<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12pt"><div><span>Why do you assume that IPv6 host based firewalling is going to be less effective than IPv4's? </span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;"><span><br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;"><span>Why do you assume hosts haven't been protecting themselves, when there is no way or not a reliably way that they can tell if there is an upstream NAT or firewall providing adequate protection in the network?</span></div><div style="color: rgb(0, 0, 0); font-size:
16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;"><span><br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;"><span>Who is protecting your smartphone when you are using it to access the Internet? If somebody "in the cloud" is protecting you, how can you be sure they're competent? What about when you're using a hotel's Wifi on your laptop? Who is protecting you then? What about when you use the Wifi at the Ausnog/X/Y/Z conference? At Ausnog, the likely greater threat is attached to the same Wifi SSID, not on the Internet ...</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal;
background-color: transparent;"><span><br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;"><span style="background-color: transparent;">If your smartphone is connected to both Wifi and xG, how can you be sure the apparently existing firewalls in those upstream networks are providing equivalent protection, and protection that is adequate for your specific needs?</span><br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;"><span><br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color:
transparent;"><br></div><div></div><blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; margin-top: 5px; padding-left: 5px;"> <div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12pt;"> <div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt;"> <div dir="ltr"> <hr size="1"> <font size="2" face="Arial"> <b><span style="font-weight:bold;">From:</span></b> Greg Anderson <ganderson@raywhite.com><br> <b><span style="font-weight: bold;">To:</span></b> Joseph Goldman <joe@apcs.com.au> <br><b><span style="font-weight: bold;">Cc:</span></b> "ausnog@lists.ausnog.net" <ausnog@lists.ausnog.net> <br> <b><span style="font-weight: bold;">Sent:</span></b> Friday, 25 July 2014 1:37 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [AusNOG] Globally Routed IPv6 and Windows Firewall<br> </font> </div> <div
class="y_msg_container"><br><div id="yiv6342222504"><div><div dir="ltr">I agree on the difficulties with brute forcing methods, but I personally don't consider it a silver bullet. There are ways to identify legitimate IP addresses without brute forcing - log files, traffic interception etc.</div>
<div class="yiv6342222504gmail_extra"><br clear="none"><br clear="none"><div class="yiv6342222504gmail_quote">On 25 July 2014 13:34, Joseph Goldman <span dir="ltr"><<a rel="nofollow" shape="rect" ymailto="mailto:joe@apcs.com.au" target="_blank" href="mailto:joe@apcs.com.au">joe@apcs.com.au</a>></span> wrote:<br clear="none"><blockquote class="yiv6342222504gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="qtdSeparateBR"><br><br></div><div class="yiv6342222504yqt7803673090" id="yiv6342222504yqt74036"><div>
I think the concern here though is the real 'dumb' home user. NAT
provides a level of security for inbound attacks to a Personal
Computer unless specified in port fowarding, so the users have
become accustomed to that level of security (even if they dont know
about it).<br clear="none">
<br clear="none">
It was a question that came up in my mind earlier this week too, and
not all modem/routers are featured with firewalls to do this - and
with pretty much any ISP having to allow BYOD, you can't control if
peoples routers will ever have this feature. For business/managed
connections I tend to personally go MikroTIK routers so they do have
the full featured firewall, and I would definitely be setting up
rules for IPv6 once we start our end-user roll-out, but I can't
control residential customer xyz's JB Hi-Fi bought D-Link, and I
don't really want the helpdesk flooded with calls about attacks and
virus' either.<br clear="none">
<br clear="none">
The only comfort that I got was that IPv6 is so vast that
brute-forcing seems illogical and unlikely to net many results. I
will be interested to see others opinions on the matter :)<div><div class="yiv6342222504h5"><br clear="none">
<br clear="none">
<div>On 25/07/14 13:20, Damien Gardner Jnr
wrote:<br clear="none">
</div>
<blockquote type="cite">
<div dir="ltr">What I do (and we do at work) is run stateful
firewalling on the home/office router, and don't allow inbound
traffic on v6 unless it's for an established session. Same as
we did all those years ago when our homes/offices had a public
/24 (We all had that at home right? ;) ). It's certainly not a
new problem :)
<div>
<br clear="none">
</div>
<div>Cheers,</div>
<div><br clear="none">
DG</div>
</div>
<div class="yiv6342222504gmail_extra"><br clear="none">
<br clear="none">
<div class="yiv6342222504gmail_quote">On 25 July 2014 13:11, Greg Anderson <span dir="ltr"><<a rel="nofollow" shape="rect" ymailto="mailto:ganderson@raywhite.com" target="_blank" href="mailto:ganderson@raywhite.com">ganderson@raywhite.com</a>></span>
wrote:<br clear="none">
<blockquote class="yiv6342222504gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div dir="ltr">Good day Ladies and Gentlemen!
<div><br clear="none">
</div>
<div>I had a quick question because try as I might,
anybody I have asked this question to so far (and
Google) have been unable to answer the question for me.</div>
<div><br clear="none">
</div>
<div>With the deployment of a dual stack IPv6 solution
either in a corporate or residential environment, I
expect most users would have a single NIC in most cases.</div>
<div><br clear="none">
</div>
<div>For Windows firewall, IPv4 addresses in common cases
are not globally routed addresses that often have less
restrictive firewall rules and services running on them
(EG SNMP, File/Printer sharing, RDP, Homegroup etc). In
these cases, some would often use "Domain" or "Private"
firewall profiles on these NIC's.</div>
<div><br clear="none">
</div>
<div>With the deployments of IPv6, they will also have
local link IPv6 addresses (fine as they are not globally
routed either obviously), and at some point many will
have a globally routed IPv6 address. So this means, for
a given NIC, you will now have:</div>
<div><br clear="none">
</div>
<div>- IPv4 Reserved address for Private local networking</div>
<div>
<div>- IPv6 Reserved address for Private local
networking</div>
<div>- IPv6 Globally routed address (and possibly a
second temporary address)</div>
<div><br clear="none">
</div>
<div>Suddenly when the deployment of Globally routed
IPv6 addresses happen: because the NIC has a private
profile there is suddenly private services exposed to
the Internet. (Let's put our tin foil hat on and
ignore the difficulties of brute force scanning an
IPv6 subnet).</div>
<div><br clear="none">
</div>
<div>Option 1 is obvious - change your NIC's network
type to public, and if you don't want everything to
break reconfigure all your rules to permit traffic
only from local link addresses (IE - a real pain in
the _)</div>
<div><br clear="none">
</div>
<div>Is there an option 2? Ideally, I would like the
public ranges to be automatically detected (or
specifically reconfigurable) as a globally routed IP
address range and therefore to be able to apply
multiple profiles (Public and Private/Domain) to a
single NIC.</div>
<div><br clear="none">
</div>
<div>I am considering this from a residential dumb end
user perspective as well as enterprise - so whilst I
would like a technical solution (and I am aware those
of us smart enough can still firewall at the edge just
like we do today) - many residential users will not
have these skills - they are likely to really open
themselves up. So I am interested to see if I am
missing something very obvious...</div>
<div><br clear="none">
</div>
<div>Thoughts?</div>
<span><font color="#888888">
</font></span><div><br clear="none">
</div>
<div>- Greg</div>
</div>
</div>
<br clear="none">
_______________________________________________<br clear="none">
AusNOG mailing list<br clear="none">
<a rel="nofollow" shape="rect" ymailto="mailto:AusNOG@lists.ausnog.net" target="_blank" href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br clear="none">
<a rel="nofollow" shape="rect" target="_blank" href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br clear="none">
<br clear="none">
</blockquote>
</div>
<br clear="none">
<br clear="all">
<div><br clear="none">
</div>
-- <br clear="none">
<div dir="ltr">
<div>Damien Gardner Jnr<br clear="none">
VK2TDG. Dip EE. GradIEAust<br clear="none">
<a rel="nofollow" shape="rect" ymailto="mailto:rendrag@rendrag.net" target="_blank" href="mailto:rendrag@rendrag.net">rendrag@rendrag.net</a> - <span><a rel="nofollow" shape="rect" target="_blank" href="http://www.rendrag.net/">http://www.rendrag.net/</a><u><br clear="none">
</u></span>--<br clear="none">
We rode on the winds of the rising storm,<br clear="none">
We ran to the sounds of thunder.<br clear="none">
We danced among the lightning bolts,<br clear="none">
and tore the world asunder</div>
</div>
</div>
<br clear="none">
<fieldset></fieldset>
<br clear="none">
<pre>_______________________________________________
AusNOG mailing list
<a rel="nofollow" shape="rect" ymailto="mailto:AusNOG@lists.ausnog.net" target="_blank" href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a>
<a rel="nofollow" shape="rect" target="_blank" href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a>
</pre>
</blockquote>
<br clear="none">
</div></div></div></div>
<br clear="none">_______________________________________________<br clear="none">
AusNOG mailing list<br clear="none">
<a rel="nofollow" shape="rect" ymailto="mailto:AusNOG@lists.ausnog.net" target="_blank" href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br clear="none">
<a rel="nofollow" shape="rect" target="_blank" href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br clear="none">
<br clear="none"></blockquote></div><br clear="none"><br clear="all"><div><br clear="none"></div>-- <br clear="none"><img src="https://lh5.googleusercontent.com/-aWq61wdav6s/UM_3TdCcU9I/AAAAAAAAAEE/JxSBQrF1JzI/w600-h148-p-k/ganderson_footer_small.png"><br clear="none">
</div></div></div><br><div class="yqt7803673090" id="yqt23487">_______________________________________________<br clear="none">AusNOG mailing list<br clear="none"><a shape="rect" ymailto="mailto:AusNOG@lists.ausnog.net" href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br clear="none"><a shape="rect" href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br clear="none"></div><br><br></div> </div> </div> </blockquote><div></div> </div></body></html>