
UPnP/IPv6 support in home routers?
Folks,

Anyone can comment on the UPnP support for IPv6 in home routers?

Those that I have checked have UPnP support for IPv4, but not for IPv6
-- even when the home router does support IPv6.

Looking at UPnP itself, it seems to allow opening holes at the IGD, but
on a fully-specified (local ip, local port, remote ip, remote port),
which kind of sucks -- one would want to be able to whitelist all ports
for a given IP address, or at least (local ip, local port)

Thanks!

Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
Re: UPnP/IPv6 support in home routers?
On 11/12/17 05:21, Fernando Gont wrote:
> one would want to be able to whitelist all ports
> for a given IP address

What? No!

"Dear Gateway, I am definitely not a compromised host, please open all
ports toward me."

I don't disregard the idea that one would want to manually configure
this behaviour, but not automatically from the host itself.

--
Tom
Re: UPnP/IPv6 support in home routers?
On 12/11/2017 08:54 AM, Tom Hill wrote:
> On 11/12/17 05:21, Fernando Gont wrote:
>> one would want to be able to whitelist all ports
>> for a given IP address
>
> What? No!
>
> "Dear Gateway, I am definitely not a compromised host, please open all
> ports toward me."
>
> I don't disregard the idea that one would want to manually configure
> this behaviour, but not automatically from the host itself.

No, certainly not automatically. But would like to be able to.

e.g., want to be able to put a node in a "DMZ", allowing even e.g.
things tunneled on top of IPv6.

If UPnP needs to be aware about transport ports, then anything not TCP or
UDP (you might also say SCTP and such, but I think they are not
supported, anyway) would be ruled out.


--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
Re: UPnP/IPv6 support in home routers?
Hi,

On Mon, Dec 11, 2017 at 11:54:15AM +0000, Tom Hill wrote:
> "Dear Gateway, I am definitely not a compromised host, please open all
> ports toward me."

But that's the whole idea of UPnP or IGD. Whether you open one port or
all of them, on request of a possibly-compromised host, is of no relevance.

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Re: UPnP/IPv6 support in home routers?
On Mon, Dec 11, 2017 at 04:03:27PM +0100, Gert Doering wrote:
> On Mon, Dec 11, 2017 at 11:54:15AM +0000, Tom Hill wrote:
> > "Dear Gateway, I am definitely not a compromised host, please open all
> > ports toward me."
>
> But that's the whole idea of UPnP or IGD. Whether you open one port or
> all of them, on request of a possibly-compromised host, is of no relevance.


I think the thinking is that since most IPv4 "home" protocols (which
is really only where UPnP exists, since Enterprise class firewalls
almost never want to have anything to do with it), is that most of the
"home" protocols (eg. games, streaming, etc) have mostly converged to
a model not expecting end-to-end connectivity, and hidden behind a NAT
thing, that anything now transitioning to IPv6 will follow suit when
they add that support to whatever needs to punch holes in things,
instead checking in constantly with the "central server" instead of
assuming end-to-end connectivity.

That said, I think the IPv6 firewalls need better home connectivity
support as well. I once put in a ticket to Fortinet to ask if there
could be made an ACL object that tracked the prefix mask delivered via
DHCP6_PD, such that we could write policies such as
allow remote_ipv6_address ${PREFIX1}::1f5d:50 22

But that couldn't be impressed on the first tiers of support
what-so-ever. That totally confused them to no end. Unlike my IPv4
address which almost never changes at Comcast, the IPv6 prefixes I get
change on every connection.
RE: UPnP/IPv6 support in home routers?
Corporate and/or specific network requirements notwithstanding, in my opinion this is just another example of why in IPv6, firewalls in general could/should be retired. If the end user device is required to be responsible for its own security, it can open the necessary ports via whatever firewall API it provides to applications running on it.

________________________________
This communication is confidential. We only send and receive email on the basis of the terms set out at www.rogers.com/web/content/emailnotice
Re: UPnP/IPv6 support in home routers?
Hi,

On Mon, Dec 11, 2017 at 09:22:39AM -0600, Doug McIntyre wrote:
> That said, I think the IPv6 firewalls need better home connectivity
> support as well. I once put in a ticket to Fortinet to ask if there
> could be made an ACL object that tracked the prefix mask delivered via
> DHCP6_PD, such that we could write policies such as
> allow remote_ipv6_address ${PREFIX1}::1f5d:50 22

Which is about the only thing that makes sense.

> But that couldn't be impressed on the first tiers of support
> what-so-ever. That totally confused them to no end.

... but that is the standard vendor response. "Huh, what?". :-(

AVM gets this somewhat right for directly connected hosts, but for
DHCPv6-PD delegated prefixes, ACL support was "close! all! always!"
for the longest time, and only recently they made it work better...

Gert Doering
-- NetMaster
Re: UPnP/IPv6 support in home routers?
>> That said, I think the IPv6 firewalls need better home connectivity
>> support as well. I once put in a ticket to Fortinet to ask if there
>> could be made an ACL object that tracked the prefix mask delivered via
>> DHCP6_PD, such that we could write policies such as
>> allow remote_ipv6_address ${PREFIX1}::1f5d:50 22
>
> Which is about the only thing that makes sense.
But only for a (somehow) fixed interface identifier (IID).
With RFC7217-based IIDs this one will change together with the prefix
(which is, in fact, not useful for desktop devices).

>> But that couldn't be impressed on the first tiers of support
>> what-so-ever. That totally confused them to no end.
>
> ... but that is the standard vendor response. "Huh, what?". :-(
>
> AVM gets this somewhat right for directly connected hosts, but for
No. The AVM mechanism is based on fixed IIDs as well *and* requires that
the link local interface identifier is the same as the one used for the
global address.

> DHCPv6-PD delegated prefixes, ACL support was "close! all! always!"
> for the longest time, and only recently they made it work better...

Holger
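To make Holger's objection concrete, here is an added example (not code from anyone on the list): it renders Doug's prefix-tracking rule for a host with a fixed IID and for one using RFC 7217 IIDs, then checks whether the rule still matches once the delegated prefix changes. HMAC-SHA256 as the RFC 7217 function F, the interface name, the network ID and the host secret are assumptions of this example.

```python
"""Prefix-tracking ACLs versus stable vs. RFC 7217 interface identifiers.

Added example; the host parameters below are constructed for illustration.
"""
import hashlib
import hmac
import ipaddress

# Hypothetical host parameters (constructed for this example).
NET_IFACE = "eth0"
NETWORK_ID = "home-lan"
DAD_COUNTER = 0
HOST_SECRET = b"constructed-secret-known-only-to-the-host"

# The fixed IID behind Doug's "${PREFIX1}::1f5d:50" policy line.
STABLE_IID = 0x1F5D0050


def _net(prefix) -> ipaddress.IPv6Network:
    """Accept either a string or an IPv6Network and require a /64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("example assumes a /64 delegated prefix")
    return net


def rfc7217_iid(prefix, net_iface: str, network_id: str,
                dad_counter: int, secret_key: bytes) -> int:
    """RFC 7217 style IID: F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key).

    RFC 7217 leaves F open; HMAC-SHA256 truncated to its low 64 bits is an
    assumption made here, and the RFC's reserved-IID check is omitted.
    Because the prefix is an input, the IID changes whenever the prefix does.
    """
    net = _net(prefix)
    msg = (net.network_address.packed[:8]          # the 64-bit prefix
           + net_iface.encode() + b"\x00"
           + network_id.encode() + b"\x00"
           + dad_counter.to_bytes(1, "big"))
    digest = hmac.new(secret_key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[-8:], "big")


def address_from(prefix, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    if not 0 <= iid < 2 ** 64:
        raise ValueError("IID must fit in 64 bits")
    return ipaddress.IPv6Address(int(_net(prefix).network_address) | iid)


def allow_rule(prefix, iid: int, port: int) -> str:
    """Render Doug's policy with the currently delegated prefix substituted in."""
    return f"allow remote_ipv6_address {address_from(prefix, iid)} {port}"


def host_address(prefix, mode: str) -> ipaddress.IPv6Address:
    """The address the host itself configures under the given prefix."""
    if mode == "stable":
        return address_from(prefix, STABLE_IID)
    if mode == "rfc7217":
        iid = rfc7217_iid(prefix, NET_IFACE, NETWORK_ID, DAD_COUNTER, HOST_SECRET)
        return address_from(prefix, iid)
    raise ValueError(f"unknown mode {mode!r}")


def learned_iid(prefix, mode: str) -> int:
    """The IID an admin copies into the rule while the first prefix is active.
    The firewall never holds HOST_SECRET, so this is all it can ever learn."""
    return int(host_address(prefix, mode)) & (2 ** 64 - 1)


def rule_still_matches(old_prefix, new_prefix, mode: str) -> bool:
    """After renumbering, does the prefix-tracking rule built from the IID
    learned under old_prefix still match the host's address under new_prefix?"""
    iid = learned_iid(old_prefix, mode)
    return address_from(new_prefix, iid) == host_address(new_prefix, mode)


if __name__ == "__main__":
    first, second = "2001:db8:1:2::/64", "2001:db8:99:2::/64"  # constructed
    for mode in ("stable", "rfc7217"):
        print(mode, allow_rule(first, learned_iid(first, mode), 22))
        print(mode, "rule survives renumbering:", rule_still_matches(first, second, mode))
```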
Re: UPnP/IPv6 support in home routers?
Kristian,

I see no reason for which they should disappear. Actually, quite the
opposite; we keep connecting more and more crap to the net (the so called
IoT), which clearly cannot defend itself.

The "principle of least privilege" applies to connectivity, too.

Thanks!
Fernando




--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
RE: UPnP/IPv6 support in home routers?
And therein lies the root of the problem.. the 'crap' never gets fixed because it has the firewall isolating it, but this causes problems for devices and applications which are not 'crap.' I realize this is more idealistic than pragmatic, but we will have much smoother network integration if we don't have to deal with the many problems that so called stateful firewalls bring along with them. Now that IPv6 is set to do away with (P/N)AT, we're halfway there.
Re: UPnP/IPv6 support in home routers?
The crap doesn't get fixed because that's the software development we are
used to. Windows 10 was Windows '95 in the '90s. So give the IoT stuff
15-20 years to get to a sensible quality/state/security and/or enough
widespread trouble/exploitation.

Pragmatically speaking, people will connect that crap to the 'net... and
the "less connected" such devices are, the better.
So, please, don't remove FWs. :-)

Cheers,
Fernando




--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
Re: UPnP/IPv6 support in home routers?
But the FW doesn't (can't) protect the IoT device from other malicious IoT devices sharing the local network behind the firewall.

Isn't it better to forego the border firewall completely and make implementing that service the responsibility of each host for itself?

Pete


> On 12/12/2017, at 10:00 AM, Fernando Gont <fernando@gont.com.ar> wrote:
>
> The crap doesn't get fixed because that's the software development we are used to. Windows 10 was Windows '95 in the '90s. So give the IoT stuff 15-20 years to get to a sensible quality/state/security and/or enough widespread trouble/exploitation.
>
> Pragmatically speaking, people will connect that crap to the 'net... and the "less connected" such devices are, the better.
> So, please, don't remove FWs. :-)
>
> Cheers,
> Fernando
RE: UPnP/IPv6 support in home routers?
Fernando, sorry but we'll have to agree to disagree. I personally see stateful firewalls as a pain point. They don't do a very good job of tracking socket states and often cause packet loss for this reason, they are not well aware of the true socket state, they just try to replicate it based on sniffing, which doesn't work very well for stateless protocols I might add. Of course all this sniffing is something the forefathers of the internet never intended us to need to do. I would suggest you can always implement filters and other security mechanisms on your own devices, which should be done as a matter of best practice regardless. I certainly wouldn't want to rely on some 'crap' CPE given to me by my service provider to protect my end devices from all the other 'crap' out there.
Re: UPnP/IPv6 support in home routers?
Hi,

On Mon, Dec 11, 2017 at 06:00:17PM -0300, Fernando Gont wrote:
> So, please, don't remove FWs. :-)

And, while at it, turn them around. Keep the crap inside.

So, what are these FWs protecting today? Really?

Gert Doering
-- NetMaster
Re: UPnP/IPv6 support in home routers?
Operationally, you can deploy a firewall, but have no say in the poor
software development practices of your IoT vendor.
Compartmentalization -- yes, within the compartment, the IoT devices can
kill each other. :-) If the compartment granularity is not fine enough,
improve it.

P.S.: Yes, I'd like secure IoT devices. I would also like to eradicate
poverty and other things...

Fernando


--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
Re: UPnP/IPv6 support in home routers? [ In reply to ]
I'm not so worried about secure IoT devices. The insecure ones will get hacked, and the secure ones will do their job.

I just want direct uninhibited and unmodified end to end connectivity across the IPv6 internet.

:)


> On 12/12/2017, at 10:15 AM, Fernando Gont <fernando@gont.com.ar> wrote:
>
> P.S.: Yes, I'd like secure IoT devices. I would also like to eradicate poverty and other things...
>
Re: UPnP/IPv6 support in home routers? [ In reply to ]
On Mon, Dec 11, 2017 at 6:18 PM, Pete Mundy <pete@fiberphone.co.nz> wrote:

>
> I'm not so worried about secure IoT devices. The insecure ones will get
> hacked, and the secure ones will do their job.
>
> I just want direct uninhibited and unmodified end to end connectivity
> across the IPv6 internet.
>


That train has left, already. -- Include RFC7872 there.

Fernando
Re: UPnP/IPv6 support in home routers? [ In reply to ]
>> one would want to be able to whitelist all ports
>> for a given IP address
>
> What? No!
>
> "Dear Gateway, I am definitely not a compromised host, please open all
> ports toward me."
>
> I don't disregard the idea that one would want to manually configure
> this behaviour, but not automatically from the host itself.

Indeed. I find the argument that I must have a firewall, but I also must have a highly insecure way of automatically disabling it highly amusing.
(I guess PCP was what was intended to replace UPnP for this in IPv6.)

Best regards,
Ole
Re: UPnP/IPv6 support in home routers? [ In reply to ]
Hi,

What about all the people that are not able to set up their own filters and
other security mechanisms? Most people got this computer stuff for usage
and not to tinker with or spend hours figuring out the best type of
configuration.
How do we give them a bit more security than wide open devices?

Pedro

On Mon, Dec 11, 2017 at 10:12 PM, Kristian McColm <
Kristian.McColm@rci.rogers.com> wrote:

> Fernando, sorry but we’ll have to agree to disagree. I personally see
> stateful firewalls as a pain point. They don’t do a very good job of
> tracking socket states and often cause packet loss for this reason, they
> are not well aware of the true socket state, they just try to replicate it
> based on sniffing, which doesn’t work very well for stateless protocols I
> might add. Of course all this sniffing is something the forefathers of the
> internet never intended us to need to do. I would suggest you can always
> implement filters and other security mechanisms on your own devices, which
> should be done as a matter of best practice regardless. I certainly
> wouldn’t want to rely on some ‘crap’ CPE given to me by my service provider
> to protect my end devices from all the other ‘crap’ out there
>
>
> ------------------------------
> *From:* fernando.gont.netbook.win@gmail.com <fernando.gont.netbook.win@
> gmail.com> on behalf of Fernando Gont <fernando@gont.com.ar>
> *Sent:* Monday, December 11, 2017 4:00:17 PM
> *To:* Kristian McColm
> *Cc:* ipv6-ops@lists.cluenet.de; Fernando Gont
> *Subject:* Re: UPnP/IPv6 support in home routers?
>
> The crap doesn't get fixed because that's the software development we are
> used to. Windows 10 was Windows '95 in the '90s. So give the IoT stuff
> 15-20 years to get to a sensible quality/state/security and/or enough
> widespread trouble/exploitation.
>
> Pragmatically speaking, people will connect that crap to the 'net... and
> the "less connected" such devices are, the better.
> So, please, don't remove FWs. :-)
>
> Cheers,
> Fernando
>
>
>
>
>
> On Mon, Dec 11, 2017 at 5:50 PM, Kristian McColm <
> Kristian.McColm@rci.rogers.com> wrote:
>
>> And therein lies the root of the problem.. the ‘crap’ never gets fixed
>> because it has the firewall isolating it, but this causes problems for
>> devices and applications which are not ‘crap.’ I realize this is more
>> idealistic than pragmatic, but we will have much smoother network
>> integration if we don’t have to deal with the many problems that so called
>> stateful firewalls bring along with them. Now that IPv6 is set to do away
>> with (P/N)AT, we’re halfway there.
>>
>>
>> ------------------------------
>> *From:* fernando.gont.netbook.win@gmail.com <
>> fernando.gont.netbook.win@gmail.com> on behalf of Fernando Gont <
>> fernando@gont.com.ar>
>> *Sent:* Monday, December 11, 2017 3:43:27 PM
>> *To:* Kristian McColm
>> *Cc:* ipv6-ops@lists.cluenet.de; Fernando Gont
>>
>> *Subject:* Re: UPnP/IPv6 support in home routers?
>>
>> Kristian,
>>
>> I see no reason for which they should disappear. Actually, quite the
>> opposite; we keep connecting more and more crap to the net (the so called
>> IoT), which clearly cannot defend itself.
>>
>> The "principle of least privilege" applies to connectivity, too.
>>
>> Thanks!
>> Fernando
>>
>>
>>
>>
>>
>>
>> On Mon, Dec 11, 2017 at 12:28 PM, Kristian McColm <
>> Kristian.McColm@rci.rogers.com> wrote:
>>
>>> Corporate and/or specific network requirements notwithstanding, in my
>>> opinion this is just another example of why in IPv6, firewalls in general
>>> could/should be retired. If the end user device is required to be
>>> responsible for its own security, it can open the necessary ports via
>>> whatever firewall API it provides to applications running on it.
>>>
>>>
>>> ------------------------------
>>> *From:* ipv6-ops-bounces+kristian.mccolm=rci.rogers.com@lists.cluenet.de
>>> <ipv6-ops-bounces+kristian.mccolm=rci.rogers.com@lists.cluenet.de> on
>>> behalf of Doug McIntyre <merlyn@geeks.org>
>>> *Sent:* Monday, December 11, 2017 10:22:39 AM
>>> *To:* ipv6-ops@lists.cluenet.de
>>> *Subject:* Re: UPnP/IPv6 support in home routers?
>>>
>>> On Mon, Dec 11, 2017 at 04:03:27PM +0100, Gert Doering wrote:
>>> > On Mon, Dec 11, 2017 at 11:54:15AM +0000, Tom Hill wrote:
>>> > > "Dear Gateway, I am definitely not a compromised host, please open
>>> all
>>> > > ports toward me."
>>> >
>>> > But that's the whole idea of UPnP or IGD. Whether you open one port or
>>> > all of them, on request of a possibly-compromised host, is of no
>>> relevance.
>>>
>>>
>>> I think the thinking is that since most IPv4 "home" protocols (which
>>> is really only where UPnP exists, since Enterprise class firewalls
>>> almost never want to have anything to do with it), is that most of the
>>> "home" protocols (e.g. games, streaming, etc) have mostly converged to
>>> a model not expecting end-to-end connectivity, and hidden behind a NAT
>>> thing, that anything now transitioning to IPv6 will follow suit when
>>> they add that support to whatever needs to punch holes in things,
>>> instead checking in constantly with the "central server" instead of
>>> assuming end-to-end connectivity.
>>>
>>> That said, I think the IPv6 firewalls need better home connectivity
>>> support as well. I once put in a ticket to Fortinet to ask if there
>>> could be made an ACL object that tracked the prefix mask delivered via
>>> DHCP6_PD, such that we could write policies such as
>>> allow remote_ipv6_address ${PREFIX1}::1f5d:50 22
>>>
>>> But that couldn't be impressed on the first tiers of support
>>> whatsoever. That totally confused them to no end. Unlike my IPv4
>>> address which almost never changes at Comcast, the IPv6 prefixes I get
>>> change on every connection.
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>> --
>> Fernando Gont
>> e-mail: fernando@gont.com.ar || fgont@acm.org
>> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>>
>>
>>
>>
>>
>
>
>
> --
> Fernando Gont
> e-mail: fernando@gont.com.ar || fgont@acm.org
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
>
>
>
>



--
Jan Pedro Tumusok
CEO
Eye Networks AS
Skype: jpedrot | Office phone: +47 22 82 08 80
https://eyenetworks.no | https://eyesaas.com
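The Fortinet ticket quoted above asks for an ACL object that follows the prefix delivered via DHCPv6-PD, so that a policy such as `allow remote_ipv6_address ${PREFIX1}::1f5d:50 22` survives a prefix change. As an added example, not code from this thread or from any vendor, the Python below expands such policies against the currently delegated prefix, rejects a suffix that does not fit in the prefix's host bits, and flags installed rules left over from a previous prefix; the policy-line grammar, the nftables-style output and the sample prefixes are all assumptions constructed for illustration.

```python
"""Render firewall rules that track a DHCPv6-PD delegated prefix (added example).

The policy format is modelled on the quoted line
    allow remote_ipv6_address ${PREFIX1}::1f5d:50 22
and is an assumption made for this example, as is the nftables-style output.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple

# <action> remote_ipv6_address ${<PREFIX_VAR>}<suffix> <tcp port>   (assumed grammar)
POLICY_RE = re.compile(
    r"^(allow|deny)\s+remote_ipv6_address\s+\$\{(\w+)\}(::[0-9a-fA-F:]+)\s+(\d{1,5})$"
)
# Rendered rule shape produced below: "ip6 daddr <addr> tcp dport <port> accept|drop"
RULE_RE = re.compile(r"^ip6 daddr (\S+) tcp dport (\d+) (accept|drop)$")


class Policy(NamedTuple):
    action: str       # "allow" or "deny"
    prefix_var: str   # name of the delegated-prefix variable, e.g. "PREFIX1"
    suffix: str       # host part appended to the prefix, e.g. "::1f5d:50"
    port: int         # TCP destination port (this example assumes TCP)


def parse_policy(line: str) -> Policy:
    """Parse one policy line of the assumed grammar into a Policy."""
    m = POLICY_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised policy line: {line!r}")
    action, var, suffix, port = m.groups()
    port = int(port)
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return Policy(action, var, suffix, port)


def resolve_address(prefix: ipaddress.IPv6Network, suffix: str) -> ipaddress.IPv6Address:
    """Combine a delegated prefix with a host suffix such as '::1f5d:50'.

    The suffix parses as an IPv6 address with only its low bits set; it must
    fit inside the host part of the prefix, otherwise it would silently
    overwrite prefix bits the ISP assigned.
    """
    iid = int(ipaddress.IPv6Address(suffix))
    host_bits = 128 - prefix.prefixlen
    if iid >> host_bits:
        raise ValueError(f"suffix {suffix} does not fit in the host part of {prefix}")
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


def render_rules(policies: List[Policy], prefixes: Dict[str, str]) -> List[str]:
    """Expand every policy against the prefixes currently delegated via DHCPv6-PD."""
    rules = []
    for p in policies:
        # strict=True rejects a "prefix" that has host bits set (a typo in the PD lease)
        net = ipaddress.IPv6Network(prefixes[p.prefix_var], strict=True)
        addr = resolve_address(net, p.suffix)
        verdict = "accept" if p.action == "allow" else "drop"
        rules.append(f"ip6 daddr {addr} tcp dport {p.port} {verdict}")
    return rules


def stale_rules(installed: List[str], prefixes: Dict[str, str]) -> List[str]:
    """Return installed rules whose address no longer lies inside any delegated prefix.

    This is the check a CPE should run after every prefix change: a rule
    bound to the old prefix is dead weight at best and, for an allow rule,
    an opening towards an address now owned by someone else.
    """
    nets = [ipaddress.IPv6Network(v) for v in prefixes.values()]
    stale = []
    for rule in installed:
        m = RULE_RE.match(rule)
        if not m:
            continue  # not a rule this renderer manages
        addr = ipaddress.IPv6Address(m.group(1))
        if not any(addr in n for n in nets):
            stale.append(rule)
    return stale


if __name__ == "__main__":
    policy = parse_policy("allow remote_ipv6_address ${PREFIX1}::1f5d:50 22")
    old_pd = {"PREFIX1": "2001:db8:abcd:100::/56"}   # constructed sample lease
    new_pd = {"PREFIX1": "2001:db8:ffff:200::/56"}   # constructed re-delegated lease
    old_rules = render_rules([policy], old_pd)
    print("before:", old_rules)
    print("after: ", render_rules([policy], new_pd))
    print("stale: ", stale_rules(old_rules, new_pd))
```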
RE: UPnP/IPv6 support in home routers? [ In reply to ]
Is it not feasible just as it is for CPE to come with a firewall with a sane set of defaults, that the device manufacturer would sell it with a similar set of defaults? Perhaps we can go as far as writing this into an RFC or expanding upon RFC 7721?

________________________________
From: ipv6-ops-bounces+kristian.mccolm=rci.rogers.com@lists.cluenet.de <ipv6-ops-bounces+kristian.mccolm=rci.rogers.com@lists.cluenet.de> on behalf of Jan Pedro Tumusok <jpt@eyenetworks.no>
Sent: Tuesday, December 12, 2017 9:45:17 AM
To: ipv6-ops@lists.cluenet.de
Subject: Re: UPnP/IPv6 support in home routers?

Hi,

What about all the people that are not able to set up their own filters and other security mechanisms? Most people got this computer stuff for usage and not to tinker with or spend hours figuring out the best type of configuration.
How do we give them a bit more security than wide open devices?

Pedro

On Mon, Dec 11, 2017 at 10:12 PM, Kristian McColm <Kristian.McColm@rci.rogers.com> wrote:
Fernando, sorry but we’ll have to agree to disagree. I personally see stateful firewalls as a pain point. They don’t do a very good job of tracking socket states and often cause packet loss for this reason, they are not well aware of the true socket state, they just try to replicate it based on sniffing, which doesn’t work very well for stateless protocols I might add. Of course all this sniffing is something the forefathers of the internet never intended us to need to do. I would suggest you can always implement filters and other security mechanisms on your own devices, which should be done as a matter of best practice regardless. I certainly wouldn’t want to rely on some ‘crap’ CPE given to me by my service provider to protect my end devices from all the other ‘crap’ out there

________________________________
From: fernando.gont.netbook.win@gmail.com <fernando.gont.netbook.win@gmail.com> on behalf of Fernando Gont <fernando@gont.com.ar>
Sent: Monday, December 11, 2017 4:00:17 PM
To: Kristian McColm
Cc: ipv6-ops@lists.cluenet.de; Fernando Gont
Subject: Re: UPnP/IPv6 support in home routers?

The crap doesn't get fixed because that's the software development we are used to. Windows 10 was Windows '95 in the '90s. So give the IoT stuff 15-20 years to get to a sensible quality/state/security and/or enough widespread trouble/exploitation.

Pragmatically speaking, people will connect that crap to the 'net... and the "less connected" such devices are, the better.
So, please, don't remove FWs. :-)

Cheers,
Fernando





On Mon, Dec 11, 2017 at 5:50 PM, Kristian McColm <Kristian.McColm@rci.rogers.com> wrote:
And therein lies the root of the problem.. the ‘crap’ never gets fixed because it has the firewall isolating it, but this causes problems for devices and applications which are not ‘crap.’ I realize this is more idealistic than pragmatic, but we will have much smoother network integration if we don’t have to deal with the many problems that so called stateful firewalls bring along with them. Now that IPv6 is set to do away with (P/N)AT, we’re halfway there.

________________________________
From: fernando.gont.netbook.win@gmail.com <fernando.gont.netbook.win@gmail.com> on behalf of Fernando Gont <fernando@gont.com.ar>
Sent: Monday, December 11, 2017 3:43:27 PM
To: Kristian McColm
Cc: ipv6-ops@lists.cluenet.de; Fernando Gont

Subject: Re: UPnP/IPv6 support in home routers?

Kristian,

I see no reason for which they should disappear. Actually, quite the opposite; we keep connecting more and more crap to the net (the so called IoT), which clearly cannot defend itself.

The "principle of least privilege" applies to connectivity, too.

Thanks!
Fernando






On Mon, Dec 11, 2017 at 12:28 PM, Kristian McColm <Kristian.McColm@rci.rogers.com> wrote:

Corporate and/or specific network requirements notwithstanding, in my opinion this is just another example of why in IPv6, firewalls in general could/should be retired. If the end user device is required to be responsible for its own security, it can open the necessary ports via whatever firewall API it provides to applications running on it.



________________________________
From: ipv6-ops-bounces+kristian.mccolm=rci.rogers.com@lists.cluenet.de <ipv6-ops-bounces+kristian.mccolm=rci.rogers.com@lists.cluenet.de> on behalf of Doug McIntyre <merlyn@geeks.org>
Sent: Monday, December 11, 2017 10:22:39 AM
To: ipv6-ops@lists.cluenet.de
Subject: Re: UPnP/IPv6 support in home routers?

On Mon, Dec 11, 2017 at 04:03:27PM +0100, Gert Doering wrote:
> On Mon, Dec 11, 2017 at 11:54:15AM +0000, Tom Hill wrote:
> > "Dear Gateway, I am definitely not a compromised host, please open all
> > ports toward me."
>
> But that's the whole idea of UPnP or IGD. Whether you open one port or
> all of them, on request of a possibly-compromised host, is of no relevance.


I think the thinking is that since most IPv4 "home" protocols (which
is really only where UPnP exists, since Enterprise class firewalls
almost never want to have anything to do with it), is that most of the
"home" protocols (e.g. games, streaming, etc) have mostly converged to
a model not expecting end-to-end connectivity, and hidden behind a NAT
thing, that anything now transitioning to IPv6 will follow suit when
they add that support to whatever needs to punch holes in things,
instead checking in constantly with the "central server" instead of
assuming end-to-end connectivity.

That said, I think the IPv6 firewalls need better home connectivity
support as well. I once put in a ticket to Fortinet to ask if there
could be made an ACL object that tracked the prefix mask delivered via
DHCP6_PD, such that we could write policies such as
allow remote_ipv6_address ${PREFIX1}::1f5d:50 22

But that couldn't be impressed on the first tiers of support
whatsoever. That totally confused them to no end. Unlike my IPv4
address which almost never changes at Comcast, the IPv6 prefixes I get
change on every connection.








--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1







--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1







--
Jan Pedro Tumusok
CEO
Eye Networks AS
Skype: jpedrot | Office phone: +47 22 82 08 80
https://eyenetworks.no | https://eyesaas.com




Re: UPnP/IPv6 support in home routers? [ In reply to ]
Is that not RFC6092?

iirc, that supports e2e IKE+IPSec, for example.

Tim

> On 12 Dec 2017, at 15:03, Kristian McColm <Kristian.McColm@rci.rogers.com> wrote:
>
> Is it not feasible just as it is for CPE to come with a firewall with a sane set of defaults, that the device manufacturer would sell it with a similar set of defaults? Perhaps we can go as far as writing this into an RFC or expanding upon RFC 7721?
>
> From: ipv6-ops-bounces+kristian.mccolm=rci.rogers.com@lists.cluenet.de <ipv6-ops-bounces+kristian.mccolm=rci.rogers.com@lists.cluenet.de> on behalf of Jan Pedro Tumusok <jpt@eyenetworks.no>
> Sent: Tuesday, December 12, 2017 9:45:17 AM
> To: ipv6-ops@lists.cluenet.de
> Subject: Re: UPnP/IPv6 support in home routers?
>
> Hi,
>
> What about all the people that are not able to set up their own filters and other security mechanisms? Most people got this computer stuff for usage and not to tinker with or spend hours figuring out the best type of configuration.
> How do we give them a bit more security than wide open devices?
>
> Pedro
>
> On Mon, Dec 11, 2017 at 10:12 PM, Kristian McColm <Kristian.McColm@rci.rogers.com> wrote:
> Fernando, sorry but we’ll have to agree to disagree. I personally see stateful firewalls as a pain point. They don’t do a very good job of tracking socket states and often cause packet loss for this reason, they are not well aware of the true socket state, they just try to replicate it based on sniffing, which doesn’t work very well for stateless protocols I might add. Of course all this sniffing is something the forefathers of the internet never intended us to need to do. I would suggest you can always implement filters and other security mechanisms on your own devices, which should be done as a matter of best practice regardless. I certainly wouldn’t want to rely on some ‘crap’ CPE given to me by my service provider to protect my end devices from all the other ‘crap’ out there
>
> From: fernando.gont.netbook.win@gmail.com <fernando.gont.netbook.win@gmail.com> on behalf of Fernando Gont <fernando@gont.com.ar>
> Sent: Monday, December 11, 2017 4:00:17 PM
> To: Kristian McColm
> Cc: ipv6-ops@lists.cluenet.de; Fernando Gont
> Subject: Re: UPnP/IPv6 support in home routers?
>
> The crap doesn't get fixed because that's the software development we are used to. Windows 10 was Windows '95 in the '90s. So give the IoT stuff 15-20 years to get to a sensible quality/state/security and/or enough widespread trouble/exploitation.
>
> Pragmatically speaking, people will connect that crap to the 'net... and the "less connected" such devices are, the better.
> So, please, don't remove FWs. :-)
>
> Cheers,
> Fernando
>
>
>
>
>
> On Mon, Dec 11, 2017 at 5:50 PM, Kristian McColm <Kristian.McColm@rci.rogers.com> wrote:
> And therein lies the root of the problem.. the ‘crap’ never gets fixed because it has the firewall isolating it, but this causes problems for devices and applications which are not ‘crap.’ I realize this is more idealistic than pragmatic, but we will have much smoother network integration if we don’t have to deal with the many problems that so called stateful firewalls bring along with them. Now that IPv6 is set to do away with (P/N)AT, we’re halfway there.
>
> From: fernando.gont.netbook.win@gmail.com <fernando.gont.netbook.win@gmail.com> on behalf of Fernando Gont <fernando@gont.com.ar>
> Sent: Monday, December 11, 2017 3:43:27 PM
> To: Kristian McColm
> Cc: ipv6-ops@lists.cluenet.de; Fernando Gont
>
> Subject: Re: UPnP/IPv6 support in home routers?
>
> Kristian,
>
> I see no reason for which they should disappear. Actually, quite the opposite; we keep connecting more and more crap to the net (the so called IoT), which clearly cannot defend itself.
>
> The "principle of least privilege" applies to connectivity, too.
>
> Thanks!
> Fernando
>
>
>
>
>
>
> On Mon, Dec 11, 2017 at 12:28 PM, Kristian McColm <Kristian.McColm@rci.rogers.com> wrote:
> Corporate and/or specific network requirements notwithstanding, in my opinion this is just another example of why in IPv6, firewalls in general could/should be retired. If the end user device is required to be responsible for its own security, it can open the necessary ports via whatever firewall API it provides to applications running on it.
>
>
> From: ipv6-ops-bounces+kristian.mccolm=rci.rogers.com@lists.cluenet.de <ipv6-ops-bounces+kristian.mccolm=rci.rogers.com@lists.cluenet.de> on behalf of Doug McIntyre <merlyn@geeks.org>
> Sent: Monday, December 11, 2017 10:22:39 AM
> To: ipv6-ops@lists.cluenet.de
> Subject: Re: UPnP/IPv6 support in home routers?
>
> On Mon, Dec 11, 2017 at 04:03:27PM +0100, Gert Doering wrote:
> > On Mon, Dec 11, 2017 at 11:54:15AM +0000, Tom Hill wrote:
> > > "Dear Gateway, I am definitely not a compromised host, please open all
> > > ports toward me."
> >
> > But that's the whole idea of UPnP or IGD. Whether you open one port or
> > all of them, on request of a possibly-compromised host, is of no relevance.
>
>
> I think the thinking is that since most IPv4 "home" protocols (which
> is really only where UPnP exists, since Enterprise class firewalls
> almost never want to have anything to do with it), is that most of the
> "home" protocols (e.g. games, streaming, etc) have mostly converged to
> a model not expecting end-to-end connectivity, and hidden behind a NAT
> thing, that anything now transitioning to IPv6 will follow suit when
> they add that support to whatever needs to punch holes in things,
> instead checking in constantly with the "central server" instead of
> assuming end-to-end connectivity.
>
> That said, I think the IPv6 firewalls need better home connectivity
> support as well. I once put in a ticket to Fortinet to ask if there
> could be made an ACL object that tracked the prefix mask delivered via
> DHCP6_PD, such that we could write policies such as
> allow remote_ipv6_address ${PREFIX1}::1f5d:50 22
>
> But that couldn't be impressed on the first tiers of support
> whatsoever. That totally confused them to no end. Unlike my IPv4
> address which almost never changes at Comcast, the IPv6 prefixes I get
> change on every connection.
>
>
>
>
>
>
>
>
> --
> Fernando Gont
> e-mail: fernando@gont.com.ar || fgont@acm.org
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
>
>
>
>
>
>
> --
> Fernando Gont
> e-mail: fernando@gont.com.ar || fgont@acm.org
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
>
>
>
>
>
>
> --
> Jan Pedro Tumusok
> CEO
> Eye Networks AS
> Skype: jpedrot | Office phone: +47 22 82 08 80
> https://eyenetworks.no | https://eyesaas.com
>
>
>
>
RE: UPnP/IPv6 support in home routers? [ In reply to ]
I believe that one is regarding the CPE (router) basic level security recommendations. Something similar for the end devices would be better IMO, as it can provide an API to the applications running on the machine to enable inbound/outbound flows as required with required user interaction prompts (do you want to allow application ‘x’ to do action ‘y’)? That way instead of having to perform sniffing to know the state of the socket, it can be managed by a kernel level API.



________________________________
From: Tim Chown <Tim.Chown@jisc.ac.uk>
Sent: Tuesday, December 12, 2017 10:17:33 AM
To: Kristian McColm
Cc: Jan Pedro Tumusok; ipv6-ops@lists.cluenet.de
Subject: Re: UPnP/IPv6 support in home routers?

Is that not RFC6092?

iirc, that supports e2e IKE+IPSec, for example.

Tim

> On 12 Dec 2017, at 15:03, Kristian McColm <Kristian.McColm@rci.rogers.com> wrote:
>
> Is it not feasible just as it is for CPE to come with a firewall with a sane set of defaults, that the device manufacturer would sell it with a similar set of defaults? Perhaps we can go as far as writing this into an RFC or expanding upon RFC 7721?
>
> From: ipv6-ops-bounces+kristian.mccolm=rci.rogers.com@lists.cluenet.de <ipv6-ops-bounces+kristian.mccolm=rci.rogers.com@lists.cluenet.de> on behalf of Jan Pedro Tumusok <jpt@eyenetworks.no>
> Sent: Tuesday, December 12, 2017 9:45:17 AM
> To: ipv6-ops@lists.cluenet.de
> Subject: Re: UPnP/IPv6 support in home routers?
>
> Hi,
>
> What about all the people that are not able to set up their own filters and other security mechanisms? Most people got this computer stuff for usage and not to tinker with or spend hours figuring out the best type of configuration.
> How do we give them a bit more security than wide open devices?
>
> Pedro
>
> On Mon, Dec 11, 2017 at 10:12 PM, Kristian McColm <Kristian.McColm@rci.rogers.com> wrote:
> Fernando, sorry but we’ll have to agree to disagree. I personally see stateful firewalls as a pain point. They don’t do a very good job of tracking socket states and often cause packet loss for this reason, they are not well aware of the true socket state, they just try to replicate it based on sniffing, which doesn’t work very well for stateless protocols I might add. Of course all this sniffing is something the forefathers of the internet never intended us to need to do. I would suggest you can always implement filters and other security mechanisms on your own devices, which should be done as a matter of best practice regardless. I certainly wouldn’t want to rely on some ‘crap’ CPE given to me by my service provider to protect my end devices from all the other ‘crap’ out there
>
> From: fernando.gont.netbook.win@gmail.com <fernando.gont.netbook.win@gmail.com> on behalf of Fernando Gont <fernando@gont.com.ar>
> Sent: Monday, December 11, 2017 4:00:17 PM
> To: Kristian McColm
> Cc: ipv6-ops@lists.cluenet.de; Fernando Gont
> Subject: Re: UPnP/IPv6 support in home routers?
>
> The crap doesn't get fixed because that's the software development we are used to. Windows 10 was Windows '95 in the '90s. So give the IoT stuff 15-20 years to get to a sensible quality/state/security and/or enough widespread trouble/exploitation.
>
> Pragmatically speaking, people will connect that crap to the 'net... and the "less connected" such devices are, the better.
> So, please, don't remove FWs. :-)
>
> Cheers,
> Fernando
>
>
>
>
>
> On Mon, Dec 11, 2017 at 5:50 PM, Kristian McColm <Kristian.McColm@rci.rogers.com> wrote:
> And therein lies the root of the problem.. the ‘crap’ never gets fixed because it has the firewall isolating it, but this causes problems for devices and applications which are not ‘crap.’ I realize this is more idealistic than pragmatic, but we will have much smoother network integration if we don’t have to deal with the many problems that so called stateful firewalls bring along with them. Now that IPv6 is set to do away with (P/N)AT, we’re halfway there.
>
> From: fernando.gont.netbook.win@gmail.com <fernando.gont.netbook.win@gmail.com> on behalf of Fernando Gont <fernando@gont.com.ar>
> Sent: Monday, December 11, 2017 3:43:27 PM
> To: Kristian McColm
> Cc: ipv6-ops@lists.cluenet.de; Fernando Gont
>
> Subject: Re: UPnP/IPv6 support in home routers?
>
> Kristian,
>
> I see no reason for which they should disappear. Actually, quite the opposite; we keep connecting more and more crap to the net (the so called IoT), which clearly cannot defend itself.
>
> The "principle of least privilege" applies to connectivity, too.
>
> Thanks!
> Fernando
>
>
>
>
>
>
> On Mon, Dec 11, 2017 at 12:28 PM, Kristian McColm <Kristian.McColm@rci.rogers.com> wrote:
> Corporate and/or specific network requirements notwithstanding, in my opinion this is just another example of why in IPv6, firewalls in general could/should be retired. If the end user device is required to be responsible for its own security, it can open the necessary ports via whatever firewall API it provides to applications running on it.
>
>
> From: ipv6-ops-bounces+kristian.mccolm=rci.rogers.com@lists.cluenet.de <ipv6-ops-bounces+kristian.mccolm=rci.rogers.com@lists.cluenet.de> on behalf of Doug McIntyre <merlyn@geeks.org>
> Sent: Monday, December 11, 2017 10:22:39 AM
> To: ipv6-ops@lists.cluenet.de
> Subject: Re: UPnP/IPv6 support in home routers?
>
> On Mon, Dec 11, 2017 at 04:03:27PM +0100, Gert Doering wrote:
> > On Mon, Dec 11, 2017 at 11:54:15AM +0000, Tom Hill wrote:
> > > "Dear Gateway, I am definitely not a compromised host, please open all
> > > ports toward me."
> >
> > But that's the whole idea of UPnP or IGD. Whether you open one port or
> > all of them, on request of a possibly-compromised host, is of no relevance.
>
>
> I think the thinking is that since most IPv4 "home" protocols (which
> is really only where UPnP exists, since Enterprise class firewalls
> almost never want to have anything to do with it), is that most of the
> "home" protocols (eg. games, streaming, etc) have mostly converged to
> a model not expecting end-to-end connectivity, and hidden behind a NAT
> thing, that anything now transitioning to IPv6 will follow suit when
> they add that support to whatever needs to punch holes in things,
> instead checking in constantly with the "central server" instead of
> assuming end-to-end connectivity.
>
> That said, I think the IPv6 firewalls need better home connectivity
> support as well. I once put in a ticket to Fortinet to ask if there
> could be made an ACL object that tracked the prefix mask delivered via
> DHCP6_PD, such that we could write policies such as
> allow remote_ipv6_address ${PREFIX1}::1f5d:50 22
>
> But that couldn't be impressed on the first tiers of support
> what-so-ever. That totally confused them to no end. Unlike my IPv4
> address which almost never changes at Comcast, the IPv6 prefixes I get
> change on every connection.
>
> This communication is confidential. We only send and receive email on the basis of the terms set out at www.rogers.com/web/content/emailnotice
>
> Ce message est confidentiel. Notre transmission et réception de courriels se fait strictement suivant les modalités énoncées dans l’avis publié à www.rogers.com/aviscourriel
>
>
>
> --
> Fernando Gont
> e-mail: fernando@gont.com.ar || fgont@acm.org
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
> --
> Fernando Gont
> e-mail: fernando@gont.com.ar || fgont@acm.org
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
> --
> Jan Pedro Tumusok
> CEO
> Eye Networks AS
> Skype: jpedrot | Office phone: +47 22 82 08 80
> https://eyenetworks.no | https://eyesaas.com
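Doug's Fortinet ticket above (an ACL object that tracks the prefix delivered via DHCPv6-PD, so that a policy like `allow remote_ipv6_address ${PREFIX1}::1f5d:50 22` keeps working after the ISP renumbers) is easy to state and worth seeing in code. The following is an added example, not code from the thread, from Fortinet, or from any product: it composes a full address from the delegated prefix plus a stable host suffix, rejects a suffix that would overlap the prefix bits (a rule that can never match is the silent failure mode here), and computes the rule delta on renumbering. The nftables rule syntax, the /56 delegation size, the inbound direction (`daddr`, i.e. a host inside the delegated prefix) and the policy entries are all assumptions; the prefixes are RFC 3849 documentation prefixes.

```python
import ipaddress

# Constructed policy: stable host suffix (relative to the delegated prefix),
# L4 protocol and destination port. The ::1f5d:50 / 22 entry mirrors the
# rule from the thread; the second entry is a hypothetical web server.
POLICY = [
    ("::1f5d:50", "tcp", 22),
    ("::2", "tcp", 443),
]


def compose_address(delegated_prefix: str, host_suffix: str) -> ipaddress.IPv6Address:
    """Fill the host bits of a delegated prefix with a stable suffix.

    The suffix must fit entirely below the prefix length. Otherwise it would
    overwrite part of the prefix and the resulting rule would never match
    any traffic, so that case is rejected instead of being masked away.
    """
    net = ipaddress.IPv6Network(delegated_prefix, strict=True)
    suffix = int(ipaddress.IPv6Address(host_suffix))
    host_bits = 128 - net.prefixlen
    if suffix >> host_bits:
        raise ValueError(
            f"suffix {host_suffix} does not fit in the {host_bits} host bits of {net}"
        )
    return ipaddress.IPv6Address(int(net.network_address) | suffix)


def render_rules(delegated_prefix: str, policy=POLICY) -> list[str]:
    """Render inbound rules (assumed nftables syntax) for the current prefix.

    Each rule matches the fully composed destination address, so only the
    named host gets the port opened, never the whole delegated prefix.
    """
    return [
        f"ip6 daddr {compose_address(delegated_prefix, suffix)} "
        f"{proto} dport {port} ct state new accept"
        for suffix, proto, port in policy
    ]


def renumber(old_prefix: str, new_prefix: str, policy=POLICY) -> dict[str, list[str]]:
    """Compute the rule changes needed when the ISP delegates a new prefix.

    This is the step a static address object cannot do: the policy is
    unchanged, only the addresses inside it move with the prefix.
    """
    old = set(render_rules(old_prefix, policy))
    new = set(render_rules(new_prefix, policy))
    return {"delete": sorted(old - new), "add": sorted(new - old)}


if __name__ == "__main__":
    # Constructed sample delegations (documentation prefixes, RFC 3849).
    for line in render_rules("2001:db8:1200::/56"):
        print(line)
    print(renumber("2001:db8:1200::/56", "2001:db8:3400::/56"))
```

On a real CPE the `renumber` delta would be applied from the DHCPv6 client's prefix-change hook (the hook name differs per client, so none is assumed here); the point of keeping the suffix separate from the prefix is that the operator's intent, "this host, this port", is stable even when nothing else about the address is.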
Re: UPnP/IPv6 support in home routers? [ In reply to ]
Hi,

On Tue, Dec 12, 2017 at 03:45:17PM +0100, Jan Pedro Tumusok wrote:
> What about all the people that are not able to set up their own filters and
> other security mechanisms? Most people got this computer stuff for usage
> and not to tinker with or spend hours figuring out the best type of
> configuration.
> How do we give them a bit more security than wide open devices?

Besides the IoT crap, most devices nowadays have not been "wide open"
in a long time.

So either you assume the devices are vulnerable to network attacks - and
in that case, they should not share a network with IoT and other crap.

Or you assume the devices are indeed hardened properly (otherwise, I
would not connect a laptop to a public wifi either...) - in which case a
firewall mostly gets in the way of getting work done.

Now, the IoT crap should just be moved to the garbage bin, and *that*
would help.

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Re: UPnP/IPv6 support in home routers? [ In reply to ]
That is a Microsoft problem and they are working on it. The problem
of course is that the end user has the most to gain by locking THEM
(Microsoft) out and Microsoft isn't about to let that happen.

Ted

On 12/12/2017 6:45 AM, Jan Pedro Tumusok wrote:
> Hi,
>
> What about all the people that are not able to set up their own filters
> and other security mechanisms? Most people got this computer stuff for
> usage and not to tinker with or spend hours figuring out the best type
> of configuration.
> How do we give them a bit more security than wide open devices?
>
> Pedro
>
> On Mon, Dec 11, 2017 at 10:12 PM, Kristian McColm <Kristian.McColm@rci.rogers.com> wrote:
>
> Fernando, sorry but we’ll have to agree to disagree. I personally
> see stateful firewalls as a pain point. They don’t do a very good
> job of tracking socket states and often cause packet loss for this
> reason, they are not well aware of the true socket state, they just
> try to replicate it based on sniffing, which doesn’t work very well
> for stateless protocols I might add. Of course all this sniffing is
> something the forefathers of the internet never intended us to need
> to do. I would suggest you can always implement filters and other
> security mechanisms on your own devices, which should be done as a
> matter of best practice regardless. I certainly wouldn’t want to
> rely on some ‘crap’ CPE given to me by my service provider to
> protect my end devices from all the other ‘crap’ out there.
>
> ------------------------------------------------------------------------
> *From:* fernando.gont.netbook.win@gmail.com <fernando.gont.netbook.win@gmail.com> on behalf of Fernando Gont <fernando@gont.com.ar>
> *Sent:* Monday, December 11, 2017 4:00:17 PM
> *To:* Kristian McColm
> *Cc:* ipv6-ops@lists.cluenet.de; Fernando Gont
> *Subject:* Re: UPnP/IPv6 support in home routers?
> The crap doesn't get fixed because that's the software development
> we are used to. Windows 10 was Windows '95 in the '90s. So give the
> IoT stuff 15-20 years to get to a sensible quality/state/security
> and/or enough widespread trouble/exploitation.
>
> Pragmatically speaking, people will connect that crap to the 'net...
> and the "less connected" such devices are, the better.
> So, please, don't remove FWs. :-)
>
> Cheers,
> Fernando
>
> On Mon, Dec 11, 2017 at 5:50 PM, Kristian McColm <Kristian.McColm@rci.rogers.com> wrote:
>
> And therein lies the root of the problem.. the ‘crap’ never gets
> fixed because it has the firewall isolating it, but this causes
> problems for devices and applications which are not ‘crap.’ I
> realize this is more idealistic than pragmatic, but we will have
> much smoother network integration if we don’t have to deal with
> the many problems that so called stateful firewalls bring along
> with them. Now that IPv6 is set to do away with (P/N)AT, we’re
> halfway there.
>
> ------------------------------------------------------------------------
> *From:* fernando.gont.netbook.win@gmail.com <fernando.gont.netbook.win@gmail.com> on behalf of Fernando Gont <fernando@gont.com.ar>
> *Sent:* Monday, December 11, 2017 3:43:27 PM
> *To:* Kristian McColm
> *Cc:* ipv6-ops@lists.cluenet.de; Fernando Gont
>
> *Subject:* Re: UPnP/IPv6 support in home routers?
> Kristian,
>
> I see no reason for which they should disappear. Actually, quite
> the opposite; we keep connecting more and more crap to the net
> (the so called IoT), which clearly cannot defend itself.
>
> The "principle of least privilege" applies to connectivity, too.
>
> Thanks!
> Fernando
>
> On Mon, Dec 11, 2017 at 12:28 PM, Kristian McColm <Kristian.McColm@rci.rogers.com> wrote:
>
> Corporate and/or specific network requirements
> notwithstanding, in my opinion this is just another example
> of why in IPv6, firewalls in general could/should be
> retired. If the end user device is required to be
> responsible for its own security, it can open the necessary
> ports via whatever firewall API it provides to applications
> running on it.
>
> ------------------------------------------------------------------------
> *From:* ipv6-ops-bounces+kristian.mccolm=rci.rogers.com@lists.cluenet.de on behalf of Doug McIntyre <merlyn@geeks.org>
> *Sent:* Monday, December 11, 2017 10:22:39 AM
> *To:* ipv6-ops@lists.cluenet.de
> *Subject:* Re: UPnP/IPv6 support in home routers?
> On Mon, Dec 11, 2017 at 04:03:27PM +0100, Gert Doering wrote:
> > On Mon, Dec 11, 2017 at 11:54:15AM +0000, Tom Hill wrote:
> > > "Dear Gateway, I am definitely not a compromised host, please open all
> > > ports toward me."
> >
> > But that's the whole idea of UPnP or IGD. Whether you open one port or
> > all of them, on request of a possibly-compromised host, is of no relevance.
>
>
> I think the thinking is that since most IPv4 "home" protocols (which
> is really only where UPnP exists, since Enterprise class firewalls
> almost never want to have anything to do with it), is that most of the
> "home" protocols (eg. games, streaming, etc) have mostly converged to
> a model not expecting end-to-end connectivity, and hidden behind a NAT
> thing, that anything now transitioning to IPv6 will follow suit when
> they add that support to whatever needs to punch holes in things,
> instead checking in constantly with the "central server" instead of
> assuming end-to-end connectivity.
>
> That said, I think the IPv6 firewalls need better home connectivity
> support as well. I once put in a ticket to Fortinet to ask if there
> could be made an ACL object that tracked the prefix mask delivered via
> DHCP6_PD, such that we could write policies such as
> allow remote_ipv6_address ${PREFIX1}::1f5d:50 22
>
> But that couldn't be impressed on the first tiers of support
> what-so-ever. That totally confused them to no end. Unlike my IPv4
> address which almost never changes at Comcast, the IPv6 prefixes I get
> change on every connection.
>
>
> --
> Fernando Gont
> e-mail: fernando@gont.com.ar <mailto:fernando@gont.com.ar> ||
> fgont@acm.org <mailto:fgont@acm.org>
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
> --
> Fernando Gont
> e-mail: fernando@gont.com.ar || fgont@acm.org
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
> --
> Jan Pedro Tumusok
> CEO
> Eye Networks AS
> Skype: jpedrot | Office phone: +47 22 82 08 80
> https://eyenetworks.no | https://eyesaas.com
Re: UPnP/IPv6 support in home routers? [ In reply to ]
You can have this until one of your devices is no longer "supported" by
its manufacturer. Which I guarantee is going to happen long before the
device actually dies of a hardware failure. And this of course assumes
that you are one of the .02% of users out there who regularly applies
firmware updates released by the manufacturer.

Ted

On 12/11/2017 1:18 PM, Pete Mundy wrote:
>
> I'm not so worried about secure IoT devices. The insecure ones will get
> hacked, and the secure ones will do their job.
>
> I just want direct uninhibited and unmodified end to end connectivity
> across the IPv6 internet.
>
> :)
>
>
>> On 12/12/2017, at 10:15 AM, Fernando Gont <fernando@gont.com.ar
>> <mailto:fernando@gont.com.ar>> wrote:
>>
>> P.S.: Yes, I'd like secure IoT devices. I would also like to
>> eradicate poverty and other things...
>>
>
