[AusNOG] IPv6 excuses
Mark Andrews
marka at isc.org
Fri May 27 17:10:38 EST 2016
In message <5747E0FF.3020706 at 0xc0dedbad.com>, Peter Fern writes:
> On 05/27/16 15:11, Pete Mundy wrote:
> > <snip>
> > One particular message from the thread that sums it up well is quoted
> > follow below. But there are others, so it's worth reviewing the entire
> > thread.
> > <snip>
> >
> > On 6/05/2016, at 8:45 am, Mark Smith <markzzzsmith at gmail.com> wrote:
> >
> > On 5 May 2016 20:28, "Peter Fern" <ausnog at 0xc0dedbad.com> wrote:
> > >
> > > What do the default firewalls look like on those modems? Will we
> > > suddenly find thousands of Windows PCs directly accessible on the
> > Internet?
> >
> > Possibly, and it doesn't matter.
> >
> > https://technet.microsoft.com/library/bb877979
> >
> > Every version of Windows since then has had a host firewall, mainly
> > courtesy of this guy - http://www.huitema.net/bio.asp (his "Routing In
> > The Internet" book is excellent).
> >
> > The easier target these days is the unmaintained CPE itself, and
> > they're much easier to find.
> >
> > http://routersecurity.org/bugs.php
> >
> > People need to stop thinking that host security is stuck in the
> > 1990s/early 2000s. There are instances where it is, but it is not
> > universal.
> >
>
> I'll respond here where I didn't in the last thread due to the immediate
> pile-on. Windows was intended as tongue-in-cheek, but was obviously a
> poor example. How does this logic hold up if you replace Windows with
> OSX, Linux, webcams, appliances, IoT devices, toasters, etc? *Plenty*
> of devices do not ship/enable host firewalls by default, and expose
> numerous services that are best walled-off from the Internet.
OSX has the host firewall on by default. Linux has a host firewall
and depending upon the distro it may be on or off by default. In
reality you don't need a host firewall for most things. A simple
acl after accept is enough as you only have a single port open, if
any at all.
e.g. TVs don't need to be listening on the net.
What is needed is to build with concept that there is a hostile
environment out there and to validate all inputs before otherwise
using them.
This is what we do with BIND. We code assuming that there is nothing
between the server and the rest of the world. We have machines
continually attempting to break it. We issue advisories when we
find an issue. We assume there are blackhats inspecting every change
we make in an attempt to find a way in. We also have thousands of
internal consistency checks.
> If the ISP has supplied a CPE, enables IPv6 without notification,
> assistance, or recommendations, and the CPEs are inadequately configured
> to protect users, then the expectations of risk for (particularly
> less-savvy) end-users changes dramatically. This would seem to me to be
> a problem.
>
> There is some level of validity to the argument that larger address
> space makes scanning more expensive, but when the scanning is being done
> by swarms of zombies, that just slows the process (a lot, granted),
> though there may be ways to improve the hit-rate there too.
>
> On 05/27/16 15:18, Mark Andrews wrote:
> > It isn't the ISP's job.
>
> That seems rather short-sighted, and additionally problematic if the ISP
> supplies the CPE and configuration.
If the ISP supplies the CPE then they need to source a CPE with
equivalent functionality which do exist.
> > If manufacturers are selling consumer equipment that is incapable of
> > being exposed to the net directly they should be being fined for
> > selling substandard products and be forced to recall / provide updates.
>
> Except that this is far removed from reality.
It shouldn't be. We have strong consumer protection laws in this
country and we pay a premium for this.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
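Mark's "simple acl after accept" point, as an added example that is not code from the thread or from BIND: an IPv6 prefix ACL consulted immediately after accept(), with the prefix text itself checked before use (his "validate all inputs" rule). The acl_entry, acl_parse, acl_allows and accept_filtered names are my own, and the prefixes used to exercise it are constructed samples.

```c
/* Added example (not from the AusNOG thread); any prefixes fed to it are constructed samples. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct acl_entry { struct in6_addr net; int plen; };
/* True if a lies inside net/plen (plen 0..128). */
static bool in_prefix(const struct in6_addr *a, const struct in6_addr *net, int plen) {
    int full = plen / 8, rem = plen % 8;
    if (memcmp(a->s6_addr, net->s6_addr, (size_t)full) != 0) return false;
    if (rem == 0) return true;
    unsigned char mask = (unsigned char)(0xffu << (8 - rem));
    return (a->s6_addr[full] & mask) == (net->s6_addr[full] & mask);
}

/* Parse "2001:db8::/32"-style text; malformed input is rejected, not guessed at. */
bool acl_parse(const char *text, struct acl_entry *out) {
    char buf[64], *slash, *end;
    if (strlen(text) >= sizeof buf) return false;
    strcpy(buf, text); if (!(slash = strchr(buf, '/'))) return false;
    *slash = '\0'; long plen = strtol(slash + 1, &end, 10);
    if (*end || end == slash + 1 || plen < 0 || plen > 128) return false;
    if (inet_pton(AF_INET6, buf, &out->net) != 1) return false;
    out->plen = (int)plen;
    return true;
}

/* True if the textual peer address matches any ACL entry (default deny). */
bool acl_allows(const char *addr_text, const struct acl_entry *acl, size_t n) {
    struct in6_addr a;
    if (inet_pton(AF_INET6, addr_text, &a) != 1) return false;
    for (size_t i = 0; i < n; i++)
        if (in_prefix(&a, &acl[i].net, acl[i].plen)) return true;
    return false;
}

/* accept(), then close any peer the ACL does not permit before reading a byte. */
int accept_filtered(int listen_fd, const struct acl_entry *acl, size_t n) {
    struct sockaddr_in6 peer; socklen_t len = sizeof peer; char text[INET6_ADDRSTRLEN];
    int fd = accept(listen_fd, (struct sockaddr *)&peer, &len);
    if (fd < 0) return -1;
    inet_ntop(AF_INET6, &peer.sin6_addr, text, sizeof text);
    if (!acl_allows(text, acl, n)) { close(fd); return -2; }  /* denied */
    return fd;
}
```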