Re: question regarding over the counter devices

2017-03-07 Thread Mikael Abrahamsson

On Tue, 7 Mar 2017, Brian E Carpenter wrote:

> I notice this because I log IPv6 connectivity. My wife has no idea this
> is going on. (Why my ISP offers inconsistent IPv6 service is another
> question, which their help desk cannot answer.)


Yeah, I have the same experience. Historically I've had my IPv6 down for 
days before I actually needed it to ssh home to one of my devices. HE 
solves most user issues.


Only thing that makes it break is if there is PMTUD blackhole. So better 
to stop IPv6 (or IPv4) working completely, than to introduce PMTUD 
blackhole.


--
Mikael Abrahamsson    email: swm...@swm.pp.se


Re: question regarding over the counter devices

2017-03-06 Thread Bjørn Mork
Tim Chown  writes:

> But the mobile situation is now becoming better, isn’t it? I read that
> >50% of the traffic to Facebook from the bigger US mobile operators is
> now IPv6. In the UK, we have at least one mobile operator with a
> growing deployment of over half a million v6-only handsets - see
> https://indico.uknof.org.uk/event/38/contribution/8/material/slides/1.pdf.

Tore's excellent statistics show that 2/3 of the traffic from Norway's
biggest mobile operator now is IPv6:
https://fud.no/munin/Networking/Networking/vg_ds_telenor_mobil.html

100% is the next reasonable goal :)


Bjørn


Re: question regarding over the counter devices

2017-03-06 Thread Thomas Schäfer

On 06.03.2017 at 13:48, Gert Doering wrote:

> 3G mandated IPv6, no carrier actually deployed it *before* they had a
> huge legacy of IPv4-only handsets in the field...  could have been done
> from day one.



One interesting point here is: Despite the late start of the mobile 
network people, we have some user equipment at the moment.


LTE/UMTS-modems(usb/mPCIe) - no firewall issue - because it is 
exclusively done / not done by the OS of the connected device (e.g. 
Notebook)


LTE/UMTS - router, my focus is on the mobile things here: I never have 
seen firewall settings for IPv6, only a lot of mostly obsolete IPv4-features


LTE-router for DSL-replacement may be better here, but I don't know

Some phones are able to share IPv6-connections (tethering, 
hotspot-mode): Do they provide a firewall? Is it useful?


Can anybody test it? I can't because there is a big firewall by the ISP.


Regards,
Thomas



Re: question regarding over the counter devices

2017-03-06 Thread Gert Doering
Hi,

On Mon, Mar 06, 2017 at 02:07:31PM +0100, Mikael Abrahamsson wrote:
> On Mon, 6 Mar 2017, Gert Doering wrote:
> 
> > 3G mandated IPv6, no carrier actually deployed it *before* they had a 
> > huge legacy of IPv4-only handsets in the field...  could have been done 
> > from day one.
> 
> On the other hand no handset manufacturer apart from Nokia ever made any 
> 3G handsets that supported IPv6.

I'm not sure why "point to the part in the 3G specs that says v6 is mandatory"
would have been so hard...

> Also, since you needed two concurrent bearers and the 3GPP network vendors 
> charged per bearer, it also makes IPv6 deployment extremely expensive.
> 
> Yes, plenty of blame to go around. It's not only a carrier problem.

If you wanted reasons to not deploy IPv6, there have always been excuses 
galore.

But then do not complain 10 years later that you have such a large basis
of IPv4-only clients and all of a sudden it's sooo much work...

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14  Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444   USt-IdNr.: DE813185279




Re: question regarding over the counter devices

2017-03-06 Thread Mikael Abrahamsson

On Mon, 6 Mar 2017, Gert Doering wrote:

> 3G mandated IPv6, no carrier actually deployed it *before* they had a
> huge legacy of IPv4-only handsets in the field...  could have been done
> from day one.


On the other hand no handset manufacturer apart from Nokia ever made any 
3G handsets that supported IPv6.


Also, since you needed two concurrent bearers and the 3GPP network vendors 
charged per bearer, it also makes IPv6 deployment extremely expensive.


Yes, plenty of blame to go around. It's not only a carrier problem.

--
Mikael Abrahamsson    email: swm...@swm.pp.se


Re: question regarding over the counter devices

2017-03-06 Thread Gert Doering
Hi,

On Mon, Mar 06, 2017 at 01:26:57PM +0100, Mikael Abrahamsson wrote:
> > The mobile carriers nicely demonstrated how *not* to do it - by ignoring 
> > the mandate for IPv6 in 3G, and rolling out huge masses of v4-only 
> > handsets, they suddenly had a huge installed basis of, well, v4-only 
> > legacy devices to deal with...
> 
> Most carriers do not control handsets anymore. Those days are long gone.

The day to roll out mobile Internet properly are indeed long gone, now
they get to deal with the legacy.

3G mandated IPv6, no carrier actually deployed it *before* they had a
huge legacy of IPv4-only handsets in the field...  could have been done
from day one.

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?



Re: question regarding over the counter devices

2017-03-06 Thread Jakob Hirsch

On 06.03.2017 at 11:37, Florian Lohoff wrote:

> Nevertheless - As an ISP I would never enable IPv6 for Customers
> without being sure that they are aware.


While I understand the concerns, since I was in this situation a while 
ago at $ORKPLACE[-1] (you may remember me from your former employer :), 
this is OK in the early phase, where you want to make sure that your 
hotline won't blow up. If you want a significant IPv6 usage (which we 
all do, I hope), you'll just start enabling it. We had several phases, 
roughly and IIRC:
- enabled it for customers that ask for it (after announcing it in the 
support forum)
- enabled it for new customers on the network side. The few ones that 
enable it by themselves will profit, but this is mainly to make sure 
your access network won't run into problems when going large scale

- after a while, started enabling for all customers network-side
- enable it on new customers CPEs (or whenever they reset their CPE). 
with an appropriate rate of new customers, you will get nice numbers 
after several months.


So here we are now, a good six-figure (or maybe even seven by now) 
number using IPv6, most without knowing or noticing, without any big 
issues rolling in from support. So from my experience I would say: be bold!



Regards
Jakob


Re: question regarding over the counter devices

2017-03-06 Thread Mikael Abrahamsson

On Mon, 6 Mar 2017, Gert Doering wrote:

> If a CPE has no v6 support, having it available on the DSLAM (in passive
> mode = do not start IPv6CP until the client initiates it) will not do
> harm.


The issue here isn't devices that do not support IPv6, it's the ones that 
do support IPv6 when it "suddenly" is turned on.


> The mobile carriers nicely demonstrated how *not* to do it - by ignoring
> the mandate for IPv6 in 3G, and rolling out huge masses of v4-only
> handsets, they suddenly had a huge installed basis of, well, v4-only
> legacy devices to deal with...


Most carriers do not control handsets anymore. Those days are long gone.

--
Mikael Abrahamsson    email: swm...@swm.pp.se


Re: question regarding over the counter devices

2017-03-06 Thread Gert Doering
Hi,

On Mon, Mar 06, 2017 at 12:11:53PM +0100, Florian Lohoff wrote:
> You can't enable some feature for "Aunt Tilly" without her at least
> being able to take action.

Aunt Tilly has no idea what IPv4, IPv6 or "Internet" is.  As long as her
web browser will show cat videos, she's happy.

If you wait for Aunt Tilly to make a decision regarding "how should her
Internet access be provisioned?", nothing will ever happen.

[..]
> I have been with a large Carrier in .de and we had the transitional
> problems and we didn't fix/enable it at all until I left in 2011.
> Although we enabled the core of my former employee to IPv6/6PE
> and the BRAS were all IPv6 capable we didn't enable it. So around 1.7
> million DSL Subscribers without IPv6. I and a few colleagues started a
> new carrier and we shipped 100% Dualstack but we knew the oldest Software
> of our CPEs and we knew the features. So it was much easier.

If a CPE has no v6 support, having it available on the DSLAM (in passive
mode = do not start IPv6CP until the client initiates it) will not do harm.

> You need to start somewhere and the non-tier1 carriers with enough
> IP addresses don't even start enabling IPv6 because they have no answer
> to the transition scenario.

Delaying the inevitable will just raise your costs more and more.

The mobile carriers nicely demonstrated how *not* to do it - by ignoring
the mandate for IPv6 in 3G, and rolling out huge masses of v4-only 
handsets, they suddenly had a huge installed basis of, well, v4-only
legacy devices to deal with...

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?



Re: question regarding over the counter devices

2017-03-06 Thread Thomas Schäfer

On 06.03.2017 at 12:11, Florian Lohoff wrote:

> Aunt Tilly

> You are dealing with non technical people.

You contradict yourself.
Non technical people have no clue about IPv6/IPv4, some of them flood
the support (in Germany Unitymedia/UPC, Vodafone) because their PS-games
don't work anymore with CGNAT as part of DS-lite.


But they got the change implicitly via the new AGB(Terms and Conditions 
small printed) while upgrading the speed without being asked about the 
protocol changes.



A further example is the mobile network. After changing the network 
profile on IOS-devices, the user cannot opt out.


Without a choice (switched on is switched on) the IPv6-monitoring must be
better.


Last Friday the IPv6-connection between DTAG and google was broken for 
some hours.


Non technical people have no chance to debug the slow motion web sites 
in this case.



Regards,
Thomas






Re: question regarding over the counter devices

2017-03-06 Thread Florian Lohoff
On Mon, Mar 06, 2017 at 11:41:54AM +0100, Gert Doering wrote:
> Hi,
> 
> On Mon, Mar 06, 2017 at 11:37:30AM +0100, Florian Lohoff wrote:
> > Nevertheless - As an ISP I would never enable IPv6 for Customers
> > without being sure that they are aware.
> > 
> > - Deploy IPv6 Dualstack from some point in time and making it clear
> >   in your paperwork.
> > - Make it an option for legacy users to opt in.
> > - After some time - send emails telling the users
> > - Enable a captive portal for users to let them enable ipv6
> 
> This is "last century's process":  wait for customers to ask for IPv6,
> which they will not do, and then you can prove to your management that 
> "there is no demand", so you can continue to not roll out v6.
> 
> If we ever want to reach the point when we can stop bothering with
> IPv4 on the server side, IPv6 needs to be on by default on *ALL* 
> access.  Not opt-in.  Not "it will take another 20 years".

You can't enable some feature for "Aunt Tilly" without her at least
being able to take action. And Aunt Tilly will never be able to take
action after you ship her the CPE. She will not even be able to log into
her CPE. And that's today's Default customer. You need to tell
them to press the WPS Button to get their Mobile Phone online and they
won't find the button marked "WPS".

So the best bet is that you enable IPv6 for new contracts and shipments
and with the average contract time you age out your legacy products.

This is what Deutsche Telekom did. They bundled their IPv6 deployment
with their VDSL/FTTB deployment. So switching contracts means getting
a newer CPE and Dualstack.

I have been with a large Carrier in .de and we had the transitional
problems and we didn't fix/enable it at all until I left in 2011.
Although we enabled the core of my former employee to IPv6/6PE
and the BRAS were all IPv6 capable we didn't enable it. So around 1.7
million DSL Subscribers without IPv6. I and a few colleagues started a
new carrier and we shipped 100% Dualstack but we knew the oldest Software
of our CPEs and we knew the features. So it was much easier.

You need to start somewhere and the non-tier1 carriers with enough
IP addresses don't even start enabling IPv6 because they have no answer
to the transition scenario.

If you have an existing ADSL deployment for 10 Years you have hundreds
of different customer owned CPEs in the field with a permutation of ALL broken
Software in the world one could imagine. You won't fix that. Enabling
IPv6 unconditionally will swamp your support with all sorts of obscure
Problems e.g. "I suddenly can't print anymore" - Yes - your Printer is ipv4 and
your clients are dualstacked now and Cups is broken as it does not try a
fallback to v4 if v6 fails ...  Been there - Done that.


You are dealing with non technical people. So it must be easy, straight
forward and within their expectations that something changed. 

Flo
-- 
Florian Lohoff f...@zz.de


Re: question regarding over the counter devices

2017-03-06 Thread Gert Doering
Hi,

On Mon, Mar 06, 2017 at 11:37:30AM +0100, Florian Lohoff wrote:
> Nevertheless - As an ISP I would never enable IPv6 for Customers
> without being sure that they are aware.
> 
> - Deploy IPv6 Dualstack from some point in time and making it clear
>   in your paperwork.
> - Make it an option for legacy users to opt in.
> - After some time - send emails telling the users
> - Enable a captive portal for users to let them enable ipv6

This is "last century's process":  wait for customers to ask for IPv6,
which they will not do, and then you can prove to your management that 
"there is no demand", so you can continue to not roll out v6.

If we ever want to reach the point when we can stop bothering with
IPv4 on the server side, IPv6 needs to be on by default on *ALL* 
access.  Not opt-in.  Not "it will take another 20 years".

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?



Re: question regarding over the counter devices

2017-03-06 Thread Florian Lohoff
On Wed, Mar 01, 2017 at 08:06:02AM +0100, Mikael Abrahamsson wrote:
> 
> Hi,
> 
> I just had a discussion with people from an ISP in the process of
> implementing IPv6. They were afraid of turning on IPv6 for customers
> who had purchased their own routers themselves, because these
> routers might not have IPv6 firewalling on by default, thus exposing
> customers who used to be "protected" by IPv4 NAT, to now be exposed
> with unfirewalled IPv6.
> 
> So my question:
> 
> Devices that people buy in electronics stores etc, do they even come
> with IPv6 turned on by default?

With the AVM Fritz!Box line - yes - it's enabled by default - And yes,
even the firewalling.

Nevertheless - As an ISP I would never enable IPv6 for Customers
without being sure that they are aware.

- Deploy IPv6 Dualstack from some point in time and making it clear
  in your paperwork.
- Make it an option for legacy users to opt in.
- After some time - send emails telling the users
- Enable a captive portal for users to let them enable ipv6

If you are a xDSL provider you can even make this based on the
DSL Vendor and Version you get in the xDSL Handshake. You even 
know what CPE the customer has and if it's IPv6 Capable at all
or if it's safe to enable.

Flo
-- 
Florian Lohoff f...@zz.de


Re: question regarding over the counter devices

2017-03-02 Thread Gert Doering
Hi,

On Wed, Mar 01, 2017 at 08:39:43AM +0100, sth...@nethelp.no wrote:
> FreeBSD, at least until 11.0-STABLE: No IPv6 firewall turned on by
> default. Which is exactly what I want.

Well, "have no services on by default" is good enough for the issue
at hand "can my devices protect themselves, or would a firewall be
beneficial in any way?"... :-)

Gert Doering
-- NetMaster
-- 
have you enabled IPv6 on something today...?



Re: question regarding over the counter devices

2017-03-01 Thread Sean Hunter
"...because there was a port-forward in the residential gateway..."

That's unrelated to the original query that started this thread. A user (or
device via UPnP, I suppose) had to have configured that port forward. What
happened there has nothing to do with default firewall behavior in SOHO
routers.

I could spout off personal experience but hard data would be better, and I
have none of that to contribute, unfortunately. Probably the best approach
would be for some group to spend a few thousand $currency and purchase a
load of SOHO routers for testing. I would hope that data would eventually
be published publicly, as it would be highly valuable.

I believe there was an offer further up the thread for the IETF to pick up
this work? I am not part of the relevant working group, but I would find
this data to be useful.

On Wed, Mar 1, 2017 at 2:18 PM, Mikael Abrahamsson  wrote:

> On Wed, 1 Mar 2017, Nick Buraglio wrote:
>
> Is this actually a realistic fear?
>>
>
> Let me put it this way, I have personally found an anon-ftp server with
> company confidential documents on it, that was reachable from the outside
> without the owners knowledge, because there was a port-forward in the
> residential gateway that the owner wasn't actively aware of, and the NAS
> had anon-ftp turned on without the owners active knowledge.
>
> So google had indexed all files on this NAS. I contacted the person (did
> some digging using pictures etc on this NAS) via their employer, and talked
> to the person who had no idea.
>
> Now, with unfiltered IPv6 it would be harder to actually find this NAS,
> but once found, there is no need for port forward for it to be reachable
> from the Internet.
>
> So yes, I can understand the fear and I agree that it's realistic. That's
> why most ISPs have chosen to have stateful filtering toward the customers
> by default.
>
>
> --
> Mikael Abrahamsson    email: swm...@swm.pp.se
>


Re: question regarding over the counter devices

2017-03-01 Thread Jens Link
Mikael Abrahamsson  writes:

> Let me put it this way, I have personally found an anon-ftp server with
> company confidential documents on it, that was reachable from the
> outside without the owners knowledge, because there was a port-forward
> in the residential gateway that the owner wasn't actively aware of, and
> the NAS had anon-ftp turned on without the owners active knowledge.

Just take a look at many university networks. The ones I know use
public IPv4 space, no NAT and many times no firewalls. Now take one of
those scanner / printer things with anon FTP saving all documents
scanned on their local disk drive. Or a powerful laser with a power
supply accessible via SNMP private. I think many people are accustomed
to the "security" they get from NAT and don't think that there is
anything else. 

Jens
-- 

| Foelderichstr. 40   | 13595 Berlin, Germany   | +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@quux.de| ---  | 



Re: question regarding over the counter devices

2017-03-01 Thread Mikael Abrahamsson

On Wed, 1 Mar 2017, Nick Buraglio wrote:


> Is this actually a realistic fear?


Let me put it this way, I have personally found an anon-ftp server with 
company confidential documents on it, that was reachable from the outside 
without the owners knowledge, because there was a port-forward in the 
residential gateway that the owner wasn't actively aware of, and the NAS 
had anon-ftp turned on without the owners active knowledge.


So google had indexed all files on this NAS. I contacted the person (did 
some digging using pictures etc on this NAS) via their employer, and 
talked to the person who had no idea.


Now, with unfiltered IPv6 it would be harder to actually find this NAS, 
but once found, there is no need for port forward for it to be reachable 
from the Internet.


So yes, I can understand the fear and I agree that it's realistic. That's 
why most ISPs have chosen to have stateful filtering toward the customers 
by default.


--
Mikael Abrahamsson    email: swm...@swm.pp.se
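
An added example, not part of the original thread: a small Python audit of an `ip6tables-save` dump from a Linux-based home router, reporting whether unsolicited inbound IPv6 is forwarded to the LAN, whether filtering is stateful, and whether ICMPv6 Packet Too Big can still get in (the PMTUD blackhole concern raised elsewhere in the thread). The dumps are constructed, the interface names `wan` and `br-lan` are assumptions, and the rule model is simplified: one FORWARD chain, jumps to user-defined chains and negated matches are ignored.

```python
import re

# Constructed ip6tables-save dumps (not from any real device). The interface
# names "wan" and "br-lan" are assumptions made for this example.
OPEN_ROUTER = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""
STATEFUL_ROUTER = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-lan -o wan -j ACCEPT
COMMIT
"""
# ESTABLISHED without RELATED: ICMPv6 errors for existing flows are dropped.
BLACKHOLE_ROUTER = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i br-lan -o wan -j ACCEPT
COMMIT
"""
# Same ruleset with an explicit Packet Too Big (ICMPv6 type 2) accept added.
FIXED_ROUTER = BLACKHOLE_ROUTER.replace(
    "COMMIT",
    "-A FORWARD -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT\nCOMMIT")

STATE_RE = re.compile(r"--(?:ctstate|state)\s+(\S+)")
IN_IF_RE = re.compile(r"(?<!\S)-i\s+(\S+)")
TARGET_RE = re.compile(r"(?<!\S)-j\s+(\S+)")
PTB_RE = re.compile(r"--icmpv6-type\s+(?:2|packet-too-big)(?:/\d+)?(?!\S)")
# Parts of a rule that do not narrow which WAN-side packets it matches.
KNOWN_RE = re.compile(
    r"(?<!\S)(?:-A FORWARD|-i \S+|-j \S+|-m (?:conntrack|state)"
    r"|--(?:ctstate|state) \S+)(?!\S)")
TERMINAL = ("ACCEPT", "DROP", "REJECT")


def audit_forward(dump, wan_if="wan"):
    """Summarise how filter/FORWARD treats traffic arriving on wan_if."""
    policy, rules, in_filter = "ACCEPT", [], False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":FORWARD "):
            policy = line.split()[1]
        elif in_filter and line.startswith("-A FORWARD "):
            rules.append(line)

    stateful = related = ptb = False
    verdict = None  # fate of an unsolicited first packet from the WAN
    for rule in rules:
        if "!" in rule.split():
            continue  # negated matches are outside this simplified model
        in_if = IN_IF_RE.search(rule)
        if in_if and in_if.group(1) != wan_if:
            continue  # only matches traffic coming from the LAN side
        m = TARGET_RE.search(rule)
        target = m.group(1) if m else None
        m = STATE_RE.search(rule)
        states = set(m.group(1).split(",")) if m else set()
        if target == "ACCEPT":
            stateful |= "ESTABLISHED" in states
            related |= "RELATED" in states
            ptb |= bool(PTB_RE.search(rule))
        if states and "NEW" not in states:
            continue  # cannot match an unsolicited first packet
        unconditional = not KNOWN_RE.sub("", rule).split()
        if unconditional and target in TERMINAL:
            if verdict is None:
                verdict = target
            if not states:
                break  # nothing after this rule is reachable from the WAN

    inbound = verdict or policy
    return {
        "policy": policy,
        "stateful": stateful,
        "unsolicited_inbound": inbound,
        # Packet Too Big reaches LAN hosts if inbound is open, if conntrack
        # accepts RELATED (ICMPv6 errors for known flows), or via an explicit rule.
        "pmtud_safe": inbound == "ACCEPT" or related or ptb,
    }


if __name__ == "__main__":
    for name in ("OPEN_ROUTER", "STATEFUL_ROUTER", "BLACKHOLE_ROUTER", "FIXED_ROUTER"):
        print(name, audit_forward(globals()[name]))
```
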


Re: question regarding over the counter devices

2017-03-01 Thread Nick Buraglio
Is this actually a realistic fear? Let me preface this by saying that I
find NAT extremely distasteful, however, the one thing that NAT provides
some modicum of advantage from is inbound scans of end systems. With IPv6
this is functionally a non-issue from a shotgun scan perspective. Most
devices that come with IPv6 enabled require a prefix delegation, which in
my opinion should be enabled by default. In the US, a great deal of the
major broadband providers are moving toward an all in one, ISP managed
gateway that has all of this enabled and filters IPv6 inbound (although,
again, I'm not sure that it's actually more than a perceived issue and is
likely more of a CYA). Even the smaller ISPs that I have worked with are
enabling IPv6 with the same methodology. Mobile networks enable v6 by
default as well, although I am not able to reach my EUI-64 addresses on my
mobile devices - they appear to be filtered as well.
Realistically the deployments should have as much parity as possible
between v4 and v6, which I believe most reasonable consumer CPE do.
I remember going through this a lifetime ago with IPv4 before ISPs moved to
NAT at the CPE, this really isn't much different and should be reasonably
easier with v6 due to the inherent tracking you get from PD and privacy
addressing on by default with almost everything.

nb


On Wed, Mar 1, 2017 at 3:11 AM, Mikael Abrahamsson  wrote:

> On Wed, 1 Mar 2017, Bjørn Mork wrote:
>
> As an ISP: If you don't manage the CPE, should you even care?
>>
>
> That is good question. In Sweden ISPs have gotten in trouble historically
> for not filtering stuff and customers files were exposed. For instance when
> ETTH had people plug their computers directly into the ETTH RJ45 jack
> (12-15 years ago), had no-password SMB shares on their computers, and there
> was no broadcast filtering on the LAN. Then they could "see" other users
> SMB shares and access them, and this made the papers as "unsecure". This
> was blamed on ISPs, not users.
>
> So when IPv6 now comes along, ISPs are scared that users might have
> no-firewall IPv6 devices, so when IPv6 is enabled all of a sudden lots of
> unsecured devices are then reachable from the Internet, devices that were
> configured in that way because before NAT "protected" them.
>
> yes, yes, being nice is good.  But this is an impossible task.  There is
>> no way you can make assumptions about the security of any unmanaged CPE,
>> with or without IPv6.
>>
>
> I tend to agree, but I can also understand why an ISP might hesitate in
> this case.
>
>
> --
> Mikael Abrahamsson    email: swm...@swm.pp.se
>


Re: question regarding over the counter devices

2017-03-01 Thread Timothy Winters
The IOL doesn't keep this data at hand for Ethernet CPEs, but I would guess
that over half today have IPv6 on by default. I will add when IPv6 is on
almost always they have a firewall.  If there is exact data the working
group wants we can try to run that down.

Tim

On Wed, Mar 1, 2017 at 3:54 AM JORDI PALET MARTINEZ <
jordi.pa...@consulintel.es> wrote:

> Yes, CEs used for residential and SMEs.
>
> In all the products I’ve seen, IPv6 was even on by default (again,
> IPv6-on, firewall-on, but by default). For example, this is true for
> several FTTH (with and without embedded ONT) and DSL CPEs that Spanish
> providers deliver to customers, even if they don’t provide IPv6 yet. I’ve
> seen the same situation in several of my customers, recently in Latin and
> Central America countries.
>
> I’ve looked at different models of about 11-12 vendors, but was just
> using/configuring them, so not on purpose for checking this matter. I’m
> talking about my memory collection from about 4-5 years ago, so will not be
> easy to remember exact models/firmware versions, etc. In my own home, I’ve
> right now access to 4 vendors, 5 products in total, and all them have the
> IPv6 firewall on by default. I’ve another one from TP-Link that I believe
> was on, but it has been reflashed with OpenWRT first, now to LEDE, so I
> can’t check it anymore … Of course, OpenWRT/LEDE have it on by default.
>
> I’m not sure if they keep a record of that, but may be Tim/Erica (in copy)
> from UNH, that perform IPv6 Ready certification, have this detail in some
> kind of statistics? May be even they can ask the other labs that do the
> testing worldwide.
>
> Regards,
> Jordi
>
>
> -Original Message-
> From: <ipv6-ops-bounces+jordi.palet=consulintel...@lists.cluenet.de> on
> behalf of Mikael Abrahamsson <swm...@swm.pp.se>
> Organization: People's Front Against WWW
> Reply-To: <swm...@swm.pp.se>
> Date: Wednesday, 1 March 2017, 9:13
> To: JORDI PALET MARTINEZ <jordi.pa...@consulintel.es>
> CC: <ipv6-ops@lists.cluenet.de>
> Subject: Re: question regarding over the counter devices
>
> On Wed, 1 Mar 2017, JORDI PALET MARTINEZ wrote:
>
> > IPv6 firewall non-on by default. I’ve not seen that myself in any
> > product up to now.
>
> How many products have you looked at? We're still talking about home
> routers now, right?
>
> I just checked Netgear R6100. Factory default has "IPv6 disabled", when I
> change it to "Auto Detect" the setting "IPv6 filtering" is "secured" by
> default.
>
> So this seems to be same thing that you've been seeing.
>
> --
> Mikael Abrahamsson    email: swm...@swm.pp.se
>
>
>
> **
> IPv4 is over
> Are you ready for the new Internet ?
> http://www.consulintel.es
> The IPv6 Company
>
> This electronic message contains information which may be privileged or
> confidential. The information is intended to be for the use of the
> individual(s) named above. If you are not the intended recipient be aware
> that any disclosure, copying, distribution or use of the contents of this
> information, including attached files, is prohibited.
>
>
>
> --



Re: question regarding over the counter devices

2017-03-01 Thread Jens Link
JORDI PALET MARTINEZ  writes:

Hi,

> Maybe we need to look into those distributions of BSD/Linux made for
> non-techie users, that come with a “build-in” GUI, etc. I doubt those
> come with IPv6-enabled by default and the firewall-off, it will be a
> mistake, as they try to allow the users to work with those
> distributions replacing a Windows (which of course comes with IPv6
> enabled and IPv6 firewall enabled by default).

I just installed the latest Ubuntu version (default Desktop
installation) and there are no rules for IPv4 and IPv6.

Jens
-- 

| Foelderichstr. 40   | 13595 Berlin, Germany   | +49-151-18721264 |
| http://blog.quux.de | jabber: jensl...@quux.de| ---  | 



Re: question regarding over the counter devices

2017-03-01 Thread Mikael Abrahamsson

On Wed, 1 Mar 2017, Bjørn Mork wrote:


> As an ISP: If you don't manage the CPE, should you even care?


That is good question. In Sweden ISPs have gotten in trouble historically 
for not filtering stuff and customers files were exposed. For instance 
when ETTH had people plug their computers directly into the ETTH RJ45 jack 
(12-15 years ago), had no-password SMB shares on their computers, and 
there was no broadcast filtering on the LAN. Then they could "see" other 
users SMB shares and access them, and this made the papers as "unsecure". 
This was blamed on ISPs, not users.


So when IPv6 now comes along, ISPs are scared that users might have 
no-firewall IPv6 devices, so when IPv6 is enabled all of a sudden lots of 
unsecured devices are then reachable from the Internet, devices that were 
configured in that way because before NAT "protected" them.



> yes, yes, being nice is good.  But this is an impossible task.  There is
> no way you can make assumptions about the security of any unmanaged CPE,
> with or without IPv6.


I tend to agree, but I can also understand why an ISP might hesitate in 
this case.


--
Mikael Abrahamsson    email: swm...@swm.pp.se

Re: question regarding over the counter devices

2017-03-01 Thread Bjørn Mork
Mikael Abrahamsson  writes:

> I just had a discussion with people from an ISP in the process of
> implementing IPv6. They were afraid of turning on IPv6 for customers
> who had purchased their own routers themselves, because these routers
> might not have IPv6 firewalling on by default, thus exposing customers
> who used to be "protected" by IPv4 NAT, to now be exposed with
> unfirewalled IPv6.

As an ISP: If you don't manage the CPE, should you even care?

yes, yes, being nice is good.  But this is an impossible task.  There is
no way you can make assumptions about the security of any unmanaged CPE,
with or without IPv6.

If you care about the security of arbitrary customer owned devices, then
you should probably start by disabling IPv4.


Bjørn


Re: question regarding over the counter devices

2017-03-01 Thread JORDI PALET MARTINEZ
I guess the point here is to compare if they also have IPv4 firewall on by 
default.

However, I believe the point here is to understand if a user having a 
“standard” distribution of any BSD/Linux, is the one that don’t double check 
all the security of that OS. Maybe we need to look into those distributions of 
BSD/Linux made for non-techie users, that come with a “build-in” GUI, etc. I 
doubt those come with IPv6-enabled by default and the firewall-off, it will be 
a mistake, as they try to allow the users to work with those distributions 
replacing a Windows (which of course comes with IPv6 enabled and IPv6 firewall 
enabled by default).

Regards,
Jordi
 

-Original Message-
From: <sth...@nethelp.no>
Reply-To: <sth...@nethelp.no>
Date: Wednesday, 1 March 2017, 9:44
To: <swm...@swm.pp.se>
CC: <jordi.pa...@consulintel.es>, <ipv6-ops@lists.cluenet.de>
Subject: Re: question regarding over the counter devices

> > IPv6 firewall non-on by default. I’ve not seen that myself in any
> > product up to now.
> 
> How many products have you looked at? We're still talking about home 
> routers now, right?

I was commenting on "all the IPv6 OSs *for hosts and servers*, have the
IPv6 firewall on by default" (my emphasis). This would seem to include
all the BSD variants, all the Linux variants, etc. And in that case, the
statement "IPv6 firewall on by default" is clearly not true.

Steinar Haug, AS2116










Re: question regarding over the counter devices

2017-03-01 Thread JORDI PALET MARTINEZ
Yes, CEs used for residential and SMEs.

In all the products I’ve seen, IPv6 was even on by default (again, IPv6-on, 
firewall-on, but by default). For example, this is true for several FTTH (with 
and without embedded ONT) and DSL CPEs that Spanish providers deliver to 
customers, even if they don’t provide IPv6 yet. I’ve seen the same situation in 
several of my customers, recently in Latin and Central America countries.

I’ve looked at different models of about 11-12 vendors, but was just 
using/configuring them, so not on purpose for checking this matter. I’m talking 
about my memory collection from about 4-5 years ago, so will not be easy to 
remember exact models/firmware versions, etc. In my own home, I’ve right now 
access to 4 vendors, 5 products in total, and all of them have the IPv6 firewall 
on by default. I’ve another one from TP-Link that I believe was on, but it has 
been reflashed with OpenWRT first, now to LEDE, so I can’t check it anymore … 
Of course, OpenWRT/LEDE have it on by default.

I’m not sure if they keep a record of that, but maybe Tim/Erica (in copy) from 
UNH, that perform IPv6 Ready certification, have this detail in some kind of 
statistics? Maybe they can even ask the other labs that do the testing 
worldwide.

Regards,
Jordi
 

-Original message-
From: <ipv6-ops-bounces+jordi.palet=consulintel...@lists.cluenet.de> on behalf of 
Mikael Abrahamsson <swm...@swm.pp.se>
Organization: People's Front Against WWW
Reply-To: <swm...@swm.pp.se>
Date: Wednesday, 1 March 2017, 9:13
To: JORDI PALET MARTINEZ <jordi.pa...@consulintel.es>
CC: <ipv6-ops@lists.cluenet.de>
Subject: Re: question regarding over the counter devices

On Wed, 1 Mar 2017, JORDI PALET MARTINEZ wrote:

> IPv6 firewall non-on by default. I’ve not seen that myself in any product 
> up to now.

How many products have you looked at? We're still talking about home 
routers now, right?

I just checked Netgear R6100. Factory default has "IPv6 disabled", when I 
change it to "Auto Detect" the setting "IPv6 filtering" is "secured" by 
default.

So this seems to be same thing that you've been seeing.

-- 
Mikael Abrahamsson    email: swm...@swm.pp.se








Re: question regarding over the counter devices

2017-03-01 Thread sthaug
> > IPv6 firewall non-on by default. I’ve not seen that myself in any 
> > product up to now.
> 
> How many products have you looked at? We're still talking about home 
> routers now, right?

I was commenting on "all the IPv6 OSs *for hosts and servers*, have the
IPv6 firewall on by default" (my emphasis). This would seem to include
all the BSD variants, all the Linux variants, etc. And in that case, the
statement "IPv6 firewall on by default" is clearly not true.

Steinar Haug, AS2116


Re: question regarding over the counter devices

2017-03-01 Thread Mikael Abrahamsson

On Wed, 1 Mar 2017, JORDI PALET MARTINEZ wrote:


> IPv6 firewall non-on by default. I’ve not seen that myself in any product up to 
> now.


How many products have you looked at? We're still talking about home 
routers now, right?


I just checked Netgear R6100. Factory default has "IPv6 disabled", when I 
change it to "Auto Detect" the setting "IPv6 filtering" is "secured" by 
default.


So this seems to be same thing that you've been seeing.

--
Mikael Abrahamsson    email: swm...@swm.pp.se

Re: question regarding over the counter devices

2017-02-28 Thread Mikael Abrahamsson

On Wed, 1 Mar 2017, JORDI PALET MARTINEZ wrote:

> What I’ve seen, yes is on by default, but I also heard the same 
> complaint, but actually never seen a device not-on by default … so I’m 
> not really convinced is very real.


"not-on", do you mean "IPv6" or "IPv6 firewalling"?

--
Mikael Abrahamsson    email: swm...@swm.pp.se

Re: question regarding over the counter devices

2017-02-28 Thread sthaug
> However, I believe that all the IPv6 OSs for hosts and servers, have the IPv6 
> firewall on by default, so this should not be a big issue, unless you have 
> other devices with no IPv6 firewall (IP cameras?), which I think is not 
> common, because those devices (what I’ve seen up to now), only 
> respond to the port that they have designated to work on.

FreeBSD, at least until 11.0-STABLE: No IPv6 firewall turned on by
default. Which is exactly what I want.

Steinar Haug, AS2116


Re: question regarding over the counter devices

2017-02-28 Thread JORDI PALET MARTINEZ
What I’ve seen, yes is on by default, but I also heard the same complaint, but 
actually never seen a device not-on by default … so I’m not really convinced is 
very real.

However, I believe that all the IPv6 OSs for hosts and servers, have the IPv6 
firewall on by default, so this should not be a big issue, unless you have 
other devices with no IPv6 firewall (IP cameras?), which I think is not common, 
because those devices (what I’ve seen up to now), only respond to the port that 
they have designated to work on.

We had this debate several times in IETF I think …

There is some text about that in both RFC7084 (and bis that I’m working on 
https://tools.ietf.org/html/draft-palet-v6ops-rfc7084-bis-01) and RFC6092.

Regards,
Jordi
 

-Original message-
From:  on behalf of 
Mikael Abrahamsson 
Organization: People's Front Against WWW
Reply-To: 
Date: Wednesday, 1 March 2017, 8:06
To: 
Subject: question regarding over the counter devices


Hi,

I just had a discussion with people from an ISP in the process of 
implementing IPv6. They were afraid of turning on IPv6 for customers who 
had purchased their own routers themselves, because these routers might 
not have IPv6 firewalling on by default, thus exposing customers who used 
to be "protected" by IPv4 NAT, to now be exposed with unfirewalled IPv6.

So my question:

Devices that people buy in electronics stores etc, do they even come with 
IPv6 turned on by default?

If they do, is firewalling turned on by default?

My Apple Airport Express at least came with firewalling turned on, I don't 
remember what the default setting was for IPv6 support. But if one turned 
on IPv6 support, then one had to unclick the firewall clickbox to be able 
to get incoming connections.

I'm going to check the devices I have in my boxes here at home, but in the 
mean time would appreciate if others could share their experiences.

-- 
Mikael Abrahamsson    email: swm...@swm.pp.se










Re: question regarding over the counter devices

2017-02-28 Thread Torbjörn Eklöv

> On 1 March 2017 at 08:06, Mikael Abrahamsson wrote:
> 
> 
> Hi,
> 
> I just had a discussion with people from an ISP in the process of 
> implementing IPv6. They were afraid of turning on IPv6 for customers who had 
> purchased their own routers themselves, because these routers might not have 
> IPv6 firewalling on by default, thus exposing customers who used to be 
> "protected" by IPv4 NAT, to now be exposed with unfirewalled IPv6.
> 
> So my question:
> 
> Devices that people buy in electronics stores etc, do they even come with 
> IPv6 turned on by default?
> 
> If they do, is firewalling turned on by default?

Swedish only - https://ipv6only.se/  - tested some 
routers bought in electronic stores and tested IPv6 and firewall and most don’t 
have firewall for IPv6 enabled.
I’ll install Google translate for the site in some minutes.

/Tobbe

> 
> My Apple Airport Express at least came with firewalling turned on, I don't 
> remember what the default setting was for IPv6 support. But if one turned on 
> IPv6 support, then one had to unclick the firewall clickbox to be able to get 
> incoming connections.
> 
> I'm going to check the devices I have in my boxes here at home, but in the 
> mean time would appreciate if others could share their experiences.
> 
> --
> Mikael Abrahamsson    email: swm...@swm.pp.se




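The question running through this thread is whether a customer-bought router drops unsolicited inbound IPv6 by default while still passing the ICMPv6 Packet Too Big messages that PMTUD needs. The following is an added example, not code from any poster on the list: it assumes a Linux-based router whose rules can be dumped with `ip6tables-save`, uses constructed rulesets and hypothetical interface names (`wan6`, `br-lan`), and models only a flat FORWARD chain.

```python
import shlex
# Constructed sample in ip6tables-save format, not taken from any real device.
FILTERED = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-lan -o wan6 -j ACCEPT
COMMIT
"""
OPEN = FILTERED.replace(":FORWARD DROP", ":FORWARD ACCEPT")  # no IPv6 filtering
MODELLED = {"-i", "-o", "-p", "-m", "--ctstate", "--icmpv6-type", "-j"}  # one arg each

def parse(text):
    """Return (FORWARD default policy, FORWARD rules as option dicts)."""
    policy, rules = None, []
    for line in text.splitlines():
        if line.startswith(":FORWARD "):
            policy = line.split()[1]
        elif line.startswith("-A FORWARD "):
            tok = shlex.split(line)[2:]
            if len(tok) % 2 or set(tok[0::2]) - MODELLED:
                raise ValueError("rule not modelled: " + line)
            rules.append(dict(zip(tok[0::2], tok[1::2])))
    return policy, rules

def verdict(text, pkt):
    """First-match verdict for a model packet traversing FORWARD."""
    policy, rules = parse(text)
    for r in rules:
        if r.get("-i", pkt["in"]) != pkt["in"]: continue
        if r.get("-o", pkt["out"]) != pkt["out"]: continue
        if r.get("-p", pkt["proto"]) != pkt["proto"]: continue
        if pkt["state"] not in r.get("--ctstate", pkt["state"]).split(","): continue
        if r.get("--icmpv6-type", pkt.get("type")) != pkt.get("type"): continue
        if r.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return r["-j"]
        if r.get("-j") not in (None, "LOG"):
            raise ValueError("jump to a chain that is not modelled: " + r["-j"])
    return policy

def audit(text, wan="wan6", lan="br-lan"):
    """Verdicts for an unsolicited inbound TCP SYN and for an inbound Packet Too
    Big (conntrack marks an ICMPv6 error about a tracked flow as RELATED)."""
    new_tcp = {"in": wan, "out": lan, "proto": "tcp", "state": "NEW"}
    ptb = {"in": wan, "out": lan, "proto": "ipv6-icmp", "state": "RELATED", "type": "2"}
    return {"inbound_new_tcp": verdict(text, new_tcp), "packet_too_big": verdict(text, ptb)}
if __name__ == "__main__":
    print("filtered:", audit(FILTERED), "open:", audit(OPEN))
```

A result of `DROP` for `inbound_new_tcp` together with `ACCEPT` for `packet_too_big` is the combination the thread is asking for; a ruleset that raises `ValueError` needs manual review rather than a guessed verdict.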