<p dir="ltr">The immediate issue with this that springs to mind is that if people don't bother with IPv6 before customers ask for it, then they won't be ready for IPv6 when customers DO ask for it.</p>
<p dir="ltr">That doesn't strike me as good business sense to my way of thinking. But what would I know, I'm just a customer who already wants IPv6 but can't get it on a decent speed connection.</p>
<div class="gmail_quote">On 27 May 2016 5:26 PM, "Jesse Fusarelli" <<a href="mailto:jesse@azapp.com.au">jesse@azapp.com.au</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">This is an interesting topic one we discussed recently internally - we can deploy ipv6 quiet easily on our handful of servers, we currently don't see a benefit as all current traffic can be routed via ipv4. <span style="font-size:12.8px">"End users don't care about IPv6" is pretty much the reason we haven't switched it on and until then it will most likely remain on hold - and I'm sure I'm not the only one with this opinion. I do agree though this is a trivial against argument but one that is hard to overcome currently - until someone really steps into play and enforces ipv6 we will most likely see it remain in the dark. </span></div><div class="gmail_extra"><br clear="all"><div><div><div dir="ltr"><font face="trebuchet ms, helvetica, sans-serif">Azapp IT Support and Solutions</font></div></div></div>
<br><div class="gmail_quote">On Fri, May 27, 2016 at 5:10 PM, Mark Andrews <span dir="ltr"><<a href="mailto:marka@isc.org" target="_blank">marka@isc.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
In message <<a href="mailto:5747E0FF.3020706@0xc0dedbad.com" target="_blank">5747E0FF.3020706@0xc0dedbad.com</a>>, Peter Fern writes:<br>
> On 05/27/16 15:11, Pete Mundy wrote:<br>
> > <snip><br>
<span>> > One particular message from the thread that sums it up well is quoted<br>
> > follow below. But there are others, so it's worth reviewing the entire<br>
> > thread.<br>
</span>> > <snip><br>
<span>> ><br>
> > On 6/05/2016, at 8:45 am, Mark Smith <<a href="mailto:markzzzsmith@gmail.com" target="_blank">markzzzsmith@gmail.com</a><br>
</span><span>> > <mailto:<a href="mailto:markzzzsmith@gmail.com" target="_blank">markzzzsmith@gmail.com</a>>> wrote:<br>
> ><br>
> > On 5 May 2016 20:28, "Peter Fern" <<a href="mailto:ausnog@0xc0dedbad.com" target="_blank">ausnog@0xc0dedbad.com</a><br>
</span><span>> > <mailto:<a href="mailto:ausnog@0xc0dedbad.com" target="_blank">ausnog@0xc0dedbad.com</a>>> wrote:<br>
> > ><br>
> > > What do the default firewalls look like on those modems? Will we<br>
> > > suddenly find thousands of Windows PCs directly accessible on the<br>
> > Internet?<br>
> ><br>
> > Possibly, and it doesn't matter.<br>
> ><br>
> > <a href="https://technet.microsoft.com/library/bb877979" rel="noreferrer" target="_blank">https://technet.microsoft.com/library/bb877979</a><br>
> ><br>
> > Every version of Windows since then has had a host firewall, mainly<br>
> > courtesy of this guy - <a href="http://www.huitema.net/bio.asp" rel="noreferrer" target="_blank">http://www.huitema.net/bio.asp</a> (his "Routing In<br>
> > The Internet" book is excellent).<br>
> ><br>
> > The easier target these days is the unmaintained CPE itself, and<br>
> > they're much easier to find.<br>
> ><br>
> > <a href="http://routersecurity.org/bugs.php" rel="noreferrer" target="_blank">http://routersecurity.org/bugs.php</a><br>
> ><br>
> > People need to stop thinking that host security is stuck in the in the<br>
> > 1990s/early 2000s. There are instances where it is, but it is not<br>
> > universal.<br>
> ><br>
><br>
</span>> I'll respond here where I didn't in the last thread due to the immediate<br>
> pile-on. Windows was intended as tongue-in-cheek, but was obviously a<br>
> poor example. How does this logic hold up if you replace Windows with<br>
> OSX, Linux, webcams, appliances, IoT devices, toasters, etc? *Plenty*<br>
> of devices do not ship/enable host firewalls by default, and expose<br>
> numerous services that are best walled-off from the Internet.<br>
<br>
OSX has the host firewall on by default. Linux has host firewall<br>
and depending upon the distro it many be on or off by default. In<br>
reality you don't need a host firewall for most things. A simple<br>
acl after accept is enough as you only have a single port open if<br>
any at all.<br>
<br>
e.g. TV's don't need to be listening on the net.<br>
<br>
What is needed is to build with concept that there is a hostile<br>
environment out there and to validate all inputs before otherwise<br>
using them.<br>
<br>
This is what we do with BIND. We code assuming that there is nothing<br>
between the server and the rest of the world. We have machines<br>
continually attempting to break it. We issue advisaries when we<br>
find a issue. We assume there are blackhats inspecting every change<br>
we make in a attempt to find a way in. We also have thousands of<br>
internal consistancy checks.<br>
<br>
> If the ISP has supplied a CPE, enables IPv6 without notification,<br>
> assistance, or recommendations, and the CPEs are inadequately configured<br>
> to protect users, then the expectations of risk for (particularly<br>
> less-savvy) end-users changes dramatically. This would seem to me to be<br>
> a problem.<br>
><br>
> There is some level of validity to the argument that larger address<br>
> space makes scanning more expensive, but when the scanning is being done<br>
> by swarms of zombies, that just slows the process (a lot, granted),<br>
> though there may be ways to improve the hit-rate there too.<br>
<span>><br>
> On 05/27/16 15:18, Mark Andrews wrote:<br>
> > It isn't the ISP's job.<br>
><br>
</span>> That seems rather short-sighted, and additionally problematic if the ISP<br>
> supplies the CPE and configuration.<br>
<br>
If the ISP supplies the CPE then they need to source a CPE with<br>
equivalent functionality which do exist.<br>
<span><br>
> > If manufacturers are selling consumer equipement that is incapable of<br>
> > being exposed to the net directly they should be being fined for<br>
> > selling substandard products and be forced to recall / provide updates.<br>
><br>
</span>> Except that this is far removed from reality.<br>
<br>
It shouldn't be. We have strong consumer protection laws in this<br>
country and we pay a premium for this.<br>
<span><font color="#888888"><br>
Mark<br>
</font></span><span>--<br>
Mark Andrews, ISC<br>
1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
PHONE: <a href="tel:%2B61%202%209871%204742" value="+61298714742" target="_blank">+61 2 9871 4742</a> INTERNET: <a href="mailto:marka@isc.org" target="_blank">marka@isc.org</a><br>
</span><div><div>_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</div></div></blockquote></div><br></div>
<br>_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
<br></blockquote></div>