<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.hoenzb
{mso-style-name:hoenzb;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-AU link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>My assumption was similar, that we would start to see “home” grade routers etc. putting inbound firewalls in place by default. I would not be surprised if they even used the term “port forwarding” on it at first to ease the transition for users.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I don’t get IPv6 yet at home (on Exetel) and even if I did, my Cisco router is not “home” grade, so I can’t comment on whether any are shipping with firewalls on; that was just my assumption, as it’s the easiest way to provide a like-for-like transition for users.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#333333'>Ayden Beeson<i> </i></span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> AusNOG [mailto:ausnog-bounces@lists.ausnog.net] <b>On Behalf Of </b>Damien Gardner Jnr<br><b>Sent:</b> Friday, 25 July 2014 1:36 PM<br><b>To:</b> Greg 
Anderson<br><b>Cc:</b> ausnog@ausnog.net<br><b>Subject:</b> Re: [AusNOG] Globally Routed IPv6 and Windows Firewall<o:p></o:p></span></p></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Hmmm, I had assumed that home routers would simply firewall on v6 the way they do for v4, and provide a web interface to add exception rules. Would be interesting to find out if this is the case though!<o:p></o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On 25 July 2014 13:34, Greg Anderson <<a href="mailto:ganderson@raywhite.com" target="_blank">ganderson@raywhite.com</a>> wrote:<o:p></o:p></p><div><p class=MsoNormal>Definitely not a new problem, but I would consider it a previously very uncommon problem.<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Whilst we seem to agree on filtering at the edge, is this something that is going to be used in the residential space? This is very clear in the enterprise space where things are less dynamic, but at home you are now potentially opening firewall ports in two places, and Joe Public is not going to understand how to do these things. <o:p></o:p></p></div></div><div><div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On 25 July 2014 13:20, Damien Gardner Jnr <<a href="mailto:rendrag@rendrag.net" target="_blank">rendrag@rendrag.net</a>> wrote:<o:p></o:p></p><div><p class=MsoNormal>What I do (and we do at work) is run stateful firewalling on the home/office router, and don't allow inbound traffic on v6 unless it's for an established session. Same as we did all those years ago when our homes/offices had a public /24 (we all had that at home, right? ;) ). 
It's certainly not a new problem :)<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Cheers,<o:p></o:p></p></div><div><p class=MsoNormal><br>DG<o:p></o:p></p></div></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><o:p> </o:p></p><div><div><div><p class=MsoNormal>On 25 July 2014 13:11, Greg Anderson <<a href="mailto:ganderson@raywhite.com" target="_blank">ganderson@raywhite.com</a>> wrote:<o:p></o:p></p></div></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><div><div><p class=MsoNormal>Good day Ladies and Gentlemen!<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I had a quick question because, try as I might, anybody I have asked this question so far (and Google) has been unable to answer it for me.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>With the deployment of a dual-stack IPv6 solution, either in a corporate or residential environment, I expect most users would have a single NIC in most cases.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>For Windows Firewall, IPv4 addresses in common cases are not globally routed addresses, and they often have less restrictive firewall rules and services running on them (e.g. SNMP, file/printer sharing, RDP, HomeGroup, etc.). In these cases, some would often use the "Domain" or "Private" firewall profiles on these NICs.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>With the deployment of IPv6, they will also have link-local IPv6 addresses (fine, as they are obviously not globally routed either), and at some point many will have a globally routed IPv6 address. 
So this means, for a given NIC, you will now have:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>- IPv4 reserved address for private local networking<o:p></o:p></p></div><div><div><p class=MsoNormal>- IPv6 reserved address for private local networking<o:p></o:p></p></div><div><p class=MsoNormal>- IPv6 globally routed address (and possibly a second, temporary address)<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Suddenly, when the deployment of globally routed IPv6 addresses happens, because the NIC has a Private profile there are suddenly private services exposed to the Internet. (Let's put our tinfoil hat on and ignore the difficulties of brute-force scanning an IPv6 subnet.)<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Option 1 is obvious: change your NIC's network type to Public and, if you don't want everything to break, reconfigure all your rules to permit traffic only from link-local addresses (i.e. a real pain in the _).<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Is there an option 2? Ideally, I would like the public ranges to be automatically detected (or specifically reconfigurable) as a globally routed IP address range, and therefore to be able to apply multiple profiles (Public and Private/Domain) to a single NIC.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I am considering this from a residential dumb end-user perspective as well as enterprise, so whilst I would like a technical solution (and I am aware those of us smart enough can still firewall at the edge, just like we do today), many residential users will not have these skills; they are likely to really open themselves up. 
So I am interested to see if I am missing something very obvious...<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thoughts?<o:p></o:p></p></div><div><p class=MsoNormal><span style='color:#888888'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='color:#888888'>- Greg<o:p></o:p></span></p></div></div></div><p class=MsoNormal><o:p> </o:p></p></div></div><p class=MsoNormal style='margin-bottom:12.0pt'>_______________________________________________<br>AusNOG mailing list<br><a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br><a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><o:p></o:p></p></blockquote></div><p class=MsoNormal><span style='color:#888888'><br><br clear=all><o:p></o:p></span></p><div><p class=MsoNormal><span style='color:#888888'><o:p> </o:p></span></p></div><p class=MsoNormal><span style='color:#888888'>-- <o:p></o:p></span></p><div><p><span style='color:#888888'>Damien Gardner Jnr<br>VK2TDG. Dip EE. 
GradIEAust<br><a href="mailto:rendrag@rendrag.net" target="_blank">rendrag@rendrag.net</a> - <a href="http://www.rendrag.net/" target="_blank">http://www.rendrag.net/</a><u><br></u>--<br>We rode on the winds of the rising storm,<br> We ran to the sounds of thunder.<br>We danced among the lightning bolts,<br> and tore the world asunder<o:p></o:p></span></p></div></div></div><p class=MsoNormal><br><br clear=all><o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div></div></div><p class=MsoNormal><span class=hoenzb><span style='color:#888888'>-- </span></span><span style='color:#888888'><br><img border=0 id="_x0000_i1025" src="https://lh5.googleusercontent.com/-aWq61wdav6s/UM_3TdCcU9I/AAAAAAAAAEE/JxSBQrF1JzI/w600-h148-p-k/ganderson_footer_small.png"></span><o:p></o:p></p></div></div><p class=MsoNormal><br><br clear=all><o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>-- <o:p></o:p></p><div><p>Damien Gardner Jnr<br>VK2TDG. Dip EE. GradIEAust<br><a href="mailto:rendrag@rendrag.net" target="_blank">rendrag@rendrag.net</a> - <a href="http://www.rendrag.net/" target="_blank">http://www.rendrag.net/</a><u><br></u>--<br>We rode on the winds of the rising storm,<br> We ran to the sounds of thunder.<br>We danced among the lightning bolts,<br> and tore the world asunder<o:p></o:p></p></div></div></div>
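<p class=MsoNormal>The following is an added example, not code from the thread or from any of its participants. Windows Firewall assigns one profile per connected network, not per address family, so Greg's "option 2" (a Public profile for the global IPv6 address and Private/Domain for the rest of the same NIC) is not something the built-in model offers; this script does his "option 1" in bulk instead. It lists the enabled inbound Allow rules that are active under the Private, Domain or Any profile and accept connections from any remote address, which is the set that becomes reachable from the Internet once a global IPv6 address appears on the NIC, and optionally re-scopes them to RFC 1918, IPv6 link-local and unique-local sources. It assumes Windows 8 / Server 2012 or later (the NetSecurity module) and an elevated session; the function names and the $LocalOnly range list are my own choices.</p>

```powershell
# Added example (not from the AusNOG thread): audit and re-scope Windows Firewall
# inbound rules so that rules active under Private/Domain only accept traffic from
# non-globally-routed sources. Assumes Windows 8 / Server 2012 or later (NetSecurity
# module) and an elevated PowerShell session.
#Requires -RunAsAdministrator

# Sources we still trust on a "private" NIC: RFC 1918 IPv4, IPv6 link-local and
# unique local. Deliberately NOT the 'LocalSubnet' keyword: on a dual-stack NIC that
# keyword also matches the ISP-assigned global /64, which is exactly the exposure
# being discussed. Adjust this list to taste (e.g. add 169.254.0.0/16 if you rely on
# IPv4 link-local).
$script:LocalOnly = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', 'fe80::/10', 'fc00::/7')

function Get-ExposedInboundRule {
    # Enabled inbound Allow rules that apply to the Private, Domain or Any profile and
    # whose remote-address filter is 'Any', i.e. the ones a global IPv6 peer can hit.
    param(
        # Rule groups to leave alone. Core Networking carries the ICMPv6, DHCPv6 and
        # Neighbor Discovery rules IPv6 needs to function; re-scoping those breaks v6.
        [string[]] $SkipGroup = @('Core Networking*')
    )
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object { $_.Profile -match 'Private|Domain|Any' } |
        Where-Object {
            $g = $_.DisplayGroup
            -not ($SkipGroup | Where-Object { $g -like $_ })
        } |
        ForEach-Object {
            # The address scope lives on a separate filter object linked to the rule.
            $addr = $_ | Get-NetFirewallAddressFilter
            if (@($addr.RemoteAddress) -contains 'Any') {
                [pscustomobject]@{
                    Name          = $_.Name
                    DisplayName   = $_.DisplayName
                    Profile       = $_.Profile
                    RemoteAddress = (@($addr.RemoteAddress) -join ', ')
                }
            }
        }
}

function Limit-InboundRuleToLocal {
    # Re-scopes every rule returned by Get-ExposedInboundRule to $LocalOnly.
    # Dry run by default; pass -Apply to change the live policy.
    param([switch] $Apply)
    foreach ($rule in Get-ExposedInboundRule) {
        if ($Apply) {
            Set-NetFirewallRule -Name $rule.Name -RemoteAddress $script:LocalOnly
            "Re-scoped: $($rule.DisplayName) [$($rule.Profile)]"
        } else {
            "Would re-scope: $($rule.DisplayName) [$($rule.Profile)] remote=$($rule.RemoteAddress)"
        }
    }
}

# Usage
Get-ExposedInboundRule | Format-Table -AutoSize   # what a global v6 peer can currently reach
Limit-InboundRuleToLocal                          # dry run, prints what would change
# Limit-InboundRuleToLocal -Apply                 # commit the new remote-address scope
```

<p class=MsoNormal>Run the dry run first and read the list: anything you genuinely want reachable from the Internet (an SSH or RDP rule you rely on, for instance) should be excluded by name or re-scoped by hand rather than left at the defaults. The edge firewall Damien describes remains the better control for a home network; this script only narrows what the host itself will answer if that edge is missing or misconfigured.</p>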
</body></html>