[AusNOG] IPv6 excuses

Jesse Fusarelli jesse at azapp.com.au
Fri May 27 17:25:25 EST 2016


This is an interesting topic, one we discussed recently internally - we can
deploy IPv6 quite easily on our handful of servers, but we currently don't see
a benefit as all current traffic can be routed via IPv4. "End users don't
care about IPv6" is pretty much the reason we haven't switched it on, and
until then it will most likely remain on hold - and I'm sure I'm not the
only one with this opinion. I do agree, though, that this is a trivial
counter-argument, but one that is hard to overcome currently - until someone
really steps into play and enforces IPv6 we will most likely see it remain
in the dark.

Azapp IT Support and Solutions

On Fri, May 27, 2016 at 5:10 PM, Mark Andrews <marka at isc.org> wrote:

>
> In message <5747E0FF.3020706 at 0xc0dedbad.com>, Peter Fern writes:
> > On 05/27/16 15:11, Pete Mundy wrote:
> > > <snip>
> > > One particular message from the thread that sums it up well is quoted
> > > follow below. But there are others, so it's worth reviewing the entire
> > > thread.
> > > <snip>
> > >
> > > On 6/05/2016, at 8:45 am, Mark Smith <markzzzsmith at gmail.com
> > > <mailto:markzzzsmith at gmail.com>> wrote:
> > >
> > > On 5 May 2016 20:28, "Peter Fern" <ausnog at 0xc0dedbad.com
> > > <mailto:ausnog at 0xc0dedbad.com>> wrote:
> > > >
> > > > What do the default firewalls look like on those modems?  Will we
> > > > suddenly find thousands of Windows PCs directly accessible on the
> > > Internet?
> > >
> > > Possibly, and it doesn't matter.
> > >
> > > https://technet.microsoft.com/library/bb877979
> > >
> > > Every version of Windows since then has had a host firewall, mainly
> > > courtesy of this guy - http://www.huitema.net/bio.asp (his "Routing In
> > > The Internet" book is excellent).
> > >
> > > The easier target these days is the unmaintained CPE itself, and
> > > they're much easier to find.
> > >
> > > http://routersecurity.org/bugs.php
> > >
> > > People need to stop thinking that host security is stuck in the
> > > 1990s/early 2000s. There are instances where it is, but it is not
> > > universal.
> > >
> >
> > I'll respond here where I didn't in the last thread due to the immediate
> > pile-on.  Windows was intended as tongue-in-cheek, but was obviously a
> > poor example.  How does this logic hold up if you replace Windows with
> > OSX, Linux, webcams, appliances, IoT devices, toasters, etc?  *Plenty*
> > of devices do not ship/enable host firewalls by default, and expose
> > numerous services that are best walled-off from the Internet.
>
> OSX has the host firewall on by default.  Linux has a host firewall
> and depending upon the distro it may be on or off by default.  In
> reality you don't need a host firewall for most things.  A simple
> ACL after accept is enough as you only have a single port open if
> any at all.
>
> e.g. TVs don't need to be listening on the net.
>
> What is needed is to build with concept that there is a hostile
> environment out there and to validate all inputs before otherwise
> using them.
>
> This is what we do with BIND.  We code assuming that there is nothing
> between the server and the rest of the world.  We have machines
> continually attempting to break it.  We issue advisories when we
> find an issue.  We assume there are blackhats inspecting every change
> we make in an attempt to find a way in.  We also have thousands of
> internal consistency checks.
>
> > If the ISP has supplied a CPE, enables IPv6 without notification,
> > assistance, or recommendations, and the CPEs are inadequately configured
> > to protect users, then the expectations of risk for (particularly
> > less-savvy) end-users changes dramatically.  This would seem to me to be
> > a problem.
> >
> > There is some level of validity to the argument that larger address
> > space makes scanning more expensive, but when the scanning is being done
> > by swarms of zombies, that just slows the process (a lot, granted),
> > though there may be ways to improve the hit-rate there too.
> >
> > On 05/27/16 15:18, Mark Andrews wrote:
> > > It isn't the ISP's job.
> >
> > That seems rather short-sighted, and additionally problematic if the ISP
> > supplies the CPE and configuration.
>
> If the ISP supplies the CPE then they need to source a CPE with
> equivalent functionality which do exist.
>
> > >  If manufacturers are selling consumer equipment that is incapable of
> > > being exposed to the net directly they should be being fined for
> > > selling substandard products and be forced to recall / provide updates.
> >
> > Except that this is far removed from reality.
>
> It shouldn't be.  We have strong consumer protection laws in this
> country and we pay a premium for this.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
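Mark's "a simple acl after accept is enough" point, written out as an added example that is not from anyone in the thread: a dual-stack listener that applies an allow-list immediately after accept(), treating IPv4-mapped peers as IPv4 so one policy covers both families and refusing anything that does not parse. The prefixes are constructed documentation ranges, not a real policy.

```python
# Added example, not from the AusNOG thread: the "ACL after accept" pattern
# for a host that exposes a single service on a dual-stack socket.
import ipaddress
import socket

# Constructed sample allow-list (RFC 5737 / RFC 3849 documentation ranges).
ALLOWED_PREFIXES = (
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:1::/64"),
)


def normalise_peer(host: str):
    """Turn the host string from accept() into a comparable address.

    A dual-stack AF_INET6 socket reports IPv4 clients as IPv4-mapped
    addresses (::ffff:192.0.2.10); unwrap those so IPv4 rules match them.
    Link-local peers arrive with a %scope suffix; strip it before parsing.
    """
    host = host.split("%", 1)[0]
    addr = ipaddress.ip_address(host)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def peer_allowed(host: str, prefixes=ALLOWED_PREFIXES) -> bool:
    """True only if the peer is inside an allowed prefix.

    Unparseable input is hostile input: refuse it instead of letting a
    ValueError escape into the accept loop.
    """
    try:
        addr = normalise_peer(host)
    except ValueError:
        return False
    # `in` is False across families, so one list covers IPv4 and IPv6 rules.
    return any(addr in net for net in prefixes)


def serve(port: int, prefixes=ALLOWED_PREFIXES) -> None:
    """Dual-stack listener that checks the ACL before reading a byte."""
    srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)  # accept IPv4 too
    srv.bind(("::", port))
    srv.listen()
    while True:
        conn, peer = srv.accept()
        if not peer_allowed(peer[0], prefixes):
            conn.close()  # refused purely on source address
            continue
        with conn:
            conn.sendall(b"hello\n")
```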

