Re: SV: SV: SV: CPE Residential IPv6 Security Poll

2016-10-01 Thread Daniel Roesen
On Thu, Sep 29, 2016 at 01:50:07PM +0200, e.vanu...@avm.de wrote:
> CU at BBWF ;-) We are building CPE with IPv6 on board.

Which still can't even do static IPv6 routes or open firewall for
adresses in prefixes not directly connected.

Example: getting a /48 from upstream, either statically routing or
PD'ing this to another inside router. No way to disable firewalling for
those.

Since AVM did close the shell access to the FB, you cannot even manually
add the static routes. So FB with current OS is basically unusable for
anything but directly connected networks (main/guest) in IPv6. I'm
looking for a replacement for my 7390 as this problem doesn't allow me
to upgrade firmware anymore (as I would lose telnet access and thus IPv6
in my home networks).

Nevertheless, welcome to the list. :-)

Best regards,
Daniel

-- 
CLUE-RIPE -- Jabber: d...@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0


Re: SV: SV: SV: CPE Residential IPv6 Security Poll

2016-09-29 Thread Holger Zuleger


On 29.09.2016 14:28, Thomas Schäfer wrote:
> Am 29.09.2016 um 13:50 schrieb e.vanu...@avm.de:
>> CU at BBWF ;-) We are building CPE with IPv6 on board.
>>
>> https://tmt.knect365.com/bbwf/sponsors/avm
>>
>> Eric
> 
> Without IPv6-support for vpn, without configurable firewall for
> dhcpv6-pd, without the ability to disable IPv4-myfritz-DNS-entries.
... without static routes for IPv6 and, to come back to the original
topic: Without the possibility to turn of the IPv6 firewall...

> AVM is good, but not perfect.
Ack! And I like the way how the IPv6 firewall is configurable, but a
(maybe somehow hidden) knob to turn it completely off, or even set it to
a relaxed security like the Swisscom way, would be great.

BR
 Holger



smime.p7s
Description: S/MIME Cryptographic Signature


Re: SV: SV: SV: CPE Residential IPv6 Security Poll

2016-09-29 Thread Thomas Schäfer

Am 29.09.2016 um 13:50 schrieb e.vanu...@avm.de:

CU at BBWF ;-) We are building CPE with IPv6 on board.

https://tmt.knect365.com/bbwf/sponsors/avm

Eric


Without IPv6-support for vpn, without configurable firewall for 
dhcpv6-pd, without the ability to disable IPv4-myfritz-DNS-entries.
Some IPv6-menus still hidden, only in expert view or far far away from 
the users focus.


AVM is good, but not perfect.


Regards,
Thomas





--

There’s no place like ::1

Thomas Schäfer (Systemverwaltung)
Ludwig-Maximilians-Universität
Centrum für Informations- und Sprachverarbeitung
Oettingenstraße 67 Raum C109
80538 München ☎ +49/89/2180-9706  ℻ +49/89/2180-9701



Re: SV: SV: SV: CPE Residential IPv6 Security Poll

2016-09-29 Thread e . vanuden
CU at BBWF ;-) We are building CPE with IPv6 on board.

https://tmt.knect365.com/bbwf/sponsors/avm

Eric





Von:<erik.tarald...@telenor.com>
An: <ragnar.anfin...@altibox.no>
Kopie:  ipv6-ops@lists.cluenet.de
Datum:  29-09-2016 11:27
Betreff:        SV: SV: SV: CPE Residential IPv6 Security Poll
Gesendet von:   ipv6-ops-bounces+e.vanuden=avm...@lists.cluenet.de



>>And just to trow this conversation futher of, anybody else here coming 
to BBWF this year?
>
> I’ll be there... Beers?

Good idea.  Any non-Norwegians who would like to join? :)

-E



SV: SV: SV: CPE Residential IPv6 Security Poll

2016-09-29 Thread erik.taraldsen
>>And just to trow this conversation futher of, anybody else here coming to 
>>BBWF this year?
>
> I’ll be there... Beers?

Good idea.  Any non-Norwegians who would like to join? :)

-E

Re: SV: SV: CPE Residential IPv6 Security Poll

2016-09-28 Thread Ted Mittelstaedt


This is a flawed "argument of futility"

The reality is that people are fundamentally lazy -
if they were hard workers and industrious they wouldn't be
trying to make a living off the backs of other people's work.
They wouldn't be stealing and the ones not stealing wouldn't be
taking the lazy way out in a debate and using faulty logic.
Nor would they be trying to use IPv4 because it's simpler
to understand, instead of using IPv6 - which is the reason
this list exists in the first place.

Because of this we know criminals will always take the easiest way
into a system first.  When that way gets closed off then they will
take the next easiest way in, and so on and so on.  Crime is
one of the most logical businesses in existence - it's immoral
as hell - but you have to respect the logic of a bank robber -
where else do you get $20,000 for 20 minutes of work?

As a result, securing an open system generally happens through
the mechanism of you close a hole then another is discovered and
you close that one and another is discovered and so on and so on.

People who are not well versed in security,
as they see hole after hole closed, they tend to get the idea
that holes are endless.  Thus, enters in the "argument of futility"

What they don't understand is that every time a security
hole is discovered it makes it harder and more expensive to attack
the next one.

Because the entire point of crime is laziness, the issue isn't whether 
or not we can create an impregnable system.  We cannot do that.


The issue is can we make a system that is difficult enough to
break into that the effort of breaking into it is greater than
the effort of just getting a real job and making money the old
fashioned way - by EARNING it, rather than stealing it.

It is easier to attack a system directly that is exposed then
it is to attack that system via proxy.  Everyone on the Internet
who produces devices that are used on the Internet has a
responsibility to close holes they create - but they also have a
responsibility to make it difficult for crackers.

The web browser makers use
technology like Smartscreen Filter, Phishing and Malware Protection,
Block Attack Sites & Web Forgeries to try and do their part, the
CPE makers need to do their part, and last and most importantly,
all of us need to continue our efforts to try and educate Ma and
Pa Kettle not to click on the Make Money Fast, schemes.

Ted

On 9/27/2016 12:54 PM, Gert Doering wrote:

Hi,

On Tue, Sep 27, 2016 at 05:06:54PM +0900, Erik Kline wrote:

So lowest common denominator it is then.  Of course, any user's home
device can be infected through a web page and become part of a botnet.


Nah, of course not.  Viruses and such never spreads through mail, or
users clicking on things.

We've heard a long and elaborate explanation that Firewalls on CPEs will
protect IoT devices, so it must be right!

*sigh*

Gert Doering
 -- NetMaster


---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus



Re: SV: SV: CPE Residential IPv6 Security Poll

2016-09-25 Thread Roger Jørgensen

On Sun, 25 Sep 2016 07:08:46 +, erik.tarald...@telenor.com wrote:

1) In theory you are right.  In practise it is not that black and
white.  We never buy an excisting product, we buy an future product
which has to be developed for us.  That include physical features
which may not have beed release from Broadcom yet (11ac 3x3 we were
the first mass order from Broadcom for example).  That means that we
usualy have an development periode with the vendor, and a release
target (VDSL launch for example)  Sometimes the have to rush the CPE
side to meet the network side launch.  This again means that we 
usualy

launch with a fair number of bug and un-optimized software, and
features missing.  And since we don't buy in Comcast type volumes we
don not have the purchasing power to instruct the vendors to do
absolutly everything, we have an limited development team working for
us and we have to prioritize what they should work on.  And so far
UPnP has not gotten above that treshold.

(And the above is a bit besides the point, we seem to be the only ISP
who want UPnP.  That don't help our customers a lot.  In order for
UPnP to work you also need support in the clients, and those we talk
to who do develop clients badly want to get away from UPnP)


... that has been said with regard to everything related to IPv6 for
nearly 20years. When will we stop using it as an excuse?

Someone has to be the first, even if it's just for the show and there
are no client side client.



---

--
Roger Jorgensen  | - ROJO9-RIPE
ro...@jorgensen.no   | - The Future is IPv6
---

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?


SV: SV: CPE Residential IPv6 Security Poll

2016-09-25 Thread erik.taraldsen
1) In theory you are right.  In practise it is not that black and white.  We 
never buy an excisting product, we buy an future product which has to be 
developed for us.  That include physical features which may not have beed 
release from Broadcom yet (11ac 3x3 we were the first mass order from Broadcom 
for example).  That means that we usualy have an development periode with the 
vendor, and a release target (VDSL launch for example)  Sometimes the have to 
rush the CPE side to meet the network side launch.  This again means that we 
usualy launch with a fair number of bug and un-optimized software, and features 
missing.  And since we don't buy in Comcast type volumes we don not have the 
purchasing power to instruct the vendors to do absolutly everything, we have an 
limited development team working for us and we have to prioritize what they 
should work on.  And so far UPnP has not gotten above that treshold.

(And the above is a bit besides the point, we seem to be the only ISP who want 
UPnP.  That don't help our customers a lot.  In order for UPnP to work you also 
need support in the clients, and those we talk to who do develop clients badly 
want to get away from UPnP)


2) You may have more luck with your forum posts, but on the norwegian forums 
the loudest answer wins the day. Reason cannot stand up to the forces of loud 
ignorance.

3) As stated in 1, limited recources dictates that we prioritice security, 
features which support payable services, then the stuff we network geeks want.  
And since I do know a lot of smaller ISP's and retailers of off-the-shelf 
products, I do know that those products do very seldom get anything other than 
bug fixes for anything other that flaws which may refelct badly on the CPE 
vendor.

4) The customers are paying for internet access.  That used to mean an ethernet 
port and two IPv4 addresses.  Today the costomers define it as wifi access on 
the phone in the room the furthest away from the router.  The level of 
knowledge in the user base is dropping like a stone.  If we can have an 
technical solutin which prevents the customer from having issues and calling 
us, we go for it.


-Erik



Fra: ipv6-ops-bounces+erik.taraldsen=telenor@lists.cluenet.de 
 på vegne av Ted 
Mittelstaedt 
Sendt: 20. september 2016 18:52
Til: ipv6-ops@lists.cluenet.de
Emne: Re: SV: CPE Residential IPv6 Security Poll

Erik,

I think you have to follow these precepts (keep in mind this is an
American capitalist perspective not a European cooperative socialist
perspective)

1) You got the money, tell your vendors to either do what you want (put
IPv6 UPnP in CPEs they sell you) or you are going to kick their ass.
It's your money!  They want your money do they not?  That's why they are
selling CPEs to you - so why do you tolerate any crap from them?  Tell
them either put UPnP in the code or your going elsewhere for your CPEs
and you are going to tell all your other ISP friends to go elsewhere for
their CPEs.   Enough Mr. Nice Guy.

2) It's not your problem if Ma & Pa Kettle find a wannabe power user.
If you don't like being bad-mouthed by wannabe power users on the online
forums then get your ass on the online forums and start engaging.
Refute those "need bigger antennas" posts with logic and reason.
I guarantee to you that 1 correct post is worth 100 baloney posts from
wannabe power users.

3) How on Earth can you make the case that your ISP router patches
security holes and adds features yet turn around and claim that you
can't push your CPE vendors to add UPnP support?   Either you have power
to get your CPE vendors to issue updates or not.  If you do - then
quit complaining that no CPE's have UPnP support for IPv6.  If you
don't - then quit claiming your CPE is better.

4) What is your customers perception that they are paying for and
what are they REALLY paying for?   If they think they are paying for
access only - and you think they are paying for access plus your
management of their network CPE - then I can see why you might be
wondering why they aren't complaining to you when there's a problem
and going to the wannabe power users.  Maybe you just need to do some
more customer education?

Ted

On 9/20/2016 1:24 AM, erik.tarald...@telenor.com wrote:
> With all due respect to the actual power user out there.  For each one of 
> them, there is at least 20 who think they are power users who base their 
> knowledge on rumors and misconceptions.   They are often vocal (forums and 
> coments on news sites) and they are the once who often are enlisted to help 
> Ma&  Pa Kettle.  At least that is what we see a lot of in Norway.  They 
> simply do not have the ability to correctly diagnose the issues.  Solutions 
> often involve "you need bigger antennas on the router", "Apple routers are 
> allways the best", "the ISP supplied router allways suck".
>
> So