<div dir="ltr">Hi,<div><br></div><div>What about alle the people that are not able to setup their own filters and other security mechanisms? Most people got this computer stuff for usage and not to thinker with or spend ours figuring out the best type of configuration.</div><div>How do we give them a bit more security than wide open devices?</div><div><br></div><div>Pedro</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Dec 11, 2017 at 10:12 PM, Kristian McColm <span dir="ltr"><<a href="mailto:Kristian.McColm@rci.rogers.com" target="_blank">Kristian.McColm@rci.rogers.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div class="m_-2942182690567789323WordSection1">
<p class="MsoNormal">Fernando, sorry but we’ll have to agree to disagree. I personally see stateful firewalls as a pain point. They don’t do a very good job of tracking socket states and often cause packet loss for this reason, they are not well aware of the
true socket state, they just try to replicate it based on sniffing, which doesn’t work very well for stateless protocols I might add. Of course all this sniffing is something the forefathers of the internet never intended us to need to do. I would suggest
you can always implement filters and other security mechanisms on your own devices, which should be done as a matter of best practice regardless. I certainly wouldn’t want to rely on some ‘crap’ CPE given to me by my service provider to protect my end devices
from all the other ‘crap’ out there <span style="font-family:"Segoe UI Emoji",sans-serif">
😊</span></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<hr style="display:inline-block;width:98%">
<div id="m_-2942182690567789323divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><span class=""><b>From:</b> <a href="mailto:fernando.gont.netbook.win@gmail.com" target="_blank">fernando.gont.netbook.win@<wbr>gmail.com</a> <<a href="mailto:fernando.gont.netbook.win@gmail.com" target="_blank">fernando.gont.netbook.win@<wbr>gmail.com</a>> on behalf of Fernando Gont <<a href="mailto:fernando@gont.com.ar" target="_blank">fernando@gont.com.ar</a>><br>
</span><b>Sent:</b> Monday, December 11, 2017 4:00:17 PM<span class=""><br>
<b>To:</b> Kristian McColm<br>
<b>Cc:</b> <a href="mailto:ipv6-ops@lists.cluenet.de" target="_blank">ipv6-ops@lists.cluenet.de</a>; Fernando Gont<br>
<b>Subject:</b> Re: UPnP/IPv6 support in home routers?</span></font>
<div> </div>
</div>
<div>
<div dir="ltr">The crap doesn't get fixed because that's the software development we are used to. Windows 10 was Windows '95 in the '90s. So give the IoT stuff 15-20 years to get to a sensible quality/state/security and/or enough widespread trouble/exploitation.
<div><br>
</div>
<div>Pragmatically speaking, people will connect that crap to the 'net... and the "less connected" such devices are, the better.</div>
<div>So, please, don't remove FWs. :-)</div>
<div><br>
</div>
<div>Cheers,</div>
<div>Fernando</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div><div><div class="h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Dec 11, 2017 at 5:50 PM, Kristian McColm <span dir="ltr">
<<a href="mailto:Kristian.McColm@rci.rogers.com" target="_blank">Kristian.McColm@rci.rogers.<wbr>com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div class="m_-2942182690567789323m_4485947259875688868WordSection1">
<p class="MsoNormal">And therein lies the root of the problem.. the ‘crap’ never gets fixed because it has the firewall isolating it, but this causes problems for devices and applications which are not ‘crap.’ I realize this is more idealistic than pragmatic,
but we will have much smoother network integration if we don’t have to deal with the many problems that so called stateful firewalls bring along with them. Now that IPv6 is set to do away with (P/N)AT, we’re halfway there.
</p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<hr style="display:inline-block;width:98%">
<div id="m_-2942182690567789323m_4485947259875688868divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b>
<a href="mailto:fernando.gont.netbook.win@gmail.com" target="_blank">fernando.gont.netbook.win@gmai<wbr>l.com</a> <<a href="mailto:fernando.gont.netbook.win@gmail.com" target="_blank">fernando.gont.netbook.win@gma<wbr>il.com</a>> on behalf of Fernando Gont
<<a href="mailto:fernando@gont.com.ar" target="_blank">fernando@gont.com.ar</a>><br>
<b>Sent:</b> Monday, December 11, 2017 3:43:27 PM<br>
<b>To:</b> Kristian McColm<br>
<b>Cc:</b> <a href="mailto:ipv6-ops@lists.cluenet.de" target="_blank">ipv6-ops@lists.cluenet.de</a>; Fernando Gont
<div>
<div class="m_-2942182690567789323h5"><br>
<b>Subject:</b> Re: UPnP/IPv6 support in home routers?</div>
</div>
</font>
<div> </div>
</div>
<div>
<div class="m_-2942182690567789323h5">
<div>
<div dir="ltr">Kristian,
<div><br>
</div>
<div>I see no reason for which they should disappear. Actually, quite the opposite; we keep connecting more and more crap to the net (the so called IoT), which clearly cannot defend itself.</div>
<div><br>
</div>
<div>The "principle of least privilege" applies to connectivity, too.</div>
<div><br>
</div>
<div>Thanks!</div>
<div>Fernando</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Dec 11, 2017 at 12:28 PM, Kristian McColm <span dir="ltr">
<<a href="mailto:Kristian.McColm@rci.rogers.com" target="_blank">Kristian.McColm@rci.rogers.co<wbr>m</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div lang="EN-CA" link="blue" vlink="#954F72">
<div class="m_-2942182690567789323m_4485947259875688868m_-7766900305409585934x_WordSection1">
<p class="m_-2942182690567789323m_4485947259875688868m_-7766900305409585934x_MsoNormal">Corporate and/or specific network requirements notwithstanding, in my opinion this is just another example of why in IPv6, firewalls in general could/should be retired. If the end user device
is required to be responsible for it’s own security, it can open the necessary ports via whatever firewall API it provides to applications running on it.</p>
<p class="m_-2942182690567789323m_4485947259875688868m_-7766900305409585934x_MsoNormal"> </p>
</div>
<hr style="display:inline-block;width:98%">
<div id="m_-2942182690567789323m_4485947259875688868m_-7766900305409585934x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> ipv6-ops-bounces+kristian.mcco<wbr>lm=<a href="mailto:rci.rogers.com@lists.cluenet.de" target="_blank">rci.rogers.com@lists.cluene<wbr>t.de</a>
<ipv6-ops-bounces+kristian.mcc<wbr>olm=<a href="mailto:rci.rogers.com@lists.cluenet.de" target="_blank">rci.rogers.com@lists.cluen<wbr>et.de</a>> on behalf of Doug McIntyre <<a href="mailto:merlyn@geeks.org" target="_blank">merlyn@geeks.org</a>><br>
<b>Sent:</b> Monday, December 11, 2017 10:22:39 AM<br>
<b>To:</b> <a href="mailto:ipv6-ops@lists.cluenet.de" target="_blank">ipv6-ops@lists.cluenet.de</a><br>
<b>Subject:</b> Re: UPnP/IPv6 support in home routers?</font>
<div> </div>
</div>
</div>
<div>
<div class="m_-2942182690567789323m_4485947259875688868h5"><font size="2"><span style="font-size:10pt">
<div class="m_-2942182690567789323m_4485947259875688868m_-7766900305409585934PlainText">On Mon, Dec 11, 2017 at 04:03:27PM +0100, Gert Doering wrote:<br>
> On Mon, Dec 11, 2017 at 11:54:15AM +0000, Tom Hill wrote:<br>
> > "Dear Gateway, I am definitely not a compromised host, please open all<br>
> > ports toward me."<br>
> <br>
> But that's the whole idea of UPnP or IGD. Whether you open one port or<br>
> all of them, on request of a possibly-compromised host, is of no relevance.<br>
<br>
<br>
I think the thinking is that since most IPv4 "home" protocols (which<br>
is really only where UPnP exists, since Enterprise class firewalls<br>
almost never want to have anything to do with it), is that most of the<br>
"home" protocols (eg. games, streaming, etc) have mostly converged to<br>
a model not expecting end-to-end connectivity, and hidden behind a NAT<br>
thing, that anything now transitioning to IPv6 will follow suit when<br>
they add that support to whatever needs to punch holes in things,<br>
instead checking in constantly with the "central server" instead of<br>
assuming end-to-end connectivity.<br>
<br>
That said, I think the IPv6 firewalls need better home connectivity<br>
support as well. I once put in a ticket to Fortinet to ask if there<br>
could be made an ACL object that tracked the prefix mask delivered via<br>
DHCP6_PD, such that we could write policies such as<br>
allow remote_ipv6_address ${PREFIX1}::1f5d:50 22<br>
<br>
But that couldn't be impressed on the first tiers of support<br>
what-so-ever. That totally confused them to no end. Unlike my IPv4<br>
address which almost never changes at Comcast, the IPv6 prefixes I get<br>
change on every connection. <br>
<br>
</div>
</span></font><br>
<br>
<br>
<br>
</div>
</div>
<hr width="100%">
This communication is confidential. We only send and receive email on the basis of the terms set out at
<a href="http://www.rogers.com/web/content/emailnotice" target="_blank">www.rogers.com/web/content/ema<wbr>ilnotice</a><br>
<br>
<br>
<br>
Ce message est confidentiel. Notre transmission et réception de courriels se fait strictement suivant les modalités énoncées dans l’avis publié à
<a href="http://www.rogers.com/aviscourriel" target="_blank">www.rogers.com/aviscourriel
</a>
<hr width="100%">
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="m_-2942182690567789323m_4485947259875688868gmail_signature" data-smartmail="gmail_signature">
Fernando Gont<br>
e-mail: <a href="mailto:fernando@gont.com.ar" target="_blank">fernando@gont.com.ar</a> ||
<a href="mailto:fgont@acm.org" target="_blank">fgont@acm.org</a><br>
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1</div>
</div>
</div>
<br>
<br>
<br>
<br>
<hr width="100%">
This communication is confidential. We only send and receive email on the basis of the terms set out at
<a href="http://www.rogers.com/web/content/emailnotice" target="_blank">www.rogers.com/web/content/ema<wbr>ilnotice</a><br>
<br>
<br>
<br>
Ce message est confidentiel. Notre transmission et réception de courriels se fait strictement suivant les modalités énoncées dans l’avis publié à
<a href="http://www.rogers.com/aviscourriel" target="_blank">www.rogers.com/aviscourriel
</a>
<hr width="100%">
</div>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="m_-2942182690567789323gmail_signature" data-smartmail="gmail_signature">Fernando Gont<br>
e-mail: <a href="mailto:fernando@gont.com.ar" target="_blank">fernando@gont.com.ar</a> ||
<a href="mailto:fgont@acm.org" target="_blank">fgont@acm.org</a><br>
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1</div>
</div>
</div></div></div><div><div class="h5">
<br>
<br>
<br>
<br>
<hr width="100%">
This communication is confidential. We only send and receive email on the basis of the terms set out at
<a href="http://www.rogers.com/web/content/emailnotice" target="_blank">www.rogers.com/web/content/<wbr>emailnotice</a><br>
<br>
<br>
<br>
Ce message est confidentiel. Notre transmission et réception de courriels se fait strictement suivant les modalités énoncées dans l’avis publié à
<a href="http://www.rogers.com/aviscourriel" target="_blank">www.rogers.com/aviscourriel </a>
<hr width="100%">
</div></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div><div style="font-size:12.8px">Jan Pedro Tumusok</div><div style="font-size:12.8px">CEO</div><div style="font-size:12.8px">Eye Networks AS</div><div style="font-size:12.8px">Skype: jpedrot | Office phone: <a href="tel:%2B47%2022%2082%2008%2080" value="+4722820880" style="color:rgb(17,85,204)" target="_blank">+47 22 82 08 80</a></div><div style="font-size:12.8px"><a href="https://eyenetworks.no/" style="color:rgb(17,85,204)" target="_blank">https://eyenetworks.no</a> | <a href="https://eyesaas.com/" style="color:rgb(17,85,204)" target="_blank">https://eyesaas.com</a></div></div></div></div></div>
</div>