On 9/25/2016 12:08 AM, [email protected] wrote:
1) In theory you are right.  In practice it is not that black and
white.  We never buy an existing product, we buy a future product
which has to be developed for us.  That includes physical features
which may not have been released from Broadcom yet (11ac 3x3 we were
the first mass order from Broadcom for example).  That means that we
usually have a development period with the vendor, and a release
target (VDSL launch for example).  Sometimes they have to rush the CPE
side to meet the network side launch.  This again means that we
usually launch with a fair number of bugs and un-optimized software,
and features missing.  And since we don't buy in Comcast type volumes
we do not have the purchasing power to instruct the vendors to do
absolutely everything, we have a limited development team working for
us and we have to prioritize what they should work on.  And so far
UPnP has not gotten above that threshold.


Well there is an answer to that.  Instead of paying your development
team to do a from-scratch build, you can just have them port over
dd-wrt or openwrt.  Both of these router firmwares are most likely
tremendously advanced over anything your CPE development team can
come up with.

Also in the case of dd-wrt you can also pay the dd-wrt developer to
do this.  He has done it for other CPE vendors and will sign NDAs
and such if you are using hardware that is so precious that the
vendor won't release programming data for it.


2) You may have more luck with your forum posts, but on the Norwegian
forums the loudest answer wins the day. Reason cannot stand up to the
forces of loud ignorance.


No, the post that WORKS always ends up winning.  You may not have the
last word on a blog but having the last word isn't a sign of winning.

3) As stated in 1, limited resources dictate that we prioritize
security, features which support payable services, then the stuff we
network geeks want.  And since I do know a lot of smaller ISPs and
retailers of off-the-shelf products, I do know that those products do
very seldom get anything other than bug fixes for anything other than
flaws which may reflect badly on the CPE vendor.

4) The customers are paying for internet access.  That used to mean
an ethernet port and two IPv4 addresses.  Today the customers define
it as wifi access on the phone in the room the furthest away from the
router.  The level of knowledge in the user base is dropping like a
stone.  If we can have a technical solution which prevents the
customer from having issues and calling us, we go for it.


There is no such solution because networking and the Internet is becoming more complex by the day.

I am sorry about this but there you have it.  The largest ISPs out there
are solving the support issue by basically offering no useable support,
the customer calls in, complains something doesn't work and is told
to go away and find someone else to help them.   These ISPs know that
no matter how angry the customer gets with a non-answer, that ultimately
the customer knows if they quit service and go to another large competitor that the other large competitor is going to treat them exactly the same way - so they don't benefit by quitting service.

I make a living today by fixing problems for people who have gotten non-answers from ISPs for their problems (among other things). I can tell you that more and more customers are figuring out that just like fixing a car, the manufacturer isn't going to train you how to fix your car; you are going to have to take it to a garage and pay someone to fix it. And yes I agree customer expectations have risen. That is just bringing the day closer that customers quit bothering the service providers with problems on their own network. As a former DSL service
provider and a current e-mail service provider I can tell you that
this direction is really the best for both the customer and the
service provider.

Ted



-Erik


________________________________________
From: [email protected]<[email protected]> on behalf of Ted Mittelstaedt<[email protected]>
Sent: 20 September 2016 18:52
To: [email protected]
Subject: Re: SV: CPE Residential IPv6 Security Poll

Erik,

I think you have to follow these precepts (keep in mind this is an
American capitalist perspective not a European cooperative socialist
perspective)

1) You got the money, tell your vendors to either do what you want
(put IPv6 UPnP in CPEs they sell you) or you are going to kick their
ass. It's your money!  They want your money do they not?  That's why
they are selling CPEs to you - so why do you tolerate any crap from
them?  Tell them either put UPnP in the code or you're going elsewhere
for your CPEs and you are going to tell all your other ISP friends to
go elsewhere for their CPEs.   Enough Mr. Nice Guy.

2) It's not your problem if Ma & Pa Kettle find a wannabe power
user. If you don't like being bad-mouthed by wannabe power users on
the online forums then get your ass on the online forums and start
engaging. Refute those "need bigger antennas" posts with logic and
reason. I guarantee to you that 1 correct post is worth 100 baloney
posts from wannabe power users.

3) How on Earth can you make the case that your ISP router patches
security holes and adds features yet turn around and claim that you
can't push your CPE vendors to add UPnP support?   Either you have
power to get your CPE vendors to issue updates or not.  If you do -
then quit complaining that no CPEs have UPnP support for IPv6.  If
you don't - then quit claiming your CPE is better.

4) What is your customers' perception that they are paying for and
what are they REALLY paying for?   If they think they are paying for
access only - and you think they are paying for access plus your
management of their network CPE - then I can see why you might be
wondering why they aren't complaining to you when there's a problem
and going to the wannabe power users.  Maybe you just need to do
some more customer education?

Ted

On 9/20/2016 1:24 AM, [email protected] wrote:
With all due respect to the actual power users out there.  For each
one of them, there are at least 20 who think they are power users
who base their knowledge on rumors and misconceptions.   They are
often vocal (forums and comments on news sites) and they are the
ones who often are enlisted to help Ma & Pa Kettle.  At least that
is what we see a lot of in Norway.  They simply do not have the
ability to correctly diagnose the issues.  Solutions often involve
"you need bigger antennas on the router", "Apple routers are
always the best", "the ISP supplied router always sucks".

So Bob-the-power-user buys the expensive huge antenna router and
installs it at M&PK.  It does not have dual stack, therefore the
application at M&PK never tries IPv6 and the older UPnP
solution works for them.  Bob gets a reconfirmation that big
antennas help, and that the ISP router sucks.  Where a simpler and
cheaper solution would be to modify the firewall settings of the
ISP router.

Since I represent the ISP and specifically the ISP supplied router
(where we do patch security flaws, add features, optimise DSL and
wlan drivers, attack bufferbloat and give the customers the
possibility of remote support.  Unlike a lot of retail products
which often have to live with the software they were shipped with).
How do we set up the router's IPv6 setting in such a way that
Bob-the-power-user does not have to be called in by M&PK to fix their
broken app/network, but still maintain a level of security for
them?  Is some sort of balanced the way to go?  Should we again
push our vendors for PCP/UPnP support?



-Erik


________________________________________
From: [email protected]<[email protected]> on behalf of Ted Mittelstaedt<[email protected]>
Sent: 19 September 2016 23:23
To: Bjørn Mork
Cc: [email protected]
Subject: Re: CPE Residential IPv6 Security Poll

I can tell you that -today- in my location both CenturyLink and
Comcast (giant ISPs) supply IPv6 by default on their residential
CPEs - and both of those CPEs have "inbound block outbound allow"
on by default on IPv6. As far as I know neither supports UPnP on
IPv6.

I think you are overthinking this.  If a CPE has no IPv6 support
but it has UPnP support over IPv4 then things "work".  If a CPE has
IPv6 support but no UPnP support over IPv6, then things are also
going to "work" - on IPv4.  They may break on IPv6 with a "block
everything" IPv6 rule in which case the end user is undoubtedly
going to complain to the toaster manufacturer not you, and that
toaster maker is either going to tell their customer "disable ipv6
on your ISP CPE" or they are going to fix their toaster so that it
doesn't try using UPnP over IPv6, only IPv4.

Your job is to not assume your customers are all morons.  It is to
make it safe for the ones who are, and make it usable for the ones
who aren't and want to run their own show.  Provide the needed
buttons in the CPE to enable or disable IPv6 and to allow your
customers to shut off your CPE's interference and be done with it.

As an ISP you of all people should understand how powerful the
Internet is.  If you make your stuff configurable for power users,
and document it, then the Ma & Pa Kettle customers are going to
engage their friend's son who IS a power user and can search the
Internet and follow simple directions and fix their problem with
their web cam or whatever it is that is demanding UPnP.

If however you default to open, then when Ma & Pa Kettle
eventually get cracked, and call in the power user, that power user
is going to discover your default firewall on IPv6 is open and
realize that you created a huge whole bunch of work for him since
he will now have to put back together a PC for the morons.   He
isn't going to appreciate that and will badmouth you online.

Nobody with brains is going to go online and badmouth an ISP that
supplies a CPE that has defaults that err on the side of
protection-of-morons.   But they are going to badmouth an ISP that
supplies a CPE that has defaults that allow morons to get easily
broken into - because it's them who are going to be sucked into
putting those systems back together.  And they are really going to
badmouth an ISP that supplies a CPE that can't have its internal
firewall turned off.

Ted

On 9/19/2016 1:29 PM, Bjørn Mork wrote:
Ted Mittelstaedt<[email protected]> writes:

This kind of mirrors the "default" security policy on IPv4 CPEs
(since those CPE's have NAT automatically turned on which
creates a "block in, permit out" kind of approach.) so I'm not
sure why you would want to default it to being different for
IPv6.

I was explained one reason today: No CPEs implement UPnP support
for IPv6 [1].

This makes the effect of the similar IPv4 and IPv6 policies
quite different.  UPnP aware applications will set up the
necessary NAT rules for IPv4, allowing inbound connections etc.
But if you want the same applications to work over IPv6, then the
policy must be more open by default. Letting the user disable
IPv6 filtering is not going to help the masses I'm afraid...

So the question remains: What do ISPs actually do to

- allow IPv6, and
- secure the end users' networks, and
- not break dual stack applications wanting incoming connections

all at the same time?  Looks like a classical "pick any two".



Bjørn

[1] I'm sure someone will come up with an obscure and expensive
example of the contrary - the point is that IPv6 UPnP support is
not readily available in the residential CPE market.

--- This email has been checked for viruses by Avast antivirus
software. https://www.avast.com/antivirus