nanog mailing list archives

Re: IPv6 end user addressing
From: Matthew Moyle-Croft <mmc () internode com au>
Date: Mon, 15 Aug 2011 02:10:05 +0000

The CPE we're providing to our customers from Billion (78xxN/NL, 74xxNX etc) and AVM (Fritz!Box 7290 and 7390) that 
have IPv6 code do have IPv6 stateful firewalls.

Our requirement was that, as much as possible, the IPv4 and IPv6 outcome should be similar (with obvious exceptions 
around NAT).
Without IPv6 having a firewall in the CPE it'd be a difficult thing to convince people to do.

And here I'm speaking about "normal" customers.  The people who've taken up our IPv6 service so far are not typical 
customers but people who are, well, fairly switched on to this stuff.  So we had to look beyond the initial desires of 
our customers to what the general population would want.  (ie. someone who's regularly attending IETF meetings 
typically has a different outlook on what they want in a CPE vs what my Dad wants).


On 14/08/2011, at 5:49 AM, Carlos Martinez-Cagnazzo wrote:

You are assuming (as many, many people do) that public addresses equal
no firewall, and that IPv6 CPEs will have no stateful firewalling.

The thing is, just as they have a stateful firewall now for IPv4 they
will have one for IPv6 as well. The fact that your addressing is
public (or let's say, routeable) does not make a difference.

Again, it is not the NAT layer of your IPv4 CPE that protects you,
it's the stateful firewall.



On Thu, Aug 11, 2011 at 2:52 PM, Greg Ihnen <os10rules () gmail com> wrote:

On Aug 11, 2011, at 1:04 PM, Owen DeLong wrote:

On Aug 11, 2011, at 5:41 AM, Jamie Bowden wrote:

Owen wrote:

-----Original Message-----
From: Owen DeLong [mailto:owen () delong com]
Sent: Wednesday, August 10, 2011 9:58 PM
To: William Herrin
Cc: nanog () nanog org
Subject: Re: IPv6 end user addressing

On Aug 10, 2011, at 6:46 PM, William Herrin wrote:

On Wed, Aug 10, 2011 at 9:32 PM, Owen DeLong <owen () delong com>
Someday, I expect the pantry to have a barcode reader on it
connected back
a computer setup for the kitchen someday.  Most of us already use
readers when we shop so its not a big step to home use.

Nah... That's short-term thinking. The future holds advanced
pantries with
RFID sensors that know what is in the pantry and when they were
what their expiration date is, etc.

And since your can of creamed corn is globally addressable, the rest
of the world knows what's in your pantry too. ;)

This definitely helps explain your misconceptions about NAT as a
security tool.

Globally addressable != globally reachable.

Things can have global addresses without having global reachability.
There are
these tools called access control lists and routing policies. Perhaps
you've heard
of them. They can be quite useful.

And your average home user, whose WiFi network is an open network named
"linksys" is going to do that how?

Because the routers that come on pantries and refrigerators will probably be
made by people smarter than the folks at Linksys?


I respectfully disagree. If appliance manufacturers jump on the bandwagon to make their device *Internet Ready!* we'll 
see appliance makers who have way less networking experience than Linksys/Cisco getting into the fray. I highly doubt 
the pontifications of these Good Morning America technology gurus who predict all these changes are coming to the home. 
Do we really think appliance manufacturers are going to agree on standards for keeping track of how much milk is in the 
fridge, especially as not just manufacturing but also engineering is moving to countries like China? How about the 
predictions that have been around for years about appliances which will alert the manufacturer about impending failure 
so they can call you and you can schedule the repair before there's a breakdown? Remember that one? We don't even have 
an "appliance about to break, call repairman" idiot light on appliances yet.

But I predict the coming of IPv6 to the home in a big way will have unintended consequences.

I think the big shock for home users regarding IPv6 will be suddenly having their IPv4 NAT firewall being gone and all 
their devices being exposed naked to everyone on the internet. Suddenly all their security shortcomings (no passwords, 
"password" for the password etc) are going to have catastrophic consequences. I foresee an exponential leap in the 
number of hacks of consumer devices which will have repercussions well beyond their local network. In my opinion that's 
going to be the biggest problem with IPv6, not all the concerns about the inner workings of the protocols. I'm guessing 
the manufacturers of consumer grade networkable devices are still thinking about security as it applies to LANs with 
RFC 1918 address space behind a firewall and haven't rethought security as it applies to IPv6.


Carlos M. Martinez-Cagnazzo

Matthew Moyle-Croft
Peering Manager and Team Lead - Commercial and DSLAMs
Internode /Agile
Level 5, 150 Grenfell Street, Adelaide, SA 5000 Australia
Email: mmc () internode com au    Web: http://www.on.net
Direct: +61-8-8228-2909      Mobile: +61-419-900-366
Reception: +61-8-8228-2999        Fax: +61-8-8235-6909
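
The point argued in this thread, that a stateful firewall rather than NAT is what keeps unsolicited inbound traffic away from globally addressed hosts, as an added Python sketch (not part of any message above and not any vendor's CPE code). The prefix, addresses and class name are constructed for illustration, and the ICMPv6 handling is a simplification of RFC 4890.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example values (documentation prefix 2001:db8::/32).
LAN_PREFIX = ipaddress.ip_network("2001:db8:1234::/56")  # prefix delegated to the home
HOST, REMOTE = "2001:db8:1234:1::10", "2001:db8:ffff::80"
# ICMPv6 errors that RFC 4890 says must get through: unreachable, packet too big,
# time exceeded, parameter problem. Simplified: not matched against a flow here.
ESSENTIAL_ICMPV6 = {1, 2, 3, 4}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0

class StatefulForwardFilter:
    """Hypothetical model of a CPE forward chain: no NAT, global addresses on the LAN."""
    def __init__(self, lan):
        self.lan = lan
        self.flows = set()   # connection-tracking table (TCP/UDP only in this model)

    def _inside(self, addr):
        return ipaddress.ip_address(addr) in self.lan

    def decide(self, p):
        src_in, dst_in = self._inside(p.src), self._inside(p.dst)
        if src_in and not dst_in:                      # LAN -> WAN
            if p.proto in ("tcp", "udp"):
                self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "accept"
        if dst_in and not src_in:                      # WAN -> LAN
            if p.proto == "icmpv6":
                return "accept" if p.icmp_type in ESSENTIAL_ICMPV6 else "drop"
            reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
            return "accept" if reverse in self.flows else "drop"
        return "drop"                                  # spoofed source or not ours to forward

def demo():
    fw = StatefulForwardFilter(LAN_PREFIX)
    return [
        fw.decide(Packet(REMOTE, HOST, "tcp", 40000, 23)),    # unsolicited inbound
        fw.decide(Packet(HOST, REMOTE, "tcp", 50000, 443)),   # outbound creates state
        fw.decide(Packet(REMOTE, HOST, "tcp", 443, 50000)),   # reply to that flow
        fw.decide(Packet(REMOTE, HOST, "tcp", 443, 50001)),   # same peer, no matching state
        fw.decide(Packet(REMOTE, HOST, "icmpv6", icmp_type=2)),    # Packet Too Big
        fw.decide(Packet(REMOTE, HOST, "icmpv6", icmp_type=128)),  # unsolicited echo request
    ]
```

The host keeps its global address throughout; only traffic matching state created from the inside, plus the essential ICMPv6 errors, is forwarded to it.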
