefix Delegation (PD)—a router is assigned a prefix and then distributes that prefix to devices within the subnet. Each device independently generates a 128-bit IPv6 address. In some cases, this address is an EUI-64 IPv6 address generated from the device’s MAC address, along with several randomly generated temporary addresses. The first 64 bits of these addresses represent the network prefix, while the last 64 bits serve as a unique identifier for the device. When a device on the subnet accesses the Internet, it typically uses a temporary IPv6 address, which helps protect its actual address from easy tracking.
If a server is located behind the router, it is common for the router’s IPv6 firewall to open specific inbound ports for the server’s EUI-64 address and to configure DDNS only for that address. Consequently, when the server accesses the Internet using a temporary address, external parties can only see the temporary IPv6 address (which is not permitted through the router), while the server’s true IPv6 address remains hidden within a vast pool of IPv6 addresses—providing an extra layer of protection.
Issue:
The problem arises because, when my server—or any device—accesses the Internet, the temporary IPv6 address used will expose its network prefix in the first 64 bits. This effectively reveals my router’s public IPv6 address, since many routers have a LAN address such as [prefix::1]. If someone attempts to access the router’s management interface by appending ::1 to the prefix, and if remote management is enabled on the router, they might successfully reach the management interface. Should the router’s firmware be outdated or if it uses a simple password, an attacker could potentially compromise the router and, by extension, the entire home network.
Proposed Solution:
To prevent this situation, I am considering disabling access to the LAN IP addresses while still allowing access via the public IPv6 address assigned through PPPoE. This way, even if the public IPv6 prefix is known, external attackers would not be able to access the router’s management interface, thereby adding an extra layer of security.
Specific Questions:
Feasibility: Is this solution feasible? If so, how can it be implemented on modern routers?
Community Experience: Have other users encountered similar issues, and how did they resolve them?
Alternative Solutions: Beyond the solution I have proposed, what other approaches exist?
Further Discussion: Where should one seek additional help if further discussion on this issue is needed?
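As an added audit helper (not part of the original post or any router's firmware), the following Python script shows the address relationship the question is built on: every global address a host uses, stable or temporary, reveals the same delegated /64, and an EUI-64 identifier additionally reveals the MAC it was derived from. The sample addresses, the MAC and the 2001:db8::/32 documentation prefix are constructed values.

```python
import ipaddress
from typing import Dict, List, Optional, Union

Addr = Union[str, ipaddress.IPv6Address]

# Constructed sample: addresses a host behind a PD router might hold.
SAMPLE_ADDRS: List[str] = [
    "2001:db8:abcd:1234:0211:22ff:fe33:4455",  # EUI-64 from MAC 00:11:22:33:44:55
    "2001:db8:abcd:1234:3981:71c0:88a2:5f10",  # RFC 4941 temporary address (random IID)
    "2001:db8:abcd:1234:9c42:10de:f00d:cafe",  # another temporary address
    "fe80::211:22ff:fe33:4455",                # link-local, never seen by remote peers
]

def iid_is_eui64(addr: Addr) -> bool:
    """RFC 4291 modified EUI-64: 0xFFFE occupies bytes 3-4 of the 64-bit IID."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    return iid[3] == 0xFF and iid[4] == 0xFE

def mac_from_eui64(addr: Addr) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64 IID by undoing the U/L bit flip."""
    if not iid_is_eui64(addr):
        return None
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    iid[0] ^= 0x02                      # universal/local bit was inverted on creation
    mac = bytes(iid[0:3] + iid[5:8])    # drop the inserted 0xFFFE
    return ":".join(f"{b:02x}" for b in mac)

def exposed_prefix(addr: Addr) -> ipaddress.IPv6Network:
    """The /64 that any global address, temporary or not, reveals to a peer."""
    return ipaddress.IPv6Network((ipaddress.IPv6Address(addr), 64), strict=False)

def audit(addrs: List[str]) -> Dict[str, dict]:
    """Group a host's addresses by delegated prefix; flag EUI-64 (stable) vs other IIDs."""
    report: Dict[str, dict] = {}
    for s in addrs:
        a = ipaddress.IPv6Address(s)
        if a.is_link_local or a.is_loopback or a.is_unspecified:
            continue  # not routable beyond the link, so not exposed
        net = exposed_prefix(a)
        entry = report.setdefault(
            str(net), {"stable": [], "temporary": [], "router_lan_guess": None})
        if iid_is_eui64(a):
            entry["stable"].append({"addr": s, "mac": mac_from_eui64(a)})
        else:
            entry["temporary"].append(s)
        # The exposure the post describes: prefix::1 is a common router LAN address,
        # so every address in the group points an observer at the same candidate.
        entry["router_lan_guess"] = str(net[1])
    return report
```

Run `audit(SAMPLE_ADDRS)` on a host's real address list to confirm that the temporary addresses land in the same prefix group as the firewall-exposed EUI-64 address, which is why hiding the stable address alone does not hide the router.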