nanog mailing list archives

Re: [External] Re: IPv6 uptake

From: Tim Howe <tim.h () bendtel com>
Date: Mon, 19 Feb 2024 10:31:20 -0800

Some responses below.

On Mon, 19 Feb 2024 10:01:06 -0800
William Herrin <bill () herrin us> wrote:

> I've never once seen a device
> that has v6 support and didn't have a stateful v6 firewall on by
> default (if v6 was "on").

Acknowledged.

> So when the user wants to run a home server, their IPv4 options are to
> create a TCP or UDP port forward for a single service port or perhaps
> create a generic port forward for every port to a single internal
> machine. Protocols other than TCP and UDP not supported.

        OK, but I'm not sure what you are getting at by saying this is
TCP and UDP exclusive... I don't know why it would be; what's the
example you think is typically being denied?

> They might
> also have the option of a "bridge" mode in which only one internal
> host is usable and the IPv4 functions of the device are disabled. The
> bridge mode is the only "off" setting for the IPv4 firewall.
>
> Correct?

> Their IPv6 options *might* include these but also include the option
> to turn the IPv6 firewall off. At which point IPv4 is still firewalled
> but IPv6 is not and allows all L4 protocols, not just TCP and UDP.
>
> Also correct?

        This isn't how I would characterize any of this, to be honest.
I think what you are trying to say is that a v6 firewall can be "off"
while IPv6 connectivity remains unhindered, but turning "off" an IPv4
firewall means no hosts behind NAT will continue to have connectivity.
The assumption being that a guardrail for someone being really
self-destructive is removed.

        OK.  So someone really wanted connectivity and really wanted to
disable security.  Maybe.
        I still believe the statement "IPv6 is typically delivered
to 'most people' without border security" to be demonstrably false.

-- 
TimH
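The CPE behaviour the two posts argue over, written out as an nftables ruleset: a default-deny stateful IPv6 forward chain (the protection IPv4 NAT gives implicitly) plus one pinhole standing in for a single-port IPv4 port forward. This is an added illustration, not part of either post; the interface names and the server address are constructed placeholders.

```nft
# Added example, not from the thread. Interface names and the host
# address below are made-up placeholders (2001:db8::/32 is the
# documentation prefix).
define wan = "eth0"
define lan = "br-lan"
define home_server = 2001:db8::10

table ip6 cpe_fw {
    chain forward {
        # "Firewall off" in the thread's sense is this line with
        # "policy accept": connectivity stays, protection goes.
        type filter hook forward priority filter; policy drop;

        # Stateful core: drop broken state, then admit only traffic that
        # belongs to flows the LAN side initiated. This is the same
        # property a NAT box gives IPv4 whether you ask for it or not.
        ct state invalid drop
        ct state established,related accept

        # LAN hosts may initiate anything outbound, any L4 protocol.
        iifname $lan oifname $wan accept

        # ICMPv6 is load-bearing for IPv6 (PMTUD, neighbour discovery),
        # so inbound control messages are admitted rather than dropped.
        iifname $wan icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request
        } accept

        # The IPv6 analogue of a one-port IPv4 "port forward": a pinhole
        # to one service on one host, with no address rewriting involved.
        iifname $wan ip6 daddr $home_server tcp dport 443 accept

        # Everything else inbound from the WAN is counted and dropped.
        iifname $wan counter drop
    }
}
```

Load with `nft -f <file>` and inspect hit counts with `nft list chain ip6 cpe_fw forward` to see what the default-deny rule is absorbing.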

