<div dir="ltr">This is an interesting topic, one we discussed recently internally - we can deploy IPv6 quite easily on our handful of servers, but we currently don't see a benefit as all current traffic can be routed via IPv4. <span style="font-size:12.8px">"End users don't care about IPv6" is pretty much the reason we haven't switched it on, and until then it will most likely remain on hold - and I'm sure I'm not the only one with this opinion. I do agree, though, that this is a trivial argument against it, but one that is hard to overcome currently - until someone really steps into play and enforces IPv6 we will most likely see it remain in the dark. </span></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><font face="trebuchet ms, helvetica, sans-serif">Azapp IT Support and Solutions</font></div></div></div>
<br><div class="gmail_quote">On Fri, May 27, 2016 at 5:10 PM, Mark Andrews <span dir="ltr"><<a href="mailto:marka@isc.org" target="_blank">marka@isc.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
In message <<a href="mailto:5747E0FF.3020706@0xc0dedbad.com">5747E0FF.3020706@0xc0dedbad.com</a>>, Peter Fern writes:<br>
> On 05/27/16 15:11, Pete Mundy wrote:<br>
> > <snip><br>
<span class="">> > One particular message from the thread that sums it up well is quoted<br>
> > follow below. But there are others, so it's worth reviewing the entire<br>
> > thread.<br>
</span>> > <snip><br>
<span class="">> ><br>
> > On 6/05/2016, at 8:45 am, Mark Smith <<a href="mailto:markzzzsmith@gmail.com">markzzzsmith@gmail.com</a><br>
</span><span class="">> > <mailto:<a href="mailto:markzzzsmith@gmail.com">markzzzsmith@gmail.com</a>>> wrote:<br>
> ><br>
> > On 5 May 2016 20:28, "Peter Fern" <<a href="mailto:ausnog@0xc0dedbad.com">ausnog@0xc0dedbad.com</a><br>
</span><span class="">> > <mailto:<a href="mailto:ausnog@0xc0dedbad.com">ausnog@0xc0dedbad.com</a>>> wrote:<br>
> > ><br>
> > > What do the default firewalls look like on those modems? Will we<br>
> > > suddenly find thousands of Windows PCs directly accessible on the<br>
> > Internet?<br>
> ><br>
> > Possibly, and it doesn't matter.<br>
> ><br>
> > <a href="https://technet.microsoft.com/library/bb877979" rel="noreferrer" target="_blank">https://technet.microsoft.com/library/bb877979</a><br>
> ><br>
> > Every version of Windows since then has had a host firewall, mainly<br>
> > courtesy of this guy - <a href="http://www.huitema.net/bio.asp" rel="noreferrer" target="_blank">http://www.huitema.net/bio.asp</a> (his "Routing In<br>
> > The Internet" book is excellent).<br>
> ><br>
> > The easier target these days is the unmaintained CPE itself, and<br>
> > they're much easier to find.<br>
> ><br>
> > <a href="http://routersecurity.org/bugs.php" rel="noreferrer" target="_blank">http://routersecurity.org/bugs.php</a><br>
> ><br>
> > People need to stop thinking that host security is stuck in the<br>
> > 1990s/early 2000s. There are instances where it is, but it is not<br>
> > universal.<br>
> ><br>
><br>
</span>> I'll respond here where I didn't in the last thread due to the immediate<br>
> pile-on. Windows was intended as tongue-in-cheek, but was obviously a<br>
> poor example. How does this logic hold up if you replace Windows with<br>
> OSX, Linux, webcams, appliances, IoT devices, toasters, etc? *Plenty*<br>
> of devices do not ship/enable host firewalls by default, and expose<br>
> numerous services that are best walled-off from the Internet.<br>
<br>
OSX has the host firewall on by default. Linux has a host firewall<br>
and depending upon the distro it may be on or off by default. In<br>
reality you don't need a host firewall for most things. A simple<br>
ACL after accept is enough, as you only have a single port open, if<br>
any at all.<br>
<br>
e.g. TV's don't need to be listening on the net.<br>
<br>
What is needed is to build with the concept that there is a hostile<br>
environment out there and to validate all inputs before otherwise<br>
using them.<br>
<br>
This is what we do with BIND. We code assuming that there is nothing<br>
between the server and the rest of the world. We have machines<br>
continually attempting to break it. We issue advisories when we<br>
find an issue. We assume there are blackhats inspecting every change<br>
we make in an attempt to find a way in. We also have thousands of<br>
internal consistency checks.<br>
<br>
> If the ISP has supplied a CPE, enables IPv6 without notification,<br>
> assistance, or recommendations, and the CPEs are inadequately configured<br>
> to protect users, then the expectations of risk for (particularly<br>
> less-savvy) end-users change dramatically. This would seem to me to be<br>
> a problem.<br>
><br>
> There is some level of validity to the argument that larger address<br>
> space makes scanning more expensive, but when the scanning is being done<br>
> by swarms of zombies, that just slows the process (a lot, granted),<br>
> though there may be ways to improve the hit-rate there too.<br>
<span class="">><br>
> On 05/27/16 15:18, Mark Andrews wrote:<br>
> > It isn't the ISP's job.<br>
><br>
</span>> That seems rather short-sighted, and additionally problematic if the ISP<br>
> supplies the CPE and configuration.<br>
<br>
If the ISP supplies the CPE then they need to source a CPE with<br>
equivalent functionality, which does exist.<br>
<span class=""><br>
> > If manufacturers are selling consumer equipment that is incapable of<br>
> > being exposed to the net directly they should be being fined for<br>
> > selling substandard products and be forced to recall / provide updates.<br>
><br>
</span>> Except that this is far removed from reality.<br>
<br>
It shouldn't be. We have strong consumer protection laws in this<br>
country and we pay a premium for this.<br>
<span class="HOEnZb"><font color="#888888"><br>
Mark<br>
</font></span><span class="im HOEnZb">--<br>
Mark Andrews, ISC<br>
1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
PHONE: <a href="tel:%2B61%202%209871%204742" value="+61298714742">+61 2 9871 4742</a> INTERNET: <a href="mailto:marka@isc.org">marka@isc.org</a><br>
</span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</div></div></blockquote></div><br></div>
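<p>The "simple ACL after accept" that Mark Andrews describes in the quoted reply, written out as an added example. This is not ISC/BIND code and not code from anyone in the thread; the allow-list prefixes are constructed sample values drawn from the RFC 5737 and RFC 3849 documentation ranges, and the function names (<code>peer_allowed</code>, <code>serve_once</code>, <code>listen_dual_stack</code>) are this example's own. It also covers one detail a dual-stack deployment runs into: an IPv6 listening socket reports IPv4 clients as IPv4-mapped addresses (<code>::ffff:a.b.c.d</code>), which must be unwrapped before comparing against IPv4 ACL entries, otherwise an IPv4 peer never matches an IPv4 network.</p>

```python
"""Accept-then-ACL: check every accepted connection's peer address against
an allow-list in the application itself, rather than relying on a host or
CPE firewall to be in front of the service.

Added example for the "simple ACL after accept" idea in the thread; it is
not ISC/BIND code.  ACL prefixes are constructed documentation ranges.
"""

import ipaddress
import socket

# Constructed allow-list (documentation prefixes plus loopback), not a real
# deployment.  Anything outside these networks is dropped after accept().
ACL = [
    ipaddress.ip_network("192.0.2.0/24"),     # RFC 5737 TEST-NET-1
    ipaddress.ip_network("2001:db8::/32"),    # RFC 3849 documentation prefix
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]


def normalize_peer(addr: str):
    """Turn the peer address string from accept() into an ip_address object.

    Strips a link-local zone index ("fe80::1%eth0") and unwraps IPv4-mapped
    IPv6 addresses ("::ffff:192.0.2.10"), which a dual-stack AF_INET6 socket
    reports for IPv4 clients, so IPv4 ACL entries can match them.
    """
    host = addr.split("%", 1)[0]
    ip = ipaddress.ip_address(host)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def peer_allowed(addr: str, acl=ACL) -> bool:
    """True iff the peer address lies inside one of the ACL networks.

    An unparseable address is denied rather than raising: the address comes
    from the network, so treat it as hostile input.
    """
    try:
        ip = normalize_peer(addr)
    except ValueError:
        return False
    return any(ip in net for net in acl)


def serve_once(listener: socket.socket, acl=ACL) -> bool:
    """Accept one connection and apply the ACL before reading anything.

    Returns True if the peer was allowed and served, False if it was dropped.
    The socket is closed on both paths by the `with` block.
    """
    conn, peer = listener.accept()
    with conn:
        if not peer_allowed(peer[0], acl):
            return False
        conn.sendall(b"hello\n")
        return True


def listen_dual_stack(port: int = 0) -> socket.socket:
    """Create an IPv6 listener that also accepts IPv4 peers (as mapped addresses)."""
    s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
    s.bind(("::", port))
    s.listen(5)
    return s


if __name__ == "__main__":
    # Stand-alone demo: connect to ourselves over IPv6 loopback (::1 is in
    # the ACL) and over IPv4 loopback (127.0.0.1, seen as ::ffff:127.0.0.1).
    import threading
    srv = listen_dual_stack()
    port = srv.getsockname()[1]
    results = []
    t = threading.Thread(target=lambda: results.extend(
        [serve_once(srv), serve_once(srv)]))
    t.start()
    for fam, host in ((socket.AF_INET6, "::1"), (socket.AF_INET, "127.0.0.1")):
        with socket.socket(fam, socket.SOCK_STREAM) as c:
            c.connect((host, port))
            c.recv(16)
    t.join()
    srv.close()
    print("served:", results)
```

<p>The check runs before any byte of the request is read, so a peer outside the ACL never reaches the parsing code. Note that this protects only this listener; it does nothing for other services the host exposes, which is the gap the thread is arguing about.</p>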