[AusNOG] IPv6 excuses

Shane C shanec-au at outlook.com
Fri May 27 23:34:47 EST 2016


Excuse my ignorance, but what’s the “real” argument against rolling out IPv6?


There are clearly costs associated with prolonging the life of IPv4 in things like CGNAT. Other than labour, which you’re paying for anyway, are there any significantly measurable costs of just knuckling down and getting it done? Are those costs really higher than the cost of IPv4 and the tech/engineering being invested to avoid v6?


From: AusNOG [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Robert Hudson
Sent: Friday, 27 May 2016 8:38 PM
To: Jesse Fusarelli <jesse at azapp.com.au>
Cc: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] IPv6 excuses


The immediate issue with this that springs to mind is that if people don't bother with IPv6 before customers ask for it, then they won't be ready for IPv6 when customers DO ask for it.

That doesn't strike me as good business sense to my way of thinking. But what would I know, I'm just a customer who already wants IPv6 but can't get it on a decent speed connection.

On 27 May 2016 5:26 PM, "Jesse Fusarelli" <jesse at azapp.com.au> wrote:

This is an interesting topic, one we discussed recently internally - we can deploy IPv6 quite easily on our handful of servers; we currently don't see a benefit as all current traffic can be routed via IPv4. "End users don't care about IPv6" is pretty much the reason we haven't switched it on, and until then it will most likely remain on hold - and I'm sure I'm not the only one with this opinion. I do agree though this is a trivial argument against, but one that is hard to overcome currently - until someone really steps into play and enforces IPv6 we will most likely see it remain in the dark.

Azapp IT Support and Solutions


On Fri, May 27, 2016 at 5:10 PM, Mark Andrews <marka at isc.org> wrote:


In message <5747E0FF.3020706 at 0xc0dedbad.com>, Peter Fern writes:
> On 05/27/16 15:11, Pete Mundy wrote:
> > <snip>
> > One particular message from the thread that sums it up well is quoted
> > follow below. But there are others, so it's worth reviewing the entire
> > thread.
> > <snip>
> >
> > On 6/05/2016, at 8:45 am, Mark Smith <markzzzsmith at gmail.com> wrote:
> >
> > On 5 May 2016 20:28, "Peter Fern" <ausnog at 0xc0dedbad.com> wrote:
> > >
> > > What do the default firewalls look like on those modems?  Will we
> > > suddenly find thousands of Windows PCs directly accessible on the
> > Internet?
> >
> > Possibly, and it doesn't matter.
> >
> > https://technet.microsoft.com/library/bb877979
> >
> > Every version of Windows since then has had a host firewall, mainly
> > courtesy of this guy - http://www.huitema.net/bio.asp (his "Routing In
> > The Internet" book is excellent).
> >
> > The easier target these days is the unmaintained CPE itself, and
> > they're much easier to find.
> >
> > http://routersecurity.org/bugs.php
> >
> > People need to stop thinking that host security is stuck in the
> > 1990s/early 2000s. There are instances where it is, but it is not
> > universal.
> >
>
> I'll respond here where I didn't in the last thread due to the immediate
> pile-on.  Windows was intended as tongue-in-cheek, but was obviously a
> poor example.  How does this logic hold up if you replace Windows with
> OSX, Linux, webcams, appliances, IoT devices, toasters, etc?  *Plenty*
> of devices do not ship/enable host firewalls by default, and expose
> numerous services that are best walled-off from the Internet.

OSX has the host firewall on by default.  Linux has a host firewall
and depending upon the distro it may be on or off by default.  In
reality you don't need a host firewall for most things.  A simple
acl after accept is enough as you only have a single port open if
any at all.

e.g. TV's don't need to be listening on the net.

What is needed is to build with concept that there is a hostile
environment out there and to validate all inputs before otherwise
using them.

This is what we do with BIND.  We code assuming that there is nothing
between the server and the rest of the world.  We have machines
continually attempting to break it.  We issue advisories when we
find an issue.  We assume there are blackhats inspecting every change
we make in an attempt to find a way in.  We also have thousands of
internal consistency checks.

> If the ISP has supplied a CPE, enables IPv6 without notification,
> assistance, or recommendations, and the CPEs are inadequately configured
> to protect users, then the expectations of risk for (particularly
> less-savvy) end-users changes dramatically.  This would seem to me to be
> a problem.
>
> There is some level of validity to the argument that larger address
> space makes scanning more expensive, but when the scanning is being done
> by swarms of zombies, that just slows the process (a lot, granted),
> though there may be ways to improve the hit-rate there too.
>
> On 05/27/16 15:18, Mark Andrews wrote:
> > It isn't the ISP's job.
>
> That seems rather short-sighted, and additionally problematic if the ISP
> supplies the CPE and configuration.

If the ISP supplies the CPE then they need to source a CPE with
equivalent functionality which do exist.

> > If manufacturers are selling consumer equipment that is incapable of
> > being exposed to the net directly they should be being fined for
> > selling substandard products and be forced to recall / provide updates.
>
> Except that this is far removed from reality.

It shouldn't be.  We have strong consumer protection laws in this
country and we pay a premium for this.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                  INTERNET: marka at isc.org

_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog

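Mark Andrews' point above, that a host with a single open port needs only an access check after accept() rather than a full host firewall, as an added example that is not code from the thread or from ISC/BIND: a minimal IPv6 listener that compares each accepted peer against a constructed prefix allow list (the prefixes and port are assumed values for illustration).

```python
"""Post-accept access control on a single IPv6 listening socket.

Added example, not code from the thread. Instead of a packet filter in
front of the host, the one service that listens checks the peer address
after accept() and drops anything outside the allow list.
"""
import ipaddress
import socket

# Constructed allow list (assumed values): a local /64, a management /48
# and loopback. Documentation prefixes are used so nothing here is real.
ALLOWED_PREFIXES = [
    ipaddress.ip_network("2001:db8:1::/64"),
    ipaddress.ip_network("2001:db8:ffff::/48"),
    ipaddress.ip_network("::1/128"),
]


def peer_allowed(addr: str, acl=ALLOWED_PREFIXES) -> bool:
    """Return True if addr falls inside one of the allowed prefixes.

    A scope id suffix (e.g. 'fe80::1%eth0') is stripped before parsing, and
    an unparseable peer string is rejected rather than raising, so a bad
    input can only ever lead to a closed connection.
    """
    try:
        ip = ipaddress.ip_address(addr.split("%", 1)[0])
    except ValueError:
        return False
    # On a dual-stack socket an IPv4 peer shows up as ::ffff:a.b.c.d; unwrap
    # it so any IPv4 prefixes in the ACL are compared as IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return any(ip in net for net in acl)


def serve(port: int = 8080, acl=ALLOWED_PREFIXES, max_conns=None):
    """Listen on one port; close every connection whose source is not in the ACL."""
    with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("::", port))
        srv.listen(16)
        served = 0
        while max_conns is None or served < max_conns:
            conn, peer = srv.accept()  # peer is (host, port, flowinfo, scope_id)
            with conn:
                if not peer_allowed(peer[0], acl):
                    continue  # closed silently: no banner for an unknown source
                conn.sendall(b"hello\n")
            served += 1


if __name__ == "__main__":
    serve()
```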
