IPv6 deployment excuses

Spencer Ryan sryan at arbor.net
Sat Jul 2 16:07:55 UTC 2016


Windows 8 and 10 with the most recent service packs default the firewall to
on with very few inbound exemptions.

On Jul 2, 2016 11:38 AM, "Keith Medcalf" <kmedcalf at dessus.com> wrote:

>
> > There is no difference between IPv4 and IPv6 when it comes to
> > firewalls and reachability. It is worth noting that hosts which
> > support IPv6 are typically a lot more secure than older IPv4-only
> > hosts. As an example every version of Windows that ships with IPv6
> > support also ships with the firewall turned on by default.
>
> Just because the firewall is turned on does not mean that it is configured
> properly.
>
> Every version of Windows that ships with IPv6 support also ships with the
> Firewall configured in such a fashion that you may as well have it turned
> off.
>
> This is especially true in Windows 8 and later where the firewall is
> reconfigured without your permission by Microsoft every time you install
> any update whatsoever back to the "totally insecure" default state -- and
> there is absolutely no way to fix this other than to check, every single
> minute, that the firewall is still configured as you configured it, and not
> as Microsoft (and their NSA partners) choose to configure it.
>
> All versions of Windows 8 and later whether using IPv4 or IPv6 are
> completely unsuitable for use on a network attached to the Internet by any
> means (whether using NAT or not) that does not include an external (to
> Windows) -- i.e., in network -- stateful firewall over which Windows,
> Microsoft, (and their NSA partners) have no automatic means of control.  If
> you allow UPnP control of the external stateful firewall from Windows
> version 8 or later, you may as well not bother having any firewall at all
> because it is not under your control.