nanog mailing list archives
Re: IPv6 Ingress traffic by default
From: Mark Andrews <marka () isc org>
Date: Tue, 21 Jun 2016 08:09:24 +1000
In message <B950E696-1A72-4166-B615-A68BF30AD4F2 () puck nether net>, Jared Mauch writes:
> On Jun 20, 2016, at 1:30 PM, Owen DeLong <owen () delong com> wrote:
>> On Jun 17, 2016, at 10:10 , Mark Milhollan <mlm () pixelgate net> wrote:
>>> On Tue, 14 Jun 2016, Owen DeLong wrote:
>>>> On Jun 14, 2016, at 11:57 , Ricky Beam <jfbeam () gmail com> wrote:
>>>>> I've seen many "IPv6 Capable" CPEs that apply ZERO security to IPv6 traffic.
>>>> Those are by definition poorly designed CPE.
>>> This (open by default vs closed) has been discussed before, with plenty of people on either side.
>>> /mark
>> I'm unaware of anyone advocating open inbound by default residential CPE.
> I'm sure changing the subject line will draw out the purists at heart :)
>> I'm not saying they don't exist, but I can't imagine how anyone could possibly defend that position rationally.
> I think certain things, eg: SSH would be "safe-ish" to support ingress, but at the same time, you connect something like a Raspberry PI w/ global V6 and someone is doing honeypot stuff in pool.ntp.org you may get someone doing ssh pi/raspberry with automation before you can even change the passwords.
And that is the fault of the Raspberry PI. There is zero reason for the Raspberry PI to be open to the world before it has been configured. It could have an initial configuration that is just

permit <local-prefixes>/64 any port 22
deny any any port 22

That is just as safe as the CPE firewall would have been and doesn't require an external firewall. It would be nice if that could have been

permit <local-prefixes>/48 any port 22

but a group of ISPs thought they knew better than the IETF and decided that they would not listen to the advice that every site gets a /48, so now there is no sensible site wide default prefix.
>> I'm pretty much in favor of open by default in most things, but for inbound traffic to residential CPE? Even I find that hard to rationalize.
> What I find frustrating is that my current ISP requires a managed CPE where I can disable the IPv6 firewall so I can access devices at home over IPv6, but there is no way to download/upload the config, and they don't store it on their side either. This means when a device is swapped, it must be reprogrammed to disable this stuff, meaning I must be on-site or have something phone-home to disable their DHCP server and other elements. I also can't triage why it keeps rebooting every few days as it doesn't tell me anything about debug logs, if it uploaded a core file, etc. I'm guessing there is some "exotic" L2 traffic I have that is hosing it, but haven't gone so far as to tcpdump the entire network for the possible offending traffic.
> - Jared
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka () isc org
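As an added illustration of the two-line initial policy Mark Andrews describes (not code from his message, from the Raspberry Pi project or from any CPE vendor), the following Python evaluates "permit local prefix to port 22, deny everything else" for both the /64 a device can learn on-link and the /48 he would have preferred, and renders the equivalent nftables ruleset; the device address, the connection attempts and the nft syntax are assumed sample values for illustration.

```python
import ipaddress

SSH_PORT = 22

def local_prefix(device_addr, prefixlen=64):
    """Permitted source prefix derived from the device's own global address.
    64 is the on-link prefix the device can learn itself; 48 is the site
    prefix Mark Andrews would prefer, usable only if the ISP assigned a /48."""
    return ipaddress.IPv6Interface(f"{device_addr}/{prefixlen}").network

def permit_inbound(src, dport, prefix):
    """The two-line initial policy from the message:
        permit <local-prefix> any port 22
        deny   any            any port 22
    Anything that is not SSH from the local prefix is refused."""
    return dport == SSH_PORT and ipaddress.IPv6Address(src) in prefix

def evaluate(attempts, prefix):
    """Run a batch of (source, dport) attempts through the policy."""
    return {(s, p): permit_inbound(s, p, prefix) for s, p in attempts}

def render_nft(prefix):
    """Equivalent nftables ruleset (assumed nft syntax, for illustration):
    default drop on input, keep established flows and ICMPv6 (needed for
    neighbour discovery), then the one SSH exception for the local prefix."""
    return "\n".join([
        "table ip6 filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
        "    meta l4proto ipv6-icmp accept",
        f"    ip6 saddr {prefix} tcp dport {SSH_PORT} accept",
        "  }",
        "}",
    ])

if __name__ == "__main__":
    # Constructed sample values: the Pi, a neighbour on its /64, a host on
    # another /64 of the same /48, an Internet scanner, and a non-SSH port.
    pi = "2001:db8:1:2::10"
    attempts = [("2001:db8:1:2::20", 22), ("2001:db8:1:3::20", 22),
                ("2001:db8:ffff::1", 22), ("2001:db8:1:2::20", 80)]
    for plen in (64, 48):
        pfx = local_prefix(pi, plen)
        for key, ok in evaluate(attempts, pfx).items():
            print(f"/{plen} {pfx}: {key} -> {'permit' if ok else 'deny'}")
    print(render_nft(local_prefix(pi)))
```

Running it shows the practical difference between the two prefix lengths: a host on a neighbouring /64 of the same site is refused under the /64 policy and accepted under the /48 one, while the scanner is refused under both.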