Re: Microsoft: Give Xbox One users IPv6 connectivity
Hi!

Christopher Palmer, 2013-10-10 03:22:
> http://download.microsoft.com/download/A/C/4/AC4484B8-AA16-446F-86F8-BDFC498F8732/Xbox%20One%20Technical%20Details.docx

Nice, but why do you absolutely require Teredo even for boxes with native IPv6? Of course there's the advantage of direct client2client communication (less latency for clients and less traffic on Teredo relays), but the box should at least fall back to native IPv6 if Teredo is not available (quite odd to talk about native IPv6 being a fallback to Teredo, but anyway).

There's at least one CPE manufacturer (quite prevalent in Europe, or at least in Germany) that by default filters out Teredo if native IPv6 is available. They added an option to disable this filter, but that's not a good thing. See
http://service.avm.de/support/en/skb/FRITZ-Box-7390-int/1439:Cannot-play-online-games-with-Xbox-One

In the current state, the XBox One is doing more harm to IPv6 than good. People encounter problems after having IPv6 activated (there are forum posts which told people to disable IPv6 to fix this issue), and network operators will see less increase in IPv6 traffic (which lowers the incentive to improve IPv6 support).

Regards
Jakob
Re: Microsoft: Give Xbox One users IPv6 connectivity
Jakob

What annoys me more is the fact that AVM (and they are not the only one -- see Technicolor and others) naively believes that NAT44 offered some security by preventing inbound connections... This means that there is NO open connectivity between two X/Box behind a closed AVM CPE... Hence X/Box has no choice and is smart enough to fall back in the legacy NAT44 mode with a TURN (or in this case Teredo) to bypass NAT. A very nice opportunity to run a man-in-the-middle attack on foreign ground.

I still wonder why people REALLY believe in the security of NAT (in the sense of blocking inbound connections) in 2014 while most of the botnet members are behind a NAT...

Christopher and others = you are RIGHT! Do not change your mind

-éric (see also http://tools.ietf.org/html/draft-ietf-v6ops-balanced-ipv6-security-01 for my point of view :-))

On 13/03/14 18:43, Jakob Hirsch j...@plonk.de wrote:
> Hi!
>
> Christopher Palmer, 2013-10-10 03:22:
>> http://download.microsoft.com/download/A/C/4/AC4484B8-AA16-446F-86F8-BDFC498F8732/Xbox%20One%20Technical%20Details.docx
>
> Nice, but why do you absolutely require Teredo even for boxes with native IPv6? Of course there's the advantage of direct client2client communication (less latency for clients and less traffic on Teredo relays), but the box should at least fall back to native IPv6 if Teredo is not available (quite odd to talk about native IPv6 being a fallback to Teredo, but anyway).
>
> There's at least one CPE manufacturer (quite prevalent in Europe, or at least in Germany) that by default filters out Teredo if native IPv6 is available. They added an option to disable this filter, but that's not a good thing. See
> http://service.avm.de/support/en/skb/FRITZ-Box-7390-int/1439:Cannot-play-online-games-with-Xbox-One
>
> In the current state, the XBox One is doing more harm to IPv6 than good. People encounter problems after having IPv6 activated (there are forum posts which told people to disable IPv6 to fix this issue), and network operators will see less increase in IPv6 traffic (which lowers the incentive to improve IPv6 support).
>
> Regards
> Jakob
Re: Microsoft: Give Xbox One users IPv6 connectivity
On 2014-03-13 15:12, Eric Vyncke (evyncke) wrote:
> What annoys me more is the fact that AVM (and they are not the only one -- see Technicolor and others) naively believes that NAT44 offered some security by preventing inbound connections... This means that there is NO open connectivity between two X/Box behind a closed AVM CPE... Hence X/Box has no choice and is smart enough to fall back in the legacy NAT44 mode with a TURN (or in this case Teredo) to bypass NAT. A very nice opportunity to run a man-in-the-middle attack on foreign ground.
>
> I still wonder why people REALLY believe in the security of NAT (in the sense of blocking inbound connections) in 2014 while most of the botnet members are behind a NAT...
>
> Christopher and others = you are RIGHT! Do not change your mind
>
> -éric (see also http://tools.ietf.org/html/draft-ietf-v6ops-balanced-ipv6-security-01 for my point of view :-))

+1000

Simon
-- 
DTN made easy, lean, and smart -- http://postellation.viagenie.ca
NAT64/DNS64 open-source        -- http://ecdysis.viagenie.ca
STUN/TURN server               -- http://numb.viagenie.ca
Re: Microsoft: Give Xbox One users IPv6 connectivity
Hi

On Thu, Mar 13, 2014 at 07:12:54PM +, Eric Vyncke (evyncke) wrote:
> What annoys me more is the fact that AVM (and they are not the only one -- see Technicolor and others) naively believes that NAT44 offered some security by preventing inbound connections... This means that there is NO open connectivity between two X/Box behind a closed AVM CPE... Hence X/Box has no choice and is smart enough to fall back in the legacy NAT44 mode with a TURN (or in this case Teredo) to bypass NAT. A very nice opportunity to run a man-in-the-middle attack on foreign ground.

I'm not sure what NAT44 has to do with it. The point is that there is *native* IPv6 and the XBox insists on preferring Teredo - and the AVM box blocks Teredo if it has native IPv6, because there is no real use in permitting a "tunnel IPv6 around the IPv4-only router!" protocol when there *is* a perfectly good IPv6-capable router around...

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
Re: Microsoft: Give Xbox One users IPv6 connectivity
Or is it because AVM blocks all inbound IPv6 connections and X/Box has no choice but falling back on Teredo? I am really unclear on the exact situation

-éric

On 13/03/14 21:46, Gert Doering g...@space.net wrote:
> Hi
>
> On Thu, Mar 13, 2014 at 07:12:54PM +, Eric Vyncke (evyncke) wrote:
>> What annoys me more is the fact that AVM (and they are not the only one -- see Technicolor and others) naively believes that NAT44 offered some security by preventing inbound connections... This means that there is NO open connectivity between two X/Box behind a closed AVM CPE... Hence X/Box has no choice and is smart enough to fall back in the legacy NAT44 mode with a TURN (or in this case Teredo) to bypass NAT. A very nice opportunity to run a man-in-the-middle attack on foreign ground.
>
> I'm not sure what NAT44 has to do with it. The point is that there is *native* IPv6 and the XBox insists on preferring Teredo - and the AVM box blocks Teredo if it has native IPv6, because there is no real use in permitting a "tunnel IPv6 around the IPv4-only router!" protocol when there *is* a perfectly good IPv6-capable router around...
>
> Gert Doering
>         -- NetMaster
> -- 
> have you enabled IPv6 on something today...?
>
> SpaceNet AG                      Vorstand: Sebastian v. Bomhard
> Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
> Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
Re: Microsoft: Give Xbox One users IPv6 connectivity
On Mar 13, 2014 4:22 PM, Marco Sommani marcosomm...@gmail.com wrote:
> On 13/Mar/2014, at 20:12, Eric Vyncke (evyncke) evyn...@cisco.com wrote:
>> Jakob
>>
>> What annoys me more is the fact that AVM (and they are not the only one -- see Technicolor and others) naively believes that NAT44 offered some security by preventing inbound connections... This means that there is NO open connectivity between two X/Box behind a closed AVM CPE... Hence X/Box has no choice and is smart enough to fall back in the legacy NAT44 mode with a TURN (or in this case Teredo) to bypass NAT. A very nice opportunity to run a man-in-the-middle attack on foreign ground.
>
> AVM is not alone in its choices: they just do what is suggested in RFC 6092 - Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service. I don't like what they do, but maybe we should blame IETF.
>
> Marco

I believe there is an exception for allowing inbound ipsec in the rfc ... but this really goes to show how stateful firewalls are more harm than good in the general case. AVM may as well stay on ipv4 nat444 since they gave up on e2e with the stateful inspection.

CB

>> I still wonder why people REALLY believe in the security of NAT (in the sense of blocking inbound connections) in 2014 while most of the botnet members are behind a NAT...
>>
>> Christopher and others = you are RIGHT! Do not change your mind
>>
>> -éric (see also http://tools.ietf.org/html/draft-ietf-v6ops-balanced-ipv6-security-01 for my point of view :-))
>>
>> On 13/03/14 18:43, Jakob Hirsch j...@plonk.de wrote:
>>> Hi!
>>>
>>> Christopher Palmer, 2013-10-10 03:22:
>>>> http://download.microsoft.com/download/A/C/4/AC4484B8-AA16-446F-86F8-BDFC498F8732/Xbox%20One%20Technical%20Details.docx
>>>
>>> Nice, but why do you absolutely require Teredo even for boxes with native IPv6? Of course there's the advantage of direct client2client communication (less latency for clients and less traffic on Teredo relays), but the box should at least fall back to native IPv6 if Teredo is not available (quite odd to talk about native IPv6 being a fallback to Teredo, but anyway).
>>>
>>> There's at least one CPE manufacturer (quite prevalent in Europe, or at least in Germany) that by default filters out Teredo if native IPv6 is available. They added an option to disable this filter, but that's not a good thing. See
>>> http://service.avm.de/support/en/skb/FRITZ-Box-7390-int/1439:Cannot-play-online-games-with-Xbox-One
>>>
>>> In the current state, the XBox One is doing more harm to IPv6 than good. People encounter problems after having IPv6 activated (there are forum posts which told people to disable IPv6 to fix this issue), and network operators will see less increase in IPv6 traffic (which lowers the incentive to improve IPv6 support).
>>>
>>> Regards
>>> Jakob
>
> -- 
> Marco Sommani
> Via Contessa Matilde 64C
> 56123 Pisa - Italia
> phone: +390500986728
> mobile: +393487981019
> fax: +390503869728
> email: marcosomm...@gmail.com
Re: Microsoft: Give Xbox One users IPv6 connectivity
On 13.03.2014 20:12, Eric Vyncke (evyncke) wrote:
> I still wonder why people REALLY believe in the security of NAT (in the sense of blocking inbound connections) in 2014 while most of the botnet members are behind a NAT...

I really don't know what this has to do with Teredo or IPv6, but well... Blocking inbound connections will save your host from remote exploits of its network services, but not from getting infected by malicious websites or email attachments. This is out of the scope of the common RG. And this has nothing to do with AVM, Technicolor or any other RG manufacturer; last time I checked, Cisco RGs did just the same.

> Christopher and others = you are RIGHT! Do not change your mind

Right about _what_? You provided not a single reason for the described behaviour, i.e. the missing fallback to native IPv6.

> -éric (see also http://tools.ietf.org/html/draft-ietf-v6ops-balanced-ipv6-security-01 for my point of view :-))

I liked especially this section:

  5. Security Considerations

where it says

  The policy addresses the major concerns related to the loss of stateful filtering imposed by IPV4 NAPT when enabling public globally reachable IPv6 in the home.

and

  This set of rules cannot help with the following attacks: [...] Malware which is fetched by inside hosts on a hostile web site (which is in 2013 the majority of infection sources).

This approach seems a little too bold to me, and the lack of incidents may just be caused by the lack of attacks via IPv6, but if it works for Swisscom, good for them.

Jakob
Re: Microsoft: Give Xbox One users IPv6 connectivity
On 3/13/14, 15:46, Gert Doering wrote:
> Hi
>
> On Thu, Mar 13, 2014 at 07:12:54PM +, Eric Vyncke (evyncke) wrote:
>> What annoys me more is the fact that AVM (and they are not the only one -- see Technicolor and others) naively believes that NAT44 offered some security by preventing inbound connections... This means that there is NO open connectivity between two X/Box behind a closed AVM CPE... Hence X/Box has no choice and is smart enough to fall back in the legacy NAT44 mode with a TURN (or in this case Teredo) to bypass NAT. A very nice opportunity to run a man-in-the-middle attack on foreign ground.
>
> I'm not sure what NAT44 has to do with it. The point is that there is *native* IPv6 and the XBox insists on preferring Teredo - and the AVM box blocks Teredo if it has native IPv6, because there is no real use in permitting a "tunnel IPv6 around the IPv4-only router!" protocol when there *is* a perfectly good IPv6-capable router around...

They prefer native IPv6, but only if all the peer-to-peer participants also have native IPv6. So, if all your gamer buddies have native IPv6, then native IPv6 is preferred. They do not want to use Teredo gateways. So, they do not allow native IPv6 to Teredo communications, and prefer Teredo if any of the participants needs Teredo to do IPv6. Then they fall back to IPv4 after Teredo, again all participants doing IPv4. If I remember correctly what was said at NANOG last fall.

-- 
David Farmer                       Email: far...@umn.edu
Office of Information Technology
University of Minnesota
2218 University Ave SE             Phone: 1-612-626-0815
Minneapolis, MN 55414-3029         Cell: 1-612-812-9952
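To make the interaction that the thread keeps circling back to concrete, here is an added example (not part of the original thread, and not Microsoft's or AVM's code) that models the transport preference David Farmer describes above (native IPv6 only when every participant has it, otherwise Teredo for everyone, otherwise IPv4) together with the CPE behaviour Jakob Hirsch describes (a router that filters Teredo whenever it has native IPv6). The Participant class, the capability flags, the helper names and the sample sessions are all assumptions made for the example. It shows why the Teredo filter only bites in mixed sessions: two native-IPv6 boxes behind such routers still talk native IPv6, while one native box paired with one Teredo-only peer ends up on IPv4 even though IPv6 was available.

```python
"""
Model of Xbox One transport selection vs. a Teredo-filtering CPE.
Added example; the classes, names and sample data below are assumptions
for illustration, not code from the thread or from any vendor.
"""
from __future__ import annotations

from dataclasses import dataclass

NATIVE_IPV6 = "native-ipv6"
TEREDO = "teredo"
IPV4 = "ipv4"


@dataclass(frozen=True)
class Participant:
    """One peer in a session; all fields are constructed for the example."""
    name: str
    native_ipv6: bool            # host has global IPv6 through its router
    teredo_reachable: bool       # the path would otherwise let Teredo UDP through
    cpe_filters_teredo_when_native: bool = False  # the AVM-style default from the thread


def effective_teredo(p: Participant) -> bool:
    """Teredo only works for a participant if its CPE does not filter it."""
    if p.cpe_filters_teredo_when_native and p.native_ipv6:
        return False
    return p.teredo_reachable


def choose_transport(session: list[Participant]) -> str:
    """
    Preference order as described in the thread:
      1. native IPv6, but only if *every* participant has it (no native<->Teredo);
      2. otherwise Teredo for *every* participant, if all of them can use it;
      3. otherwise IPv4 for everyone.
    """
    if all(p.native_ipv6 for p in session):
        return NATIVE_IPV6
    if all(effective_teredo(p) for p in session):
        return TEREDO
    return IPV4


def participants_losing_ipv6(session: list[Participant]) -> list[str]:
    """
    Names of participants that have native IPv6 yet end up on IPv4 because the
    session could be neither all-native nor all-Teredo. This is the
    "more harm than good" case: IPv6 is present on the host and goes unused.
    """
    if choose_transport(session) != IPV4:
        return []
    return [p.name for p in session if p.native_ipv6]


if __name__ == "__main__":
    # Constructed sample participants.
    alice = Participant("alice", native_ipv6=True, teredo_reachable=True)
    carol = Participant("carol", native_ipv6=False, teredo_reachable=True)
    dave = Participant("dave", native_ipv6=True, teredo_reachable=True,
                       cpe_filters_teredo_when_native=True)
    erin = Participant("erin", native_ipv6=True, teredo_reachable=True,
                       cpe_filters_teredo_when_native=True)

    for label, session in [("all native", [alice, erin]),
                           ("native + Teredo-only peer", [alice, carol]),
                           ("filtering CPE + Teredo-only peer", [dave, carol]),
                           ("two filtering CPEs, both native", [dave, erin])]:
        print(f"{label:36s} -> {choose_transport(session):12s} "
              f"IPv6 lost for: {participants_losing_ipv6(session)}")
```

The decision helper is deliberately kept separate from the CPE model so that the two claims in the thread can be checked independently: Gert's point (the filter is harmless when everyone is native) and Jakob's point (a single non-native peer drags a native-IPv6 box down to IPv4 instead of letting it fall back to native IPv6).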