Mailing List Archive

question regarding over the counter devices
Hi,

I just had a discussion with people from an ISP in the process of
implementing IPv6. They were afraid of turning on IPv6 for customers who
had purchased their own routers themselves, because these routers might
not have IPv6 firewalling on by default, thus exposing customers who used
to be "protected" by IPv4 NAT, to now be exposed with unfirewalled IPv6.

So my question:

Devices that people buy in electronics stores etc, do they even come with
IPv6 turned on by default?

If they do, is firewalling turned on by default?

My Apple Airport Express at least came with firewalling turned on, I don't
remember what the default setting was for IPv6 support. But if one turned
on IPv6 support, then one had to unclick the firewall clickbox to be able
to get incoming connections.

I'm going to check the devices I have in my boxes here at home, but in the
meantime would appreciate if others could share their experiences.

--
Mikael Abrahamsson email: swmike@swm.pp.se
Re: question regarding over the counter devices [ In reply to ]
> On 1 March 2017 at 08:06, Mikael Abrahamsson <swmike@swm.pp.se> wrote:
>
>
> Hi,
>
> I just had a discussion with people from an ISP in the process of implementing IPv6. They were afraid of turning on IPv6 for customers who had purchased their own routers themselves, because these routers might not have IPv6 firewalling on by default, thus exposing customers who used to be "protected" by IPv4 NAT, to now be exposed with unfirewalled IPv6.
>
> So my question:
>
> Devices that people buy in electronics stores etc, do they even come with IPv6 turned on by default?
>
> If they do, is firewalling turned on by default?

Swedish only - https://ipv6only.se/ - tested some routers bought in electronic stores and tested IPv6 and firewall and most don’t have firewall for IPv6 enabled.
I’ll install Google translate for the site in some minutes.

/Tobbe

>
> My Apple Airport Express at least came with firewalling turned on, I don't remember what the default setting was for IPv6 support. But if one turned on IPv6 support, then one had to unclick the firewall clickbox to be able to get incoming connections.
>
> I'm going to check the devices I have in my boxes here at home, but in the meantime would appreciate if others could share their experiences.
>
> --
> Mikael Abrahamsson email: swmike@swm.pp.se
Re: question regarding over the counter devices [ In reply to ]
What I’ve seen, yes is on by default, but I also heard the same complaint, but actually never seen a device not-on by default … so I’m not really convinced it is very real.

However, I believe that all the IPv6 OSs for hosts and servers, have the IPv6 firewall on by default, so this should not be a big issue, unless you have other devices with no IPv6 firewall (IP cameras?), which I think is not common, because those devices (what I’ve seen up to now), only respond to the port that they have designated to work on.

We had this debate several times in IETF I think …

There is some text about that in both RFC7084 (and bis that I’m working on https://tools.ietf.org/html/draft-palet-v6ops-rfc7084-bis-01) and RFC6092.

Regards,
Jordi


**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the use of the individual(s) named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, including attached files, is prohibited.
Re: question regarding over the counter devices [ In reply to ]
> However, I believe that all the IPv6 OSs for hosts and servers, have the IPv6 firewall on by default, so this should not be a big issue, unless you have other devices with no IPv6 firewall (IP cameras?), which I think is not common, because those devices (what I've seen up to now), only respond to the port that they have designated to work on.

FreeBSD, at least until 11.0-STABLE: No IPv6 firewall turned on by
default. Which is exactly what I want.

Steinar Haug, AS2116
Re: question regarding over the counter devices [ In reply to ]
On Wed, 1 Mar 2017, JORDI PALET MARTINEZ wrote:

> What I’ve seen, yes is on by default, but I also heard the same
> complaint, but actually never seen a device not-on by default … so I’m
> not really convinced it is very real.

"not-on", do you mean "IPv6" or "IPv6 firewalling"?

--
Mikael Abrahamsson email: swmike@swm.pp.se
Re: question regarding over the counter devices [ In reply to ]
IPv6 firewall non-on by default. I’ve not seen that myself in any product up to now.

Regards,
Jordi


Re: question regarding over the counter devices [ In reply to ]
On Wed, 1 Mar 2017, JORDI PALET MARTINEZ wrote:

> IPv6 firewall non-on by default. I’ve not seen that myself in any product up to now.

How many products have you looked at? We're still talking about home
routers now, right?

I just checked Netgear R6100. Factory default has "IPv6 disabled", when I
change it to "Auto Detect" the setting "IPv6 filtering" is "secured" by
default.

So this seems to be same thing that you've been seeing.

--
Mikael Abrahamsson email: swmike@swm.pp.se
Re: question regarding over the counter devices [ In reply to ]
> > IPv6 firewall non-on by default. I've not seen that myself in any product up to now.
>
> How many products have you looked at? We're still talking about home
> routers now, right?

I was commenting on "all the IPv6 OSs *for hosts and servers*, have the
IPv6 firewall on by default" (my emphasis). This would seem to include
all the BSD variants, all the Linux variants, etc. And in that case, the
statement "IPv6 firewall on by default" is clearly not true.

Steinar Haug, AS2116
Re: question regarding over the counter devices [ In reply to ]
Yes, CEs used for residential and SMEs.

In all the products I’ve seen, IPv6 was even on by default (again, IPv6-on, firewall-on, but by default). For example, this is true for several FTTH (with and without embedded ONT) and DSL CPEs that Spanish providers deliver to customers, even if they don’t provide IPv6 yet. I’ve seen the same situation in several of my customers, recently in Latin and Central American countries.

I’ve looked at different models of about 11-12 vendors, but was just using/configuring them, so not on purpose for checking this matter. I’m talking about my memory collection from about 4-5 years ago, so will not be easy to remember exact models/firmware versions, etc. In my own home, I’ve right now access to 4 vendors, 5 products in total, and all of them have the IPv6 firewall on by default. I’ve another one from TP-Link that I believe was on, but it has been reflashed with OpenWRT first, now to LEDE, so I can’t check it anymore … Of course, OpenWRT/LEDE have it on by default.

I’m not sure if they keep a record of that, but maybe Tim/Erica (in copy) from UNH, that perform IPv6 Ready certification, have this detail in some kind of statistics? Maybe they can even ask the other labs that do the testing worldwide.

Regards,
Jordi


Re: question regarding over the counter devices [ In reply to ]
I guess the point here is to compare if they also have IPv4 firewall on by default.

However, I believe the point here is to understand if a user having a “standard” distribution of any BSD/Linux, is the one that doesn’t double check all the security of that OS. Maybe we need to look into those distributions of BSD/Linux made for non-techie users, that come with a “built-in” GUI, etc. I doubt those come with IPv6-enabled by default and the firewall-off, it will be a mistake, as they try to allow the users to work with those distributions replacing a Windows (which of course comes with IPv6 enabled and IPv6 firewall enabled by default).

Regards,
Jordi


Re: question regarding over the counter devices [ In reply to ]
Mikael Abrahamsson <swmike@swm.pp.se> writes:

> I just had a discussion with people from an ISP in the process of
> implementing IPv6. They were afraid of turning on IPv6 for customers
> who had purchased their own routers themselves, because these routers
> might not have IPv6 firewalling on by default, thus exposing customers
> who used to be "protected" by IPv4 NAT, to now be exposed with
> unfirewalled IPv6.

As an ISP: If you don't manage the CPE, should you even care?

yes, yes, being nice is good. But this is an impossible task. There is
no way you can make assumptions about the security of any unmanaged CPE,
with or without IPv6.

If you care about the security of arbitrary customer owned devices, then
you should probably start by disabling IPv4.


Bjørn
Re: question regarding over the counter devices [ In reply to ]
On Wed, 1 Mar 2017, Bjørn Mork wrote:

> As an ISP: If you don't manage the CPE, should you even care?

That is a good question. In Sweden ISPs have gotten in trouble historically
for not filtering stuff and customers' files were exposed. For instance
when ETTH had people plug their computers directly into the ETTH RJ45 jack
(12-15 years ago), had no-password SMB shares on their computers, and
there was no broadcast filtering on the LAN. Then they could "see" other
users' SMB shares and access them, and this made the papers as "unsecure".
This was blamed on ISPs, not users.

So when IPv6 now comes along, ISPs are scared that users might have
no-firewall IPv6 devices, so when IPv6 is enabled all of a sudden lots of
unsecured devices are then reachable from the Internet, devices that were
configured in that way because before NAT "protected" them.

> yes, yes, being nice is good. But this is an impossible task. There is
> no way you can make assumptions about the security of any unmanaged CPE,
> with or without IPv6.

I tend to agree, but I can also understand why an ISP might hesitate in
this case.

--
Mikael Abrahamsson email: swmike@swm.pp.se
Re: question regarding over the counter devices [ In reply to ]
JORDI PALET MARTINEZ <jordi.palet@consulintel.es> writes:

Hi,

> Maybe we need to look into those distributions of BSD/Linux made for
> non-techie users, that come with a “built-in” GUI, etc. I doubt those
> come with IPv6-enabled by default and the firewall-off, it will be a
> mistake, as they try to allow the users to work with those
> distributions replacing a Windows (which of course comes with IPv6
> enabled and IPv6 firewall enabled by default).

I just installed the latest Ubuntu Version (default Desktop
installation) and there are no rules for IPv4 and IPv6.

Jens
--
----------------------------------------------------------------------------
| Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 |
| http://blog.quux.de | jabber: jenslink@quux.de | --------------- |
----------------------------------------------------------------------------
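
The difference between "no rules" and "firewall on by default" discussed in the messages above can be read off a Linux ruleset dump. The following is an added example, not part of the original posts: a small auditor that classifies one chain from text in the format printed by `ip6tables -S`. The sample rulesets, interface names, chain name `wan-in` and verdict strings are constructed for illustration.

```python
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
BUILTIN = TERMINAL | {"LOG", "RETURN"}

# Constructed sample: `ip6tables -S` output on a host with no rules loaded.
NO_RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
"""

# Constructed sample: router-style ruleset (interface names are made up).
ROUTER = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br-lan -o wan0 -j ACCEPT
"""

# Constructed sample: ACCEPT policy, filtering done in a user-defined chain
# followed by a catch-all REJECT.
USER_CHAIN = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N wan-in
-A INPUT -j wan-in
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A wan-in -m state --state RELATED,ESTABLISHED -j ACCEPT
-A wan-in -i lo -j ACCEPT
"""


def parse_ruleset(text):
    """Parse `ip6tables -S` style text into (policies, rules per chain)."""
    policies, chains = {}, {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 3 and tok[0] == "-P":
            policies[tok[1]] = tok[2]
            chains.setdefault(tok[1], [])
        elif len(tok) >= 2 and tok[0] == "-N":
            chains.setdefault(tok[1], [])
        elif len(tok) >= 4 and tok[0] == "-A" and "-j" in tok:
            j = tok.index("-j")
            if j + 1 < len(tok):
                chains.setdefault(tok[1], []).append(
                    {"matches": tok[2:j], "target": tok[j + 1]})
    return policies, chains


def reachable(rules):
    """Rules up to and including the first unconditional terminal rule."""
    out = []
    for rule in rules:
        out.append(rule)
        if not rule["matches"] and rule["target"] in TERMINAL:
            break
    return out


def is_stateful_accept(rule):
    """True for an ACCEPT rule matching ESTABLISHED connection state."""
    m = rule["matches"]
    for flag in ("--ctstate", "--state"):
        if flag in m:
            i = m.index(flag)
            negated = i > 0 and m[i - 1] == "!"
            if i + 1 < len(m) and not negated:
                if "ESTABLISHED" in m[i + 1].split(","):
                    return rule["target"] == "ACCEPT"
    return False


def has_stateful_accept(chains, name, seen):
    """True if `name`, or a user chain it jumps to, accepts ESTABLISHED."""
    seen.add(name)
    for rule in reachable(chains.get(name, [])):
        if is_stateful_accept(rule):
            return True
        target = rule["target"]
        if target not in BUILTIN and target in chains and target not in seen:
            if has_stateful_accept(chains, target, seen):
                return True
    return False


def audit_chain(text, chain):
    """Classify a built-in chain: INPUT for a host, FORWARD for a router."""
    policies, chains = parse_ruleset(text)
    if chain not in policies:
        return "unknown"
    rules = reachable(chains.get(chain, []))
    default = policies[chain]
    if rules and not rules[-1]["matches"] and rules[-1]["target"] in TERMINAL:
        default = rules[-1]["target"]  # a catch-all rule overrides the policy
    if default == "ACCEPT":
        filtering = any(r["target"] in ("DROP", "REJECT")
                        or r["target"] not in BUILTIN for r in rules)
        return "needs-review" if filtering else "open"
    if has_stateful_accept(chains, chain, set()):
        return "stateful-default-deny"
    return "default-deny-stateless"


if __name__ == "__main__":
    for name, text in (("no rules", NO_RULES), ("router", ROUTER)):
        print(name, audit_chain(text, "INPUT"), audit_chain(text, "FORWARD"))
```

On a live Linux host the input would be the output of `ip6tables -S` run as root; a verdict of `needs-review` means the chain has conditional drops or user-chain jumps that this sketch does not evaluate.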
Re: question regarding over the counter devices [ In reply to ]
The IOL doesn't keep this data at hand for Ethernet CPEs, but I would guess
that over half today have IPv6 on by default. I will add when IPv6 is on
almost always they have a firewall. If there is exact data the working
group wants we can try to run that down.

Tim

Re: question regarding over the counter devices [ In reply to ]
Is this actually a realistic fear? Let me preface this by saying that I
find NAT extremely distasteful, however, the one thing that NAT provides
some modicum of advantage from is inbound scans of end systems. With IPv6
this is functionally a non-issue from a shotgun scan perspective. Most
devices that come with IPv6 enabled require a prefix delegation, which in
my opinion should be enabled by default. In the US, a great deal of the
major broadband providers are moving toward an all in one, ISP managed
gateway that has all of this enabled and filters IPv6 inbound (although,
again, I'm not sure that it's actually more than a perceived issue and is
likely more of a CYA). Even the smaller ISPs that I have worked with are
enabling IPv6 with the same methodology. Mobile networks enable v6 by
default as well, although I am not able to reach my EUI-64 addresses on my
mobile devices - they appear to be filtered as well.
Realistically the deployments should have as much parity as possible
between v4 and v6, which I believe most reasonable consumer CPE do.
I remember going through this a lifetime ago with IPv4 before ISPs moved to
NAT at the CPE, this really isn't much different and should be reasonably
easier with v6 due to the inherent tracking you get from PD and privacy
addressing on by default with almost everything.

nb

Re: question regarding over the counter devices [ In reply to ]
On Wed, 1 Mar 2017, Nick Buraglio wrote:

> Is this actually a realistic fear?

Let me put it this way, I have personally found an anon-ftp server with
company confidential documents on it, that was reachable from the outside
without the owner's knowledge, because there was a port-forward in the
residential gateway that the owner wasn't actively aware of, and the NAS
had anon-ftp turned on without the owner's active knowledge.

So Google had indexed all files on this NAS. I contacted the person (did
some digging using pictures etc on this NAS) via their employer, and
talked to the person who had no idea.

Now, with unfiltered IPv6 it would be harder to actually find this NAS,
but once found, there is no need for port forward for it to be reachable
from the Internet.

So yes, I can understand the fear and I agree that it's realistic. That's
why most ISPs have chosen to have stateful filtering toward the customers
by default.

--
Mikael Abrahamsson email: swmike@swm.pp.se
Re: question regarding over the counter devices [ In reply to ]
Mikael Abrahamsson <swmike@swm.pp.se> writes:

> Let me put it this way, I have personally found an anon-ftp server with
> company confidential documents on it, that was reachable from the
> outside without the owner's knowledge, because there was a port-forward
> in the residential gateway that the owner wasn't actively aware of, and
> the NAS had anon-ftp turned on without the owner's active knowledge.

Just take a look at many university networks. The ones I know use
public IPv4 space, no NAT and many times no firewalls. Now take one of
those scanner / printer things with anon FTP saving all documents
scanned on their local disk drive. Or powerful laser with a power
supply accessible via SNMP private. I think many people are accustomed
to the "security" they get from NAT and don't think that there is
anything else.

Jens
Re: question regarding over the counter devices [ In reply to ]
"...because there was a port-forward in the residential gateway..."

That's unrelated to the original query that started this thread. A user (or
device via UPnP, I suppose) had to have configured that port forward. What
happened there has nothing to do with default firewall behavior in SOHO
routers.

I could spout off personal experience but hard data would be better, and I
have none of that to contribute, unfortunately. Probably the best approach
would be for some group to spend a few thousand $currency and purchase a
load of SOHO routers for testing. I would hope that data would eventually
be published publicly, as it would be highly valuable.

I believe there was an offer further up the thread for the IETF to pick up
this work? I am not part of the relevant working group, but I would find
this data to be useful.

Re: question regarding over the counter devices [ In reply to ]
On Wed, 1 Mar 2017, Mikael Abrahamsson wrote:

> Devices that people buy in electronics stores etc, do they even come with
> IPv6 turned on by default?
>
> If they do, is firewalling turned on by default?

All the ones I've seen so far have IPv6 off by default. However, the IPv6
firewall default is a mixed bag. I've found most do have the IPv6
firewall on by default. My own home router, an older D-Link, has it off
by default when IPv6 is enabled.

Antonio Querubin
e-mail: tony@lavanauts.org
xmpp: antonioquerubin@gmail.com
Re: question regarding over the counter devices [ In reply to ]
Hi,

On Wed, Mar 01, 2017 at 08:39:43AM +0100, sthaug@nethelp.no wrote:
> FreeBSD, at least until 11.0-STABLE: No IPv6 firewall turned on by
> default. Which is exactly what I want.

Well, "have no services on by default" is good enough for the issue
at hand "can my devices protect themselves, or would a firewall be
beneficial in any way?"... :-)

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Re: question regarding over the counter devices [ In reply to ]
On Wed, Mar 01, 2017 at 08:06:02AM +0100, Mikael Abrahamsson wrote:
>
> Hi,
>
> I just had a discussion with people from an ISP in the process of
> implementing IPv6. They were afraid of turning on IPv6 for customers
> who had purchased their own routers themselves, because these
> routers might not have IPv6 firewalling on by default, thus exposing
> customers who used to be "protected" by IPv4 NAT, to now be exposed
> with unfirewalled IPv6.
>
> So my question:
>
> Devices that people buy in electronics stores etc, do they even come
> with IPv6 turned on by default?

With the AVM Fritz!Box line - yes - it's enabled by default - And yes,
even the firewalling.

Nevertheless - As an ISP I would never enable IPv6 for Customers
without being sure that they are aware.

- Deploy IPv6 Dualstack from some point in time and making it clear
in your paperwork.
- Make it an option for legacy users to opt in.
- After some time - send emails telling the users
- Enable a captive portal for users to let them enable ipv6

If you are an xDSL provider you can even make this based on the
DSL Vendor and Version you get in the xDSL Handshake. You even
know what CPE the customer has and if it's IPv6 Capable at all
or if it's safe to enable.

Flo
--
Florian Lohoff f@zz.de
UTF-8 Test: The ???? ran after a ????, but the ???? ran away
Re: question regarding over the counter devices [ In reply to ]
Hi,

On Mon, Mar 06, 2017 at 11:37:30AM +0100, Florian Lohoff wrote:
> Nevertheless - As an ISP I would never enable IPv6 for Customers
> without being sure that they are aware.
>
> - Deploy IPv6 Dualstack from some point in time and making it clear
> in your paperwork.
> - Make it an option for legacy users to opt in.
> - After some time - send emails telling the users
> - Enable a captive portal for users to let them enable ipv6

This is "last century's process": wait for customers to ask for IPv6,
which they will not do, and then you can prove to your management that
"there is no demand", so you can continue to not roll out v6.

If we ever want to reach the point when we can stop bothering with
IPv4 on the server side, IPv6 needs to be on by default on *ALL*
access. Not opt-in. Not "it will take another 20 years".

Gert Doering
-- NetMaster
Re: question regarding over the counter devices [ In reply to ]
On Mon, Mar 06, 2017 at 11:41:54AM +0100, Gert Doering wrote:
> Hi,
>
> On Mon, Mar 06, 2017 at 11:37:30AM +0100, Florian Lohoff wrote:
> > Nevertheless - As an ISP I would never enable IPv6 for Customers
> > without being sure that they are aware.
> >
> > - Deploy IPv6 Dualstack from some point in time and making it clear
> > in your paperwork.
> > - Make it an option for legacy users to opt in.
> > - After some time - send emails telling the users
> > - Enable a captive portal for users to let them enable ipv6
>
> This is "last century's process": wait for customers to ask for IPv6,
> which they will not do, and then you can prove to your management that
> "there is no demand", so you can continue to not roll out v6.
>
> If we ever want to reach the point when we can stop bothering with
> IPv4 on the server side, IPv6 needs to be on by default on *ALL*
> access. Not opt-in. Not "it will take another 20 years".

You cant enable some feature for "Aunt Tilly" without her at least
beeing able to take action. And Aunt Tilly will never be able to take
action after you ship her the CPE. She will not even be able to log into
her CPE. And thats the todays Default customer. You need to tell
them to press the WPS Button to get their Mobile Phone online and they
wont find the button marked "WPS".

So the best bet is that you enable IPv6 for new contracts and shipments
and with the average contract time you age out your legacy products.

This is what Deutsche Telekom did. They bundled there IPv6 deployment
with their VDSL/FTTB deployment. So switching contracts means getting
a newer CPE and Dualstack.

I have been with a large carrier in .de and we had the transitional
problems and we didn't fix/enable it at all until I left in 2011.
Although we enabled the core of my former employer to IPv6/6PE
and the BRAS were all IPv6 capable we didn't enable it. So around 1.7
million DSL subscribers without IPv6. I and a few colleagues started a
new carrier and we shipped 100% dualstack but we knew the oldest software
of our CPEs and we knew the features. So it was much easier.

You need to start somewhere and the non-tier1 carriers with enough
IP addresses don't even start enabling IPv6 because they have no answer
to the transition scenario.

If you have an existing ADSL deployment for 10 years you have hundreds
of different customer-owned CPEs in the field with a permutation of ALL broken
software in the world one could imagine. You won't fix that. Enabling
IPv6 unconditionally will swamp your support with all sorts of obscure
problems e.g. "I suddenly can't print anymore" - Yes - your printer is IPv4 and your
clients are dualstacked now and CUPS is broken as it does not try a
fallback to v4 if v6 fails ... Been there - Done that.


You are dealing with non-technical people. So it must be easy, straight
forward and within their expectations that something changed.

Flo
--
Florian Lohoff f@zz.de
Re: question regarding over the counter devices [ In reply to ]
On 06.03.2017 at 12:11, Florian Lohoff wrote:
> Aunt Tilly


> You are dealing with non-technical people.


You contradict yourself.
Non-technical people have no clue about IPv6/IPv4, some of them flood
the support (in Germany Unitymedia/UPC, Vodafone) because their PS games
don't work anymore with CGNAT as part of DS-lite.

But they got the change implicitly via the new AGB (Terms and Conditions,
small print) while upgrading the speed without being asked about the
protocol changes.


A further example is the mobile network. After changing the network
profile on iOS devices, the user cannot opt out.

Without a choice (switched on is switched on), the IPv6 monitoring must be
better.

Last Friday the IPv6-connection between DTAG and google was broken for
some hours.

Non-technical people have no chance to debug the slow motion web sites
in this case.


Regards,
Thomas
Re: question regarding over the counter devices [ In reply to ]
Hi,

On Mon, Mar 06, 2017 at 12:11:53PM +0100, Florian Lohoff wrote:
> You can't enable some feature for "Aunt Tilly" without her at least
> being able to take action.

Aunt Tilly has no idea what IPv4, IPv6 or "Internet" is. As long as her
web browser will show cat videos, she's happy.

If you wait for Aunt Tilly to make a decision regarding "how should her
Internet access be provisioned?", nothing will ever happen.

[..]
> I have been with a large carrier in .de and we had the transitional
> problems and we didn't fix/enable it at all until I left in 2011.
> Although we enabled the core of my former employer to IPv6/6PE
> and the BRAS were all IPv6 capable we didn't enable it. So around 1.7
> million DSL subscribers without IPv6. I and a few colleagues started a
> new carrier and we shipped 100% dualstack but we knew the oldest software
> of our CPEs and we knew the features. So it was much easier.

If a CPE has no v6 support, having it available on the DSLAM (in passive
mode = do not start IPv6CP until the client initiates it) will not do harm.

> You need to start somewhere and the non-tier1 carriers with enough
> IP addresses don't even start enabling IPv6 because they have no answer
> to the transition scenario.

Delaying the inevitable will just raise your costs more and more.

The mobile carriers nicely demonstrated how *not* to do it - by ignoring
the mandate for IPv6 in 3G, and rolling out huge masses of v4-only
handsets, they suddenly had a huge installed basis of, well, v4-only
legacy devices to deal with...

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
