[AusNOG] IPv6 excuses

Mark Smith markzzzsmith at gmail.com
Fri May 27 15:24:17 EST 2016


On 27 May 2016 at 14:55, Philip Loenneker
<Philip.Loenneker at tasmanet.com.au> wrote:
> I'm curious to know if/how providers that have enabled IPv6 are protecting users after the introduction of IPv6. The majority of end users are not capable, and probably should not be expected to be capable, of maintaining a suitable firewall. The wide variety of routers available would offer an equally wide variety of protection to IPv6 clients.
>
> Despite all the shortcomings, NAT provides a very convenient barrier between the Internet and customer internal networks.
>

Your knowledge of the state of Internet CPE and host security is out of date.

Using Windows as an example, Windows has had an IPv6 firewall, enabled
by default, since Windows XP Service Pack 2, released in August 2004.
Many other OSes have had host firewalls installed and enabled by
default for years for both IPv4 and IPv6.

Your NAT box that is providing the "barrier" is now the target because
it is the weakest point.

http://routersecurity.org/bugs.php


If you're assuming IPv6 is just IPv4 with bigger addresses, it is more
than that. However, even the "bigger addresses" helps - unsolicited
address probing from the Internet to discover IPv4 devices is easily
practical, whereas for IPv6 it isn't unless you can guess something
about the IPv6 addresses in use to shrink the search space.

"Network Reconnaissance in IPv6 Networks"
https://tools.ietf.org/rfc/rfc7707.txt


Regards,
Mark.




> -----Original Message-----
> From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Mark Smith
> Sent: Friday, 27 May 2016 2:30 PM
> To: Mark Andrews <marka at isc.org>
> Cc: AusNOG Mailing List <ausnog at ausnog.net>
> Subject: Re: [AusNOG] IPv6 excuses
>
> On 27 May 2016 at 13:56, Mark Andrews <marka at isc.org> wrote:
>>
>> In message <CAO42Z2y87pe4M44V5jjuDGAOZQe1YfKvs1f7zhbgLDsJAxVrMg at mail.gmail.com>, Mark Smith writes:
>>> On 27 May 2016 at 12:32, Skeeve Stevens
>>> <skeeve+ausnog at eintellegonetworks.com> wrote:
>>> >
>>> > Love it...
>>> >
>>> > Most of them are true... except
>>> >
>>> > "None of our customers want it" and "End users don't care about IPv6"
>>> >
>>> > Are true... they don't and won't... but it isn't a valid reason not to
>>> > roll it out... but it is a painful one when justifying the business case.
>>> >
>>>
>>> I doubt many of them wanted IPv4 either. They wanted Internet access,
>>> or probably more specifically, email and world-wide-web access.
>>>
>>> IPv4 and IPv6 are the 'whats' not the 'whys'.
>>>
>>> If you walk up to somebody, even a technical manager, and say "we need
>>> to deploy IPv6", their likely answer will be the question "why?" (or
>>> "<sigh> Not this again."). You need to have an answer, and it needs to
>>> be valid for the situation.
>>>
>>> On the Internet, IPv6 is optional, because somebody can access
>>> everything with just an IPv4 address.
>>
>> This has not been true for 20 years now.  The moment we were forced
>> into using NAT to connect people could connect to everything they
>> wanted to.  Just because we have put up with degraded service through
>> necessity doesn't mean that there isn't an issue.  CGNAT just made
>> the problem worse as many workarounds don't work with CGNAT.
>>
>> NAT and CGNAT are stop gap mechanisms.  People have forgotten this
>> as they have had to live with it for too long.
>>
>
> I think the trouble has been that the costs of NAT in IPv4 at the
> customer premise have been small enough that they've been tolerated,
> perhaps also because they've been unavoidable - we probably couldn't
> have deployed broadband Internet access without it, because there were
> too many things that weren't IPv6 capable at the time. With the IPv4
> NAT cost being low and already paid, even though IPv6 can remove them,
> there hasn't been a strong enough incentive to remove them.
>
> CGN at the ISP, where the NAT costs are greater in both equipment
> capacity and to the helpdesk (as a consequence of dual inline-NATs),
> might change that if those increased costs are passed onto IPv4/NAT
> only customers.
>
> Regards,
> Mark.
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
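As an added illustration of the RFC 7707 point above (this is not code from the thread or from any of its authors), the script below classifies IPv6 addresses by the interface-identifier patterns RFC 7707 describes (modified EUI-64 derived from a MAC, low-byte, IPv4-embedded, or random/temporary) and estimates how many bits a scanner still has to brute-force per /64 once it has recognised the pattern. The vendor OUI in KNOWN_OUIS and the sample addresses (in the 2001:db8::/32 documentation prefix) are constructed for the example; the helper names are my own.

```python
"""Estimate how guessable IPv6 interface identifiers (IIDs) are.

Added example, not from the AusNOG thread.  Patterns follow RFC 7707
section 4.1; the address samples and the vendor OUI are constructed.
"""
import ipaddress
from typing import Iterator

# Hypothetical vendor OUI (assumption for the demo, not real vendor data).
# A scanner that knows the OUI of the deployed NICs only has to guess the
# 24-bit device part of a SLAAC address.
KNOWN_OUIS = {"00:1b:21"}


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Build the SLAAC address a host with MAC `mac` forms in `prefix`/64
    using modified EUI-64 (RFC 4291 Appendix A): split the MAC, insert
    ff:fe in the middle and flip the universal/local bit of the first byte."""
    m = bytes.fromhex(mac.replace(":", ""))
    if len(m) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]
    net = ipaddress.IPv6Network(prefix, strict=False)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def eui64_candidates(prefix: str, oui: str, start: int = 0,
                     count: int = 1 << 24) -> Iterator[ipaddress.IPv6Address]:
    """Enumerate the SLAAC addresses a scanner would try in one /64 once it
    knows the vendor OUI: at most 2^24 candidates instead of 2^64."""
    for nic in range(start, start + count):
        mac = "%s:%02x:%02x:%02x" % (oui, (nic >> 16) & 0xFF,
                                     (nic >> 8) & 0xFF, nic & 0xFF)
        yield eui64_address(prefix, mac)


def classify_iid(addr: str) -> tuple[str, int]:
    """Return (pattern, bits) where `bits` is the size of the search space a
    scanner faces per /64 after recognising the IID pattern (RFC 7707 4.1)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]  # low 64 bits
    # Modified EUI-64: ff:fe in bytes 3-4 and the U/L bit (bit 1 of byte 0)
    # set, i.e. derived from a globally unique MAC address.
    if iid[3] == 0xFF and iid[4] == 0xFE and iid[0] & 0x02:
        oui = "%02x:%02x:%02x" % (iid[0] ^ 0x02, iid[1], iid[2])
        # Known OUI: 24 unknown bits.  Unknown OUI: 24 OUI bits + 24 NIC
        # bits, but only a small fraction of OUIs are assigned, so 2^40 is
        # a generous upper bound rather than 2^48.
        return ("eui64", 24 if oui in KNOWN_OUIS else 40)
    # Low-byte: ::1, ::2, ... (routers, servers, manually numbered hosts).
    if iid[:6] == b"\x00" * 6:
        return ("low-byte", 16)
    # IPv4-embedded: ::192.0.2.33, search space is the site's IPv4 range.
    if iid[:4] == b"\x00" * 4:
        return ("ipv4-embedded", 32)
    # Anything else we treat as RFC 4941 temporary or RFC 7217 stable-private:
    # no structure to exploit, the full 64 bits must be searched.
    return ("random", 64)


def search_space_bits(addrs: list[str]) -> dict[str, int]:
    """Map each address to the bits a scanner must brute-force per /64."""
    return {a: classify_iid(a)[1] for a in addrs}


# Constructed sample, documentation prefix 2001:db8::/32.
SAMPLE = [
    "2001:db8:1:2:21b:21ff:fe12:3456",   # SLAAC, MAC 00:1b:21:12:34:56
    "2001:db8:1:2:a2b3:c4ff:fed5:e6f7",  # SLAAC, OUI a0:b3:c4 (not in list)
    "2001:db8:1:2::1",                   # low-byte, typical router
    "2001:db8:1:2::192.0.2.33",          # IPv4 address embedded in the IID
    "2001:db8:1:2:5c1f:9a02:77e3:b1c0",  # temporary / stable-private IID
]

if __name__ == "__main__":
    for a in SAMPLE:
        pattern, bits = classify_iid(a)
        print("%-36s %-14s ~2^%d candidates per /64" % (a, pattern, bits))
    # First few addresses a scanner would probe for the known OUI.
    for cand in eui64_candidates("2001:db8:1:2::/64", "00:1b:21", count=3):
        print("candidate:", cand)
```

Run it against an export of your own address plan: any host that classifies as eui64, low-byte or ipv4-embedded is one whose /64 an attacker can sweep in practical time, which is why RFC 7707 pairs the "bigger addresses" argument with the advice to use RFC 7217 stable-private or RFC 4941 temporary identifiers rather than relying on the size of the space alone.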

