Just days after we published “Take Control of Your 802.11n AirPort Extreme Network,” Apple released an extremely minor firmware upgrade related to a pair of security issues with the AirPort Extreme Base Station with 802.11n (Extreme N, as I call it).
Security Fixes — The 7.1 firmware release closes a hole in the next-generation Internet Protocol technology that’s built into the Extreme N (and, for that matter, into Mac OS X). IPv6, as it’s known, will ultimately replace the well-known “dotted-quad” of the current IPv4 addressing system. IPv6’s 128-bit address space is several orders of magnitude larger than the 32 bits allotted to IPv4, and will be coupled with advances like automatic address forwarding across routers that will provide truly mobile IP, enabling your laptop to use a static IP address that’s assigned and managed by your home network no matter where you are.
However, IPv6 is currently in use only on certain corporate, academic, and backbone networks. Researchers and others have erected IPv6 tunnels that let you connect to IPv6 end-points over an IPv4 network. The Extreme N supports this feature out of the box – in fact, too well. The factory configuration of the Extreme N turns on tunneling. As Ars Technica documented, this would allow remote connections over SSH and other services to computers on the local network segment of the base station, even without the user’s knowledge. (A lot of factors are required for that to be true, but because of tunneling, it’s possible.)
Firmware Update 7.1 changes the factory default to block incoming IPv6 connections. However, the upgrade doesn’t change any existing configurations, only configurations created if you hard reset the unit to its factory settings.
Apple suggests you use AirPort Utility (Advanced view > IPv6 tab) to enable Block Incoming IPv6 Connections. You could alternately choose Link-Local Only from the IPv6 Mode, which limits IPv6 to the local network, in which case only devices on the local network can route IPv6 to and from the base station. Either choice prevents other machines on the Internet from connecting. Make these changes and click Update for each profile you have created for your Extreme N.
The other fix corrects a shared disk problem. The Extreme N enables you to use AFP (commonly known as AppleShare) and Samba (technically called SMB/CIFS) to share partitions of disks connected via USB to the base station. The flaw Apple has patched would have allowed volumes shared from an Extreme N using the disk password method of access control to display their files to users who didn’t have the password.
In other words, if you don’t use or plan to use USB disk sharing, you can just change the IPv6 settings as I or Apple suggest and avoid this upgrade.
Updating with AirPort Utility — The update is a good chance to see AirPort Utility 1.0.1’s new internal update feature in action, itself part of the AirPort Base Station Update 2007-001, released 29-Mar-07. With automatic updating, when you launch AirPort Utility or choose AirPort Utility > Check for Updates, the program checks Apple’s site for new software.
If there’s an update, a dialog appears that states, “New base station firmware is available.” You can click Show Details for more information, Cancel to exit (and later update), or Download. Clicking Download starts an Internet download of any necessary files with a progress bar explaining the file being retrieved. With Firmware Update 7.1, that’s the only file retrieved. After retrieval, you click Update to install the software. The dialog changes to a note that firmware is being installed on a particular base station. It looks like the software would allow multiple installations in sequence of any base station that required the new firmware.
Finally, when a base station has received the new firmware, it restarts. The LED on the front glows a solid orange while the base station burns the firmware into its rewritable persistent memory, which took about two to three minutes in my case. Then the Extreme N starts up normally.
To revert to 7.0 firmware, should you have a problem, you would need to reinstall your original AirPort Utility software from the CD that comes with the Extreme N. While Apple maintains a page of firmware downloads, they haven’t yet added the 7.0 or 7.1 release to this page. I cover installing older firmware releases in “Revert to Older Firmware” in Appendix C of “Take Control of Your 802.11n AirPort Extreme Network.”