[190256] in North American Network Operators' Group
IPv6 Ingress traffic by default
daemon@ATHENA.MIT.EDU (Jared Mauch)
Mon Jun 20 13:38:11 2016
X-Original-To: nanog@nanog.org
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <E67D028D-2A66-453C-9D8B-0AC8FEA88131@delong.com>
Date: Mon, 20 Jun 2016 13:38:07 -0400
To: Owen DeLong <owen@delong.com>
Cc: NANOG list <nanog@nanog.org>, Mark Milhollan <mlm@pixelgate.net>
Errors-To: nanog-bounces@nanog.org
> On Jun 20, 2016, at 1:30 PM, Owen DeLong <owen@delong.com> wrote:
> 
> 
>> On Jun 17, 2016, at 10:10 , Mark Milhollan <mlm@pixelgate.net> wrote:
>> 
>> On Tue, 14 Jun 2016, Owen DeLong wrote:
>>> On Jun 14, 2016, at 11:57 , Ricky Beam <jfbeam@gmail.com> wrote:
>> 
>>>> I've seen many "IPv6 Capable" CPEs that apply ZERO security to IPv6 traffic.
>>> 
>>> Those are by definition poorly designed CPE.
>> 
>> This (open by default vs closed) has been discussed before, with plenty
>> of people on either side.
>> 
>> 
>> /mark
> 
> I’m unaware of anyone advocating open inbound by default residential CPE.

I’m sure changing the subject line will draw out the purists at heart :)

> I’m not saying they don’t exist, but I can’t imagine how anyone could possibly defend that position rationally.

I think certain things, e.g. SSH, would be ‘safe-ish’ to support ingress, but at the same time, you connect something like a Raspberry Pi w/ global V6 and someone is doing honeypot stuff in pool.ntp.org, you may get someone doing ssh pi/raspberry with automation before you can even change the passwords.

> I’m pretty much in favor of open by default in most things, but for inbound traffic to residential CPE? Even I find that hard to rationalize.

What I find frustrating is that my current ISP requires a managed CPE where I can disable the IPv6 firewall so I can access devices at home over IPv6, but there is no way to download/upload the config, and they don’t store it on their side either. This means when a device is swapped, it must be reprogrammed to disable this stuff, meaning I must be on-site or have something phone-home to disable their DHCP server and other elements.

I also can’t triage why it keeps rebooting every few days as it doesn’t tell me anything about debug logs, if it uploaded a core file, etc.

I’m guessing there is some ‘exotic’ L2 traffic I have that is hosing it, but haven’t gone so far as to tcpdump the entire network for the possible offending traffic.

- Jared
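The thread argues over "closed inbound by default" for residential IPv6 CPE, and Jared's reply raises the two things a practitioner then wants: a deliberate pinhole for one service (SSH to one host) rather than an all-or-nothing "disable the IPv6 firewall" switch, and a policy that still lets ICMPv6 and Neighbor Discovery through so IPv6 keeps working. The ruleset below is an added example written for this page; it is not code from the thread, from any of the posters, or from any ISP's CPE. The interface names `wan0` and `lan0`, the LAN prefix `2001:db8:1::/64` (documentation space) and the SSH host `2001:db8:1::22` are assumptions chosen for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread): a "closed inbound by default" IPv6
# policy for a home CPE as an nftables ruleset. Assumed names/addresses:
# WAN interface wan0, LAN interface lan0, delegated LAN prefix
# 2001:db8:1::/64 (documentation prefix), and one LAN host 2001:db8:1::22
# that is deliberately reachable on SSH from outside.

define wan = "wan0"
define lan = "lan0"
define lan_prefix = 2001:db8:1::/64
define ssh_host = 2001:db8:1::22

table ip6 cpe {
    # Traffic addressed to the CPE itself.
    chain input {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Neighbor Discovery and MLD must pass or IPv6 stops working on the
        # link; the error and echo types are the RFC 4890 "must not drop" set.
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query, mld-listener-report, mld-listener-done, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # DHCPv6 replies from the ISP to the CPE's WAN-side client.
        iifname $wan udp sport 547 udp dport 546 accept

        # Services the CPE offers to the LAN side only: DNS, DHCPv6 server,
        # and management (SSH/HTTPS). Nothing of this is reachable from WAN.
        iifname $lan udp dport { 53, 547 } accept
        iifname $lan tcp dport { 53, 22, 443 } accept
    }

    # Traffic routed between LAN and WAN.
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Outbound from the LAN is open, but only with a source address inside
        # the delegated prefix (customer-side anti-spoofing, BCP 38).
        iifname $lan oifname $wan ip6 saddr $lan_prefix accept

        # Inbound to LAN hosts: only the ICMPv6 error/echo types needed for
        # path MTU discovery and reachability, then explicit pinholes.
        iifname $wan oifname $lan icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # The one deliberate pinhole: new SSH sessions to a single LAN host.
        # Extend with one line per exposed service instead of turning the
        # whole firewall off.
        iifname $wan oifname $lan ip6 daddr $ssh_host tcp dport 22 ct state new accept

        # Everything else from the WAN hits the chain policy (drop); log it at
        # a bounded rate so the CPE's log cannot be flooded from outside.
        iifname $wan limit rate 10/minute log prefix "cpe6-drop: "
    }
}
```

Load it with `nft -f <file>` on a Linux-based CPE. The design point is that the default policy on both chains is `drop`, replies to LAN-initiated sessions come back through conntrack, and every inbound exception is an explicit, reviewable line; the ICMPv6 allow sets are what keep a closed-by-default IPv6 policy from silently breaking PMTUD and Neighbor Discovery, which is the usual reason people end up disabling the CPE firewall altogether.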