[AusNOG] IPv6 excuses
Robert Hudson
hudrob at gmail.com
Fri May 27 21:08:02 EST 2016
The immediate issue with this that springs to mind is that if people don't
bother with IPv6 before customers ask for it, then they won't be ready for
IPv6 when customers DO ask for it.
That doesn't strike me as good business sense to my way of thinking. But
what would I know, I'm just a customer who already wants IPv6 but can't get
it on a decent speed connection.
On 27 May 2016 5:26 PM, "Jesse Fusarelli" <jesse at azapp.com.au> wrote:
> This is an interesting topic, one we discussed recently internally - we can
> deploy ipv6 quite easily on our handful of servers, we currently don't see
> a benefit as all current traffic can be routed via ipv4. "End users don't
> care about IPv6" is pretty much the reason we haven't switched it on and
> until then it will most likely remain on hold - and I'm sure I'm not the
> only one with this opinion. I do agree though this is a trivial
> against argument but one that is hard to overcome currently - until someone
> really steps into play and enforces ipv6 we will most likely see it remain
> in the dark.
>
> Azapp IT Support and Solutions
>
> On Fri, May 27, 2016 at 5:10 PM, Mark Andrews <marka at isc.org> wrote:
>
>>
>> In message <5747E0FF.3020706 at 0xc0dedbad.com>, Peter Fern writes:
>> > On 05/27/16 15:11, Pete Mundy wrote:
>> > > <snip>
>> > > One particular message from the thread that sums it up well is quoted
>> > > below. But there are others, so it's worth reviewing the entire
>> > > thread.
>> > > <snip>
>> > >
>> > > On 6/05/2016, at 8:45 am, Mark Smith <markzzzsmith at gmail.com> wrote:
>> > >
>> > > On 5 May 2016 20:28, "Peter Fern" <ausnog at 0xc0dedbad.com> wrote:
>> > > >
>> > > > What do the default firewalls look like on those modems? Will we
>> > > > suddenly find thousands of Windows PCs directly accessible on the
>> > > Internet?
>> > >
>> > > Possibly, and it doesn't matter.
>> > >
>> > > https://technet.microsoft.com/library/bb877979
>> > >
>> > > Every version of Windows since then has had a host firewall, mainly
>> > > courtesy of this guy - http://www.huitema.net/bio.asp (his "Routing In
>> > > The Internet" book is excellent).
>> > >
>> > > The easier target these days is the unmaintained CPE itself, and
>> > > they're much easier to find.
>> > >
>> > > http://routersecurity.org/bugs.php
>> > >
>> > > People need to stop thinking that host security is stuck in the
>> > > 1990s/early 2000s. There are instances where it is, but it is not
>> > > universal.
>> > >
>> >
>> > I'll respond here where I didn't in the last thread due to the immediate
>> > pile-on. Windows was intended as tongue-in-cheek, but was obviously a
>> > poor example. How does this logic hold up if you replace Windows with
>> > OSX, Linux, webcams, appliances, IoT devices, toasters, etc? *Plenty*
>> > of devices do not ship/enable host firewalls by default, and expose
>> > numerous services that are best walled-off from the Internet.
>>
>> OSX has the host firewall on by default. Linux has a host firewall
>> and depending upon the distro it may be on or off by default. In
>> reality you don't need a host firewall for most things. A simple
>> acl after accept is enough as you only have a single port open if
>> any at all.
>>
>> e.g. TVs don't need to be listening on the net.
>>
>> What is needed is to build with the concept that there is a hostile
>> environment out there and to validate all inputs before otherwise
>> using them.
>>
>> This is what we do with BIND. We code assuming that there is nothing
>> between the server and the rest of the world. We have machines
>> continually attempting to break it. We issue advisories when we
>> find an issue. We assume there are blackhats inspecting every change
>> we make in an attempt to find a way in. We also have thousands of
>> internal consistency checks.
>>
>> > If the ISP has supplied a CPE, enables IPv6 without notification,
>> > assistance, or recommendations, and the CPEs are inadequately configured
>> > to protect users, then the expectations of risk for (particularly
>> > less-savvy) end-users changes dramatically. This would seem to me to be
>> > a problem.
>> >
>> > There is some level of validity to the argument that larger address
>> > space makes scanning more expensive, but when the scanning is being done
>> > by swarms of zombies, that just slows the process (a lot, granted),
>> > though there may be ways to improve the hit-rate there too.
>> >
>> > On 05/27/16 15:18, Mark Andrews wrote:
>> > > It isn't the ISP's job.
>> >
>> > That seems rather short-sighted, and additionally problematic if the ISP
>> > supplies the CPE and configuration.
>>
>> If the ISP supplies the CPE then they need to source a CPE with
>> equivalent functionality which do exist.
>>
>> > > If manufacturers are selling consumer equipment that is incapable of
>> > > being exposed to the net directly they should be being fined for
>> > > selling substandard products and be forced to recall / provide
>> > > updates.
>> >
>> > Except that this is far removed from reality.
>>
>> It shouldn't be. We have strong consumer protection laws in this
>> country and we pay a premium for this.
>>
>> Mark
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>
>
>
>
>
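The "acl after accept" approach mentioned in the quoted discussion, sketched as an added example (not code from any list participant or from BIND). The prefixes are constructed documentation ranges and the function names are hypothetical; the point shown is that on a dual-stack listener the check has to normalise IPv4-mapped and zone-scoped peer addresses before matching.

```python
import ipaddress

# Constructed ACL for illustration: documentation prefixes (RFC 3849, RFC 5737) and loopback.
ALLOWED = [ipaddress.ip_network(n)
           for n in ("2001:db8:10::/48", "192.0.2.0/24", "::1/128")]


def peer_allowed(sockaddr, allowed=ALLOWED):
    """Return True if the peer address returned by accept() is inside the ACL."""
    # Link-local peers carry a zone id (fe80::1%eth0); strip it before parsing.
    host = sockaddr[0].split("%", 1)[0]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # unparseable peer address: fail closed
    # On a dual-stack AF_INET6 socket, IPv4 peers appear as ::ffff:a.b.c.d.
    # Unwrap them so the IPv4 rules apply instead of being silently skipped.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in allowed)


def serve_once(listener, handler):
    """Accept one connection; close it unread unless the peer passes the ACL."""
    conn, peer = listener.accept()
    with conn:
        if not peer_allowed(peer):
            return False  # dropped before any input from the peer is parsed
        handler(conn)
        return True
```
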