On Mar 13, 2014 4:22 PM, Marco Sommani marcosomm...@gmail.com wrote:
On 13/mar/2014, at 20:12, Eric Vyncke (evyncke) evyn...@cisco.com wrote:
Jakob
What annoys me more is the fact that AVM (and they are not the only one -- see Technicolor and others) naively believes that NAT44 offered some security by preventing inbound connections... This means that there is NO open connectivity between two X/Box behind a closed AVM CPE... Hence X/Box has no choice and is smart enough to fall back to the legacy NAT44 mode with a TURN (or in this case Teredo) to bypass NAT. A very nice opportunity to run a man-in-the-middle attack on foreign ground.
AVM is not alone in its choices: they just do what is suggested in RFC 6092 - Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service. I don't like what they do, but maybe we should blame the IETF.
Marco
I believe there is an exception for allowing inbound IPsec in the RFC... but this really goes to show how stateful firewalls are more harm than good in the general case.
AVM may as well stay on IPv4 NAT444 since they gave up on e2e with the stateful inspection.
CB
I still wonder why people REALLY believe in the security of NAT (in the sense of blocking inbound connections) in 2014 while most of the botnet members are behind a NAT...
Christopher and others = you are RIGHT! Do not change your mind.
-éric (see also http://tools.ietf.org/html/draft-ietf-v6ops-balanced-ipv6-security-01 for my point of view :-))
On 13/03/14 18:43, Jakob Hirsch j...@plonk.de wrote:
Hi!
Christopher Palmer, 2013-10-10 03:22:
http://download.microsoft.com/download/A/C/4/AC4484B8-AA16-446F-86F8-BDFC498F8732/Xbox%20One%20Technical%20Details.docx
Nice, but why do you absolutely require Teredo even for boxes with native IPv6? Of course there's the advantage of direct client2client communication (less latency for clients and less traffic on Teredo relays), but the box should at least fall back to native IPv6 if Teredo is not available (quite odd to talk about native IPv6 being a fallback to Teredo, but anyway).
There's at least one CPE manufacturer (quite prevalent in Europe or at least in Germany) that filters out Teredo by default if native IPv6 is available. They added an option to disable this filter, but that's not a good thing. See
http://service.avm.de/support/en/skb/FRITZ-Box-7390-int/1439:Cannot-play-online-games-with-Xbox-One
In the current state, the XBox One is doing more harm to IPv6 than good. People encounter problems after having IPv6 activated (there are forum posts which tell people to disable IPv6 to fix this issue) and network operators will see less increase in IPv6 traffic (which lowers the incentive to improve IPv6 support).
Regards
Jakob
--
Marco Sommani
Via Contessa Matilde 64C
56123 Pisa - Italia
phone: +390500986728
mobile: +393487981019
fax: +390503869728
email: marcosomm...@gmail.com