Is TPLink Safe?
- hosting
- server
- servers
- infrastructure
- security
Background¶
I've been running a dual-stack IPv4 and IPv6 network with support for IPv6-only clients. In order to run this network a DNS64 and a NAT64 server are required. For a long time I've been using Jool inside of OpenWrt on my Raspberry Pi internet gateway. The Jool version on it is old, and OpenWrt isn't really the best OS for compiling things. So I moved my NAT64 into a new CentOS VM, set up routing, used some wizardry, and now the NAT64 is running perfectly on the VM. I was able to use it to optimize parts of the network, prevent things going through the NAT64 that didn't need to, and clear up the active sessions table so NAT64 isn't used for any internal services that don't need it or where it'd have a critical impact on performance (such as access to the Ceph S3 buckets et al.).
Suspicious Behaviors¶
After reducing the number of connections from over 300 to fewer than 80 I was pretty happy. Then I noticed a full page of connections from some IPv6 address to 64:ff9b::7928:2ae1. That is the NAT64 form of 121.40.42.225: with the 64:ff9b::/96 well-known prefix (RFC 6052) the last 32 bits of the IPv6 address are the IPv4 address, and 0x79.0x28.0x2a.0xe1 is 121.40.42.225.
The exact jool session entry is:
```text
Remote: 121.40.42.225#https 2605:b40:1122:6a00:7286:dc1d:589:3cb#37826
Local: 192.168.64.64#57501 64:ff9b::7928:2ae1#443
```
121.40.42.225 is owned by Alibaba.
To track down what device this might be I quickly ran `ip neighbors` on the NAT64 VM and got the result:
```text
2605:b40:1122:6a00:7286:dc1d:589:3cb dev enp6s18 lladdr 00:0a:f5:3a:87:ad STALE
```
The 00:0a:f5:3a:87:ad looks suspiciously like a MAC address, because that's what it is. The next step is to find out what device has this MAC address; hopefully it is a physical device and not something using bridges and virtual NICs, since I do a lot of virtualization after all.
Tracking down the MAC¶
I logged into the cisco router with a hope and a prayer.
```text
cisco> show mac address-table
...
1 000a.f53a.87ad DYNAMIC Gi7/0/8
...
```
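The chain above (NAT64 address to embedded IPv4, jool session to client IPv6, `ip neigh` to MAC, MAC to switch port) is what you repeat every time an odd session shows up, so here it is as a script. This is an added example, not code from the post; it embeds the three outputs quoted above as constructed strings so it runs offline, and on a live system you would feed it the real output of `jool session display`, `ip -6 neigh show` and the switch's `show mac address-table`. Two caveats it encodes: the client's interface ID (7286:dc1d:589:3cb) is not EUI-64 (no ff:fe in the middle), so the MAC cannot be read off the address and the neighbor table is the only link; and both the neighbor cache and the switch MAC table age out, so capture all three while the flows are active. The `consistent` field cross-checks the decoded 64:ff9b:: address against the IPv4 jool reports for the same session.

```python
"""Resolve a NAT64 (jool) session back to a switch port.

Added example, not the post's or Jool's code. Inputs are the three outputs
quoted in the post, embedded here as constructed sample strings.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# RFC 6052 well-known prefix; jool's 64:ff9b::7928:2ae1 lives in it.
NAT64_WKP = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed sample input (copied from the post's quoted output).
JOOL_SESSION = """\
Remote: 121.40.42.225#https 2605:b40:1122:6a00:7286:dc1d:589:3cb#37826
Local: 192.168.64.64#57501 64:ff9b::7928:2ae1#443
"""
IP_NEIGH = """\
2605:b40:1122:6a00:7286:dc1d:589:3cb dev enp6s18 lladdr 00:0a:f5:3a:87:ad STALE
"""
MAC_TABLE = """\
...
1 000a.f53a.87ad DYNAMIC Gi7/0/8
...
"""


def nat64_to_ipv4(addr: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 embedded in a 64:ff9b::/96 address, or None if addr is not NAT64."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in NAT64_WKP:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF)  # low 32 bits


def ipv4_to_nat64(addr: str) -> ipaddress.IPv6Address:
    """Inverse mapping, handy for building a filter rule or a search string."""
    return ipaddress.IPv6Address(int(NAT64_WKP.network_address) | int(ipaddress.IPv4Address(addr)))


def mac_to_cisco(mac: str) -> str:
    """'00:0a:f5:3a:87:ad' -> '000a.f53a.87ad' (the show mac address-table format)."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


_SESSION_RE = re.compile(r"^(Remote|Local):\s+(\S+)#(\S+)\s+(\S+)#(\S+)\s*$", re.M)


def parse_jool_sessions(text: str) -> List[Dict[str, str]]:
    """Pair each 'Remote:' line (IPv4 server, IPv6 client) with its 'Local:' line
    (jool's pool4 address, NAT64 form of the server)."""
    sessions, current = [], None
    for side, a1, p1, a2, p2 in _SESSION_RE.findall(text):
        if side == "Remote":
            current = {"remote_v4": a1, "remote_port": p1, "client_v6": a2, "client_port": p2}
        elif current is not None:
            current.update({"pool4_v4": a1, "pool4_port": p1, "remote_v6": a2, "remote_v6_port": p2})
            sessions.append(current)
            current = None
    return sessions


def parse_ip_neigh(text: str) -> Dict[str, str]:
    """address -> MAC from `ip neigh`; FAILED entries (no lladdr) are skipped."""
    table = {}
    for line in text.splitlines():
        tok = line.split()
        if "lladdr" in tok:
            table[tok[0]] = tok[tok.index("lladdr") + 1]
    return table


_MACTAB_RE = re.compile(r"^\s*(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.M | re.I)


def parse_mac_table(text: str) -> Dict[str, Dict[str, str]]:
    """Cisco-format MAC -> {vlan, type, port} from `show mac address-table`."""
    return {mac.lower(): {"vlan": vlan, "type": typ, "port": port}
            for vlan, mac, typ, port in _MACTAB_RE.findall(text)}


def trace_sessions(session_text: str, neigh_text: str, mac_table_text: str,
                   remote_v4: Optional[str] = None) -> List[Dict[str, object]]:
    """For each jool session, find the client's MAC and switch port.
    remote_v4 narrows the result to sessions with that server address."""
    neigh, mac_table, results = parse_ip_neigh(neigh_text), parse_mac_table(mac_table_text), []
    for s in parse_jool_sessions(session_text):
        if remote_v4 and s["remote_v4"] != remote_v4:
            continue
        decoded = nat64_to_ipv4(s["remote_v6"])
        mac = neigh.get(s["client_v6"])
        entry = mac_table.get(mac_to_cisco(mac)) if mac else None
        results.append({
            "client_v6": s["client_v6"],
            "remote_v4": s["remote_v4"],
            "decoded_v4": str(decoded) if decoded else None,
            "consistent": decoded is not None and str(decoded) == s["remote_v4"],
            "mac": mac,
            "port": entry["port"] if entry else None,
        })
    return results


if __name__ == "__main__":
    for r in trace_sessions(JOOL_SESSION, IP_NEIGH, MAC_TABLE):
        print(r)
```

On the sample input this yields one session whose client resolves to 00:0a:f5:3a:87:ad on Gi7/0/8, the same answer the post reached by hand. Because `ip neigh` keys on the IPv6 address, a client that rotates temporary addresses will show up under several addresses but one MAC, so grouping the output by `mac` is the natural next step.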
Unplug port #8 and see what shuts off¶
Port number 8 was running to a room where it could only have been one of two devices, the Omada WiFi AP or my own PC.
I unplugged the port, and the Omada shut off. The port is PoE and the Omada runs on PoE, so that's definitive proof that the MAC address belongs to the Omada: it is the device whose IPv6 addresses have been reaching out to some HTTPS server on 121.40.42.225 in China regularly, making a good 20 connections before throwing the IPv6 address away.
Conclusion¶
I don't know what it's sending; since it's running over HTTPS, without hacking into the device itself there's not much info I expect I could glean from using Wireshark or something to inspect the packets. Is it safe? I don't know. If I were worried I might block the remote IP address. If I were a government agency I'd ban TPLink products.
Now it makes sense, all that hubbub that went on about TPLink not being safe.
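One thing a packet capture of HTTPS traffic does still expose without decrypting anything is the server name the client asks for in the TLS ClientHello (the SNI extension, sent in the clear in TLS 1.2 and 1.3 unless Encrypted Client Hello is in use), which tells you whether the AP is talking to a vendor cloud hostname, a CDN or a bare IP. As an added example, not code from the post, here is a minimal SNI extractor plus a builder for a constructed ClientHello to feed it; on a real capture you would pass it the first TCP payload of each flow toward 64:ff9b::7928:2ae1. It assumes the ClientHello fits in one TLS record, which is the normal case.

```python
"""Pull the SNI host name out of a raw TLS ClientHello record.

Added example, not the post's code. build_client_hello() produces a
constructed, minimal but well-formed ClientHello so the parser can be
exercised offline; extract_sni() is the part you would point at a capture.
"""
import struct
from typing import Optional

TLS_HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME, SNI_HOST_NAME = 0x16, 0x01, 0x0000, 0x00


def build_client_hello(sni: Optional[str]) -> bytes:
    """Constructed ClientHello: TLS 1.2 record, one cipher suite, null compression,
    and an SNI extension if sni is given (no extensions block at all if None)."""
    body = (b"\x03\x03" + bytes(32)            # client_version + 32-byte random (zeros; constructed)
            + b"\x00"                           # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"  # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00")                      # compression_methods: null
    if sni is not None:
        name = sni.encode("ascii")
        # ServerNameList: list_len(2) | name_type(1) | name_len(2) | name
        sni_list = struct.pack("!HBH", len(name) + 3, SNI_HOST_NAME, len(name)) + name
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(payload: bytes) -> Optional[str]:
    """Return the SNI host name from a ClientHello, or None if payload is not a
    ClientHello or carries no server_name extension. Never raises on junk."""
    try:
        if payload[0] != TLS_HANDSHAKE or payload[5] != CLIENT_HELLO:
            return None
        p = 5 + 4 + 2 + 32                       # record hdr, handshake hdr, version, random
        p += 1 + payload[p]                      # session_id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]   # cipher_suites
        p += 1 + payload[p]                      # compression_methods
        if p + 2 > len(payload):
            return None                          # no extensions block at all
        ext_end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype == EXT_SERVER_NAME:
                q, entries_end = p + 2, p + elen  # skip ServerNameList length
                while q + 3 <= entries_end:
                    ntype = payload[q]
                    nlen = struct.unpack("!H", payload[q + 1:q + 3])[0]
                    if ntype == SNI_HOST_NAME:
                        return payload[q + 3:q + 3 + nlen].decode("ascii", "replace")
                    q += 3 + nlen
            p += elen
        return None
    except (IndexError, struct.error):
        return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))
```

For a pcap, the same function applied to the first client-to-server TCP segment of each flow (for example via a scapy or dpkt loop) gives a list of names to group the AP's connections by; a missing SNI on a port 443 flow is itself a data point, since most cloud services and CDNs require it.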