UPnP/IPv6 support in home routers?
Fernando Gont
fernando at gont.com.ar
Mon Dec 11 22:00:17 CET 2017
The crap doesn't get fixed because that's the software development we are
used to. Windows 10 was Windows '95 in the '90s. So give the IoT stuff
15-20 years to get to a sensible quality/state/security and/or enough
widespread trouble/exploitation.
Pragmatically speaking, people will connect that crap to the 'net... and
the "less connected" such devices are, the better.
So, please, don't remove FWs. :-)
Cheers,
Fernando
On Mon, Dec 11, 2017 at 5:50 PM, Kristian McColm <
Kristian.McColm at rci.rogers.com> wrote:
> And therein lies the root of the problem... the ‘crap’ never gets fixed
> because it has the firewall isolating it, but this causes problems for
> devices and applications which are not ‘crap.’ I realize this is more
> idealistic than pragmatic, but we will have much smoother network
> integration if we don’t have to deal with the many problems that so-called
> stateful firewalls bring along with them. Now that IPv6 is set to do away
> with (P/N)AT, we’re halfway there.
>
>
> ------------------------------
> *From:* fernando.gont.netbook.win at gmail.com <fernando.gont.netbook.win@
> gmail.com> on behalf of Fernando Gont <fernando at gont.com.ar>
> *Sent:* Monday, December 11, 2017 3:43:27 PM
> *To:* Kristian McColm
> *Cc:* ipv6-ops at lists.cluenet.de; Fernando Gont
>
> *Subject:* Re: UPnP/IPv6 support in home routers?
>
> Kristian,
>
> I see no reason for which they should disappear. Actually, quite the
> opposite; we keep connecting more and more crap to the net (the so called
> IoT), which clearly cannot defend itself.
>
> The "principle of least privilege" applies to connectivity, too.
>
> Thanks!
> Fernando
>
> On Mon, Dec 11, 2017 at 12:28 PM, Kristian McColm <
> Kristian.McColm at rci.rogers.com> wrote:
>
>> Corporate and/or specific network requirements notwithstanding, in my
>> opinion this is just another example of why in IPv6, firewalls in general
>> could/should be retired. If the end user device is required to be
>> responsible for its own security, it can open the necessary ports via
>> whatever firewall API it provides to applications running on it.
>>
>>
>> ------------------------------
>> *From:* ipv6-ops-bounces+kristian.mccolm=rci.rogers.com at lists.cluenet.de
>> <ipv6-ops-bounces+kristian.mccolm=rci.rogers.com at lists.cluenet.de> on
>> behalf of Doug McIntyre <merlyn at geeks.org>
>> *Sent:* Monday, December 11, 2017 10:22:39 AM
>> *To:* ipv6-ops at lists.cluenet.de
>> *Subject:* Re: UPnP/IPv6 support in home routers?
>>
>> On Mon, Dec 11, 2017 at 04:03:27PM +0100, Gert Doering wrote:
>> > On Mon, Dec 11, 2017 at 11:54:15AM +0000, Tom Hill wrote:
>> > > "Dear Gateway, I am definitely not a compromised host, please open all
>> > > ports toward me."
>> >
>> > But that's the whole idea of UPnP or IGD. Whether you open one port or
>> > all of them, on request of a possibly-compromised host, is of no
>> > relevance.
>>
>>
>> I think the thinking is that since most IPv4 "home" protocols (which
>> is really only where UPnP exists, since Enterprise class firewalls
>> almost never want to have anything to do with it), is that most of the
>> "home" protocols (e.g. games, streaming, etc.) have mostly converged to
>> a model not expecting end-to-end connectivity, and hidden behind a NAT
>> thing, that anything now transitioning to IPv6 will follow suit when
>> they add that support to whatever needs to punch holes in things,
>> instead checking in constantly with the "central server" rather than
>> assuming end-to-end connectivity.
>>
>> That said, I think the IPv6 firewalls need better home connectivity
>> support as well. I once put in a ticket to Fortinet to ask if there
>> could be made an ACL object that tracked the prefix mask delivered via
>> DHCP6_PD, such that we could write policies such as
>> allow remote_ipv6_address ${PREFIX1}::1f5d:50 22
>>
>> But that couldn't be impressed on the first tiers of support
>> whatsoever. That totally confused them to no end. Unlike my IPv4
>> address, which almost never changes at Comcast, the IPv6 prefixes I get
>> change on every connection.
>>
>> ------------------------------
>> This communication is confidential. We only send and receive email on the
>> basis of the terms set out at www.rogers.com/web/content/emailnotice
>>
>> This message is confidential. We send and receive email strictly in
>> accordance with the terms set out in the notice published at www.rogers.com/aviscourriel
>>
>> ------------------------------
>
> --
> Fernando Gont
> e-mail: fernando at gont.com.ar || fgont at acm.org
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
--
Fernando Gont
e-mail: fernando at gont.com.ar || fgont at acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
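Doug McIntyre's wish above (an ACL object that follows the DHCPv6-PD delegated prefix, so a rule like `allow remote_ipv6_address ${PREFIX1}::1f5d:50 22` survives a re-delegation) worked as an added example. This is not code from the thread or from any vendor; it assumes a simple textual rule format modelled on his line, and the prefixes are constructed from the 2001:db8::/32 documentation range.

```python
"""Re-render host-specific IPv6 allow rules whenever the delegated prefix changes."""
import ipaddress


def suffix_fits(delegated_prefix: str, host_suffix: str) -> bool:
    """True if host_suffix (e.g. "::1f5d:50") has no bits inside the prefix part.

    A suffix that overlaps the network bits would silently move the rule to a
    different network, so callers must check this before composing an address.
    """
    net = ipaddress.IPv6Network(delegated_prefix, strict=True)
    suffix = ipaddress.IPv6Address(host_suffix)
    return (int(suffix) & int(net.netmask)) == 0


def compose_address(delegated_prefix: str, host_suffix: str) -> ipaddress.IPv6Address:
    """Overlay the suffix's interface bits onto the delegated prefix's network bits."""
    if not suffix_fits(delegated_prefix, host_suffix):
        raise ValueError(f"suffix {host_suffix} overlaps the prefix bits of {delegated_prefix}")
    net = ipaddress.IPv6Network(delegated_prefix, strict=True)
    suffix = ipaddress.IPv6Address(host_suffix)
    return ipaddress.IPv6Address(int(net.network_address) | int(suffix))


def render_rule(delegated_prefix: str, host_suffix: str, port: int) -> str:
    """Hypothetical rule syntax modelled on the thread's 'allow remote_ipv6_address' line."""
    return f"allow remote_ipv6_address {compose_address(delegated_prefix, host_suffix)} {port}"


def render_policy(delegated_prefix: str, tracked_rules: list[tuple[str, int]]) -> list[str]:
    """Re-render every (suffix, port) rule for the prefix currently delegated."""
    return [render_rule(delegated_prefix, suffix, port) for suffix, port in tracked_rules]


if __name__ == "__main__":
    # Constructed scenario: the ISP delegates one /56 today and another tomorrow;
    # the policy is written once in terms of suffixes and re-rendered each time.
    policy = [("::1f5d:50", 22), ("::2", 443)]
    for prefix in ("2001:db8:1a2b:3c00::/56", "2001:db8:9f00:7700::/56"):
        print(f"# delegated prefix {prefix}")
        for line in render_policy(prefix, policy):
            print(line)
```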