Re: SV: SV: SV: CPE Residential IPv6 Security Poll
On Thu, Sep 29, 2016 at 01:50:07PM +0200, e.vanu...@avm.de wrote: > CU at BBWF ;-) We are building CPE with IPv6 on board. Which still can't even do static IPv6 routes or open firewall for adresses in prefixes not directly connected. Example: getting a /48 from upstream, either statically routing or PD'ing this to another inside router. No way to disable firewalling for those. Since AVM did close the shell access to the FB, you cannot even manually add the static routes. So FB with current OS is basically unusable for anything but directly connected networks (main/guest) in IPv6. I'm looking for a replacement for my 7390 as this problem doesn't allow me to upgrade firmware anymore (as I would lose telnet access and thus IPv6 in my home networks). Nevertheless, welcome to the list. :-) Best regards, Daniel -- CLUE-RIPE -- Jabber: d...@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0
Re: SV: SV: SV: CPE Residential IPv6 Security Poll
On 29.09.2016 14:28, Thomas Schäfer wrote: > Am 29.09.2016 um 13:50 schrieb e.vanu...@avm.de: >> CU at BBWF ;-) We are building CPE with IPv6 on board. >> >> https://tmt.knect365.com/bbwf/sponsors/avm >> >> Eric > > Without IPv6-support for vpn, without configurable firewall for > dhcpv6-pd, without the ability to disable IPv4-myfritz-DNS-entries. ... without static routes for IPv6 and, to come back to the original topic: Without the possibility to turn of the IPv6 firewall... > AVM is good, but not perfect. Ack! And I like the way how the IPv6 firewall is configurable, but a (maybe somehow hidden) knob to turn it completely off, or even set it to a relaxed security like the Swisscom way, would be great. BR Holger smime.p7s Description: S/MIME Cryptographic Signature
Re: SV: SV: SV: CPE Residential IPv6 Security Poll
Am 29.09.2016 um 13:50 schrieb e.vanu...@avm.de: CU at BBWF ;-) We are building CPE with IPv6 on board. https://tmt.knect365.com/bbwf/sponsors/avm Eric Without IPv6-support for vpn, without configurable firewall for dhcpv6-pd, without the ability to disable IPv4-myfritz-DNS-entries. Some IPv6-menus still hidden, only in expert view or far far away from the users focus. AVM is good, but not perfect. Regards, Thomas -- There’s no place like ::1 Thomas Schäfer (Systemverwaltung) Ludwig-Maximilians-Universität Centrum für Informations- und Sprachverarbeitung Oettingenstraße 67 Raum C109 80538 München ☎ +49/89/2180-9706 ℻ +49/89/2180-9701
Re: SV: SV: SV: CPE Residential IPv6 Security Poll
CU at BBWF ;-) We are building CPE with IPv6 on board. https://tmt.knect365.com/bbwf/sponsors/avm Eric Von: An: Kopie: ipv6-ops@lists.cluenet.de Datum: 29-09-2016 11:27 Betreff:SV: SV: SV: CPE Residential IPv6 Security Poll Gesendet von: ipv6-ops-bounces+e.vanuden=avm...@lists.cluenet.de >>And just to trow this conversation futher of, anybody else here coming to BBWF this year? > > I’ll be there... Beers? Good idea. Any non-Norwegians who would like to join? :) -E
SV: SV: SV: CPE Residential IPv6 Security Poll
>>And just to trow this conversation futher of, anybody else here coming to >>BBWF this year? > > I’ll be there... Beers? Good idea. Any non-Norwegians who would like to join? :) -E
Re: SV: SV: CPE Residential IPv6 Security Poll
On 29/09/2016, 10:26, "ipv6-ops-bounces+ragnar.anfinsen=altibox...@lists.cluenet.de on behalf of erik.tarald...@telenor.com" wrote: >And just to trow this conversation futher of, anybody else here coming to BBWF >this year? I’ll be there... Beers? /Ragnar
SV: SV: CPE Residential IPv6 Security Poll
> > We also hoped that UPnP/PCP would be activly used in IPv6, punching > > firewall holes as needed. > > But that seems to not get any traction. > > any good documents on this issue (upnp and IPv6) ? UPnP and IPv6: https://openconnectivity.org/upnp/specifications/internet-gateway-device-igd-v-2-0 http://upnp.org/specs/gw/UPnP-gw-InternetGatewayDevice-v2-Device.pdf Chapter 2.3.5, WANIPv6FirewallControl:1 If you ment documentation on (lack of) traction I just have the answers in the RFQ's we have sent + talks we have with vendors at such events as BBFW (https://tmt.knect365.com/bbwf/). The RFQ's are under NDA so I can't disclose who or what capabilitys they offer. But in general, very little UPnP + IPv6. And just to trow this conversation futher of, anybody else here coming to BBWF this year? -Erik
Re: SV: SV: CPE Residential IPv6 Security Poll
This is a flawed "argument of futility" The reality is that people are fundamentally lazy - if they were hard workers and industrious they wouldn't be trying to make a living off the backs of other people's work. They wouldn't be stealing and the ones not stealing wouldn't be taking the lazy way out in a debate and using faulty logic. Nor would they be trying to use IPv4 because it's simpler to understand, instead of using IPv6 - which is the reason this list exists in the first place. Because of this we know criminals will always take the easiest way into a system first. When that way gets closed off then they will take the next easiest way in, and so on and so on. Crime is one of the most logical businesses in existence - it's immoral as hell - but you have to respect the logic of a bank robber - where else do you get $20,000 for 20 minutes of work? As a result, securing an open system generally happens through the mechanism of you close a hole then another is discovered and you close that one and another is discovered and so on and so on. People who are not well versed in security, as they see hole after hole closed, they tend to get the idea that holes are endless. Thus, enters in the "argument of futility" What they don't understand is that every time a security hole is discovered it makes it harder and more expensive to attack the next one. Because the entire point of crime is laziness, the issue isn't whether or not we can create an impregnable system. We cannot do that. The issue is can we make a system that is difficult enough to break into that the effort of breaking into it is greater than the effort of just getting a real job and making money the old fashioned way - by EARNING it, rather than stealing it. It is easier to attack a system directly that is exposed then it is to attack that system via proxy. Everyone on the Internet who produces devices that are used on the Internet has a responsibility to close holes they create - but they also have a responsibility to make it difficult for crackers. The web browser makers use technology like Smartscreen Filter, Phishing and Malware Protection, Block Attack Sites & Web Forgeries to try and do their part, the CPE makers need to do their part, and last and most importantly, all of us need to continue our efforts to try and educate Ma and Pa Kettle not to click on the Make Money Fast, schemes. Ted On 9/27/2016 12:54 PM, Gert Doering wrote: Hi, On Tue, Sep 27, 2016 at 05:06:54PM +0900, Erik Kline wrote: So lowest common denominator it is then. Of course, any user's home device can be infected through a web page and become part of a botnet. Nah, of course not. Viruses and such never spreads through mail, or users clicking on things. We've heard a long and elaborate explanation that Firewalls on CPEs will protect IoT devices, so it must be right! *sigh* Gert Doering -- NetMaster --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus
Re: SV: SV: CPE Residential IPv6 Security Poll
Hi, On Tue, Sep 27, 2016 at 05:06:54PM +0900, Erik Kline wrote: > So lowest common denominator it is then. Of course, any user's home > device can be infected through a web page and become part of a botnet. Nah, of course not. Viruses and such never spreads through mail, or users clicking on things. We've heard a long and elaborate explanation that Firewalls on CPEs will protect IoT devices, so it must be right! *sigh* Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AGVorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Re: SV: SV: CPE Residential IPv6 Security Poll
On 9/25/2016 12:08 AM, erik.tarald...@telenor.com wrote: 1) In theory you are right. In practise it is not that black and white. We never buy an excisting product, we buy an future product which has to be developed for us. That include physical features which may not have beed release from Broadcom yet (11ac 3x3 we were the first mass order from Broadcom for example). That means that we usualy have an development periode with the vendor, and a release target (VDSL launch for example) Sometimes the have to rush the CPE side to meet the network side launch. This again means that we usualy launch with a fair number of bug and un-optimized software, and features missing. And since we don't buy in Comcast type volumes we don not have the purchasing power to instruct the vendors to do absolutly everything, we have an limited development team working for us and we have to prioritize what they should work on. And so far UPnP has not gotten above that treshold. Well there is an answer to that. Instead of paying your development team to do a from-scratch build, you can just have them port over dd-wrt or openwrt. Both of these router firmwares are most likely tremendously advanced over anything your CPE development team can come up with. Also in the case of dd-wrt you can also pay the dd-wrt developer to do this. He has done it for other CPE vendors and will sign NDAs and such if you are using hardware that is so precious that the vendor won't release programming data for it. 2) You may have more luck with your forum posts, but on the norwegian forums the loudest answer wins the day. Reason cannot stand up to the forces of loud ignorance. No, the post that WORKS always ends up winning. You may not have the last word on a blog but having the last word isn't a sign of winning. 3) As stated in 1, limited recources dictates that we prioritice security, features which support payable services, then the stuff we network geeks want. And since I do know a lot of smaller ISP's and retailers of off-the-shelf products, I do know that those products do very seldom get anything other than bug fixes for anything other that flaws which may refelct badly on the CPE vendor. 4) The customers are paying for internet access. That used to mean an ethernet port and two IPv4 addresses. Today the costomers define it as wifi access on the phone in the room the furthest away from the router. The level of knowledge in the user base is dropping like a stone. If we can have an technical solutin which prevents the customer from having issues and calling us, we go for it. There is no such solution because networking and the Internet is becoming more complex by the day. I am sorry about this but there you have it. The largest ISPs out there are solving the support issue by basically offering no useable support, the customer calls in, complains something doesn't work and is told to go away and find someone else to help them. These ISPs know that no matter how angry the customer gets with a non-answer, that ultimately the customer knows if they quit service and go to another large competitor that the other large competitor is going to treat them exactly the same way - so they don't benefit by quitting service. I make a living today by fixing problems for people who have gotten non-answers from ISPs for their problems. (among other things) I can tell you that more and more customers are figuring out that just like fixing a car, the manufacturer isn't going to train you how to fix your car you are going to have to take it to a garage and pay someone to fix it. And yes I agree customer expectations have risen. That is just bringing the day closer that customers quit bothering the service providers with problems on their own network. As a former DSL service provider and a current e-mail service provider I can tell you that this direction is really the best for both the customer and the service provider. Ted -Erik Fra: ipv6-ops-bounces+erik.taraldsen=telenor@lists.cluenet.de på vegne av Ted Mittelstaedt Sendt: 20. september 2016 18:52 Til: ipv6-ops@lists.cluenet.de Emne: Re: SV: CPE Residential IPv6 Security Poll Erik, I think you have to follow these precepts (keep in mind this is an American capitalist perspective not a European cooperative socialist perspective) 1) You got the money, tell your vendors to either do what you want (put IPv6 UPnP in CPEs they sell you) or you are going to kick their ass. It's your money! They want your money do they not? That's why they are selling CPEs to you - so why do you tolerate any crap from them? Tell them either put UPnP in the code or your going elsewhere for your CPEs and you are going to tell all your other ISP friends to go elsewhere for their CPEs. Enough Mr. Nice Guy. 2) It's not your problem if Ma& Pa Kettle find a wannabe power user. If you don't like being bad-mouthed by wannabe power u
Re: SV: SV: CPE Residential IPv6 Security Poll
On Sun, 25 Sep 2016 07:08:46 +, erik.tarald...@telenor.com wrote: 1) In theory you are right. In practise it is not that black and white. We never buy an excisting product, we buy an future product which has to be developed for us. That include physical features which may not have beed release from Broadcom yet (11ac 3x3 we were the first mass order from Broadcom for example). That means that we usualy have an development periode with the vendor, and a release target (VDSL launch for example) Sometimes the have to rush the CPE side to meet the network side launch. This again means that we usualy launch with a fair number of bug and un-optimized software, and features missing. And since we don't buy in Comcast type volumes we don not have the purchasing power to instruct the vendors to do absolutly everything, we have an limited development team working for us and we have to prioritize what they should work on. And so far UPnP has not gotten above that treshold. (And the above is a bit besides the point, we seem to be the only ISP who want UPnP. That don't help our customers a lot. In order for UPnP to work you also need support in the clients, and those we talk to who do develop clients badly want to get away from UPnP) ... that has been said with regard to everything related to IPv6 for nearly 20years. When will we stop using it as an excuse? Someone has to be the first, even if it's just for the show and there are no client side client. --- -- Roger Jorgensen | - ROJO9-RIPE ro...@jorgensen.no | - The Future is IPv6 --- A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail?
SV: SV: CPE Residential IPv6 Security Poll
1) In theory you are right. In practise it is not that black and white. We never buy an excisting product, we buy an future product which has to be developed for us. That include physical features which may not have beed release from Broadcom yet (11ac 3x3 we were the first mass order from Broadcom for example). That means that we usualy have an development periode with the vendor, and a release target (VDSL launch for example) Sometimes the have to rush the CPE side to meet the network side launch. This again means that we usualy launch with a fair number of bug and un-optimized software, and features missing. And since we don't buy in Comcast type volumes we don not have the purchasing power to instruct the vendors to do absolutly everything, we have an limited development team working for us and we have to prioritize what they should work on. And so far UPnP has not gotten above that treshold. (And the above is a bit besides the point, we seem to be the only ISP who want UPnP. That don't help our customers a lot. In order for UPnP to work you also need support in the clients, and those we talk to who do develop clients badly want to get away from UPnP) 2) You may have more luck with your forum posts, but on the norwegian forums the loudest answer wins the day. Reason cannot stand up to the forces of loud ignorance. 3) As stated in 1, limited recources dictates that we prioritice security, features which support payable services, then the stuff we network geeks want. And since I do know a lot of smaller ISP's and retailers of off-the-shelf products, I do know that those products do very seldom get anything other than bug fixes for anything other that flaws which may refelct badly on the CPE vendor. 4) The customers are paying for internet access. That used to mean an ethernet port and two IPv4 addresses. Today the costomers define it as wifi access on the phone in the room the furthest away from the router. The level of knowledge in the user base is dropping like a stone. If we can have an technical solutin which prevents the customer from having issues and calling us, we go for it. -Erik Fra: ipv6-ops-bounces+erik.taraldsen=telenor@lists.cluenet.de på vegne av Ted Mittelstaedt Sendt: 20. september 2016 18:52 Til: ipv6-ops@lists.cluenet.de Emne: Re: SV: CPE Residential IPv6 Security Poll Erik, I think you have to follow these precepts (keep in mind this is an American capitalist perspective not a European cooperative socialist perspective) 1) You got the money, tell your vendors to either do what you want (put IPv6 UPnP in CPEs they sell you) or you are going to kick their ass. It's your money! They want your money do they not? That's why they are selling CPEs to you - so why do you tolerate any crap from them? Tell them either put UPnP in the code or your going elsewhere for your CPEs and you are going to tell all your other ISP friends to go elsewhere for their CPEs. Enough Mr. Nice Guy. 2) It's not your problem if Ma & Pa Kettle find a wannabe power user. If you don't like being bad-mouthed by wannabe power users on the online forums then get your ass on the online forums and start engaging. Refute those "need bigger antennas" posts with logic and reason. I guarantee to you that 1 correct post is worth 100 baloney posts from wannabe power users. 3) How on Earth can you make the case that your ISP router patches security holes and adds features yet turn around and claim that you can't push your CPE vendors to add UPnP support? Either you have power to get your CPE vendors to issue updates or not. If you do - then quit complaining that no CPE's have UPnP support for IPv6. If you don't - then quit claiming your CPE is better. 4) What is your customers perception that they are paying for and what are they REALLY paying for? If they think they are paying for access only - and you think they are paying for access plus your management of their network CPE - then I can see why you might be wondering why they aren't complaining to you when there's a problem and going to the wannabe power users. Maybe you just need to do some more customer education? Ted On 9/20/2016 1:24 AM, erik.tarald...@telenor.com wrote: > With all due respect to the actual power user out there. For each one of > them, there is at least 20 who think they are power users who base their > knowledge on rumors and misconceptions. They are often vocal (forums and > coments on news sites) and they are the once who often are enlisted to help > Ma& Pa Kettle. At least that is what we see a lot of in Norway. They > simply do not have the ability to correctly diagnose the issues. Solutions > often involve "you need bigger antennas on the router", "Apple routers are > allways the best", "the ISP supplied router allways suck". > > So Bob-the-power-user buy the expencive huge antenna router and install at > M&PK. It doe