nanog mailing list archives

IPv6 Ingress traffic by default


From: Jared Mauch <jared () puck nether net>
Date: Mon, 20 Jun 2016 13:38:07 -0400


On Jun 20, 2016, at 1:30 PM, Owen DeLong <owen () delong com> wrote:


On Jun 17, 2016, at 10:10 , Mark Milhollan <mlm () pixelgate net> wrote:

On Tue, 14 Jun 2016, Owen DeLong wrote:
On Jun 14, 2016, at 11:57 , Ricky Beam <jfbeam () gmail com> wrote:

I've seen many "IPv6 Capable" CPEs that apply ZERO security to IPv6 traffic. 

Those are by definition poorly designed CPE. 

This (open by default vs closed) has been discussed before, with plenty 
of people on either side.


/mark

I’m unaware of anyone advocating open inbound by default residential CPE.

I’m sure changing the subject line will draw out the purists at heart :)

I’m not saying they don’t exist, but I can’t imagine how anyone could possibly defend that position rationally.

I think certain things, e.g. SSH, would be ‘safe-ish’ to support ingress, but at the same time, you connect something like a Raspberry Pi w/ global V6 and someone is doing honeypot stuff in pool.ntp.org, you may get someone doing ssh pi/raspberry with automation before you can even change the passwords.

I’m pretty much in favor of open by default in most things, but for inbound traffic to residential CPE? Even I find that hard to rationalize.

What I find frustrating is that my current ISP requires a managed CPE where I can disable the IPv6 firewall so I can access devices at home over IPv6, but there is no way to download/upload the config, and they don’t store it on their side either.  This means when a device is swapped, it must be reprogrammed to disable this stuff, meaning I must be on-site or have something phone-home to disable their DHCP server and other elements.

I also can’t triage why it keeps rebooting every few days as it doesn’t tell me anything about debug logs, if it uploaded a core file, etc.

I’m guessing there is some ‘exotic’ L2 traffic I have that is hosing it, but haven’t gone so far as to tcpdump the entire network for the possible offending traffic.

- Jared
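The "closed inbound by default" CPE policy the thread argues for, plus the narrow alternative to "disable the IPv6 firewall" that Jared mentions, expressed as a ruleset. This is an added example, not configuration from anyone in the thread or from any particular CPE vendor; it assumes a Linux-based CPE running nftables with a WAN interface named wan0, a LAN interface named lan0, and uses the documentation prefix 2001:db8:1234::/64 as a constructed placeholder for the delegated LAN prefix.

```nftables
# Added example: default-closed IPv6 forwarding policy for a Linux CPE.
# Interface names and the 2001:db8:1234::/64 prefix are assumptions.

table ip6 cpe {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for connections the LAN initiated.
        ct state established,related accept

        # Anything a LAN host originates may leave towards the WAN.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 messages that must traverse a firewall for IPv6 to work
        # (path MTU discovery, error reporting), per RFC 4890 guidance.
        iifname "wan0" icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request
        } accept

        # Selective carve-out instead of switching the whole firewall off:
        # reach one known host on SSH from outside. Placeholder address;
        # uncomment only for a host whose default credentials are changed.
        # iifname "wan0" ip6 daddr 2001:db8:1234::10 tcp dport 22 ct state new accept

        # Every other unsolicited inbound flow hits the drop policy above.
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iifname "lo" accept
        ct state established,related accept
        iifname "lan0" accept

        # Neighbour discovery, router advertisements and the same error
        # messages, addressed to the CPE itself.
        iifname "wan0" icmpv6 type {
            nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert,
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request
        } accept

        # DHCPv6 replies from the upstream server to the CPE's client.
        iifname "wan0" udp sport 547 udp dport 546 accept
    }
}
```

Loaded with `nft -f` on the CPE, the ruleset drops everything inbound that the LAN did not ask for while keeping the ICMPv6 types that IPv6 needs to function; a freshly plugged-in device with stock credentials is therefore not reachable from the Internet until a single, deliberate rule such as the commented SSH line exposes it.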
