SV: SV: CPE Residential IPv6 Security Poll

erik.taraldsen at erik.taraldsen at
Sun Sep 25 09:08:46 CEST 2016

1) In theory you are right.  In practise it is not that black and white.  We never buy an excisting product, we buy an future product which has to be developed for us.  That include physical features which may not have beed release from Broadcom yet (11ac 3x3 we were the first mass order from Broadcom for example).  That means that we usualy have an development periode with the vendor, and a release target (VDSL launch for example)  Sometimes the have to rush the CPE side to meet the network side launch.  This again means that we usualy launch with a fair number of bug and un-optimized software, and features missing.  And since we don't buy in Comcast type volumes we don not have the purchasing power to instruct the vendors to do absolutly everything, we have an limited development team working for us and we have to prioritize what they should work on.  And so far UPnP has not gotten above that treshold.

(And the above is a bit besides the point, we seem to be the only ISP who want UPnP.  That don't help our customers a lot.  In order for UPnP to work you also need support in the clients, and those we talk to who do develop clients badly want to get away from UPnP)

2) You may have more luck with your forum posts, but on the norwegian forums the loudest answer wins the day. Reason cannot stand up to the forces of loud ignorance.

3) As stated in 1, limited recources dictates that we prioritice security, features which support payable services, then the stuff we network geeks want.  And since I do know a lot of smaller ISP's and retailers of off-the-shelf products, I do know that those products do very seldom get anything other than bug fixes for anything other that flaws which may refelct badly on the CPE vendor.

4) The customers are paying for internet access.  That used to mean an ethernet port and two IPv4 addresses.  Today the costomers define it as wifi access on the phone in the room the furthest away from the router.  The level of knowledge in the user base is dropping like a stone.  If we can have an technical solutin which prevents the customer from having issues and calling us, we go for it.


Fra: at < at> på vegne av Ted Mittelstaedt <tedm at>
Sendt: 20. september 2016 18:52
Til: ipv6-ops at
Emne: Re: SV: CPE Residential IPv6 Security Poll


I think you have to follow these precepts (keep in mind this is an
American capitalist perspective not a European cooperative socialist

1) You got the money, tell your vendors to either do what you want (put
IPv6 UPnP in CPEs they sell you) or you are going to kick their ass.
It's your money!  They want your money do they not?  That's why they are
selling CPEs to you - so why do you tolerate any crap from them?  Tell
them either put UPnP in the code or your going elsewhere for your CPEs
and you are going to tell all your other ISP friends to go elsewhere for
their CPEs.   Enough Mr. Nice Guy.

2) It's not your problem if Ma & Pa Kettle find a wannabe power user.
If you don't like being bad-mouthed by wannabe power users on the online
forums then get your ass on the online forums and start engaging.
Refute those "need bigger antennas" posts with logic and reason.
I guarantee to you that 1 correct post is worth 100 baloney posts from
wannabe power users.

3) How on Earth can you make the case that your ISP router patches
security holes and adds features yet turn around and claim that you
can't push your CPE vendors to add UPnP support?   Either you have power
to get your CPE vendors to issue updates or not.  If you do - then
quit complaining that no CPE's have UPnP support for IPv6.  If you
don't - then quit claiming your CPE is better.

4) What is your customers perception that they are paying for and
what are they REALLY paying for?   If they think they are paying for
access only - and you think they are paying for access plus your
management of their network CPE - then I can see why you might be
wondering why they aren't complaining to you when there's a problem
and going to the wannabe power users.  Maybe you just need to do some
more customer education?


On 9/20/2016 1:24 AM, erik.taraldsen at wrote:
> With all due respect to the actual power user out there.  For each one of them, there is at least 20 who think they are power users who base their knowledge on rumors and misconceptions.   They are often vocal (forums and coments on news sites) and they are the once who often are enlisted to help Ma&  Pa Kettle.  At least that is what we see a lot of in Norway.  They simply do not have the ability to correctly diagnose the issues.  Solutions often involve "you need bigger antennas on the router", "Apple routers are allways the best", "the ISP supplied router allways suck".
> So Bob-the-power-user buy the expencive huge antenna router and install at M&PK.  It does not have dual stack, therefore the application at M&PK therefore never tries IPv6 and the older UPnP solution works for them.  Bob gets an re confrimation that big antenas helps, and that the ISP router sucks.  Where a simpler and cheeper solution would be to modify the firewall settings of the ISP router.
> Since I reprecent the ISP and spesificaly the ISP supplied router (where we do patch security flaws, add features, optimise DSL and wlan drivers, attack bufferbloat and give the customers the posibility of remote support.  Unlike a lot of retail products which often have to live with the software it was shiped with).  How do we set up the routers IPv6 setting in such a way that Bob-the-power-user do not have to be called in by M&PK to fix their broken app/network, but still maintain a level of security for them?  Is some sort of balanced the way to go?  Should we again push our vendors for PCP/UPnP support?
> -Erik
> ________________________________________
> Fra: at< at>  på vegne av Ted Mittelstaedt<tedm at>
> Sendt: 19. september 2016 23:23
> Til: Bjørn Mork
> Kopi: ipv6-ops at
> Emne: Re: CPE Residential IPv6 Security Poll
> I can tell you that -today- in my location both CenturyLink and Comcast
> (giant ISPs) supply IPv6 by default on their residential CPEs - and both
> of those CPEs have "inbound block outbound allow" on by default on IPv6.
>    As far as I know neither support UPnP on IPv6
> I think you are overthinking this.  If a CPE has no IPv6 support but it
> has UPnP support over IPv4 then things "work"   If a CPE has IPv6
> support but no UPnP support over IPv6, then things are also going to
> "work" - on IPv4.  They may break on IPv6 with a "block everything" IPv6
> rule in which case the end user is undoubtedly going to complain to the
> toaster manufacturer not you, and that toaster maker is either
> going to tell their customer "disable ipv6 on your ISP CPE" or they are
> going to fix their toaster so that it doesn't try using UPnP over IPv6,
> only IPv4.
> Your job is to not assume your customers are all morons.  It is to make
> it safe for the ones who are, and make it usable for the ones who aren't
> and want to run their own show.  Provide the needed buttons in the CPE
> to enable or disable IPv6 and to allow your customers to shut off your
> CPE's interference and be done with it.
> As an ISP you of all people should understand how powerful the Internet
> is.  If you make your stuff configurable for power users, and document
> it, then the Ma&  Pa Kettle customers are going to engage their friend's
> son who IS a power user and can search the Internet and follow simple
> directions and fix their problem with their web cam or whatever it is
> that is demanding UPnP.
> If however you default to open, then when Ma&  Pa Kettle eventually get
> cracked, and call in the power user, that power user is going to
> discover your default firewall on IPv6 is open and realize that you
> created a huge whole bunch of work for him since he will now have to
> put back together a PC for the morons.   He isn't going to appreciate
> that and will badmouth you online.
> Nobody with brains is going to go online and badmouth an ISP that
> supplies a CPE that has defaults that error on the side of
> protection-of-morons.   But they are going to badmouth an ISP that
> supplies a CPE
> that has defaults that allow morons to get easily broken into - because
> it's them who are going to be sucked into putting those systems back
> together.  And they are really going to badmouth an ISP that supplies a
> CPE that can't have it's internal firewall turned off.
> Ted
> On 9/19/2016 1:29 PM, Bjørn Mork wrote:
>> Ted Mittelstaedt<tedm at>   writes:
>>> This kind of mirrors the "default" security policy on IPv4 CPEs (since
>>> those CPE's have NAT automatically turned on which creates a "block in,
>>> permit out" kind of approach.) so I'm not sure why you would want to
>>> default it to being different for IPv6.
>> I was explained one reason today: No CPEs implement UPnP support for
>> IPv6 [1].
>> This makes the effect of the similar IPv4 and IPv6 policies quite
>> different.  UPnP aware applications will set up the necessary NAT rules
>> for IPv4, allowing inbound connections etc. But if you want the same
>> applications to work over IPv6, then the policy must be more open by
>> default. Letting the user disable IPv6 filtering is not going to help
>> the masses I'm afraid...
>> So the question remains: What do ISPs actually do to
>>    - allow IPv6, and
>>    - secure the end users' networks, and
>>    - not break dual stack applications wanting incoming connections
>> all at the same time?  Looks like a classical "pick any two".
>> Bjørn
>> [1] I'm sure someone will come up with an obscure and expensive example
>>    of the contrary - the point is that IPv6 UPnP support is not readily
>>    available in the residential CPE market.
> ---
> This email has been checked for viruses by Avast antivirus software.

This email has been checked for viruses by Avast antivirus software.

More information about the ipv6-ops mailing list