IPv6 deployment excuses

Mike Hammett nanog at ics-il.net
Sat Jul 2 18:42:54 UTC 2016


Security that is too strict will be disabled and be far less effective than proper security measures. Security zealots are often blind to that. 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 



Midwest Internet Exchange 
http://www.midwest-ix.com 


----- Original Message -----

From: "Keith Medcalf" <kmedcalf at dessus.com> 
To: "nanog list" <nanog at nanog.org> 
Sent: Saturday, July 2, 2016 11:41:48 AM 
Subject: RE: IPv6 deployment excuses 


Yes, the default is "on". An exception is added for EVERY SINGLE PIECE of Microsoft Crapware, whether it is needed or not (and in every single case, it is not). And if you turn those exceptions "off", then they are turned back on by Microsoft and their NSA partners for you, without your permission, whenever automatic updates run (and also at other times that I have not determined the trigger). You must continuously check that the firewall (although ON) remains configured as you configured it, or if Microsoft (and their NSA partners) have changed the configuration without your permission. 

Of course, most people do not bother configuring the firewall and do not wonder why every piece of Crapware has in incoming exception, and do not bother to turn those off (including some on this list apparently). So they will never notice these nefarious doings which have been a hotbed of discussion on the Internet for many years. 

And this is on the latest distribution of Windows 10 including the upcoming anniversary edition and has been that way since at least the first version of Windows 8. 

Whether or not Windows 7 also behaves the same way I do not know because I never ran it. 

> -----Original Message----- 
> From: Spencer Ryan [mailto:sryan at arbor.net] 
> Sent: Saturday, 2 July, 2016 10:08 
> To: Keith Medcalf 
> Cc: North American Network Operators' Group 
> Subject: RE: IPv6 deployment excuses 
> 
> Windows 8 and 10 with the most recent service packs default the firewall 
> to on with very few inbound exemptions. 
> 
> 
> On Jul 2, 2016 11:38 AM, "Keith Medcalf" <kmedcalf at dessus.com> wrote: 
> 
> 
> 
> > There is no difference between IPv4 and IPv6 when it comes to 
> > firewalls and reachability. It is worth noting that hosts which 
> > support IPv6 are typically a lot more secure than older IPv4-only 
> > hosts. As an example every version of Windows that ships with IPv6 
> > support also ships with the firewall turned on by default. 
> 
> Just because the firewall is turned on does not mean that it is 
> configured properly. 
> 
> Every version of Windows that ships with IPv6 support also ships 
> with the Firewall configured in such a fashion that you may as well have 
> it turned off. 
> 
> This is especially true in Windows 8 and later where the firewall is 
> reconfigured without your permission by Microsoft every time you install 
> any update whatsoever back to the "totally insecure" default state -- and 
> there is absolutely no way to fix this other than to check, every single 
> minute, that the firewall is still configured as you configured it, and 
> not as Microsoft (and their NSA partners) choose to configure it. 
> 
> All versions of Windows 8 and later whether using IPv4 or IPv6 are 
> completely unsuitable for use on a network attached to the Internet by any 
> means (whether using NAT or not) that does not include an external (to 
> Windows) -- ie, in network -- statefull firewall over which Windows, 
> Microsoft, (and their NSA partners) have no automatic means of control. 
> If you allow UPnP control of the external statefull firewall from Windows 
> version 8 or later, you may as well not bother having any firewall at all 
> because it is not under your control. 
> 
> 
> 
> 
> 








More information about the NANOG mailing list