[External] Re: IPv6 uptake
Tim Howe
tim.h at bendtel.com
Mon Feb 19 18:31:20 UTC 2024
Some responses below.
On Mon, 19 Feb 2024 10:01:06 -0800
William Herrin <bill at herrin.us> wrote:
> > I've never once seen a device
> > that has v6 support and didn't have a stateful v6 firewall on by
> > default (if v6 was "on").
>
> Acknowledged.
>
> So when the user wants to run a home server, their IPv4 options are to
> create a TCP or UDP port forward for a single service port or perhaps
> create a generic port forward for every port to a single internal
> machine. Protocols other than TCP and UDP not supported.
OK, but I'm not sure what you are getting at by saying this is
TCP and UDP exclusive... I don't know why it would be; what's the
example you think is typically being denied?
> They might
> also have the option of a "bridge" mode in which only one internal
> host is usable and the IPv4 functions of the device are disabled. The
> bridge mode is the only "off" setting for the IPv4 firewall.
>
> Correct?
>
> Their IPv6 options *might* include these but also include the option
> to turn the IPv6 firewall off. At which point IPv4 is still firewalled
> but IPv6 is not and allows all L4 protocols, not just TCP and UDP.
>
> Also correct?
This isn't how I would characterize any of this, to be honest.
I think what you are trying to say is that a v6 firewall can be "off"
while IPv6 connectivity remains unhindered, but turning "off" an IPv4
firewall means no hosts behind NAT will continue to have connectivity.
The assumption being that a guardrail for someone being really
self-destructive is removed.
OK. So someone really wanted connectivity and really wanted to
disable security. Maybe.
I still believe the statement "IPv6 is typically delivered
to 'most people' without border security" to be demonstrably false.
--
TimH
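The two situations argued over in this exchange (an IPv4 "port forward" that is tied to a TCP/UDP port and cannot be switched off without losing NAT, versus an IPv6 stateful firewall that can admit any L4 protocol to a named host and is separable from connectivity) can be shown side by side in one home-router ruleset. This is an added example, not configuration from the thread or from any product either poster mentions; the interface names, addresses (RFC 5737/3849 documentation ranges) and port numbers are placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread). Interface names, addresses and
# ports below are assumed placeholders for a typical home router.

define wan = "eth0"
define lan = "br0"
define v4_server = 192.0.2.10          # documentation range, placeholder
define v6_server = 2001:db8:1::10      # documentation prefix, placeholder

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Stateful default for both families: replies to outbound flows pass,
        # unsolicited inbound is dropped. This is the "firewall on" state.
        ct state established,related accept
        iifname $lan oifname $wan accept

        # ICMPv6 errors (e.g. packet-too-big) must cross the router or
        # IPv6 path MTU discovery breaks; do not drop them here.
        meta l4proto ipv6-icmp accept

        # IPv4: inbound reaches an internal host only through the DNAT
        # mapping in the nat table below. That mapping is keyed on a TCP/UDP
        # port, which is why the "port forward" model only covers those two.
        iifname $wan oifname $lan ip daddr $v4_server tcp dport 22 ct status dnat accept

        # IPv6: no translation involved. The allow rule names the host
        # directly and may admit any L4 protocol, not just TCP/UDP.
        iifname $wan oifname $lan ip6 daddr $v6_server tcp dport 22 accept
        iifname $wan oifname $lan ip6 daddr $v6_server meta l4proto esp accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # The IPv4 "port forward": one public TCP port to one internal host.
        iifname $wan tcp dport 22 dnat to $v4_server
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        # Without this masquerade rule, LAN IPv4 hosts have no outbound
        # connectivity at all: NAT and "IPv4 connectivity" are the same knob.
        oifname $wan masquerade
    }
}
```

The point of the layout: deleting `table inet filter` (the "firewall off" case) leaves IPv6 hosts fully reachable in both directions, while IPv4 hosts still only receive what `table ip nat` maps to them, and deleting `table ip nat` removes IPv4 connectivity entirely rather than merely exposing the hosts. Inbound IPv6 allow rules should be as narrow as the v4 DNAT entries they replace (specific host and service), and logging unsolicited drops on the forward chain is the cheapest way to see what a mistakenly widened rule would have admitted.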