Re: SV: SV: SV: CPE Residential IPv6 Security Poll

2016-10-01 Thread Daniel Roesen
On Thu, Sep 29, 2016 at 01:50:07PM +0200, e.vanu...@avm.de wrote:
> CU at BBWF ;-) We are building CPE with IPv6 on board.

Which still can't even do static IPv6 routes or open the firewall for
addresses in prefixes that are not directly connected.

Example: getting a /48 from upstream, and either statically routing or
PD'ing this to another inside router. There is no way to disable
firewalling for those.

Since AVM closed shell access to the FB, you cannot even manually add
the static routes. So an FB with the current OS is basically unusable
for anything but directly connected networks (main/guest) in IPv6. I'm
looking for a replacement for my 7390, as this problem doesn't allow me
to upgrade the firmware anymore (I would lose telnet access and thus
IPv6 in my home networks).

Nevertheless, welcome to the list. :-)

Best regards,
Daniel

-- 
CLUE-RIPE -- Jabber: d...@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0


Re: SV: SV: SV: CPE Residential IPv6 Security Poll

2016-09-29 Thread Holger Zuleger


On 29.09.2016 14:28, Thomas Schäfer wrote:
> Am 29.09.2016 um 13:50 schrieb e.vanu...@avm.de:
>> CU at BBWF ;-) We are building CPE with IPv6 on board.
>>
>> https://tmt.knect365.com/bbwf/sponsors/avm
>>
>> Eric
> 
> Without IPv6 support for VPN, without a configurable firewall for
> DHCPv6-PD, without the ability to disable IPv4 MyFritz DNS entries.
... without static routes for IPv6 and, to come back to the original
topic: without the possibility to turn off the IPv6 firewall...

> AVM is good, but not perfect.
Ack! And I like the way how the IPv6 firewall is configurable, but a
(maybe somehow hidden) knob to turn it completely off, or even set it to
a relaxed security like the Swisscom way, would be great.

BR
 Holger





Re: SV: SV: SV: CPE Residential IPv6 Security Poll

2016-09-29 Thread Thomas Schäfer

Am 29.09.2016 um 13:50 schrieb e.vanu...@avm.de:

CU at BBWF ;-) We are building CPE with IPv6 on board.

https://tmt.knect365.com/bbwf/sponsors/avm

Eric


Without IPv6 support for VPN, without a configurable firewall for
DHCPv6-PD, without the ability to disable IPv4 MyFritz DNS entries.
Some IPv6 menus are still hidden, only in expert view or far, far away
from the user's focus.


AVM is good, but not perfect.


Regards,
Thomas





--

There’s no place like ::1

Thomas Schäfer (Systemverwaltung)
Ludwig-Maximilians-Universität
Centrum für Informations- und Sprachverarbeitung
Oettingenstraße 67 Raum C109
80538 München ☎ +49/89/2180-9706  ℻ +49/89/2180-9701



Re: SV: SV: SV: CPE Residential IPv6 Security Poll

2016-09-29 Thread e . vanuden
CU at BBWF ;-) We are building CPE with IPv6 on board.

https://tmt.knect365.com/bbwf/sponsors/avm

Eric





From:   <erik.tarald...@telenor.com>
To:     <ragnar.anfin...@altibox.no>
Cc:     ipv6-ops@lists.cluenet.de
Date:   29-09-2016 11:27
Subject:    SV: SV: SV: CPE Residential IPv6 Security Poll
Sent by:    ipv6-ops-bounces+e.vanuden=avm...@lists.cluenet.de



>> And just to throw this conversation further off, anybody else here
>> coming to BBWF this year?
>
> I'll be there... Beers?

Good idea.  Any non-Norwegians who would like to join? :)

-E



SV: SV: SV: CPE Residential IPv6 Security Poll

2016-09-29 Thread erik.taraldsen
>> And just to throw this conversation further off, anybody else here
>> coming to BBWF this year?
>
> I'll be there... Beers?

Good idea.  Any non-Norwegians who would like to join? :)

-E

Re: SV: SV: CPE Residential IPv6 Security Poll

2016-09-28 Thread Ted Mittelstaedt


This is a flawed "argument of futility"

The reality is that people are fundamentally lazy -
if they were hard workers and industrious they wouldn't be
trying to make a living off the backs of other people's work.
They wouldn't be stealing and the ones not stealing wouldn't be
taking the lazy way out in a debate and using faulty logic.
Nor would they be trying to use IPv4 because it's simpler
to understand, instead of using IPv6 - which is the reason
this list exists in the first place.

Because of this we know criminals will always take the easiest way
into a system first.  When that way gets closed off then they will
take the next easiest way in, and so on and so on.  Crime is
one of the most logical businesses in existence - it's immoral
as hell - but you have to respect the logic of a bank robber -
where else do you get $20,000 for 20 minutes of work?

As a result, securing an open system generally happens through
the mechanism of you close a hole then another is discovered and
you close that one and another is discovered and so on and so on.

People who are not well versed in security, as they see hole after
hole closed, tend to get the idea that holes are endless. Thus enters
the "argument of futility".

What they don't understand is that every time a security
hole is discovered it makes it harder and more expensive to attack
the next one.

Because the entire point of crime is laziness, the issue isn't whether 
or not we can create an impregnable system.  We cannot do that.


The issue is can we make a system that is difficult enough to
break into that the effort of breaking into it is greater than
the effort of just getting a real job and making money the old
fashioned way - by EARNING it, rather than stealing it.

It is easier to attack a system directly that is exposed than it is
to attack that system via proxy.  Everyone on the Internet who
produces devices that are used on the Internet has a responsibility
to close holes they create - but they also have a responsibility to
make it difficult for crackers.

The web browser makers use
technology like Smartscreen Filter, Phishing and Malware Protection,
Block Attack Sites & Web Forgeries to try and do their part, the
CPE makers need to do their part, and last and most importantly,
all of us need to continue our efforts to try and educate Ma and
Pa Kettle not to click on the Make Money Fast, schemes.

Ted

On 9/27/2016 12:54 PM, Gert Doering wrote:

Hi,

On Tue, Sep 27, 2016 at 05:06:54PM +0900, Erik Kline wrote:

So lowest common denominator it is then.  Of course, any user's home
device can be infected through a web page and become part of a botnet.


Nah, of course not.  Viruses and such never spread through mail, or
users clicking on things.

We've heard a long and elaborate explanation that Firewalls on CPEs will
protect IoT devices, so it must be right!

*sigh*

Gert Doering
 -- NetMaster





Re: CPE Residential IPv6 Security Poll

2016-09-27 Thread Sander Steffann
Hi,

> For what it's worth, the Swisscom approach seems sensible to me. At
> least if I understand it correctly, in that they by default only block
> ports associated with application protocols known to be insecure, meant
> for home network use only, etc. All other ports and protocols not on
> the blacklist are let through in both directions. As far as I know this
> has been working out fine for them.

I like that approach as well. It might be generalised into "ports <= x are 
blocked by default and can be opened manually, ports > x are open by default". 
Whether x=1024, x=1 or x=16384 can be discussed. If usually services aren't 
listening on those high-numbered ports then the firewall blocking incoming 
packets for them doesn't make much of a difference anyway.

Cheers,
Sander





Re: Re: Re: CPE Residential IPv6 Security Poll

2016-09-27 Thread Mikael Abrahamsson

On Mon, 26 Sep 2016, Ted Mittelstaedt wrote:

Well there is an answer to that.  Instead of paying your development 
team to do a from-scratch build, you can just have them port over dd-wrt 
or openwrt.  Both of these router firmwares are most likely tremendously 
advanced over anything your CPE development team can come up with.


I've been working with this for the past 3 years or so. We have a CPE 
using OpenWrt we use as development platform.


So while OpenWrt is great for supporting development of new protocols, 
it's nowhere near as stable/bug free as one of the more restrictive vendor 
CPEs. When you have millions of devices in the field, shipping OpenWrt 
with all the bells and whistles available would be just a nightmare. If 
one were to restrict it a lot and just use the features "needed", then it 
might be manageable. I know some vendors who do this and ship HGWs based on 
OpenWrt. It's however quite heavily modified OpenWrt from what I can tell, 
and they don't rev their versions as fast as the OpenWrt project does.


I am sorry about this but there you have it.  The largest ISPs out there 
are solving the support issue by basically offering no useable support, 
the customer calls in, complains something doesn't work and is told to 
go away and find someone else to help them.  These ISPs know that no 
matter how angry the customer gets with a non-answer, that ultimately 
the customer knows if they quit service and go to another large 
competitor that the other large competitor is going to treat them 
exactly the same way - so they don't benefit by quitting service.


90% (or more) of people want their ISP to just "FIX IT! FIX IT! FIX IT!". 
So we're going to see more and more ISP-provided equipment in people's 
homes and ISPs getting more and more involved in running the home 
networks.


This is not something the ISPs are generally great at; the product cycles 
are generally long, it's quite a lot of "let's come up with something that 
works, is fairly bug free, then run the production line for 3 years, oh, 
and we need to support it for another 3-5 years". This is not a great 
combination with some customers' wishes to always have the latest and 
greatest. Very few people give any kind of love to their "home router". 
They go and buy a USD 40 device (or complain to the ISP that it's too 
expensive when the ISP wants to charge that kind of money for it) and then 
they connect their USD 1000 iPhone to it and expect everything to work 
great.


But I also (I think we're in agreement here) think I am seeing people more 
interested in their home networks now compared to 5-10 years ago. More 
people now know that you shouldn't put your wifi router in the basement 
behind a lot of boxes if you want good wifi coverage. But there is more to 
be done here, and we need more tools to help the customers figure out 
what's wrong. Doing truck rolls to fix people's home networks is going to 
be too expensive, so we need home network devices (and SoHo devices) to 
talk to each other so they can figure out what's going on and give advice 
to the customer. Right now I see forum posts all the time with people 
frantically kicking all the things to try to figure out what's going on. 
There is no indication to them whether the connectivity is bad because the 
problem is in their home network, on the access line, in the ISP core 
network, or further out on the Internet. People just don't have the tools 
to help them understand what's going on. The only thing they can say is 
"my Internet is slow", which of course says nothing about what the problem 
really is. Current devices can't even tell them if DNS lookups are slow, 
if TCP establishment is slow, if the TCP transfer rate is low because of 
packet loss, because of high delay, or because of something else. This 
information just isn't available to the end user, and it's a sad state of 
affairs.


The IETF, vendors and ISPs are all quite siloed so I don't know where we 
would start to actually improve this. I tried talking to the TCP people at 
the IETF and had no takers. I tried talking to the IPPM people, but they 
just want to measure with test traffic. I don't know who to talk to next.


--
Mikael Abrahamsson    email: swm...@swm.pp.se


Re: CPE Residential IPv6 Security Poll

2016-09-26 Thread Nick Hilliard
Lorenzo Colitti wrote:
> Surely there's got to be a better solution here than
> lowest-common-denominator engineering, a.k.a., "design your product for
> your least knowledgeable customer"?

sensible secure defaults for grandma + "Advanced" tab on CPE
configuration page for 10yo grandchild?

Nick


Re: SV: SV: CPE Residential IPv6 Security Poll

2016-09-25 Thread Roger Jørgensen

On Sun, 25 Sep 2016 07:08:46 +, erik.tarald...@telenor.com wrote:

1) In theory you are right.  In practise it is not that black and
white.  We never buy an existing product, we buy a future product
which has to be developed for us.  That includes physical features
which may not have been released from Broadcom yet (11ac 3x3: we were
the first mass order from Broadcom, for example).  That means that we
usually have a development period with the vendor, and a release
target (VDSL launch, for example).  Sometimes they have to rush the
CPE side to meet the network side launch.  This again means that we
usually launch with a fair number of bugs and un-optimized software,
and features missing.  And since we don't buy in Comcast-type volumes
we do not have the purchasing power to instruct the vendors to do
absolutely everything; we have a limited development team working for
us and we have to prioritize what they should work on.  And so far
UPnP has not gotten above that threshold.

(And the above is a bit beside the point: we seem to be the only ISP
who wants UPnP.  That doesn't help our customers a lot.  In order for
UPnP to work you also need support in the clients, and those we talk
to who do develop clients badly want to get away from UPnP.)


... that has been said with regard to everything related to IPv6 for
nearly 20 years. When will we stop using it as an excuse?

Someone has to be the first, even if it's just for show and there
are no client-side clients.



---

--
Roger Jorgensen  | - ROJO9-RIPE
ro...@jorgensen.no   | - The Future is IPv6
---

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?


SV: SV: CPE Residential IPv6 Security Poll

2016-09-25 Thread erik.taraldsen
1) In theory you are right.  In practise it is not that black and white.  We 
never buy an existing product, we buy a future product which has to be 
developed for us.  That includes physical features which may not have been 
released from Broadcom yet (11ac 3x3: we were the first mass order from Broadcom, 
for example).  That means that we usually have a development period with the 
vendor, and a release target (VDSL launch, for example).  Sometimes they have to 
rush the CPE side to meet the network side launch.  This again means that we 
usually launch with a fair number of bugs and un-optimized software, and features 
missing.  And since we don't buy in Comcast-type volumes we do not have the 
purchasing power to instruct the vendors to do absolutely everything; we have a 
limited development team working for us and we have to prioritize what they 
should work on.  And so far UPnP has not gotten above that threshold.

(And the above is a bit beside the point: we seem to be the only ISP who wants 
UPnP.  That doesn't help our customers a lot.  In order for UPnP to work you also 
need support in the clients, and those we talk to who do develop clients badly 
want to get away from UPnP.)


2) You may have more luck with your forum posts, but on the Norwegian forums 
the loudest answer wins the day. Reason cannot stand up to the forces of loud 
ignorance.

3) As stated in 1, limited resources dictate that we prioritize security, then 
features which support payable services, then the stuff we network geeks want.  
And since I do know a lot of smaller ISPs and retailers of off-the-shelf 
products, I do know that those products very seldom get anything other than 
bug fixes for anything other than flaws which may reflect badly on the CPE 
vendor.

4) The customers are paying for internet access.  That used to mean an ethernet 
port and two IPv4 addresses.  Today the customers define it as wifi access on 
the phone in the room furthest away from the router.  The level of 
knowledge in the user base is dropping like a stone.  If we can have a 
technical solution which prevents the customer from having issues and calling 
us, we go for it.


-Erik



From: ipv6-ops-bounces+erik.taraldsen=telenor@lists.cluenet.de 
<ipv6-ops-bounces+erik.taraldsen=telenor@lists.cluenet.de> on behalf of Ted 
Mittelstaedt <t...@ipinc.net>
Sent: 20 September 2016 18:52
To: ipv6-ops@lists.cluenet.de
Subject: Re: SV: CPE Residential IPv6 Security Poll

Erik,

I think you have to follow these precepts (keep in mind this is an
American capitalist perspective not a European cooperative socialist
perspective)

1) You got the money, tell your vendors to either do what you want (put
IPv6 UPnP in CPEs they sell you) or you are going to kick their ass.
It's your money!  They want your money, do they not?  That's why they are
selling CPEs to you - so why do you tolerate any crap from them?  Tell
them either put UPnP in the code or you're going elsewhere for your CPEs
and you are going to tell all your other ISP friends to go elsewhere for
their CPEs.   Enough Mr. Nice Guy.

2) It's not your problem if Ma & Pa Kettle find a wannabe power user.
If you don't like being bad-mouthed by wannabe power users on the online
forums then get your ass on the online forums and start engaging.
Refute those "need bigger antennas" posts with logic and reason.
I guarantee to you that 1 correct post is worth 100 baloney posts from
wannabe power users.

3) How on Earth can you make the case that your ISP router patches
security holes and adds features, yet turn around and claim that you
can't push your CPE vendors to add UPnP support?   Either you have the power
to get your CPE vendors to issue updates or not.  If you do - then
quit complaining that no CPEs have UPnP support for IPv6.  If you
don't - then quit claiming your CPE is better.

4) What is your customers' perception of what they are paying for, and
what are they REALLY paying for?   If they think they are paying for
access only - and you think they are paying for access plus your
management of their network CPE - then I can see why you might be
wondering why they aren't complaining to you when there's a problem
and going to the wannabe power users instead.  Maybe you just need to do
some more customer education?

Ted

On 9/20/2016 1:24 AM, erik.tarald...@telenor.com wrote:
> With all due respect to the actual power users out there.  For each one of 
> them, there are at least 20 who think they are power users who base their 
> knowledge on rumors and misconceptions.   They are often vocal (forums and 
> comments on news sites) and they are the ones who are often enlisted to help 
> Ma & Pa Kettle.  At least that is what we see a lot of in Norway.  They 
> simply do not have the ability to correctly diagnose the issues.  Solutions 
> often involve "you need bigger antennas on the router", "Apple routers are 
> 

Re: CPE Residential IPv6 Security Poll

2016-09-24 Thread Valve Store Support
Hello,

Thank you for your email. Are you referring to an order placed at the Valve Store? If this is regarding an in-game issue we kindly ask that you contact Steam Support directly as we are unable to help with any inquiries not regarding orders placed on http://valvestore.welovefine.com/. Please note that you are contacting Welovefine directly and we only handle Valve merchandise, we are not Valve or Steam. 

If this is regarding a merchandise order placed at our store please respond with your order number so that I can look into this issue further.


Steam Support: https://support.steampowered.com/


Thank You


Re: SV: CPE Residential IPv6 Security Poll

2016-09-21 Thread Thomas Schäfer

Am 21.09.2016 um 14:58 schrieb Jeroen Massar:

The major mistake that ISPs are making here btw is marketing:
  they are not informing their users


I am not sure about this advice.

(I read the forum from vodafone, telekom and unitymedia in Germany daily)

One similar example: VOIP

Deutsche Telekom clearly stated what it planned - a complete IP 
infrastructure without ISDN, with marketing and so on...


What was the reaction? The people and also some journalists are against 
VoIP. They found 1000 reasons why. Only Telekom was blamed.


But - Kabel Deutschland (now Vodafone) and other ISPs did the same 
without public trouble.


Apropos VoIP and Deutsche Telekom: my router still phones via IPv4, 
while Liberty Global (Unitymedia) routers partly use IPv6.


Regards,
Thomas Schäfer




--

There’s no place like ::1

Thomas Schäfer (Systemverwaltung)
Ludwig-Maximilians-Universität
Centrum für Informations- und Sprachverarbeitung
Oettingenstraße 67 Raum C109
80538 München ☎ +49/89/2180-9706  ℻ +49/89/2180-9701



Re: SV: CPE Residential IPv6 Security Poll

2016-09-21 Thread Jeroen Massar
On 2016-09-21 13:49, Benedikt Stockebrand wrote:
[..]
> There's a fairly large SIP operator (sipgate) here in Germany who for
> quite some time has told people that their service not working over
> DS-Lite was entirely a problem between the customer and their ISP,
> giving technical reasons you can quite likely figure out yourself.  With
> DS-Lite gaining more and more of a foothold here---and at least one
> major ISP slipstreaming that on existing lines without notifying the
> customers---technical explanations are exactly not what to tell people
> whose phones suddenly stopped working.
> 
> Once you screw your customer relation up with this sort of stunt it
> takes a lot of time (and marketing) to fix that up again.

sipgate messed up by not upgrading to IPv6 (though, yeah, find an
IPv6-capable SIP device, they are quite rare ;) which they knew was coming
and could have solved, as that clearly is a business case
(still waiting for Gigaset to make IPv6 upgrades...)

... this while Liberty Global is abusing their monopoly in all of Europe
by forcing people (without notification or contract change; well they
did remove the word "IPv4" from their new contracts at one point) onto
DS-Lite because "we are out of IPv4" while their business customers, who
are paying significantly more, cannot even get IPv6 even though they are
asking for it.

Oh, and yes, poor people who don't get proper IPv4 anymore and are still
waiting for Sony to make a move to IPv6; though apparently at least IPv6
addresses are now being configured since 4.00; that quite breaks
multiplayer games though...

It is sad that people didn't bother to listen and that literally
thousands are now noticing how badly the industry handled this
"transition" to IPv6, as many ISPs seem to make it a flag day: one day
you have IPv4, the next you have broken IPv4 + 'working' IPv6...


The major mistake that ISPs are making here btw is marketing:
  they are not informing their users

nor did they ask (or look with netflow) who are using IPv4 in a way that
would not work with the AFTR stuff they just push onto them.

I guess the loss of customers (for the few who have the choice to
change, many are stuck in monopoly situations) or the amount of support
desk calls is less cost than the money expected to be made by selling
IPv4 service to other parts of the company.

Sad that the Internet is so commercial and not about letting people
communicate... :(

Greets,
 Jeroen



Re: SV: CPE Residential IPv6 Security Poll

2016-09-21 Thread Benedikt Stockebrand
Hi Ted and list,

Ted Mittelstaedt  writes:

> 1) You got the money, tell your vendors to either do what you want
> (put IPv6 UPnP in CPEs they sell you) or you are going to kick their
> ass. It's your money! [...]

that only works if you're big enough for that.  If you're a small local
ISP (and I've done the odd training/consulting job with these) this is
frequently not an option.

Plus, as an ISP you may be unable to dictate to your customers what CPE
to use.  We've recently had a law introduced here (Germany) aimed at
preventing ISPs from forcing their CPEs down people's throats.

And finally, especially in a market which is largely price driven,
you're sometimes bound to buy the cheapest CPEs on the market.  And
these then turn out to be so cheap because they have so little resources
that UPnP can't be implemented in them.

> 2) It's not your problem if Ma & Pa Kettle find a wannabe power
> user.

That's too simple.  As soon as they call your first level support, then
it becomes your problem if only because you need to pay your first level
supporters.

> If you don't like being bad-mouthed by wannabe power users on the
> online forums then get your ass on the online forums and start
> engaging.

Definitely.  But again, that involves paying people for doing so.

> Refute those "need bigger antennas" posts with logic and reason.

Hmm, that can actually be kind of tricky.  If your organization has a
reputation of talking your way out of the problems you have, this will
be difficult at best.

There's a fairly large SIP operator (sipgate) here in Germany who for
quite some time has told people that their service not working over
DS-Lite was entirely a problem between the customer and their ISP,
giving technical reasons you can quite likely figure out yourself.  With
DS-Lite gaining more and more of a foothold here---and at least one
major ISP slipstreaming that on existing lines without notifying the
customers---technical explanations are exactly not what to tell people
whose phones suddenly stopped working.

Once you screw your customer relation up with this sort of stunt it
takes a lot of time (and marketing) to fix that up again.


Cheers,

Benedikt

-- 
Benedikt Stockebrand,   Stepladder IT Training+Consulting
Dipl.-Inform.   http://www.stepladder-it.com/

  Business Grade IPv6 --- Consulting, Training, Projects

BIVBlog---Benedikt's IT Video Blog: http://www.stepladder-it.com/bivblog/


Re: CPE Residential IPv6 Security Poll

2016-09-20 Thread JORDI PALET MARTINEZ
I've promised an article to RIPE and APNIC ... will work on it once I have the 
Korean data ... hopefully in a couple of weeks ...

If somebody can help to disseminate the survey among Korean ISPs, please let 
me know!

In case someone on this list still hasn't responded, here is the link:

http://survey.consulintel.es/index.php/175122

Regards,
Jordi


-Original message-
From: Tim Chown <tim.ch...@jisc.ac.uk>
Reply to: <tim.ch...@jisc.ac.uk>
Date: Tuesday, 20 September 2016, 15:55
To: "jordi.pa...@consulintel.es" <jordi.pa...@consulintel.es>
CC: Benedikt Stockebrand <b...@stepladder-it.com>, IPv6 Ops list 
<ipv6-ops@lists.cluenet.de>, "Anfinsen, Ragnar" <ragnar.anfin...@altibox.no>
Subject: Re: CPE Residential IPv6 Security Poll

Hi,

Thanks Jordi.  And yes, hindsight is always easy!

It would be nice to have a survey report document online for anyone to 
read, to complement various powerpoint decks you’ve used.

Amazing to get such a large response - well done :)

Tim 

> On 20 Sep 2016, at 14:49, JORDI PALET MARTINEZ 
<jordi.pa...@consulintel.es> wrote:
> 
> No, I didn't include anything about security, unfortunately (now I realize 
having missed it!). I will consider upgrading the actual questions or making a 
specific one related to security ...
> 
> I've already got over 1,100 responses, and I'm waiting for Korean ISPs to 
start responding ... I think it is the only country which hasn't responded at all.
> 
> I did a quick presentation about the data both in the last v6ops and IEPG 
meetings. Will do a new presentation at the next LACNIC meeting and hopefully 
at the next RIPE one.
> 
> Regards,
> Jordi
> 
> 
> -Original message-
> From: <ipv6-ops-bounces+jordi.palet=consulintel...@lists.cluenet.de> on 
behalf of Tim Chown <tim.ch...@jisc.ac.uk>
> Reply to: <tim.ch...@jisc.ac.uk>
> Date: Tuesday, 20 September 2016, 14:50
> To: Benedikt Stockebrand <b...@stepladder-it.com>, Jordi Palet Martinez 
<jordi.pa...@consulintel.es>
> CC: IPv6 Ops list <ipv6-ops@lists.cluenet.de>, "Anfinsen, Ragnar" 
<ragnar.anfin...@altibox.no>
> Subject: Re: CPE Residential IPv6 Security Poll
> 
>Hi,
> 
>Was this one of the questions asked in Jordi’s survey?  I’m not sure 
I’ve seen the results published as yet, but he got a fantastic level of 
response (over 200 iirc)… Jordi? :)
> 
>Tim 
> 
>> On 20 Sep 2016, at 13:44, Benedikt Stockebrand <b...@stepladder-it.com> 
wrote:
>> 
>> Hi Ragnar and list,
>> 
>> as far as I can tell, little has changed at least in Germany since our
>> last discussion on this (except that I've since sobered up again:-)
>> 
>> I guess you won't be surprised that I still share the same opinion as
>> Ted:-)
>> 
>> So far all I've consciously seen on consumer CPEs is "per default, allow
>> all outbound, block all inbound".  I'm not sure if there are any ultra
>> cheap CPEs out that don't even let users configure inbound rules, but
>> I've never had the need to deal with anything like that.
>> 
>> However, one rather interesting thing has changed here: Since August
>> this year, ISPs can by law no longer force their customers in Germany to
>> use the CPE they provide.  The implications here are yet to appear, but
>> one possible effect might be that the ISPs move away from the
>> all-features-you-never-wanted-plus-some-extra CPEs they so far forced on
>> their customers to minimalistic devices they can just manage via TR-069
>> or similar (reaching a setup similar to the old NT1/NT2 split with ISDN
>> in Europe), eventually leaving the filtering to the end user again.
>> 
>> With business customers the range obviously goes from "consumer grade is
>> good enough so why use anything else" for small businesses to dark fiber
>> for customers running their own AS.
>> 
>> 
>> Cheers,
>> 
>>   Benedikt
>> 
>> -- 
>> Benedikt Stockebrand,   Stepladder IT Training+Consulting
>> Dipl.-Inform.   http://www.stepladder-it.com/
>> 
>> Business Grade IPv6 --- Consulting, Training, Projects
>> 
>> BIVBlog---Benedikt's IT Video Blog: http://www.stepladder-it.com/bivblog/
>> 

Re: CPE Residential IPv6 Security Poll

2016-09-19 Thread Bjørn Mork
Ted Mittelstaedt  writes:

> This kind of mirrors the "default" security policy on IPv4 CPEs (since
> those CPE's have NAT automatically turned on which creates a "block in,
> permit out" kind of approach.) so I'm not sure why you would want to
> default it to being different for IPv6.

One reason was explained to me today: no CPEs implement UPnP support for
IPv6 [1].

This makes the effect of the similar IPv4 and IPv6 policies quite
different.  UPnP aware applications will set up the necessary NAT rules
for IPv4, allowing inbound connections etc. But if you want the same
applications to work over IPv6, then the policy must be more open by
default. Letting the user disable IPv6 filtering is not going to help
the masses I'm afraid...

So the question remains: What do ISPs actually do to
 - allow IPv6, and
 - secure the end users' networks, and
 - not break dual stack applications wanting incoming connections

all at the same time?  Looks like a classical "pick any two".



Bjørn

[1] I'm sure someone will come up with an obscure and expensive example
 of the contrary - the point is that IPv6 UPnP support is not readily
 available in the residential CPE market.
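To make the policy alternatives in this thread concrete (Sander's "ports <= x blocked by default, ports > x open" threshold, the Swisscom-style blacklist he and Bjørn refer to, and the RFC 6092 "block in, permit out" default that Ted describes), here is an added example that is not code from the thread or from any CPE vendor. It models a stateful CPE filter, replays one constructed packet trace through each policy, and emits the nftables forward chain that would implement the chosen policy on a Linux-based CPE. The blacklist contents, the interface names lan/wan, the threshold value and the pinhole port are assumptions.

```python
# Added example: model of three residential IPv6 CPE inbound policies plus
# the nftables ruleset for each. Not from the thread or any vendor firmware.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = LAN -> WAN, "in" = WAN -> LAN
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# Assumed blacklist: LAN-only / historically abused services (NetBIOS,
# SMB, SSDP, mDNS). A real Swisscom-style list would be the operator's own.
DEFAULT_BLACKLIST = frozenset({135, 137, 138, 139, 445, 1900, 5353})


@dataclass
class CpeFilter:
    policy: str                          # "rfc6092" | "blacklist" | "threshold"
    threshold: int = 1024                # Sander's "x"
    blacklist: frozenset = DEFAULT_BLACKLIST
    pinholes: frozenset = frozenset()    # user-opened (proto, dport) pairs
    flows: set = field(default_factory=set)   # connection-tracking table

    def handle(self, p: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        if p.direction == "out":
            # Every outbound packet creates state, so replies are accepted
            # under all three policies (the "permit out" half of RFC 6092).
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return True
        # Inbound: a reply to a LAN-initiated flow matches the reversed tuple.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return True
        # An explicit user pinhole (the "Advanced tab" case) wins under any policy.
        if (p.proto, p.dport) in self.pinholes:
            return True
        if self.policy == "rfc6092":
            return False                 # default-deny unsolicited inbound
        if self.policy == "blacklist":
            return p.dport not in self.blacklist
        if self.policy == "threshold":
            return p.dport > self.threshold
        raise ValueError(f"unknown policy {self.policy!r}")


# Constructed trace using RFC 3849 documentation prefixes: one LAN-initiated
# HTTPS session followed by three unsolicited inbound packets.
LAN, SERVER, STRANGER = "2001:db8:1::10", "2001:db8:2::1", "2001:db8:3::7"
TRACE = [
    Packet("out", "tcp", LAN, 51000, SERVER, 443),      # LAN opens HTTPS
    Packet("in", "tcp", SERVER, 443, LAN, 51000),       # reply to that flow
    Packet("in", "tcp", STRANGER, 40000, LAN, 22),      # unsolicited SSH
    Packet("in", "tcp", STRANGER, 40001, LAN, 445),     # unsolicited SMB
    Packet("in", "udp", STRANGER, 27015, LAN, 34567),   # unsolicited game/p2p port
]


def evaluate(policy: str, pinholes=()) -> list:
    """Replay TRACE through a fresh filter and return the per-packet verdicts."""
    f = CpeFilter(policy=policy, pinholes=frozenset(pinholes))
    return [f.handle(p) for p in TRACE]


def to_nft(policy: str, threshold: int = 1024, pinholes=(),
           blacklist=DEFAULT_BLACKLIST) -> str:
    """nftables forward-chain ruleset implementing the same policy.
    Interface names "lan" and "wan" are assumed."""
    ports = ", ".join(str(p) for p in sorted(blacklist))
    rules = [
        "table inet cpe {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
        "    # ICMPv6 needed for PMTUD and basic diagnostics (RFC 4890)",
        "    icmpv6 type { destination-unreachable, packet-too-big, "
        "time-exceeded, parameter-problem, echo-request } accept",
        '    iifname "lan" oifname "wan" accept',
    ]
    for proto, dport in sorted(pinholes):
        rules.append(f'    iifname "wan" {proto} dport {dport} accept')
    if policy == "blacklist":
        rules.append(f'    iifname "wan" tcp dport {{ {ports} }} drop')
        rules.append(f'    iifname "wan" udp dport {{ {ports} }} drop')
        rules.append('    iifname "wan" accept')
    elif policy == "threshold":
        rules.append(f'    iifname "wan" tcp dport {threshold + 1}-65535 accept')
        rules.append(f'    iifname "wan" udp dport {threshold + 1}-65535 accept')
    elif policy != "rfc6092":
        raise ValueError(f"unknown policy {policy!r}")
    rules += ["  }", "}"]
    return "\n".join(rules)


if __name__ == "__main__":
    for pol in ("rfc6092", "blacklist", "threshold"):
        print(f"{pol:10s} {evaluate(pol)}")
    print(evaluate("rfc6092", pinholes={("tcp", 22)}))
    print(to_nft("threshold", pinholes={("tcp", 22)}))
```

The connection table is what makes all three policies accept the HTTPS reply; they only differ for unsolicited inbound packets, which is exactly Bjørn's dilemma: without a pinhole, the dual-stack application waiting for an incoming connection on the high port gets through under blacklist or threshold but not under RFC 6092, while the SMB probe is dropped everywhere.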


Re: CPE Residential IPv6 Security Poll

2016-09-19 Thread Ted Mittelstaedt

When we were still doing DSL I brought IPv6 online, but the only way our
customers could access it was to have the DSL modem/CPE in bridged mode,
and run their own router which was IPv6 compliant.  Thus the "CPE"
security policy was whatever the router vendor defaulted.   Our
observation was that the customers who didn't understand routing and
firewalling tended to buy lower-end routers that defaulted to blocking
any inbound traffic trying to initiate a connection, while the customers
who did understand it tended to buy Cisco routers and other higher-end
routers that defaulted to permit any any both directions - but since
they knew what they were doing, they would install their own security
policy.

IMHO a CPE that supports IPv6 should be designed to default to
blocking inbound traffic on IPv6 but contain a provision for disabling
that AND a provision for disabling the entire CPE and the customer using
their own gear.

That way, you are not screwing over your ignorant customers by leaving
their networks wide open, and you are not screwing over your advanced
customers who want to use their own gear and/or provide IPv6-enabled
services on the Internet.

This kind of mirrors the "default" security policy on IPv4 CPEs (since
those CPEs have NAT automatically turned on, which creates a "block in,
permit out" kind of approach), so I'm not sure why you would want to
default it to being different for IPv6.

Ted

On 9/19/2016 5:32 AM, Anfinsen, Ragnar wrote:

> Hi all.
>
> In light of a new discussion blossoming in Norway, we are curious about the
> IPv6 security policy different ISPs have adopted. So it would be very helpful
> if you could do a quick response, either here or directly to me, on the
> following question:
>
> Which security policy are you using for your residential IPv6-enabled CPEs?
> (RFC6092, fully open, balanced or other)
>
> Why did you adopt this policy?
>
> Any good or not so good experience with the choice?
>
> All answers are very much appreciated, and I will post the results here after a
> week or so. Thank you very much.
>
> Best Regards
> Ragnar Anfinsen
>
> Chief Architect CPE
> IP Address Architect
> Infrastructure
> Technology
> Altibox AS
>
> E-mail: ragnar.anfin...@altibox.no
> www.altibox.no
>
> CONFIDENTIAL
> The content of this e-mail is intended solely for the use of the individual or
> entity to whom it is addressed. If you have received this communication in
> error, be aware that forwarding it, copying it, or in any way disclosing its
> content to any other person, is strictly prohibited. If you have received this
> communication in error, please notify the author by replying to this e-mail
> immediately, deleting this message and destroying all received documents.


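The default Ted argues for above (block unsolicited inbound IPv6, with a knob to switch filtering off for customers who run their own gear) and the gap Bjørn raises earlier in the thread (no UPnP for IPv6 on residential CPEs, so inbound exceptions have to be configured by hand) can both be expressed as one small nftables ruleset on a Linux-based CPE. The script below is an added example for this thread, not code from any poster or CPE vendor: it generates the ruleset text rather than applying it. The interface names wan0 and lan0, the address 2001:db8:1::10, the FILTER_MODE and PINHOLES variables and the table name cpe6 are constructed assumptions; the ICMPv6 types it passes are the ones RFC 4890 recommends never to block.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): emit an nftables ruleset
# for a Linux-based IPv6 CPE that implements the RFC 6092 "simple security"
# default (drop unsolicited inbound, permit outbound), plus:
#   FILTER_MODE=strict  -> RFC 6092 default (the sane default for most users)
#   FILTER_MODE=open    -> forward everything (the "disable filtering" knob)
#   PINHOLES            -> manual inbound exceptions, standing in for the
#                          UPnP IGD support that residential CPEs lack for IPv6
# Interface names, the pinhole address and the table name are constructed.

WAN_IF="${WAN_IF:-wan0}"
LAN_IF="${LAN_IF:-lan0}"
FILTER_MODE="${FILTER_MODE:-strict}"
# One pinhole per line: "<ipv6-address> <tcp|udp> <port>" (constructed sample)
PINHOLES="${PINHOLES:-2001:db8:1::10 tcp 443}"

# gen_ruleset MODE PINHOLES  -> prints an nft ruleset to stdout
gen_ruleset() {
    mode="$1"
    pinholes="$2"
    if [ "$mode" = open ]; then
        fwd_policy=accept
    else
        fwd_policy=drop
    fi
    cat <<EOF
table inet cpe6 {
    chain forward {
        type filter hook forward priority 0; policy $fwd_policy;

        # replies to flows the LAN side opened always pass; broken
        # conntrack states never do
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 that RFC 4890 says must not be filtered (PMTUD, diagnostics)
        meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply } accept

        # outbound from the LAN is always permitted ("permit out")
        iifname "$LAN_IF" oifname "$WAN_IF" accept
EOF
    if [ "$mode" != open ]; then
        # per-host exceptions: the manual replacement for UPnP IGD on IPv6
        printf '%s\n' "$pinholes" | while read -r addr proto port; do
            [ -n "$addr" ] || continue
            printf '        # manual pinhole (no UPnP for IPv6 on this CPE)\n'
            printf '        iifname "%s" ip6 daddr %s %s dport %s accept\n' \
                "$WAN_IF" "$addr" "$proto" "$port"
        done
    fi
    cat <<EOF
    }
}
EOF
}

# Usage: gen_ruleset strict "$PINHOLES" > /tmp/cpe6.nft && nft -f /tmp/cpe6.nft
gen_ruleset "$FILTER_MODE" "$PINHOLES"
```

In strict mode the chain policy is drop, so anything not matched by conntrack, the ICMPv6 whitelist, the LAN-to-WAN rule or an explicit pinhole is discarded; in open mode the policy flips to accept and the pinholes are omitted because they would be redundant. Note that a pinhole is keyed on the host's global address, which changes if the delegated prefix changes, so on a real CPE the pinhole list has to be regenerated whenever DHCPv6-PD hands out a new prefix.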


Re: CPE Residential IPv6 Security Poll

2016-09-19 Thread Tarko Tikan

hey,

> I guess none of the users know they are using IPv6 around 75-80% of
> the time internal, or 20-30% on their external traffic either :-)

Indeed. I've been spreading knowledge about our deployment to our
customers and most of them have been amazed that they had no idea :) But
they have never had any trouble so overall feedback is still positive.


--
tarko


Re: CPE Residential IPv6 Security Poll

2016-09-19 Thread Roger Jørgensen

On Mon, 19 Sep 2016 12:32:27 +, Anfinsen, Ragnar wrote:

> Hi all.
>
> In light of a new discussion blossoming in Norway, we are curious
> about the IPv6 security policy different ISPs have adopted. So it
> would be very helpful if you could do a quick response, either here or
> directly to me, on the following question:
>
> Which security policy are you using for your residential IPv6-enabled
> CPEs? (RFC6092, fully open, balanced or other)
>
> Why did you adopt this policy?
>
> Any good or not so good experience with the choice?
>
> All answers are very much appreciated, and I will post the results
> here after a week or so. Thank you very much.

Not really for residential, but business/governmental related. We just
added IPv6 addresses to the IPv4 rule object and went on as before.
I guess none of the users know they are using IPv6 around 75-80% of
the time internal, or 20-30% on their external traffic either :-)



---

--
Roger Jorgensen  | - ROJO9-RIPE
ro...@jorgensen.no   | - The Future is IPv6
---

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?


CPE Residential IPv6 Security Poll

2016-09-19 Thread Anfinsen, Ragnar
Hi all.

In light of a new discussion blossoming in Norway, we are curious about the
IPv6 security policy different ISPs have adopted. So it would be very helpful
if you could do a quick response, either here or directly to me, on the
following question:

Which security policy are you using for your residential IPv6-enabled CPEs?
(RFC6092, fully open, balanced or other)

Why did you adopt this policy?

Any good or not so good experience with the choice?

All answers are very much appreciated, and I will post the results here after a 
week or so. Thank you very much.

Best Regards
Ragnar Anfinsen

Chief Architect CPE
IP Address Architect
Infrastructure
Technology
Altibox AS

E-mail: ragnar.anfin...@altibox.no
www.altibox.no
