Microsoft: Give Xbox One users IPv6 connectivity

Marco Sommani marcosommani at gmail.com
Fri Mar 14 00:21:58 CET 2014


On 13/mar/2014, at 20:12, Eric Vyncke (evyncke) <evyncke at cisco.com> wrote:

> Jakob
> 
> What annoys me more is the fact that AVM (and they are not the only one --
> see Technicolor & others) naively believes that NAT44 offered some
> security by preventing inbound connections... This means that there is NO
> open connectivity between two X/Box behind a closed AVM CPE... Hence X/Box
> has no choice and is smart enough to fall back in the legacy NAT44 mode
> with a TURN (or in this case Teredo) to bypass NAT. A very nice
> opportunity to run a man-in-the-middle attack on a foreign ground.

AVM is not alone in its choices: they just do what is suggested in RFC 6092 - "Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service". I don't like what they do, but maybe we should blame IETF.

Marco

> 
> I still wonder why people REALLY believe in the security of NAT (in the
> sense of blocking inbound connections) in 2014 while most of the botnet
> members are behind a NAT...
> 
> Christopher and others => you are RIGHT! Do not change your mind
> 
> -éric (see also 
> http://tools.ietf.org/html/draft-ietf-v6ops-balanced-ipv6-security-01 for
> my point of view :-))
> 
> 
> On 13/03/14 18:43, "Jakob Hirsch" <jh at plonk.de> wrote:
> 
>> Hi!
>> 
>> Christopher Palmer, 2013-10-10 03:22:
>>> 
>>> http://download.microsoft.com/download/A/C/4/AC4484B8-AA16-446F-86F8-BDFC498F8732/Xbox%20One%20Technical%20Details.docx
>> 
>> Nice, but why do you absolutely require Teredo even for boxes with
>> native IPv6? Of course there's the advantage of direct client2client
>> communication (less latency for clients and less traffic on Teredo
>> relays), but the box should at least fall back to native IPv6 if Teredo
>> is not available (quite odd to talk about native IPv6 being a fallback
>> to Teredo, but anyway).
>> 
>> There's at least one CPE manufacturer (quite prevalent in Europe or at
>> least in Germany) that filters out Teredo if native IPv6 is available by
>> default. They added an option to disable this filter, but that's not a
>> good thing. See
>> http://service.avm.de/support/en/skb/FRITZ-Box-7390-int/1439:Cannot-play-online-games-with-Xbox-One
>> 
>> In the current state, the XBox One is doing more harm to IPv6 than good.
>> People encounter problems after having IPv6 activated (there are forum
>> posts which told people to disable IPv6 to fix this issue) and network
>> operators will see less increase in IPv6 traffic (which lowers the
>> incentive to improve IPv6 support).
>> 
>> 
>> Regards
>> Jakob
>> 
> 

--
Marco Sommani
Via Contessa Matilde 64C
56123 Pisa - Italia
phone: +390500986728
mobile: +393487981019
fax: +390503869728
email: marcosommani at gmail.com





More information about the ipv6-ops mailing list