[AusNOG] IPv6 excuses

Peter Fern ausnog at 0xc0dedbad.com
Fri May 27 15:54:07 EST 2016


On 05/27/16 15:11, Pete Mundy wrote:
> <snip>
> One particular message from the thread that sums it up well is quoted
> below. But there are others, so it's worth reviewing the entire
> thread.
> <snip>
>
> On 6/05/2016, at 8:45 am, Mark Smith <markzzzsmith at gmail.com> wrote:
>
> On 5 May 2016 20:28, "Peter Fern" <ausnog at 0xc0dedbad.com> wrote:
> >
> > What do the default firewalls look like on those modems?  Will we
> > suddenly find thousands of Windows PCs directly accessible on the
> > Internet?
>
> Possibly, and it doesn't matter.
>
> https://technet.microsoft.com/library/bb877979
>
> Every version of Windows since then has had a host firewall, mainly
> courtesy of this guy - http://www.huitema.net/bio.asp (his "Routing In
> The Internet" book is excellent).
>
> The easier target these days is the unmaintained CPE itself, and
> they're much easier to find.
>
> http://routersecurity.org/bugs.php
>
> People need to stop thinking that host security is stuck in the
> 1990s/early 2000s. There are instances where it is, but it is not
> universal.
>

I'll respond here where I didn't in the last thread due to the immediate
pile-on.  Windows was intended as tongue-in-cheek, but was obviously a
poor example.  How does this logic hold up if you replace Windows with
OSX, Linux, webcams, appliances, IoT devices, toasters, etc?  *Plenty*
of devices do not ship/enable host firewalls by default, and expose
numerous services that are best walled-off from the Internet.

If the ISP has supplied a CPE, enables IPv6 without notification,
assistance, or recommendations, and the CPEs are inadequately configured
to protect users, then the expectations of risk for (particularly
less-savvy) end-users change dramatically.  This would seem to me to be
a problem.

There is some level of validity to the argument that larger address
space makes scanning more expensive, but when the scanning is being done
by swarms of zombies, that just slows the process (a lot, granted),
though there may be ways to improve the hit-rate there too.

On 05/27/16 15:18, Mark Andrews wrote:
> It isn't the ISP's job.

That seems rather short-sighted, and additionally problematic if the ISP
supplies the CPE and configuration.

> If manufacturers are selling consumer equipment that is incapable of
> being exposed to the net directly they should be being fined for
> selling substandard products and be forced to recall / provide updates.  

Except that this is far removed from reality.