RE: IPv6 deployment excuses

["Keith Medcalf" <kmedcalf () dessus com>]

This is a non sequitur.

In what way is the blocking of incoming unsolicited connections not a "proper security measure"?

What gives you (or anyone else) the right to "disable" security measures which you (or anyone else) consider "too 
strict"?

How do you arrive at the conclusion that disabling unsolicited incoming connections to software that does not require 
it (and which you do not want to accept such unsolicited incoming connections) is "far less effective" than "proper 
security measures" (and what are those alleged "proper security measures)?

Explain especially in light of built-in crapware which cannot otherwise be removed from the system because it has been 
"integrated" by scattering its parts (with no purpose other than to make the crapware non-removeable) into critical 
components so as to prevent removal without breaking the system?

Please explain how expecting firewall setting to remain set as they have been deliberately set makes one a "security 
zealot"?

If the ACLs on your Cisco router suddenly decided to change all by themselves because Cisco had decided they did not 
like the way you had set them, I am quite sure that you take an entirely different position!


> -----Original Message-----
> From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Mike Hammett
> Sent: Saturday, 2 July, 2016 12:43
> Cc: nanog list
> Subject: Re: IPv6 deployment excuses
>
> Security that is too strict will be disabled and be far less effective
> than proper security measures. Security zealots are often blind to that.
>
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
>
>
> Midwest Internet Exchange
> http://www.midwest-ix.com
>
>
> ----- Original Message -----
>
> From: "Keith Medcalf" <kmedcalf () dessus com>
> To: "nanog list" <nanog () nanog org>
> Sent: Saturday, July 2, 2016 11:41:48 AM
> Subject: RE: IPv6 deployment excuses
>
>
> Yes, the default is "on". An exception is added for EVERY SINGLE PIECE of
> Microsoft Crapware, whether it is needed or not (and in every single case,
> it is not). And if you turn those exceptions "off", then they are turned
> back on by Microsoft and their NSA partners for you, without your
> permission, whenever automatic updates run (and also at other times that I
> have not determined the trigger). You must continuously check that the
> firewall (although ON) remains configured as you configured it, or if
> Microsoft (and their NSA partners) have changed the configuration without
> your permission.
>
> Of course, most people do not bother configuring the firewall and do not
> wonder why every piece of Crapware has in incoming exception, and do not
> bother to turn those off (including some on this list apparently). So they
> will never notice these nefarious doings which have been a hotbed of
> discussion on the Internet for many years.
>
> And this is on the latest distribution of Windows 10 including the
> upcoming anniversary edition and has been that way since at least the
> first version of Windows 8.
>
> Whether or not Windows 7 also behaves the same way I do not know because I
> never ran it.
>
> > -----Original Message-----
> > From: Spencer Ryan [mailto:sryan () arbor net]
> > Sent: Saturday, 2 July, 2016 10:08
> > To: Keith Medcalf
> > Cc: North American Network Operators' Group
> > Subject: RE: IPv6 deployment excuses
> >
> > Windows 8 and 10 with the most recent service packs default the firewall
> > to on with very few inbound exemptions.
> >
> >
> > On Jul 2, 2016 11:38 AM, "Keith Medcalf" <kmedcalf () dessus com> wrote:
> >
> >
> >
> > > There is no difference between IPv4 and IPv6 when it comes to
> > > firewalls and reachability. It is worth noting that hosts which
> > > support IPv6 are typically a lot more secure than older IPv4-only
> > > hosts. As an example every version of Windows that ships with IPv6
> > > support also ships with the firewall turned on by default.
> >
> > Just because the firewall is turned on does not mean that it is
> > configured properly.
> >
> > Every version of Windows that ships with IPv6 support also ships
> > with the Firewall configured in such a fashion that you may as well have
> > it turned off.
> >
> > This is especially true in Windows 8 and later where the firewall is
> > reconfigured without your permission by Microsoft every time you install
> > any update whatsoever back to the "totally insecure" default state --
> and
> > there is absolutely no way to fix this other than to check, every single
> > minute, that the firewall is still configured as you configured it, and
> > not as Microsoft (and their NSA partners) choose to configure it.
> >
> > All versions of Windows 8 and later whether using IPv4 or IPv6 are
> > completely unsuitable for use on a network attached to the Internet by
> any
> > means (whether using NAT or not) that does not include an external (to
> > Windows) -- ie, in network -- statefull firewall over which Windows,
> > Microsoft, (and their NSA partners) have no automatic means of control.
> > If you allow UPnP control of the external statefull firewall from
> Windows
> > version 8 or later, you may as well not bother having any firewall at
> all
> > because it is not under your control.