CPE Residential IPv6 Security Poll

Ted Mittelstaedt tedm at ipinc.net
Tue Sep 27 06:59:43 CEST 2016



On 9/26/2016 10:30 AM, Tore Anderson wrote:
> * Ted Mittelstaedt
>
>> This kind of mirrors the "default" security policy on IPv4 CPEs (since
>> those CPE's have NAT automatically turned on which creates a "block
>> in, permit out" kind of approach.) so I'm not sure why you would want
>> to default it to being different for IPv6.
>
> There are a gazillion pages out there on the Internet where you'll find
> people trying to figure out how to open ports in their router, make
> their PlayStation or Xbox online gaming Just Work instead of
> complaining about NAT problems, and so on. And this is mostly regarding
> IPv4, where we've already have a solution in the form of UPnP (a
> security nightmare in its own right).
>
> The situation is not exactly user friendly.

I DO NOT see a problem with this and I will explain why a bit later.

> The IPv4 NATs are making
> applications suffer and people are strugging or failing to work around
> them. We now have the opportunity to do better with IPv6,

We have an opportunity to screw it up worse.

> and I'm
> hoping the ISPs will carefully consider doing so, instead of just
> defaulting to whatever looks the most similar to what they've were
> forced to do for IPv4.
>
> [I say «forced», because NAT and its intrinsic «drop all inbound» policy
> came about as a way of conserving scarce IPv4 addresses, not as a
> security mechanism. This is obviously not an issue for IPv6.]
>
> So it'd be interesting to see some solid empirical data that explained
> to what extent a default-drop-inbound firewall really increases
> security, and to what extent it impairs applications and thus makes
> users unhappy.
>
> For what it's worth, the Swisscom approach seems sensible to me. At
> least if I understand it correctly, in that they by default only block
> ports associated with application protocols known to be insecure, meant
> for home network use only, etc. All other ports and protocols not on
> the blacklist are let through in both directions. As far as I know this
> has been working out fine for them.
>

Until someone invents a new application that uses new ports and has bugs
in it.   Or an app that seeks new ports because it thinks others are 
blocked.

I do my own auto repairs, and my own home repairs, and my own
electrical and plumbing and painting and so on, so I will tell a story 
here that attempts to illustrate some things about the society we live
in that relates to this issue.

Back in the 1960's we had vehicles in the US that just had an engine,
and transmission, and mechanically controlled carburetor.  You could 
adjust the mixture very easily to make your car more powerful (and
polluting) just change the jets and turn the idle screw.

But, as time went on we decided as a society that making it this easy
to tamper with the engine mixture (and thus get more power and pollute
more) may have resulted in a small benefit for the vehicle owner but
at a large expense to society.

So we first started fitting carbs with anti-tamper caps on the idle
mixture screws (since the idle circuit is used at half-throttle so
fiddling with this gave you a power boost until you hit WOT in which
case you had to change jets)

Then we put computer-controlled carbs on cars which took more effort
to defeat, the usual method was to replace the intake manifold and
carb with aftermarket mechanical

Then we got rid of that and put engine computers on, and later on
we removed all mechanical systems and just had the computer do
everything.

It is still possible of course, to adjust the mixture and get more
power but you have to do it by spending a lot of money and replacing
your engine computer and also it will destroy your catcon.  Today,
just about all backyard mechanics can no longer do this so they
content themselves with attaching "fart cans" to the exhausts of
their cars and telling themselves they are getting 10 extra horsepower
that way.

In short, because automobiles were so successful, the industry had to
make them so complicated to work on that the only people who are NOT
professional mechanics who can still work on them, are lost causes like
me who isn't a professional mechanic yet I have $10,000 worth of tools
in my garage along with a 60 gallon shop air compressor, that I've 
collected over 30 years, many of those tools are complete specialty ones 
that cost several hundred bucks to buy and were used 1 time for 1 
specific job on a car that I probably drove into the ground and sold
to a wrecker a decade ago.

The auto industry considers this a roaring success because today, the
barnyard "mekaniks" cannot tamper with their cars and thus release
clouds of pollution, and the few skilled people like me who aren't
safely under the wing of a business somewhere that's scared to death
of violating laws (and thus prohibits their mechanics from tampering)
are educated enough to know that tampering is just going to make the
car run slower and ruin systems in it, and we don't want to spend
$500-$1000 to do it the right way and end up with an actual gain of
10 HP for that money.  So, we repair our cars exactly the way a
professional would repair it.  (actually most of the time we do a
better job of it because we don't cut corners but that's a different
story)

So, that is the story.   Now, here is how I think it applies to the
ISP industry.

ISPs need to understand that the Internet today is mission-critical for
a great many people out there who AREN'T their customers - and they need
to step up to the plate like the auto industry has done.

Allowing your customers to EASILY setup xboxes and other such nonsense
when they don't know what they are doing, well that can cause impacts
far, far, far beyond your own little customer base.

You have a responsibility to the rest of the Internet that is, I 
believe, equal to your responsibility to your customers.

Your responsibility is to make tampering with the CPE difficult
for the ignorant.

If one of your customers is hell-bent on setting up their own servers,
they are going to throw out your CPE and find a different one if you
make your CPE such that they cannot just turn off all the firewalling.
So in that case your responsibility to your customer, to supply a
CPE that can have all the firewalling turned off, is the highest.

BUT, if one of your customers is too CHEAP to buy their own router,
and they are too IGNORANT to safely configure your CPE, and too
OBSTINATE to spend the time learning how to safely open ports - well
then the responsibility there to protect the rest of us on the
Internet from your cheap, ignorant, obstinate customer outweighs
any responsibility you have to your customer to make it easy for
them to be cheap, ignorant, and obstinate - and annoy the rest of
us.

Because if they cannot take the time to LEARN how to do it right,
then why would you expect them to keep a server patched so that it
does not become a mule for some nasty cracker out there to attack
us?

This is WHY I am saying that the current situation of making it
difficult to troubleshoot network issues on a CPE is a GOOD THING.

High Tech has figured this out with a great many other things - this
is why now that you have to really know what you are doing and have
special tooling to replace the battery in your cell phone.   These
bits of tech are being taken for granted and causing problems when
they are mishandled.  So we make them complicated to use to defeat
the nincompoops who don't know what they are doing.

I will leave you with a TIMELESS message I think you should take
to heart:


ACHTUNG!ALLES TURISTEN UND NONTEKNISCHEN LOOKENPEEPERS!DAS 
KOMPUTERMASCHINE IST NICHT FÜR DER GEFINGERPOKEN UND MITTENGRABEN! 
ODERWISE IST EASY TO SCHNAPPEN DER SPRINGENWERK, BLOWENFUSEN UND 
POPPENCORKEN MIT SPITZENSPARKEN.IST NICHT FÜR GEWERKEN BEI DUMMKOPFEN. 
DER RUBBERNECKEN SIGHTSEEREN KEEPEN DAS COTTONPICKEN HÄNDER IN DAS 
POCKETS MUSS.ZO RELAXEN UND WATSCHEN DER BLINKENLICHTEN.


https://en.wikipedia.org/wiki/Blinkenlights



Ted



---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus




More information about the ipv6-ops mailing list