[190397] in North American Network Operators' Group
RE: IPv6 deployment excuses
daemon@ATHENA.MIT.EDU (Keith Medcalf)
Sat Jul 2 11:38:26 2016
X-Original-To: nanog@nanog.org
Date: Sat, 02 Jul 2016 09:37:13 -0600
In-Reply-To: <CAAAas8HKyPkHXYdAHGMefh8kd71Ocxv5Nmo3Pb2gzLeHwUcNdQ@mail.gmail.com>
From: "Keith Medcalf" <kmedcalf@dessus.com>
To: "nanog list" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
> There is no difference between IPv4 and IPv6 when it comes to
> firewalls and reachability. It is worth noting that hosts which
> support IPv6 are typically a lot more secure than older IPv4-only
> hosts. As an example every version of Windows that ships with IPv6
> support also ships with the firewall turned on by default.
Just because the firewall is turned on does not mean that it is configured =
properly.
Every version of Windows that ships with IPv6 support also ships with the F=
irewall configured in such a fashion that you may as well have it turned of=
f.
This is especially true in Windows 8 and later where the firewall is reconf=
igured without your permission by Microsoft every time you install any upda=
te whatsoever back to the "totally insecure" default state -- and there is =
absolutely no way to fix this other than to check, every single minute, tha=
t the firewall is still configured as you configured it, and not as Microso=
ft (and their NSA partners) choose to configure it.
All versions of Windows 8 and later whether using IPv4 or IPv6 are complete=
ly unsuitable for use on a network attached to the Internet by any means (w=
hether using NAT or not) that does not include an external (to Windows) -- =
ie, in network -- statefull firewall over which Windows, Microsoft, (and th=
eir NSA partners) have no automatic means of control. If you allow UPnP co=
ntrol of the external statefull firewall from Windows version 8 or later, y=
ou may as well not bother having any firewall at all because it is not unde=
r your control.
