New AirPort Extreme: an unwanted "feature"


An Infinite Loop article in Ars Technica discusses an unwanted, undocumented “feature” of Apple’s newly-shipping AirPort Extreme base station. Details of the feature are somewhat complex (check the article), but the end result is that the entire network of computers behind that new base station is exposed to an unneeded Internet security risk, which Apple could easily have prevented.


Real briefly, IPv6 is the next generation of Internet protocols. There is a fledgling IPv6-based Internet that’s evolving parallel to, and pretty much independent of, the current Internet. The IPv6 Internet can be “tunneled to” by machines connected to the current Internet, although doing so has been quite difficult. Apple’s new base station, however, automatically, by default, does this for you, exposing any computer (Mac or otherwise) connected to the base station (wirelessly or through its additional wired ports) to the unknown slings and arrows of the new IPv6 Internet. Worse, unlike its IPv4 side (IPv4 is what the current Internet protocols are called), the base station’s IPv6 side does not have a built-in pseudo-firewall that blocks most access attempts at the base station (through side-effects of a protocol called NAT). Worse still, many current Mac OS X personal firewalls don’t block IPv6 either. In particular, Mac OS X’s so-called “built-in” firewall won’t block IPv6 to any service that’s enabled in the Sharing System Preferences panel, and some of those services (for instance Remote Login/SSH, FTP and Personal File Sharing/AFP) do in fact support access via IPv6.
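A check a Mac user behind such a base station could run, added here as an example that is neither Apple's code nor part of the original post: it reads the text that `ifconfig` and `netstat -an` print (the shape of that output, and the sample lines below, are constructed assumptions), classifies each IPv6 address the host holds, and lists the listening services that the IPv6 Internet could reach once a tunnelled, globally routable address appears on an interface with no NAT in front of it. Addresses in 2002::/16 are the 6to4 form of such a tunnelled address; whether the base station uses that particular mechanism is not something the post states.

```python
"""Which services on this Mac would be reachable over IPv6?

Added example (not Apple's or the author's code). Assumes `ifconfig` prints
lines like "inet6 <addr> prefixlen N" and `netstat -an` prints one socket per
line with the local address in the fourth column as <addr>.<port>.
"""
import ipaddress
import re
import subprocess

# Constructed sample in the shape `ifconfig` prints on Mac OS X (assumption).
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::21c:b3ff:fe01:2345%en1 prefixlen 64 scopeid 0x5
        inet 10.0.1.3 netmask 0xffffff00 broadcast 10.0.1.255
        inet6 2002:c000:201:1:21c:b3ff:fe01:2345 prefixlen 64 autoconf
"""

# Constructed sample in the shape `netstat -an` prints on Mac OS X (assumption).
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.548                  *.*                    LISTEN
tcp6       0      0  *.548                  *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
tcp6       0      0  ::1.631                *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
udp6       0      0  *.5353                 *.*
"""

# Address classes, most specific first. Only the last two are routable from
# the IPv6 Internet; 2002::/16 is the 6to4 form of a tunnelled global address.
_CLASSES = [
    ("loopback", ipaddress.ip_network("::1/128")),
    ("link-local", ipaddress.ip_network("fe80::/10")),
    ("unique-local", ipaddress.ip_network("fc00::/7")),
    ("6to4", ipaddress.ip_network("2002::/16")),
    ("global", ipaddress.ip_network("2000::/3")),
]


def classify_ipv6(text):
    """Return the class of an IPv6 address string (a '%scope' suffix is allowed)."""
    addr = ipaddress.IPv6Address(text.split("%", 1)[0])
    for name, net in _CLASSES:
        if addr in net:
            return name
    return "other"


def is_internet_reachable(text):
    """True when the address can be routed to from the IPv6 Internet."""
    return classify_ipv6(text) in ("6to4", "global")


_INET6_RE = re.compile(r"^\s*inet6\s+(\S+)", re.MULTILINE)


def global_addresses(ifconfig_text):
    """IPv6 addresses in ifconfig output that the IPv6 Internet can reach."""
    found = [m.group(1) for m in _INET6_RE.finditer(ifconfig_text)]
    return [a for a in found if is_internet_reachable(a)]


def ipv6_listeners(netstat_text):
    """(proto, port, bound_address) for each tcp6 LISTEN socket and each udp6 socket."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("tcp6", "udp6"):
            continue
        if fields[0] == "tcp6" and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue
        bound, port = fields[3].rsplit(".", 1)
        listeners.append((fields[0], int(port), bound))
    return listeners


def exposed_ipv6_ports(ifconfig_text, netstat_text):
    """Ports the IPv6 Internet could connect to: the host holds a routable
    address and the service is bound to the wildcard or to that address."""
    routable = {a.split("%", 1)[0] for a in global_addresses(ifconfig_text)}
    if not routable:
        return []  # no tunnelled global address yet, so nothing is reachable
    ports = {port for _proto, port, bound in ipv6_listeners(netstat_text)
             if bound == "*" or bound in routable}
    return sorted(ports)


if __name__ == "__main__":
    # Use live output when the tools are present, otherwise the constructed samples.
    try:
        ifc = subprocess.check_output(["ifconfig"], text=True)
        nst = subprocess.check_output(["netstat", "-an"], text=True)
    except (OSError, subprocess.CalledProcessError):
        ifc, nst = SAMPLE_IFCONFIG, SAMPLE_NETSTAT
    for addr in _INET6_RE.findall(ifc):
        print(f"{addr:45} {classify_ipv6(addr)}")
    print("IPv6-reachable ports:", exposed_ipv6_ports(ifc, nst))
```

On the constructed sample the script reports ports 22, 548 and 5353 as reachable, while the CUPS listener on port 631 is not, because it is bound only to ::1. A non-empty result is the condition the post warns about: the personal firewall must block IPv6 for those services, or the base station's "Block incoming IPv6 connections" option must be on.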


Why did Apple implement this “feature” in its base station? Perhaps it’s to help the struggling IPv6 Internet develop faster by making it easier for computers behind the base station to get on that Internet, which it certainly does. But, if so, why didn’t Apple document this feature, and, more importantly, why is it on by default? An overriding principle of security, and one that Apple is generally very good at implementing, is that unneeded services and features should be disabled by default. This rule simply wasn’t followed in the case of the AirPort Extreme base station’s IPv6 feature, and the ramifications could be significant.


Real briefly again (the article has all the details), to turn off this “feature,” putting the base station back into the mode in which it should have shipped, use the AirPort Utility application (included with the base station) to check the box entitled “Block incoming IPv6 connections” under Advanced configuration options. You should also consider, if you’re not already, using a Mac OS X personal firewall that blocks or disables IPv6, such as our DoorStop X Firewall.

Monday, February 19, 2007
