Re: Microsoft: Give Xbox One users IPv6 connectivity

2014-03-13 Thread Cb B
On Mar 13, 2014 4:22 PM, Marco Sommani marcosomm...@gmail.com wrote:

 On 13/mar/2014, at 20:12, Eric Vyncke (evyncke) evyn...@cisco.com wrote:

  Jakob
  
  What annoys me more is the fact that AVM (and they are not the only one
  -- see Technicolor & others) naively believes that NAT44 offered some
  security by preventing inbound connections... This means that there is NO
  open connectivity between two X/Box behind a closed AVM CPE... Hence X/Box
  has no choice and is smart enough to fall back in the legacy NAT44 mode
  with a TURN (or in this case Teredo) to bypass NAT. A very nice
  opportunity to run a man-in-the-middle attack on a foreign ground.

 AVM is not alone in its choices: they just do what is suggested in RFC
6092 - Recommended Simple Security Capabilities in Customer Premises
Equipment (CPE) for Providing Residential IPv6 Internet Service. I don't
like what they do, but maybe we should blame IETF.

 Marco


I believe there is an exception for allowing inbound IPsec in the RFC ...
but this really goes to show how stateful firewalls are more harm than good
in the general case.

AVM may as well stay on IPv4 NAT444 since they gave up on e2e with the
stateful inspection.

CB
 
  I still wonder why people REALLY believe in the security of NAT (in the
  sense of blocking inbound connections) in 2014 while most of the botnet
  members are behind a NAT...
 
  Christopher and others = you are RIGHT! Do not change your mind
 
  -éric (see also
  http://tools.ietf.org/html/draft-ietf-v6ops-balanced-ipv6-security-01 for
  my point of view :-))
 
 
  On 13/03/14 18:43, Jakob Hirsch j...@plonk.de wrote:
 
  Hi!
 
  Christopher Palmer, 2013-10-10 03:22:
 
   http://download.microsoft.com/download/A/C/4/AC4484B8-AA16-446F-86F8-BDFC498F8732/Xbox%20One%20Technical%20Details.docx
 
  Nice, but why do you absolutely require Teredo even for boxes with
  native IPv6? Of course there's the advantage of direct client2client
  communication (less latency for clients and less traffic on Teredo
  relays), but the box should at least fall back to native IPv6 if Teredo
  is not available (quite odd to talk about native IPv6 being a fallback
  to Teredo, but anyway).
 
   There's at least one CPE manufacturer (quite prevalent in Europe or at
   least in Germany) that filters out Teredo if native IPv6 is available by
   default. They added an option to disable this filter, but that's not a
   good thing. See
  
   http://service.avm.de/support/en/skb/FRITZ-Box-7390-int/1439:Cannot-play-online-games-with-Xbox-One
 
   In the current state, the XBox One is doing more harm to IPv6 than good.
   People encounter problems after having IPv6 activated (there are forum
   posts which told people to disable IPv6 to fix this issue) and network
   operators will see less increase in IPv6 traffic (which lowers the
   incentive to improve IPv6 support).
 
 
  Regards
  Jakob
 
 

 --
 Marco Sommani
 Via Contessa Matilde 64C
 56123 Pisa - Italia
 phone: +390500986728
 mobile: +393487981019
 fax: +390503869728
 email: marcosomm...@gmail.com




www.uol.com.br

2014-01-18 Thread Cb B
It looks like a lot of Brazilian IPv6 is offline; they are all over the
bad list at

http://www.employees.org/~dwing/-stats/ipv6-failed.2014-01-17_0800.txt

My own testing

cbyrne@ubi:~$ wget www.uol.com.br
--2014-01-18 17:39:15--  http://www.uol.com.br/
Resolving www.uol.com.br (www.uol.com.br)... 2804:49c:319:430::100, 200.221.2.45
Connecting to www.uol.com.br (www.uol.com.br)|2804:49c:319:430::100|:80...
^C
cbyrne@ubi:~$ wget -6 www.uol.com.br -T 5
--2014-01-18 17:39:30--  http://www.uol.com.br/
Resolving www.uol.com.br (www.uol.com.br)... 2804:49c:319:430::100
Connecting to www.uol.com.br (www.uol.com.br)|2804:49c:319:430::100|:80...
failed: Connection timed out.
Retrying.

--2014-01-18 17:39:36--  (try: 2)  http://www.uol.com.br/
Connecting to www.uol.com.br (www.uol.com.br)|2804:49c:319:430::100|:80...
failed: Connection timed out.
Retrying.

--2014-01-18 17:39:43--  (try: 3)  http://www.uol.com.br/
Connecting to www.uol.com.br (www.uol.com.br)|2804:49c:319:430::100|:80...
failed: Connection timed out.
Retrying.

^C
cbyrne@ubi:~$ traceroute6 www.uol.com.br
traceroute to homeuol.ipv6uol.com.br (2804:49c:319:430::100) from 2001:5c0:1000:a::df, 30 hops max, 24 byte packets
 1  2001:5c0:1000:a::de (2001:5c0:1000:a::de)  102.285 ms  103.219 ms  102.954 ms
 2  ix-5-0-1.6bb1.MTT-Montreal.ipv6.as6453.net (2001:5a0:300::5)  100.013 ms  101.419 ms  98.764 ms
 3  if-ge-11-3-0.0.tcore2.MTT-Montreal.ipv6.as6453.net (2001:5a0:1900:100::d)  174.996 ms  150.218 ms  125.806 ms
 4  if-ae5.2.tcore2.NYY-NewYork.ipv6.as6453.net (2001:5a0:400:700::5)  106.977 ms  112.074 ms  109.283 ms
 5  if-ae11.2.tcore1.NYY-NewYork.ipv6.as6453.net (2001:5a0:400:700::2)  107.136 ms  108.147 ms  107.042 ms
 6  if-ae5.5.tcore1.NTO-NewYork.ipv6.as6453.net (2001:5a0:400:200::e)  106.494 ms  107.164 ms  108.047 ms
 7  10gigabitethernet4.switch3.nyc4.he.net (2001:470:0:1a3::1)  117.914 ms  112.04 ms  111.513 ms
 8  100ge7-2.core1.chi1.he.net (2001:470:0:298::1)  121.752 ms  129.8 ms *
 9  equinix-V6-exchange-chi.merit.edu (2001:504:0:4::237:1)  184.18 ms  147.539 ms  123.464 ms
10  tenge0-0-0-0x76.aa2.mich.net (2001:48a8:48ff:ff01::2)  159.109 ms  127.228 ms  124.78 ms
11  * * *
12  * * *
13  * * *
14  * * *
15  *^C
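The procedure in this post (resolve the name, try the AAAA address with a timeout, compare with IPv4) is what a "failed IPv6" list like the one linked above automates across many hosts. Below is an added example, not part of the original post and not the employees.org list's own tooling: a small Python script that runs the same probe per address family and classifies the host. A completed TCP handshake on port 80 stands in for wget's HTTP fetch, and the 5 s per-address timeout matches -T 5 above. The sample DNS answers for www.uol.com.br are the ones the wget output above printed; the *.example hosts, their documentation-range addresses, the reachability table and the file name v6check.py are constructed for the offline demo and say nothing about any real site.

```python
# Added example: dual-stack reachability probe with a "failed IPv6" verdict.
# Not code from the original post. The simulated DNS/TCP tables below are
# constructed for offline use.
import socket
import sys
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]
Connector = Callable[[str, int, float], bool]

# Constructed sample data. The www.uol.com.br answers are the ones the wget run
# printed; the *.example hosts use documentation prefixes (2001:db8::/32,
# 192.0.2.0/24) and exist only to exercise the other verdicts.
SAMPLE_DNS: Dict[str, List[str]] = {
    "www.uol.com.br": ["2804:49c:319:430::100", "200.221.2.45"],
    "ok.example": ["2001:db8::1", "192.0.2.1"],
    "v4only.example": ["192.0.2.2"],
    "dead.example": ["2001:db8::2", "192.0.2.3"],
}
# Addresses the simulated network accepts TCP from. The UOL IPv6 address is
# deliberately absent, mirroring the "Connection timed out" seen above.
SAMPLE_REACHABLE: List[str] = ["200.221.2.45", "2001:db8::1", "192.0.2.1", "192.0.2.2"]


def family_of(addr: str) -> str:
    """'ipv6' for a textual IPv6 address, 'ipv4' otherwise."""
    return "ipv6" if ":" in addr else "ipv4"


def system_resolver(host: str) -> List[str]:
    """All A and AAAA answers for host via the system resolver, duplicates removed."""
    addrs: List[str] = []
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return addrs
    for _fam, _type, _proto, _canon, sockaddr in infos:
        if sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs


def tcp_connector(addr: str, port: int, timeout: float) -> bool:
    """True if a TCP handshake to addr:port completes within timeout seconds."""
    fam = socket.AF_INET6 if family_of(addr) == "ipv6" else socket.AF_INET
    try:
        with socket.socket(fam, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
        return True
    except OSError:  # timeout, ECONNREFUSED, ENETUNREACH (no IPv6 route), ...
        return False


def table_resolver(answers: Dict[str, List[str]]) -> Resolver:
    """Offline stand-in for DNS: maps hostname -> list of addresses."""
    return lambda host: list(answers.get(host, []))


def table_connector(reachable: List[str]) -> Connector:
    """Offline stand-in for TCP: only the listed addresses accept connections."""
    return lambda addr, port, timeout: addr in reachable


def check_host(host: str, port: int = 80, timeout: float = 5.0,
               resolver: Resolver = system_resolver,
               connector: Connector = tcp_connector) -> Dict[str, object]:
    """Probe every address of host, per family, and classify the result.

    ok           some AAAA address accepted the connection
    ipv6-broken  AAAA published, no IPv6 address answered, but IPv4 did
    no-aaaa      only A records (never counted as an IPv6 failure)
    down         AAAA published, nothing answered on either family
    unresolved   no addresses at all
    """
    per_family: Dict[str, Dict[str, bool]] = {"ipv4": {}, "ipv6": {}}
    for addr in resolver(host):
        per_family[family_of(addr)][addr] = connector(addr, port, timeout)
    v4_ok = any(per_family["ipv4"].values())
    v6_ok = any(per_family["ipv6"].values())
    if not per_family["ipv4"] and not per_family["ipv6"]:
        verdict = "unresolved"
    elif not per_family["ipv6"]:
        verdict = "no-aaaa"
    elif v6_ok:
        verdict = "ok"
    elif v4_ok:
        verdict = "ipv6-broken"
    else:
        verdict = "down"
    return {"host": host, "verdict": verdict, "addresses": per_family}


def failed_ipv6(hosts: List[str], **kw) -> List[str]:
    """Hosts whose IPv6 is broken while IPv4 works: the 'bad list' criterion."""
    return [h for h in hosts if check_host(h, **kw)["verdict"] == "ipv6-broken"]


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live probe, e.g.: python3 v6check.py www.uol.com.br
        for h in sys.argv[1:]:
            print(h, check_host(h)["verdict"])
    else:  # offline demo against the constructed tables
        res, con = table_resolver(SAMPLE_DNS), table_connector(SAMPLE_REACHABLE)
        for h in SAMPLE_DNS:
            print(h, check_host(h, resolver=res, connector=con)["verdict"])
        print("failed IPv6:", failed_ipv6(list(SAMPLE_DNS), resolver=res, connector=con))
```

Run it with hostnames as arguments for a live probe, or with none to exercise the constructed tables. A host only lands on the failed list when its IPv4 side answers, so a site that is simply down is not counted as an IPv6 problem; that distinction is what separates a "broken AAAA" list from a general outage list, and it is the same comparison the wget and wget -6 runs above make by hand.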