Re: question regarding over the counter devices
On 06.03.2017 at 11:37, Florian Lohoff wrote:

> Nevertheless - As an ISP I would never enable IPv6 for Customers without being sure that they are aware.

While I understand the concerns, since I was in this situation a while ago at $ORKPLACE[-1] (you may remember me from your former employer :), this is OK in the early phase, where you want to make sure that your hotline won't blow up. If you want a significant IPv6 usage (which we all do, I hope), you'll just start enabling it.

We had several phases, roughly and IIRC:

- enabled it for customers that ask for it (after announcing it in the support forum)
- enabled it for new customers on the network side. The few ones that enable it by themselves will profit, but this is mainly to make sure your access network won't run into problems when going large scale
- after a while, started enabling for all customers network-side
- enable it on new customers' CPEs (or whenever they reset their CPE). With an appropriate rate of new customers, you will get nice numbers after several months.

So here we are now, a good six-figure (or maybe even seven by now) number using IPv6, most without knowing or noticing, without any big issues rolling in from support.

So from my experience I would say: be bold!

Regards
Jakob
Re: Microsoft: Give Xbox One users IPv6 connectivity
On 14.03.2014 12:47, Tore Anderson wrote:

>>> Christopher and others = you are RIGHT! Do not change your mind

>> Right about _what_? You provided not a single reason for the described behaviour, i.e. the missing fallback to native IPv6.

> According to Microsoft, there should never be a fallback to native IPv6, as IPv6 should be the preferred protocol. Teredo should be the fallback, for those situations where end-to-end IPv6 isn't available.

The fallback I was talking about is not a description of the current behaviour, it's about what is missing.

> Can you confirm that this is the case that all the XB1s involved have native IPv6 connectivity, and that Teredo is used in spite of that? (If

No, and I did not claim that.

> not all of the XB1s communicating have native IPv6, fallback to Teredo is the expected behaviour.)

documented, yes, but surely not expected.

> involved XB1s are behind AVM HGWs, any IPv6 connectivity is broken and thus useless. That may well be the reason why the XB1 is trying to fall back on Teredo in the first place, a fact that makes the claims in the

No, according to Microsoft the XB1 will not use native IPv6 if one of the peers is IPv4 only.

> «The Xbox's behavior contradicts the Teredo standard (RFC 4380 Section 5.5)». -- No, it doesn't, because the XB1 *doesn't* have IPv6 connectivity, because the AVM broke it.

No. Just because there's a stateful IPv6 firewall does not mean no IPv6 connectivity?

> (Besides which, RFC 4380 section 5.5 is meant for Teredo implementers, not for HGW manufacturers.)

So what? It's XB1 which is using Teredo and violating section 5.5 of RFC 4380 (which is, ironically, authored by Microsoft itself). And now the HGW is the one to blame for that it was not expecting that?

> Finally, the KB article says «there is a risk that using Teredo could allow the security functions of the FRITZ!Box to be circumvented». I cannot see how the presence of IPv6 makes this any worse. If AVM had

That's simple:

- As long as my HGW is _not_ doing IPv6, I do not expect it to prevent unwanted IPv6 traffic
- If my HGW _is_ doing IPv6, I do expect it to prevent unwanted IPv6 traffic

Sure, this is all debatable and everything, but I really don't understand the harsh bashing of AVM and avid defense of the XB1 at the same time here. The XB1, as recently released device, abuses an outdated, skunky protocol to create its own pseudo-VPN and everybody's cheering for it, without a single critical remark? That's just sad.
Re: Microsoft: Give Xbox One users IPv6 connectivity
Hi!

Christopher Palmer, 2013-10-10 03:22:

> http://download.microsoft.com/download/A/C/4/AC4484B8-AA16-446F-86F8-BDFC498F8732/Xbox%20One%20Technical%20Details.docx

Nice, but why do you absolutely require Teredo even for boxes with native IPv6? Of course there's the advantage of direct client2client communication (less latency for clients and less traffic on Teredo relays), but the box should at least fall back to native IPv6 if Teredo is not available (quite odd to talk about native IPv6 being a fallback to Teredo, but anyway).

There's at least one CPE manufacturer (quite prevalent in Europe or at least in Germany) that filters out Teredo if native IPv6 is available by default. They added an option to disable this filter, but that's not a good thing. See http://service.avm.de/support/en/skb/FRITZ-Box-7390-int/1439:Cannot-play-online-games-with-Xbox-One

In the current state, the XBox One is doing more harm to IPv6 than good. People encounter problems after having IPv6 activated (there are forum posts which told people to disable IPv6 to fix this issue) and Network operators will see less increase in IPv6 traffic (which lowers the incentive to improve IPv6 support).

Regards
Jakob
Re: Microsoft: Give Xbox One users IPv6 connectivity
On 13.03.2014 20:12, Eric Vyncke (evyncke) wrote:

> I still wonder why people REALLY believe in the security of NAT (in the sense of blocking inbound connections) in 2014 while most of the botnet members are behind a NAT...

I really don't know what this has to do with Teredo or IPv6, but well... Blocking inbound connections will save your host from remote exploits of its network services, but not from getting infected by malicious websites or email attachments. This is out of the scope of the common RG. And this has nothing to do with AVM, Technicolor or any other RG manufacturer, last time I checked Cisco RGs did just the same.

> Christopher and others = you are RIGHT! Do not change your mind

Right about _what_? You provided not a single reason for the described behaviour, i.e. the missing fallback to native IPv6.

> -éric (see also http://tools.ietf.org/html/draft-ietf-v6ops-balanced-ipv6-security-01 for my point of view :-))

I liked especially this section 5. Security Considerations where it says

"The policy addresses the major concerns related to the loss of stateful filtering imposed by IPV4 NAPT when enabling public globally reachable IPv6 in the home."

and

"This set of rules cannot help with the following attacks: [...] Malware which is fetched by inside hosts on a hostile web site (which is in 2013 the majority of infection sources)."

This approach seems a little too bold to me, and the lack of incidents may just be caused by the lack of attacks via IPv6, but if it works for Swisscom, good for them.

Jakob