<div dir="ltr">Is this actually a realistic fear? Let me preface this by saying that I find NAT extremely distasteful, however, the one thing that NAT provides some modicum of advantage from is inbound scans of end systems. With IPv6 this is functionally a non-issue from a shotgun scan perspective. Most devices that come with IPv6 enabled require a prefix delegation, which in my opinion should be enabled by default. In the US, a great deal of the major broadband providers are moving toward an all in one, ISP managed gateway that has all of this enabled and filters IPv6 inbound (although, again, I'm not sure that it's actually more than a perceived issue and is likely more of a CYA). Even the smaller ISPs that I have worked with are enabling IPv6 with the same methodology. Mobile networks enable v6 by default as well, although I am not able to reach my EUI-64 addresses on my mobile devices - they appear to be filtered as well. <br><div>Realistically the deployments should have as much parity as possible between v4 and v6, which I believe most reasonable consumer CPE do. </div><div>I remember going through this a lifetime ago with IPv4 before ISPs moved to NAT at the CPE, this really isn't much different and should be reasonably easier with v6 due to the inherent tracking you get from PD and privacy addressing on by default with almost everything.</div><div><br></div><div>nb</div><div> </div></div><div hspace="streak-pt-mark" style="max-height:1px"><img style="width:0px;max-height:0px;overflow:hidden" src="https://mailfoogae.appspot.com/t?sender=abmlja0BidXJhZ2xpby5jb20%3D&type=zerocontent&guid=6b83f76e-08dc-479a-8619-093ce06be621"><font color="#ffffff" size="1">ᐧ</font></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Mar 1, 2017 at 3:11 AM, Mikael Abrahamsson <span dir="ltr"><<a href="mailto:swmike@swm.pp.se" target="_blank">swmike@swm.pp.se</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Wed, 1 Mar 2017, Bjørn Mork wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
As an ISP: If you don't manage the CPE, should you even care?<br>
</blockquote>
<br></span>
That is good question. In Sweden ISPs have gotten in trouble historically for not filtering stuff and customers files were exposed. For instance when ETTH had people plug their computers directly into the ETTH RJ45 jack (12-15 years ago), had no-password SMB shares on their computers, and there was no broadcast filtering on the LAN. Then they could "see" other users SMB shares and access them, and this made the papers as "unsecure". This was blamed on ISPs, not users.<br>
<br>
So when IPv6 now comes along, ISPs are scared that users might have no-firewall IPv6 devices, so when IPv6 is enabled all of a sudden lots of unsecured devices are then reachable from the Internet, devices that were configured in that way because before NAT "protected" them.<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
yes, yes, being nice is good. But this is an impossible task. There is<br>
no way you can make assumptions about the security of any unmanaged CPE,<br>
with or without IPv6.<br>
</blockquote>
<br></span>
I tend to agree, but I can also understand why an ISP might hesitate in this case.<div class="HOEnZb"><div class="h5"><br>
<br>
-- <br>
Mikael Abrahamsson email: <a href="mailto:swmike@swm.pp.se" target="_blank">swmike@swm.pp.se</a></div></div></blockquote></div><br></div>