This is the forum archive of Homey. For more information about Homey, visit the Official Homey website.
The Homey Community has been moved to https://community.athom.com.
This forum is now read-only for archive purposes.
IPv6
blusser
Member
Does Homey support IPv6? (And what about the app?)
This would make an SSH tunnel to a central server (to make it reachable from outside) unnecessary.
If so, is all traffic encrypted? (IPsec IKEv2? / HTTPS -> are certificates checked?)
And how is Homey protected/firewalled?
Comments
You can use the central server but you can also use a direct connection through your own modem/router/firewall.
IPv6 is not (yet) enabled, and yes, all traffic is SSL encrypted.
Ok, can you choose within the app between direct and central server?
Btw, I presume all current code is already IPv6 compliant (so it just needs some testing :-))
The app automatically finds the fastest route
Oh, by the way, when using HTTPS, how do you defend against MITM attacks when using self-signed certificates, or are you able to upload a signed certificate and force it to only use trusted certificates (and bypass this check (and weaken your protection) when using self-signed certificates)?
How would you use self-signed certificates? :-)
If you add the self signed certificate to the client and don't accept any other certificate, you're actually as secure (or, one could argue, even more so) than having a certificate authority signed certificate.
A self-signed certificate is more insecure than a CA certificate only when the client does not know the certificate in advance and therefore has no way to validate that the server is who it says it is.
Yup. And because you can't access Homey's filesystem, you can't change the shipped certificate as well
@Emile, don't make this mistake: http://arstechnica.com/security/2015/04/android-apps-still-suffer-game-over-https-defects-7-months-later/
On Android, you can install your own certificates, which creates this issue. On Homey, that's luckily not possible
Lucky for us, we can sniff traffic for smart devices that way
Do all Homeys have the same (self-signed) certificate?
If so, presume a Homey has been compromised (it's not a question of IF but WHEN) due to bugs like POODLE, Heartbleed or bugs in apps, how are you going to fix this?
They only have a public certificate, so that means that you still can't do anything dangerous
Good to know that you are completely over to IPv6; I guess it isn't activated in the Linux base of Homey yet.
But don't be afraid,
XS4ALL is completely IPv6 ready except for customers who disabled it or are on 5-year-old routers. XS4ALL communicates well about their changes.
The other one you mention has been announcing an IPv6 rollout for at least 5 years already but is still not able to do so....
https://tweakers.net/nieuws/79726/ziggo-levert-nog-dit-jaar-ipv6-verbindingen.html
In February this year they activated it on my connection for 2 or 3 weeks without notification, and I experienced instabilities on the router in that period. They also removed it silently....
When it is ready, IPv4 will be alongside IPv6 on the wires for several years.... Dual stack will be the way we use the Internet for the next decade, as there is no easy way to communicate between the two address schemes that works for all protocols.
So don't worry, it will be long before they remove your IPv4 addresses....
https://www.quora.com/When-will-IPv4-be-phased-out
IPv6 usage now on Google less than 14 % : https://www.google.com/intl/nl/ipv6/statistics.html
IPv6 usage for websites less than 6% : https://w3techs.com/technologies/details/ce-ipv6/all/all
And yes, I like it when they enable IPv6 on my devices..... but there is still no real use case that makes things work that don't work now....
It's generated from the MAC address and is replacing ARP traffic.
So this means that the IPv6 stack is loaded.
It doesn't mean that the services are IPv6 enabled.
Normally you should be able to ping the link-local address from within your LAN unless a firewall is active.
Is there a plan to add a configuration to disable IPv6 and also *.homey.athom.com? Like LAN-only access.
Time for some firewall rules for Homey
The "Problem" with IPv4 and NAT is the devices are not easily accessible from the outside.
Some people see it as an advantage of using NAT. It is a kind of firewall you have to open to make it available, but not very user friendly (for an average consumer). As we say: "Elk nadeel hep zijn voordeel" ("Every disadvantage has its advantage")
Athom provides a "reverse proxy" to access Homey from outside a NATed network, as all consumer/home networks are, to make it user friendly, but this brings some complexity and dependencies (e.g. the extra code and Athom reverse proxy infrastructure).
With IPv6 every device can be connected to the internet and be accessible from everywhere (it is designed for that!).
For security reasons this is a challenge, as the device can be hackable from the complete (IPv6) internet.
First point is to secure the device OS (in this case Homey Firmware) to only respond to ports that are used and only to sessions that are properly authenticated.
@MrDutchfighter I trust Athom that the Linux core of Homey has a decent firewall enabled, so I guess there are already built-in firewall rules we can't see! But I can't verify. If we really want to know, we should ask Athom and trust their professionalism or ask for an independent review of the (Athom secret) code.
Second is keeping your credentials and authentication token (Bearer Token) secure. Regardless of whether your Homey is behind a NAT router or (IPv6) firewall, with that information and the reverse proxy from Athom I can access your Homey and control your home ;-) ....
Third: To protect your home network is a consumer responsibility.
IMHO good IPv6 providers provide an IPv6 Customer Endpoint (CE) with a decent stateful firewall that by default only accepts outbound-initiated traffic and provide the customer the option to make individual devices/ports directly accessible on IPv6 from the outside. (Providing the NAT/firewall option from IPv4 also on IPv6 without the NAT)
In the end we are back at a secure solution (CE with firewall) that isn't as user friendly as the IoT Internet with Every-where Access Any-Device could (or should?) have been...
@MatjaLipu
Did you create a GitHub issue or feature request for it?
A checkbox to disable direct access to Homey from outside the local subnet/network (independent of whether it is IPv4 or IPv6) is a nice little security feature that I think is useful and easy. I personally don't see much in disabling remote access using the Cloud-ID.homey.athom.com. I see more in adding multi-factor authentication as security (Google Authenticator, SMS code or push confirmation when accessing Homey from remote).