IPv6 Ingress traffic by default
Mark Andrews
marka at isc.org
Mon Jun 20 22:09:24 UTC 2016
In message <B950E696-1A72-4166-B615-A68BF30AD4F2 at puck.nether.net>, Jared Mauch writes:
>
> > On Jun 20, 2016, at 1:30 PM, Owen DeLong <owen at delong.com> wrote:
> >
> >
> >> On Jun 17, 2016, at 10:10 , Mark Milhollan <mlm at pixelgate.net> wrote:
> >>
> >> On Tue, 14 Jun 2016, Owen DeLong wrote:
> >>> On Jun 14, 2016, at 11:57 , Ricky Beam <jfbeam at gmail.com> wrote:
> >>
> >>>> I've seen many "IPv6 Capable" CPEs that apply ZERO security to IPv6
> traffic.
> >>>
> >>> Those are by definition poorly designed CPE.
> >>
> >> This (open by default vs closed) has been discussed before, with
> plenty
> >> of people on either side.
> >>
> >>
> >> /mark
> >
> > Iâm unaware of anyone advocating open inbound by default residential
> CPE.
>
> Iâm sure changing the subject line will draw out the purists at heart :)
>
> > Iâm not saying they donât exist, but I canât imagine how anyone could
> possibly defend that position rationally.
>
> I think certain things, eg: SSH would be âsafe-ishâ to support ingress,
> but at the same time, you connect something like a Raspberry PI w/ global
> V6 and someone is doing honeypot stuff in pool.ntp.org you may get
> someone doing ssh pi/raspberry with automation before you can even change
> the passwords.
And that is the fault of the Raspberry PI. There is zero reason for
the Raspberry PI to be open to the world before it has been configured.
It could have a initial configuration that is just
permit <local-prefixes>/64 any port 22
deny any any port 22
That is just as safe as the CPE firewall would have been and doesn't
require a external firewall. It would be nice if that could have
been
permit <local-prefixes>/48 any port 22
but a group of ISP's thought they knew better than the IETF and
decided that they would not listen to the advice that every site
gets a /48 so now there is no sensible site wide default prefix.
> > Iâm pretty much in favor of open by default in most things, but for
> > inbound traffic to residential CPE? Even I find that hard to rationalize.
>
> What I find frustrating is that my current ISP requires a managed CPE
> where I can disable the IPv6 firewall so I can access devices at home
> over IPv6, but there is no way to download/upload the config, and they
> donât store it on their side either. This means when a device is
> swapped, it must be reprogrammed to disable this stuff, meaning I must be
> on-site or have something phone-home to disable their DHCP server and
> other elements.
>
> I also canât triage why it keeps rebooting every few days as it doesnât
> tell me anything about debug logs, if it uploaded a core file, etc.
>
> Iâm guessing there is some âexoticâ L2 traffic I have that is hosing it,
> but havenât gone so far as to tcpdump the entire network for the possible
> offending traffic.
>
> - Jared
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the NANOG
mailing list