question regarding over the counter devices
nick at buraglio.com
Wed Mar 1 15:56:18 CET 2017
Is this actually a realistic fear? Let me preface this by saying that I
find NAT extremely distasteful, however, the one thing that NAT provides
some modicum of advantage from is inbound scans of end systems. With IPv6
this is functionally a non-issue from a shotgun scan perspective. Most
devices that come with IPv6 enabled require a prefix delegation, which in
my opinion should be enabled by default. In the US, a great deal of the
major broadband providers are moving toward an all-in-one, ISP-managed
gateway that has all of this enabled and filters IPv6 inbound (although,
again, I'm not sure that it's actually more than a perceived issue and is
likely more of a CYA). Even the smaller ISPs that I have worked with are
enabling IPv6 with the same methodology. Mobile networks enable v6 by
default as well, although I am not able to reach my EUI-64 addresses on my
mobile devices - they appear to be filtered as well.

Realistically the deployments should have as much parity as possible
between v4 and v6, which I believe most reasonable consumer CPE do.

I remember going through this a lifetime ago with IPv4 before ISPs moved to
NAT at the CPE, this really isn't much different and should be reasonably
easier with v6 due to the inherent tracking you get from PD and privacy
addressing on by default with almost everything.

On Wed, Mar 1, 2017 at 3:11 AM, Mikael Abrahamsson <swmike at swm.pp.se> wrote:
> On Wed, 1 Mar 2017, Bjørn Mork wrote:
>> As an ISP: If you don't manage the CPE, should you even care?
>
> That is a good question. In Sweden ISPs have gotten in trouble historically
> for not filtering stuff and customers' files were exposed. For instance when
> ETTH had people plug their computers directly into the ETTH RJ45 jack
> (12-15 years ago), had no-password SMB shares on their computers, and there
> was no broadcast filtering on the LAN. Then they could "see" other users'
> SMB shares and access them, and this made the papers as "unsecure". This
> was blamed on ISPs, not users.
>
> So when IPv6 now comes along, ISPs are scared that users might have
> no-firewall IPv6 devices, so when IPv6 is enabled all of a sudden lots of
> unsecured devices are then reachable from the Internet, devices that were
> configured in that way because before NAT "protected" them.
>
>> yes, yes, being nice is good. But this is an impossible task. There is
>> no way you can make assumptions about the security of any unmanaged CPE,
>> with or without IPv6.
>
> I tend to agree, but I can also understand why an ISP might hesitate in
> this case.
>
> Mikael Abrahamsson email: swmike at swm.pp.se