Mailing List Archive

CPE Residential IPv6 Security Poll
Hi all.

In light of a new discussion blossoming in Norway, we are curious about the IPv6 security policy different ISPs have adopted. So it would be very helpful if you could do a quick response, either here or directly to me, on the following questions:

Which security policy are you using for your residential IPv6-enabled CPEs? (RFC 6092, fully open, balanced or other)

Why did you adopt this policy?

Any good or not so good experience with the choice?

All answers are very much appreciated, and I will post the results here after a week or so. Thank you very much.

Best Regards
Ragnar Anfinsen

Chief Architect CPE
IP Address Architect
Infrastructure
Technology
Altibox AS

E-mail: ragnar.anfinsen@altibox.no
www.altibox.no<http://www.altibox.no/>

Re: CPE Residential IPv6 Security Poll
On Mon, 19 Sep 2016 12:32:27 +0000, Anfinsen, Ragnar wrote:
> Hi all.
>
> In light of a new discussion blossoming in Norway, we are curious
> about the IPv6 security policy different ISPs have adopted. So it
> would be very helpful if you could do a quick response, either here
> or directly to me, on the following questions:
>
> Which security policy are you using for your residential IPv6-enabled
> CPEs? (RFC 6092, fully open, balanced or other)
>
> Why did you adopt this policy?
>
> Any good or not so good experience with the choice?
>
> All answers are very much appreciated, and I will post the results
> here after a week or so. Thank you very much.

Not really for residential, but business/governmental related. We just
added IPv6 addresses to the IPv4 rule object and went on as before.
I guess none of the users know they are using IPv6 around 75-80% of
the time internally, or 20-30% on their external traffic either :-)



---

------------------------------
Roger Jorgensen | - ROJO9-RIPE
roger@jorgensen.no | - The Future is IPv6
-------------------------------------------------------

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
Re: CPE Residential IPv6 Security Poll
hey,

> I guess none of the users know they are using IPv6 around 75-80% of
> the time internal, or 20-30% on their external traffic either:-)

Indeed. I've been spreading knowledge about our deployment to our
customers and most of them have been amazed that they had no idea :) But
they have never had any trouble so overall feedback is still positive.

--
tarko
Re: CPE Residential IPv6 Security Poll
When we were still doing DSL I brought IPv6 online, but the only way our
customers could access it was to have the DSL modem/CPE in bridged mode,
and run their own router which was IPv6 compliant. Thus the "CPE"
security policy was whatever the router vendor defaulted. Our
observation was that the customers who didn't understand routing and
firewalling tended to buy lower-end routers that defaulted to blocking
any inbound traffic trying to initiate a connection, while the customers
who did understand it tended to buy Cisco routers and other higher-end
routers that defaulted to permit any any both directions - but since
they knew what they were doing, they would install their own security
policy.

IMHO a CPE that supports IPv6 should be designed to default to
blocking inbound traffic on IPv6 but contain a provision for disabling
that AND a provision for disabling the entire CPE and the customer using
their own gear.

That way, you are not screwing over your ignorant customers by leaving
their networks wide open, and you are not screwing over your advanced
customers who want to use their own gear and/or provide IPv6-enabled
services on the Internet.

This kind of mirrors the "default" security policy on IPv4 CPEs (since
those CPEs have NAT automatically turned on, which creates a "block in,
permit out" kind of approach), so I'm not sure why you would want to
default it to being different for IPv6.

Ted

On 9/19/2016 5:32 AM, Anfinsen, Ragnar wrote:

Re: CPE Residential IPv6 Security Poll
Ted Mittelstaedt <tedm@ipinc.net> writes:

> This kind of mirrors the "default" security policy on IPv4 CPEs (since
> those CPE's have NAT automatically turned on which creates a "block in,
> permit out" kind of approach.) so I'm not sure why you would want to
> default it to being different for IPv6.

I was given one reason today: No CPEs implement UPnP support for
IPv6 [1].

This makes the effect of the similar IPv4 and IPv6 policies quite
different. UPnP aware applications will set up the necessary NAT rules
for IPv4, allowing inbound connections etc. But if you want the same
applications to work over IPv6, then the policy must be more open by
default. Letting the user disable IPv6 filtering is not going to help
the masses I'm afraid...

So the question remains: What do ISPs actually do to
- allow IPv6, and
- secure the end users' networks, and
- not break dual stack applications wanting incoming connections

all at the same time? Looks like a classical "pick any two".



Bjørn

[1] I'm sure someone will come up with an obscure and expensive example
of the contrary - the point is that IPv6 UPnP support is not readily
available in the residential CPE market.
Re: CPE Residential IPv6 Security Poll
I can tell you that -today- in my location both CenturyLink and Comcast
(giant ISPs) supply IPv6 by default on their residential CPEs - and both
of those CPEs have "inbound block outbound allow" on by default on IPv6.
As far as I know neither supports UPnP on IPv6.

I think you are overthinking this. If a CPE has no IPv6 support but it
has UPnP support over IPv4 then things "work". If a CPE has IPv6
support but no UPnP support over IPv6, then things are also going to
"work" - on IPv4. They may break on IPv6 with a "block everything" IPv6
rule, in which case the end user is undoubtedly going to complain to the
toaster manufacturer, not you, and that toaster maker is either
going to tell their customer "disable IPv6 on your ISP CPE" or they are
going to fix their toaster so that it doesn't try using UPnP over IPv6,
only IPv4.

Your job is to not assume your customers are all morons. It is to make
it safe for the ones who are, and make it usable for the ones who aren't
and want to run their own show. Provide the needed buttons in the CPE
to enable or disable IPv6 and to allow your customers to shut off your
CPE's interference and be done with it.

As an ISP you of all people should understand how powerful the Internet
is. If you make your stuff configurable for power users, and document
it, then the Ma & Pa Kettle customers are going to engage their friend's
son who IS a power user and can search the Internet and follow simple
directions and fix their problem with their web cam or whatever it is
that is demanding UPnP.

If however you default to open, then when Ma & Pa Kettle eventually get
cracked, and call in the power user, that power user is going to
discover your default firewall on IPv6 is open and realize that you
created a whole bunch of work for him since he will now have to
put back together a PC for the morons. He isn't going to appreciate
that and will badmouth you online.

Nobody with brains is going to go online and badmouth an ISP that
supplies a CPE that has defaults that err on the side of
protection-of-morons. But they are going to badmouth an ISP that
supplies a CPE that has defaults that allow morons to get easily
broken into - because it's them who are going to be sucked into
putting those systems back together. And they are really going to
badmouth an ISP that supplies a CPE that can't have its internal
firewall turned off.

Ted

On 9/19/2016 1:29 PM, Bjørn Mork wrote:

Re: CPE Residential IPv6 Security Poll
I'm dealing with the CPEs for Telenor here in Norway, and am indeed a part of the Norwegian discussion.

Today we block incoming traffic to protect the customers. We seek to have the same security policy as for IPv4, meaning a stateful firewall which the customer can configure if they want to. The reason is partly internal policy (Telenor seeks to be seen as the secure internet provider in Norway; disabling firewalls and allowing all of the internet's deviants access to the NAS with pictures of your children seems like a bad marketing move). We also hoped that UPnP/PCP would be actively used in IPv6, punching firewall holes as needed. But that seems not to get any traction.

As for customer complaints, none. But that does not mean that the customers are not suffering. It may just as well be that the application reverts to UPnP/STUN over IPv4, or fails without the customer being able to diagnose why.



-Erik
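The "block inbound, allow outbound, stateful, customer-configurable" IPv6 default Erik describes, with the runtime pinhole mechanism that Bjørn's PCP/UPnP point asks for, written out as an nftables ruleset. This is an added example from the editor, not configuration from Telenor or anyone in the thread; the interface names wan0/lan0, the delegated prefix 2001:db8:1::/48 and the pinhole address are placeholders.

```nft
#!/usr/sbin/nft -f
# Added example: RFC 6092-style "simple security" default for an IPv6 CPE.
# Assumptions (placeholders): WAN interface wan0, LAN interface lan0,
# delegated prefix 2001:db8:1::/48. Needs nftables 1.0 or newer for "th".

define wan = "wan0"
define lan = "lan0"
define lan_prefix = 2001:db8:1::/48

table ip6 cpe {
    # Pinholes the subscriber (or a PCP/UPnP daemon, if the CPE ever gets
    # one) can add at runtime without touching the base policy, e.g.:
    #   nft add element ip6 cpe pinholes { 2001:db8:1::10 . tcp . 22 }
    set pinholes {
        type ipv6_addr . inet_proto . inet_service
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Stateful core: replies to flows the LAN initiated are allowed
        ct state established,related accept
        ct state invalid drop

        # LAN -> Internet: allow everything outbound, but only from our
        # own prefix (also stops a spoofed source leaving the home)
        iifname $lan oifname $wan ip6 saddr $lan_prefix accept

        # Internet -> LAN: new connections only where a pinhole exists
        iifname $wan oifname $lan ct state new \
            ip6 daddr . meta l4proto . th dport @pinholes accept

        # ICMPv6 errors that IPv6 needs end to end (PMTUD etc.)
        iifname $wan oifname $lan icmpv6 type {
            destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem
        } accept

        # Anything else unsolicited from the WAN hits the drop policy.
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # The CPE itself must do DHCPv6 and Neighbor Discovery on the WAN
        iifname $wan udp dport 546 accept
        iifname $wan icmpv6 type {
            destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem,
            nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert,
            echo-request
        } accept

        # Management (web UI, DHCPv6/RA to the home) only from the LAN side
        iifname $lan accept
    }
}
```

Toggling the whole thing off for the power user who runs their own gear is then `nft delete table ip6 cpe`, while the pinhole set lets a customer (or an IPv6-capable PCP daemon) open exactly one service without going fully open.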


________________________________________
From: ipv6-ops-bounces+erik.taraldsen=telenor.com@lists.cluenet.de <ipv6-ops-bounces+erik.taraldsen=telenor.com@lists.cluenet.de> on behalf of Anfinsen, Ragnar <Ragnar.Anfinsen@altibox.no>
Sent: 19 September 2016 14:32
To: IPv6 Ops list
Subject: CPE Residential IPv6 Security Poll

Re: CPE Residential IPv6 Security Poll
With all due respect to the actual power users out there: for each one of them, there are at least 20 who think they are power users but base their knowledge on rumors and misconceptions. They are often vocal (forums and comments on news sites) and they are the ones who often are enlisted to help Ma & Pa Kettle. At least that is what we see a lot of in Norway. They simply do not have the ability to correctly diagnose the issues. Solutions often involve "you need bigger antennas on the router", "Apple routers are always the best", "the ISP-supplied router always sucks".

So Bob-the-power-user buys the expensive huge-antenna router and installs it at M&PK. It does not have dual stack, therefore the application at M&PK never tries IPv6 and the older UPnP solution works for them. Bob gets a reconfirmation that big antennas help, and that the ISP router sucks. Whereas a simpler and cheaper solution would be to modify the firewall settings of the ISP router.

Since I represent the ISP and specifically the ISP-supplied router (where we do patch security flaws, add features, optimise DSL and wlan drivers, attack bufferbloat and give the customers the possibility of remote support, unlike a lot of retail products which often have to live with the software they were shipped with): how do we set up the router's IPv6 settings in such a way that Bob-the-power-user does not have to be called in by M&PK to fix their broken app/network, but still maintain a level of security for them? Is some sort of balanced policy the way to go? Should we again push our vendors for PCP/UPnP support?



-Erik


________________________________________
From: ipv6-ops-bounces+erik.taraldsen=telenor.com@lists.cluenet.de <ipv6-ops-bounces+erik.taraldsen=telenor.com@lists.cluenet.de> on behalf of Ted Mittelstaedt <tedm@ipinc.net>
Sent: 19 September 2016 23:23
To: Bjørn Mork
CC: ipv6-ops@lists.cluenet.de
Subject: Re: CPE Residential IPv6 Security Poll


Re: CPE Residential IPv6 Security Poll
Hi,

> Should we again push our vendors for PCP/UPnP support?

Sounds like a chicken&egg problem that needs to be solved. Applications won't implement PCP/UPnP support for IPv6 because no router is offering the service, and routers won't implement it because no application is going to use it.

I think we need to push the router side to support it, so that it becomes interesting for applications to try to use it (and give developers the ability to test it).

Cheers,
Sander
Re: CPE Residential IPv6 Security Poll
Hi Ragnar and list,

as far as I can tell, little has changed at least in Germany since our
last discussion on this (except that I've since sobered up again:-)

I guess you won't be surprised that I still share the same opinion as
Ted:-)

So far all I've consciously seen on consumer CPEs is "per default, allow
all outbound, block all inbound". I'm not sure if there are any ultra
cheap CPEs out that don't even let users configure inbound rules, but
I've never had the need to deal with anything like that.

However, one rather interesting thing has changed here: Since August
this year, ISPs can by law no longer force their customers in Germany to
use the CPE they provide. The implications here are yet to appear, but
one possible effect might be that the ISPs move away from the
all-features-you-never-wanted-plus-some-extra CPEs they so far forced on
their customers to minimalistic devices they can just manage via TR-069
or similar (reaching a setup similar to the old NT1/NT2 split with ISDN
in Europe), eventually leaving the filtering to the end user again.

With business customers the range obviously goes from "consumer grade is
good enough so why use anything else" for small businesses to dark fiber
for customers running their own AS.


Cheers,

Benedikt

--
Benedikt Stockebrand, Stepladder IT Training+Consulting
Dipl.-Inform. http://www.stepladder-it.com/

Business Grade IPv6 --- Consulting, Training, Projects

BIVBlog---Benedikt's IT Video Blog: http://www.stepladder-it.com/bivblog/
Re: CPE Residential IPv6 Security Poll
Hi,

Was this one of the questions asked in Jordi’s survey? I’m not sure I’ve seen the results published as yet, but he got a fantastic level of response (over 200 iirc)… Jordi? :)

Tim

> On 20 Sep 2016, at 13:44, Benedikt Stockebrand <bs@stepladder-it.com> wrote:
Re: CPE Residential IPv6 Security Poll
No, I didn’t include anything about security, unfortunately (now I realize I missed it!). I will consider upgrading the actual questions or making a specific one related to security …

I’ve already got over 1,100 responses, and I’m waiting for Korean ISPs to start responding … I think it is the only country which hasn’t responded at all.

I did a quick presentation about the data both in the last v6ops and IEPG meetings. Will do a new presentation at the next LACNIC meeting and hopefully at the next RIPE one.

Regards,
Jordi


-----Original Message-----
From: <ipv6-ops-bounces+jordi.palet=consulintel.es@lists.cluenet.de> on behalf of Tim Chown <Tim.Chown@jisc.ac.uk>
Reply to: <Tim.Chown@jisc.ac.uk>
Date: Tuesday, 20 September 2016, 14:50
To: Benedikt Stockebrand <bs@stepladder-it.com>, Jordi Palet Martinez <jordi.palet@consulintel.es>
CC: IPv6 Ops list <ipv6-ops@lists.cluenet.de>, "Anfinsen, Ragnar" <Ragnar.Anfinsen@altibox.no>
Subject: Re: CPE Residential IPv6 Security Poll

Re: CPE Residential IPv6 Security Poll
Hi,

Thanks Jordi. And yes, hindsight is always easy!

It would be nice to have a survey report document online for anyone to read, to complement various powerpoint decks you’ve used.

Amazing to get such a large response - well done :)

Tim

> On 20 Sep 2016, at 14:49, JORDI PALET MARTINEZ <jordi.palet@consulintel.es> wrote:
Re: CPE Residential IPv6 Security Poll
I’ve promised an article to RIPE and APNIC … will work on it once I have the Korean data … hopefully in a couple of weeks …

If somebody can help to disseminate the survey among Korean ISPs, please let me know!

In case someone on this list still hasn’t responded, here is the link:

http://survey.consulintel.es/index.php/175122

Regards,
Jordi


-----Original Message-----
From: Tim Chown <Tim.Chown@jisc.ac.uk>
Reply to: <Tim.Chown@jisc.ac.uk>
Date: Tuesday, 20 September 2016, 15:55
To: "jordi.palet@consulintel.es" <jordi.palet@consulintel.es>
CC: Benedikt Stockebrand <bs@stepladder-it.com>, IPv6 Ops list <ipv6-ops@lists.cluenet.de>, "Anfinsen, Ragnar" <Ragnar.Anfinsen@altibox.no>
Subject: Re: CPE Residential IPv6 Security Poll

Hi,

Thanks Jordi. And yes, hindsight is always easy!

It would be nice to have a survey report document online for anyone to read, to complement various powerpoint decks you’ve used.

Amazing to get such a large response - well done :)

Tim

> On 20 Sep 2016, at 14:49, JORDI PALET MARTINEZ <jordi.palet@consulintel.es> wrote:
>
> No, didn’t included anything about security, unfortunately (now I realize having missed it !) I will consider upgrading the actual questions or making a specific one related to security …
>
> I’ve got already over 1.100 responses, and I’m waiting for Korean ISPs to start responding … I think is the only country which didn’t responded at all.
>
> I did a quick presentation about the data both in the last v6ops and IEPG meetings. Will do a new presentation at the next LACNIC meeting and hopefully at the next RIPE one.
>
> Regards,
> Jordi
>
>
> -----Original Message-----
> From: <ipv6-ops-bounces+jordi.palet=consulintel.es@lists.cluenet.de> on behalf of Tim Chown <Tim.Chown@jisc.ac.uk>
> Reply to: <Tim.Chown@jisc.ac.uk>
> Date: Tuesday, 20 September 2016, 14:50
> To: Benedikt Stockebrand <bs@stepladder-it.com>, Jordi Palet Martinez <jordi.palet@consulintel.es>
> CC: IPv6 Ops list <ipv6-ops@lists.cluenet.de>, "Anfinsen, Ragnar" <Ragnar.Anfinsen@altibox.no>
> Subject: Re: CPE Residential IPv6 Security Poll
>
> Hi,
>
> Was this one of the questions asked in Jordi’s survey? I’m not sure I’ve seen the results published as yet, but he got a fantastic level of response (over 200 iirc)… Jordi? :)
>
> Tim
>
>> On 20 Sep 2016, at 13:44, Benedikt Stockebrand <bs@stepladder-it.com> wrote:
>>
>> Hi Ragnar and list,
>>
>> as far as I can tell, little has changed at least in Germany since our
>> last discussion on this (except that I've since sobered up again:-)
>>
>> I guess you won't be surprised that I still share the same opinion as
>> Ted:-)
>>
>> So far all I've consciously seen on consumer CPEs is "per default, allow
>> all outbound, block all inbound". I'm not sure if there are any ultra
>> cheap CPEs out that don't even let users configure inbound rules, but
>> I've never had the need to deal with anything like that.
>>
>> However, one rather interesting thing has changed here: Since August
>> this year, ISPs can by law no longer force their customers in Germany to
>> use the CPE they provide. The implications here are yet to appear, but
>> one possible effect might be that the ISPs move away from the
>> all-features-you-never-wanted-plus-some-extra CPEs they so far forced on
>> their customers to minimalistic devices they can just manage via TR-069
>> or similar (reaching a setup similar to the old NT1/NT2 split with ISDN
>> in Europe), eventually leaving the filtering to the end user again.
>>
>> With business customers the range obviously goes from "consumer grade is
>> good enough so why use anything else" for small businesses to dark fiber
>> for customers running their own AS.
>>
>>
>> Cheers,
>>
>> Benedikt
>>
>> --
>> Benedikt Stockebrand, Stepladder IT Training+Consulting
>> Dipl.-Inform. http://www.stepladder-it.com/
>>
>> Business Grade IPv6 --- Consulting, Training, Projects
>>
>> BIVBlog---Benedikt's IT Video Blog: http://www.stepladder-it.com/bivblog/
>>
>
Re: SV: CPE Residential IPv6 Security Poll [ In reply to ]
Erik,

I think you have to follow these precepts (keep in mind this is an
American capitalist perspective not a European cooperative socialist
perspective)

1) You got the money, tell your vendors to either do what you want (put
IPv6 UPnP in CPEs they sell you) or you are going to kick their ass.
It's your money! They want your money do they not? That's why they are
selling CPEs to you - so why do you tolerate any crap from them? Tell
them either put UPnP in the code or you're going elsewhere for your CPEs
and you are going to tell all your other ISP friends to go elsewhere for
their CPEs. Enough Mr. Nice Guy.

2) It's not your problem if Ma & Pa Kettle find a wannabe power user.
If you don't like being bad-mouthed by wannabe power users on the online
forums then get your ass on the online forums and start engaging.
Refute those "need bigger antennas" posts with logic and reason.
I guarantee to you that 1 correct post is worth 100 baloney posts from
wannabe power users.

3) How on Earth can you make the case that your ISP router patches
security holes and adds features yet turn around and claim that you
can't push your CPE vendors to add UPnP support? Either you have power
to get your CPE vendors to issue updates or not. If you do - then
quit complaining that no CPEs have UPnP support for IPv6. If you
don't - then quit claiming your CPE is better.

4) What is your customers' perception of what they are paying for and
what are they REALLY paying for? If they think they are paying for
access only - and you think they are paying for access plus your
management of their network CPE - then I can see why you might be
wondering why they aren't complaining to you when there's a problem
and going to the wannabe power users. Maybe you just need to do some
more customer education?

Ted

On 9/20/2016 1:24 AM, erik.taraldsen@telenor.com wrote:
> With all due respect to the actual power users out there. For each one of them, there are at least 20 who think they are power users and who base their knowledge on rumors and misconceptions. They are often vocal (forums and comments on news sites) and they are the ones who often are enlisted to help Ma & Pa Kettle. At least that is what we see a lot of in Norway. They simply do not have the ability to correctly diagnose the issues. Solutions often involve "you need bigger antennas on the router", "Apple routers are always the best", "the ISP supplied router always sucks".
>
> So Bob-the-power-user buys the expensive huge-antenna router and installs it at M&PK. It does not have dual stack, therefore the application at M&PK never tries IPv6 and the older UPnP solution works for them. Bob gets a reconfirmation that big antennas help, and that the ISP router sucks. Where a simpler and cheaper solution would be to modify the firewall settings of the ISP router.
>
> Since I represent the ISP and specifically the ISP supplied router (where we do patch security flaws, add features, optimise DSL and wlan drivers, attack bufferbloat and give the customers the possibility of remote support. Unlike a lot of retail products which often have to live with the software they were shipped with). How do we set up the router's IPv6 settings in such a way that Bob-the-power-user does not have to be called in by M&PK to fix their broken app/network, but still maintain a level of security for them? Is some sort of balanced the way to go? Should we again push our vendors for PCP/UPnP support?
>
>
>
> -Erik
>
>
> ________________________________________
> From: ipv6-ops-bounces+erik.taraldsen=telenor.com@lists.cluenet.de<ipv6-ops-bounces+erik.taraldsen=telenor.com@lists.cluenet.de> on behalf of Ted Mittelstaedt<tedm@ipinc.net>
> Sent: 19 September 2016 23:23
> To: Bjørn Mork
> Cc: ipv6-ops@lists.cluenet.de
> Subject: Re: CPE Residential IPv6 Security Poll
>
> I can tell you that -today- in my location both CenturyLink and Comcast
> (giant ISPs) supply IPv6 by default on their residential CPEs - and both
> of those CPEs have "inbound block outbound allow" on by default on IPv6.
> As far as I know neither supports UPnP on IPv6.
>
> I think you are overthinking this. If a CPE has no IPv6 support but it
> has UPnP support over IPv4 then things "work". If a CPE has IPv6
> support but no UPnP support over IPv6, then things are also going to
> "work" - on IPv4. They may break on IPv6 with a "block everything" IPv6
> rule in which case the end user is undoubtedly going to complain to the
> toaster manufacturer not you, and that toaster maker is either
> going to tell their customer "disable ipv6 on your ISP CPE" or they are
> going to fix their toaster so that it doesn't try using UPnP over IPv6,
> only IPv4.
>
> Your job is to not assume your customers are all morons. It is to make
> it safe for the ones who are, and make it usable for the ones who aren't
> and want to run their own show. Provide the needed buttons in the CPE
> to enable or disable IPv6 and to allow your customers to shut off your
> CPE's interference and be done with it.
>
> As an ISP you of all people should understand how powerful the Internet
> is. If you make your stuff configurable for power users, and document
> it, then the Ma& Pa Kettle customers are going to engage their friend's
> son who IS a power user and can search the Internet and follow simple
> directions and fix their problem with their web cam or whatever it is
> that is demanding UPnP.
>
> If however you default to open, then when Ma& Pa Kettle eventually get
> cracked, and call in the power user, that power user is going to
> discover your default firewall on IPv6 is open and realize that you
> created a whole bunch of work for him since he will now have to
> put back together a PC for the morons. He isn't going to appreciate
> that and will badmouth you online.
>
> Nobody with brains is going to go online and badmouth an ISP that
> supplies a CPE that has defaults that err on the side of
> protection-of-morons. But they are going to badmouth an ISP that
> supplies a CPE
> that has defaults that allow morons to get easily broken into - because
> it's them who are going to be sucked into putting those systems back
> together. And they are really going to badmouth an ISP that supplies a
> CPE that can't have its internal firewall turned off.
>
> Ted
>
> On 9/19/2016 1:29 PM, Bjørn Mork wrote:
>> Ted Mittelstaedt<tedm@ipinc.net> writes:
>>
>>> This kind of mirrors the "default" security policy on IPv4 CPEs (since
>>> those CPE's have NAT automatically turned on which creates a "block in,
>>> permit out" kind of approach.) so I'm not sure why you would want to
>>> default it to being different for IPv6.
>>
>> I was explained one reason today: No CPEs implement UPnP support for
>> IPv6 [1].
>>
>> This makes the effect of the similar IPv4 and IPv6 policies quite
>> different. UPnP aware applications will set up the necessary NAT rules
>> for IPv4, allowing inbound connections etc. But if you want the same
>> applications to work over IPv6, then the policy must be more open by
>> default. Letting the user disable IPv6 filtering is not going to help
>> the masses I'm afraid...
>>
>> So the question remains: What do ISPs actually do to
>> - allow IPv6, and
>> - secure the end users' networks, and
>> - not break dual stack applications wanting incoming connections
>>
>> all at the same time? Looks like a classical "pick any two".
>>
>>
>>
>> Bjørn
>>
>> [1] I'm sure someone will come up with an obscure and expensive example
>> of the contrary - the point is that IPv6 UPnP support is not readily
>> available in the residential CPE market.
>
> ---
> This email has been checked for viruses by Avast antivirus software.
> https://www.avast.com/antivirus
>

Re: SV: CPE Residential IPv6 Security Poll [ In reply to ]
Hi Ted and list,

Ted Mittelstaedt <tedm@ipinc.net> writes:

> 1) You got the money, tell your vendors to either do what you want
> (put IPv6 UPnP in CPEs they sell you) or you are going to kick their
> ass. It's your money! [...]

that only works if you're big enough for that. If you're a small local
ISP (and I've done the odd training/consulting job with these) this is
frequently not an option.

Plus, as an ISP you may be unable to dictate to your customers what CPE to
use. We've recently had a law introduced here (Germany) aimed at
preventing ISPs from forcing their CPEs down people's throats.

And finally, especially in a market which is largely price driven,
you're sometimes bound to buy the cheapest CPEs on the market. And
these then turn out to be so cheap because they have so little resources
that UPnP can't be implemented in them.

> 2) It's not your problem if Ma & Pa Kettle find a wannabe power
> user.

That's too simple. As soon as they call your first level support, then
it becomes your problem if only because you need to pay your first level
supporters.

> If you don't like being bad-mouthed by wannabe power users on the
> online forums then get your ass on the online forums and start
> engaging.

Definitely. But again, that involves paying people for doing so.

> Refute those "need bigger antennas" posts with logic and reason.

Hmm, that can actually be kind of tricky. If your organization has a
reputation of talking your way out of the problems you have, this will
be difficult at best.

There's a fairly large SIP operator (sipgate) here in Germany who for
quite some time has told people that their service not working over
DS-Lite was entirely a problem between the customer and their ISP,
giving technical reasons you can quite likely figure out yourself. With
DS-Lite gaining more and more of a foothold here---and at least one
major ISP slipstreaming that on existing lines without notifying the
customers---technical explanations are exactly not what to tell people
whose phones suddenly stopped working.

Once you screw your customer relation up with this sort of stunt it
takes a lot of time (and marketing) to fix that up again.


Cheers,

Benedikt

--
Benedikt Stockebrand, Stepladder IT Training+Consulting
Dipl.-Inform. http://www.stepladder-it.com/

Business Grade IPv6 --- Consulting, Training, Projects

BIVBlog---Benedikt's IT Video Blog: http://www.stepladder-it.com/bivblog/
Re: SV: CPE Residential IPv6 Security Poll [ In reply to ]
On 2016-09-21 13:49, Benedikt Stockebrand wrote:
[..]
> There's a fairly large SIP operator (sipgate) here in Germany who for
> quite some time has told people that their service not working over
> DS-Lite was entirely a problem between the customer and their ISP,
> giving technical reasons you can quite likely figure out yourself. With
> DS-Lite gaining more and more of a foothold here---and at least one
> major ISP slipstreaming that on existing lines without notifying the
> customers---technical explanations are exactly not what to tell people
> whose phones suddenly stopped working.
>
> Once you screw your customer relation up with this sort of stunt it
> takes a lot of time (and marketing) to fix that up again.

sipgate messed up by not upgrading to IPv6 (though, yeah find an IPv6
SIP capable device, they are quite rare ;) which they knew was coming
and could have solved, as that clearly is a business case
(still waiting for Gigaset to make IPv6 upgrades...)

... this while Liberty Global is abusing their monopoly in all of Europe
by forcing people (without notification or contract change; well they
did remove the word "IPv4" from their new contracts at one point) onto
DS-Lite because "we are out of IPv4" while their business customers, who
are paying significantly more, cannot even get IPv6 even though they are
asking for it.

Oh, and yes, poor people who don't get proper IPv4 anymore and are still
waiting for Sony to make a move to IPv6; though apparently at least IPv6
addresses are now being configured since 4.00; that quite breaks
multiplayer games though...

It is sad that people didn't bother to listen and that literally
thousands are now noticing how crappily the industry handled this
"transition" to IPv6, as many ISPs seem to make it a flag day: one day
you have IPv4, the next you have broken IPv4 + 'working' IPv6...


The major mistake that ISPs are making here btw is marketing:
they are not informing their users

nor did they ask (or look with netflow) who are using IPv4 in a way that
would not work with the AFTR stuff they just push onto them.

I guess the loss of customers (for the few who have the choice to
change; many are stuck in monopoly situations) or the amount of support
desk calls costs less than the money expected to be made by selling
IPv4 service to other parts of the company.

Sad that the Internet is so commercial and not about letting people
communicate... :(

Greets,
Jeroen
Re: SV: CPE Residential IPv6 Security Poll [ In reply to ]
On 21.09.2016 at 14:58, Jeroen Massar wrote:
> The major mistake that ISPs are making here btw is marketing:
> they are not informing their users

I am not sure about this advice.

(I read the forum from vodafone, telekom and unitymedia in Germany daily)

One similar example: VOIP

The Deutsche Telekom has clearly stated what it planned - a complete
IP infrastructure without ISDN, with marketing and so on...

What was the reaction? The people and also some journalists are against
VOIP. They found 1000 reasons why. Only the Telekom was blamed.

But - Kabel Deutschland (now Vodafone) and other ISPs did the same
without public trouble.

Apropos VOIP and Deutsche Telekom, my router still phones via IPv4,
while Liberty Global (Unitymedia) routers partly use IPv6.

Regards,
Thomas Schäfer




--

There’s no place like ::1

Thomas Schäfer (System Administration)
Ludwig-Maximilians-Universität
Centrum für Informations- und Sprachverarbeitung
Oettingenstraße 67, Room C109
80538 München ☎ +49/89/2180-9706 ℻ +49/89/2180-9701
Re: SV: CPE Residential IPv6 Security Poll [ In reply to ]
On 2016-09-21 15:48, Thomas Schäfer wrote:
> On 21.09.2016 at 14:58, Jeroen Massar wrote:
>> The major mistake that ISPs are making here btw is marketing:
>> they are not informing their users
>
> I am not sure about this advice.
>
> (I read the forum from vodafone, telekom and unitymedia in Germany
> daily)
>
> One similar example: VOIP
>
> The Deutsche Telekom has clearly stated what it planned - a complete
> IP infrastructure without ISDN, with marketing and so on...
>
> What was the reaction? The people and also some journalists are against
> VOIP. They found 1000 reasons why. Only the Telekom was blamed.

Yes, DTAG "informed" users by doing it sort of the "right" way: They
actively terminated their old non-VoIP contracts. So they sent
non-technical users a letter that they are unfortunately forced to
terminate 10+ year old contracts (some of them being on the very
expensive side for little service). All other players in the space
obviously do not want their users to gain a special right to termination
of their contracts because then they might move somewhere else.

Kind regards
Philipp Kern
Re: CPE Residential IPv6 Security Poll [ In reply to ]
Hello,

Thank you for your email. Are you referring to an order placed at the Valve Store? If this is regarding an in-game issue we kindly ask that you contact Steam Support directly as we are unable to help with any inquiries not regarding orders placed on http://valvestore.welovefine.com/. Please note that you are contacting Welovefine directly and we only handle Valve merchandise, we are not Valve or Steam.

If this is regarding a merchandise order placed at our store please respond with your order number so that I can look into this issue further.


Steam Support: https://support.steampowered.com/


Thank You
SV: SV: CPE Residential IPv6 Security Poll [ In reply to ]
1) In theory you are right. In practice it is not that black and white. We never buy an existing product, we buy a future product which has to be developed for us. That includes physical features which may not have been released from Broadcom yet (11ac 3x3: we were the first mass order from Broadcom, for example). That means that we usually have a development period with the vendor, and a release target (VDSL launch, for example). Sometimes they have to rush the CPE side to meet the network side launch. This again means that we usually launch with a fair number of bugs and un-optimized software, and features missing. And since we don't buy in Comcast-type volumes we do not have the purchasing power to instruct the vendors to do absolutely everything; we have a limited development team working for us and we have to prioritize what they should work on. And so far UPnP has not gotten above that threshold.

(And the above is a bit beside the point; we seem to be the only ISP who wants UPnP. That doesn't help our customers a lot. In order for UPnP to work you also need support in the clients, and those we talk to who do develop clients badly want to get away from UPnP.)


2) You may have more luck with your forum posts, but on the Norwegian forums the loudest answer wins the day. Reason cannot stand up to the forces of loud ignorance.

3) As stated in 1, limited resources dictate that we prioritize security, then features which support payable services, then the stuff we network geeks want. And since I do know a lot of smaller ISPs and retailers of off-the-shelf products, I do know that those products very seldom get anything other than bug fixes, and then only for flaws which may reflect badly on the CPE vendor.

4) The customers are paying for internet access. That used to mean an ethernet port and two IPv4 addresses. Today the customers define it as wifi access on the phone in the room furthest away from the router. The level of knowledge in the user base is dropping like a stone. If we can have a technical solution which prevents the customer from having issues and calling us, we go for it.


-Erik


________________________________________
From: ipv6-ops-bounces+erik.taraldsen=telenor.com@lists.cluenet.de <ipv6-ops-bounces+erik.taraldsen=telenor.com@lists.cluenet.de> on behalf of Ted Mittelstaedt <tedm@ipinc.net>
Sent: 20 September 2016 18:52
To: ipv6-ops@lists.cluenet.de
Subject: Re: SV: CPE Residential IPv6 Security Poll

Erik,

I think you have to follow these precepts (keep in mind this is an
American capitalist perspective not a European cooperative socialist
perspective)

1) You got the money, tell your vendors to either do what you want (put
IPv6 UPnP in CPEs they sell you) or you are going to kick their ass.
It's your money! They want your money do they not? That's why they are
selling CPEs to you - so why do you tolerate any crap from them? Tell
them either put UPnP in the code or you're going elsewhere for your CPEs
and you are going to tell all your other ISP friends to go elsewhere for
their CPEs. Enough Mr. Nice Guy.

2) It's not your problem if Ma & Pa Kettle find a wannabe power user.
If you don't like being bad-mouthed by wannabe power users on the online
forums then get your ass on the online forums and start engaging.
Refute those "need bigger antennas" posts with logic and reason.
I guarantee to you that 1 correct post is worth 100 baloney posts from
wannabe power users.

3) How on Earth can you make the case that your ISP router patches
security holes and adds features yet turn around and claim that you
can't push your CPE vendors to add UPnP support? Either you have power
to get your CPE vendors to issue updates or not. If you do - then
quit complaining that no CPEs have UPnP support for IPv6. If you
don't - then quit claiming your CPE is better.

4) What is your customers' perception of what they are paying for and
what are they REALLY paying for? If they think they are paying for
access only - and you think they are paying for access plus your
management of their network CPE - then I can see why you might be
wondering why they aren't complaining to you when there's a problem
and going to the wannabe power users. Maybe you just need to do some
more customer education?

Ted

On 9/20/2016 1:24 AM, erik.taraldsen@telenor.com wrote:
> With all due respect to the actual power users out there. For each one of them, there are at least 20 who think they are power users and who base their knowledge on rumors and misconceptions. They are often vocal (forums and comments on news sites) and they are the ones who often are enlisted to help Ma & Pa Kettle. At least that is what we see a lot of in Norway. They simply do not have the ability to correctly diagnose the issues. Solutions often involve "you need bigger antennas on the router", "Apple routers are always the best", "the ISP supplied router always sucks".
>
> So Bob-the-power-user buys the expensive huge-antenna router and installs it at M&PK. It does not have dual stack, therefore the application at M&PK never tries IPv6 and the older UPnP solution works for them. Bob gets a reconfirmation that big antennas help, and that the ISP router sucks. Where a simpler and cheaper solution would be to modify the firewall settings of the ISP router.
>
> Since I represent the ISP and specifically the ISP supplied router (where we do patch security flaws, add features, optimise DSL and wlan drivers, attack bufferbloat and give the customers the possibility of remote support. Unlike a lot of retail products which often have to live with the software they were shipped with). How do we set up the router's IPv6 settings in such a way that Bob-the-power-user does not have to be called in by M&PK to fix their broken app/network, but still maintain a level of security for them? Is some sort of balanced the way to go? Should we again push our vendors for PCP/UPnP support?
>
>
>
> -Erik
>
>
> ________________________________________
> From: ipv6-ops-bounces+erik.taraldsen=telenor.com@lists.cluenet.de<ipv6-ops-bounces+erik.taraldsen=telenor.com@lists.cluenet.de> on behalf of Ted Mittelstaedt<tedm@ipinc.net>
> Sent: 19 September 2016 23:23
> To: Bjørn Mork
> Cc: ipv6-ops@lists.cluenet.de
> Subject: Re: CPE Residential IPv6 Security Poll
>
> I can tell you that -today- in my location both CenturyLink and Comcast
> (giant ISPs) supply IPv6 by default on their residential CPEs - and both
> of those CPEs have "inbound block outbound allow" on by default on IPv6.
> As far as I know neither supports UPnP on IPv6.
>
> I think you are overthinking this. If a CPE has no IPv6 support but it
> has UPnP support over IPv4 then things "work". If a CPE has IPv6
> support but no UPnP support over IPv6, then things are also going to
> "work" - on IPv4. They may break on IPv6 with a "block everything" IPv6
> rule in which case the end user is undoubtedly going to complain to the
> toaster manufacturer not you, and that toaster maker is either
> going to tell their customer "disable ipv6 on your ISP CPE" or they are
> going to fix their toaster so that it doesn't try using UPnP over IPv6,
> only IPv4.
>
> Your job is to not assume your customers are all morons. It is to make
> it safe for the ones who are, and make it usable for the ones who aren't
> and want to run their own show. Provide the needed buttons in the CPE
> to enable or disable IPv6 and to allow your customers to shut off your
> CPE's interference and be done with it.
>
> As an ISP you of all people should understand how powerful the Internet
> is. If you make your stuff configurable for power users, and document
> it, then the Ma& Pa Kettle customers are going to engage their friend's
> son who IS a power user and can search the Internet and follow simple
> directions and fix their problem with their web cam or whatever it is
> that is demanding UPnP.
>
> If however you default to open, then when Ma& Pa Kettle eventually get
> cracked, and call in the power user, that power user is going to
> discover your default firewall on IPv6 is open and realize that you
> created a whole bunch of work for him since he will now have to
> put back together a PC for the morons. He isn't going to appreciate
> that and will badmouth you online.
>
> Nobody with brains is going to go online and badmouth an ISP that
> supplies a CPE that has defaults that err on the side of
> protection-of-morons. But they are going to badmouth an ISP that
> supplies a CPE
> that has defaults that allow morons to get easily broken into - because
> it's them who are going to be sucked into putting those systems back
> together. And they are really going to badmouth an ISP that supplies a
> CPE that can't have its internal firewall turned off.
>
> Ted
>
> On 9/19/2016 1:29 PM, Bjørn Mork wrote:
>> Ted Mittelstaedt<tedm@ipinc.net> writes:
>>
>>> This kind of mirrors the "default" security policy on IPv4 CPEs (since
>>> those CPE's have NAT automatically turned on which creates a "block in,
>>> permit out" kind of approach.) so I'm not sure why you would want to
>>> default it to being different for IPv6.
>>
>> I was explained one reason today: No CPEs implement UPnP support for
>> IPv6 [1].
>>
>> This makes the effect of the similar IPv4 and IPv6 policies quite
>> different. UPnP aware applications will set up the necessary NAT rules
>> for IPv4, allowing inbound connections etc. But if you want the same
>> applications to work over IPv6, then the policy must be more open by
>> default. Letting the user disable IPv6 filtering is not going to help
>> the masses I'm afraid...
>>
>> So the question remains: What do ISPs actually do to
>> - allow IPv6, and
>> - secure the end users' networks, and
>> - not break dual stack applications wanting incoming connections
>>
>> all at the same time? Looks like a classical "pick any two".
>>
>>
>>
>> Bjørn
>>
>> [1] I'm sure someone will come up with an obscure and expensive example
>> of the contrary - the point is that IPv6 UPnP support is not readily
>> available in the residential CPE market.
>
Re: SV: SV: CPE Residential IPv6 Security Poll [ In reply to ]
On Sun, 25 Sep 2016 07:08:46 +0000, erik.taraldsen@telenor.com wrote:
> 1) In theory you are right. In practice it is not that black and
> white. We never buy an existing product, we buy a future product
> which has to be developed for us. That includes physical features
> which may not have been released from Broadcom yet (11ac 3x3: we were
> the first mass order from Broadcom, for example). That means that we
> usually have a development period with the vendor, and a release
> target (VDSL launch, for example). Sometimes they have to rush the CPE
> side to meet the network side launch. This again means that we
> usually launch with a fair number of bugs and un-optimized software,
> and features missing. And since we don't buy in Comcast-type volumes
> we do not have the purchasing power to instruct the vendors to do
> absolutely everything; we have a limited development team working for
> us and we have to prioritize what they should work on. And so far
> UPnP has not gotten above that threshold.
>
> (And the above is a bit beside the point; we seem to be the only ISP
> who wants UPnP. That doesn't help our customers a lot. In order for
> UPnP to work you also need support in the clients, and those we talk
> to who do develop clients badly want to get away from UPnP.)

... that has been said with regard to everything related to IPv6 for
nearly 20 years. When will we stop using it as an excuse?

Someone has to be the first, even if it's just for show and there
are no client-side clients.



---

------------------------------
Roger Jorgensen | - ROJO9-RIPE
roger@jorgensen.no | - The Future is IPv6
-------------------------------------------------------

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
Re: CPE Residential IPv6 Security Poll [ In reply to ]
On Tue, Sep 20, 2016 at 6:23 AM, Ted Mittelstaedt <tedm@ipinc.net> wrote:

> Nobody with brains is going to go online and badmouth an ISP that
> supplies a CPE that has defaults that err on the side of
> protection-of-morons.


Surely there's got to be a better solution here than
lowest-common-denominator engineering, a.k.a., "design your product for
your least knowledgeable customer"?
Re: CPE Residential IPv6 Security Poll [ In reply to ]
Lorenzo Colitti wrote:
> Surely there's got to be a better solution here than
> lowest-common-denominator engineering, a.k.a., "design your product for
> your least knowledgeable customer"?

sensible secure defaults for grandma + "Advanced" tab on CPE
configuration page for 10yo grandchild?

Nick
Re: CPE Residential IPv6 Security Poll [ In reply to ]
* Ted Mittelstaedt

> This kind of mirrors the "default" security policy on IPv4 CPEs (since
> those CPE's have NAT automatically turned on which creates a "block
> in, permit out" kind of approach.) so I'm not sure why you would want
> to default it to being different for IPv6.

There are a gazillion pages out there on the Internet where you'll find
people trying to figure out how to open ports in their router, make
their PlayStation or Xbox online gaming Just Work instead of
complaining about NAT problems, and so on. And this is mostly regarding
IPv4, where we already have a solution in the form of UPnP (a
security nightmare in its own right).

The situation is not exactly user friendly. The IPv4 NATs are making
applications suffer and people are struggling or failing to work around
them. We now have the opportunity to do better with IPv6, and I'm
hoping the ISPs will carefully consider doing so, instead of just
defaulting to whatever looks the most similar to what they were
forced to do for IPv4.

[I say «forced», because NAT and its intrinsic «drop all inbound» policy
came about as a way of conserving scarce IPv4 addresses, not as a
security mechanism. This is obviously not an issue for IPv6.]

So it'd be interesting to see some solid empirical data that explained
to what extent a default-drop-inbound firewall really increases
security, and to what extent it impairs applications and thus makes
users unhappy.

For what it's worth, the Swisscom approach seems sensible to me. At
least if I understand it correctly, in that they by default only block
ports associated with application protocols known to be insecure, meant
for home network use only, etc. All other ports and protocols not on
the blacklist are let through in both directions. As far as I know this
has been working out fine for them.

Tore
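The policies argued about across this thread (the "allow all outbound, block all inbound" default Benedikt and Ted describe, which is what RFC 6092 calls simple security; the "fully open" option from Ragnar's poll; the blacklist-based "balanced" approach Tore attributes to Swisscom; and the PCP/UPnP pinhole Bjørn and Erik say dual-stack applications need) can be made concrete with a small simulation. The code below is an added example written for this archive, not code from any poster, ISP or CPE vendor. The `CPEFilter` class, its mode names, the blacklist of "home-network-only" ports and the packet trace are all constructions of mine; the addresses use the IPv6 documentation prefix 2001:db8::/32, and the game port in the trace is just an illustrative listening port.

```python
"""Simulate residential IPv6 CPE filtering policies discussed in the thread.

Added example; class, mode names, port list and trace are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # IPv6 source address
    sport: int
    dst: str        # IPv6 destination address
    dport: int
    proto: str      # "tcp" or "udp"
    inbound: bool   # True if it arrives on the WAN side, False if it leaves the LAN


# Constructed blacklist for the "balanced" mode: ports of protocols that are
# meant for the home network only or are routinely abused when reachable from
# the Internet. A real ISP would maintain its own list; this one is illustrative.
LAN_ONLY_PORTS: Dict[str, Set[int]] = {
    "tcp": {23, 135, 139, 445, 3389},
    "udp": {137, 138, 1900, 5353},
}

Flow = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


class CPEFilter:
    """One CPE firewall instance in one of three modes.

    "rfc6092"  - allow all outbound, drop unsolicited inbound; inbound is
                 accepted only as return traffic of an outbound flow or
                 through an explicitly opened pinhole (PCP/UPnP-IGD style).
    "balanced" - drop only blacklisted ports, in both directions; pass the rest.
    "open"     - no filtering at all.
    """

    def __init__(self, mode: str) -> None:
        if mode not in ("rfc6092", "balanced", "open"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.flows: Set[Flow] = set()                  # outbound flows seen so far
        self.pinholes: Set[Tuple[str, int]] = set()    # (proto, port) opened on request

    def open_pinhole(self, proto: str, port: int) -> None:
        """What a PCP MAP or UPnP IGD request from a LAN application would achieve."""
        self.pinholes.add((proto, port))

    def decide(self, pkt: Packet) -> str:
        """Return "allow" or "drop" for one packet and update flow state."""
        if self.mode == "open":
            return "allow"
        if self.mode == "balanced":
            blocked = pkt.dport in LAN_ONLY_PORTS.get(pkt.proto, set())
            return "drop" if blocked else "allow"
        # rfc6092 mode: stateful default-deny for inbound traffic
        if not pkt.inbound:
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        reverse: Flow = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows or (pkt.proto, pkt.dport) in self.pinholes:
            return "allow"
        return "drop"


# Constructed trace: one LAN host talking to one Internet peer.
LAN_HOST = "2001:db8:1::10"
PEER = "2001:db8:ffff::1"
TRACE = [
    ("https-out",    Packet(LAN_HOST, 51000, PEER, 443, "tcp", inbound=False)),
    ("https-reply",  Packet(PEER, 443, LAN_HOST, 51000, "tcp", inbound=True)),
    # Unsolicited peer connection to a game client's listening port (illustrative port).
    ("game-inbound", Packet(PEER, 40000, LAN_HOST, 3074, "udp", inbound=True)),
    # Unsolicited probe of a file-sharing port that should never face the Internet.
    ("smb-inbound",  Packet(PEER, 40001, LAN_HOST, 445, "tcp", inbound=True)),
]


def run_trace(mode: str, pinholes: Tuple[Tuple[str, int], ...] = ()) -> Dict[str, str]:
    """Feed the trace through a fresh filter and return the verdict per packet."""
    fw = CPEFilter(mode)
    for proto, port in pinholes:
        fw.open_pinhole(proto, port)
    return {name: fw.decide(pkt) for name, pkt in TRACE}


def compare_policies() -> Dict[str, Dict[str, str]]:
    """Verdicts for every policy, including rfc6092 with a pinhole for the game port."""
    return {
        "open": run_trace("open"),
        "balanced": run_trace("balanced"),
        "rfc6092": run_trace("rfc6092"),
        "rfc6092+pinhole": run_trace("rfc6092", pinholes=(("udp", 3074),)),
    }


if __name__ == "__main__":
    for policy, verdicts in compare_policies().items():
        print(f"{policy:16} " + "  ".join(f"{k}={v}" for k, v in verdicts.items()))
```

Running it lays out Bjørn's "pick any two": plain rfc6092 mode keeps the SMB probe out but also drops the unsolicited game flow, the balanced mode lets the game flow in but only protects ports someone remembered to blacklist, and the open mode protects nothing. Only the rfc6092 variant with an application-requested pinhole allows the game flow while still dropping the SMB probe, which is why the thread keeps coming back to PCP/UPnP support on the CPE.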
