IPv6 Ingress traffic by default
Jared Mauch
jared at puck.nether.net
Mon Jun 20 17:38:07 UTC 2016
> On Jun 20, 2016, at 1:30 PM, Owen DeLong <owen at delong.com> wrote:
>
>
>> On Jun 17, 2016, at 10:10 , Mark Milhollan <mlm at pixelgate.net> wrote:
>>
>> On Tue, 14 Jun 2016, Owen DeLong wrote:
>>> On Jun 14, 2016, at 11:57 , Ricky Beam <jfbeam at gmail.com> wrote:
>>
>>>> I've seen many "IPv6 Capable" CPEs that apply ZERO security to IPv6 traffic.
>>>
>>> Those are by definition poorly designed CPE.
>>
>> This (open by default vs closed) has been discussed before, with plenty
>> of people on either side.
>>
>>
>> /mark
>
> I’m unaware of anyone advocating open inbound by default residential CPE.
I’m sure changing the subject line will draw out the purists at heart :)
> I’m not saying they don’t exist, but I can’t imagine how anyone could possibly defend that position rationally.
I think certain things, e.g. SSH, would be ‘safe-ish’ to support ingress, but at the same time, if you connect something like a Raspberry Pi w/ global V6 and someone is doing honeypot stuff in pool.ntp.org, you may get someone doing ssh pi/raspberry with automation before you can even change the passwords.
> I’m pretty much in favor of open by default in most things, but for inbound traffic to residential CPE? Even I find that hard to rationalize.
What I find frustrating is that my current ISP requires a managed CPE where I can disable the IPv6 firewall so I can access devices at home over IPv6, but there is no way to download/upload the config, and they don’t store it on their side either. This means when a device is swapped, it must be reprogrammed to disable this stuff, meaning I must be on-site or have something phone-home to disable their DHCP server and other elements.
I also can’t triage why it keeps rebooting every few days as it doesn’t tell me anything about debug logs, if it uploaded a core file, etc.
I’m guessing there is some ‘exotic’ L2 traffic I have that is hosing it, but haven’t gone so far as to tcpdump the entire network for the possible offending traffic.
- Jared
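The closed-inbound-by-default CPE policy the thread argues for, with the single deliberate SSH pinhole Jared calls "safe-ish", written as an nftables ruleset. This is an added example, not configuration from the thread or from any CPE vendor; the interface names wan0/lan0 and the 2001:db8::/32 addresses are assumed placeholders.

```nftables
#!/usr/sbin/nft -f
# Constructed example: default-closed inbound IPv6 policy for a residential CPE.
# Assumed placeholders: WAN interface "wan0", LAN interface "lan0", and
# 2001:db8::/32 (documentation prefix) standing in for the delegated space.
flush ruleset   # replaces the whole ruleset; fine on a single-purpose CPE

table inet cpe_fw {
    chain forward {
        type filter hook forward priority filter; policy drop;
        # The "open inbound by default" behaviour the thread objects to would
        # be this one line; it stays commented out on purpose:
        # iifname "wan0" accept

        # Stateful: replies to LAN-initiated connections come back in, junk is dropped.
        ct state established,related accept
        ct state invalid drop
        # Hosts on the LAN may reach the Internet.
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 error messages are mandatory for IPv6 to work (PMTUD, RFC 4890);
        # filtering them produces the "some sites just hang" class of bug.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem, echo-request } accept

        # The one deliberate pinhole: a single host, with new connections
        # rate-limited so a credential-guessing bot gets a few tries a minute.
        iifname "wan0" ip6 daddr 2001:db8:1::10 tcp dport 22 \
            ct state new limit rate 6/minute accept

        # Everything else from the WAN is logged (rate-limited) and then falls
        # through to the chain's drop policy.
        iifname "wan0" limit rate 1/second burst 5 packets \
            log prefix "cpe6-drop: " level info
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state established,related accept
        # Neighbour discovery and router advertisements must reach the CPE's
        # own stack, or both the ISP link and the LAN stop working.
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit,
                      nd-neighbor-advert, packet-too-big, destination-unreachable,
                      time-exceeded, parameter-problem, echo-request } accept
        # DHCPv6(-PD) replies from the ISP; management only from the LAN side.
        iifname "wan0" udp dport 546 accept
        iifname "lan0" tcp dport { 22, 443 } accept
    }
}
```

Load with `nft -f` and check the drop counters with `nft list ruleset` to confirm unsolicited WAN traffic is actually hitting the policy rather than an accept rule.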