IPv6 Ingress traffic by default

Jared Mauch jared at puck.nether.net
Mon Jun 20 17:38:07 UTC 2016


> On Jun 20, 2016, at 1:30 PM, Owen DeLong <owen at delong.com> wrote:
> 
> 
>> On Jun 17, 2016, at 10:10 , Mark Milhollan <mlm at pixelgate.net> wrote:
>> 
>> On Tue, 14 Jun 2016, Owen DeLong wrote:
>>> On Jun 14, 2016, at 11:57 , Ricky Beam <jfbeam at gmail.com> wrote:
>> 
>>>> I've seen many "IPv6 Capable" CPEs that apply ZERO security to IPv6 traffic. 
>>> 
>>> Those are by definition poorly designed CPE. 
>> 
>> This (open by default vs closed) has been discussed before, with plenty 
>> of people on either side.
>> 
>> 
>> /mark
> 
> I’m unaware of anyone advocating open inbound by default residential CPE.

I’m sure changing the subject line will draw out the purists at heart :)

> I’m not saying they don’t exist, but I can’t imagine how anyone could possibly defend that position rationally.

I think certain things, e.g. SSH, would be ‘safe-ish’ to support ingress, but at the same time, if you connect something like a Raspberry Pi w/ global v6 and someone is doing honeypot stuff in pool.ntp.org, you may get someone doing ssh pi/raspberry with automation before you can even change the passwords.

> I’m pretty much in favor of open by default in most things, but for inbound traffic to residential CPE? Even I find that hard to rationalize.

What I find frustrating is that my current ISP requires a managed CPE where I can disable the IPv6 firewall so I can access devices at home over IPv6, but there is no way to download/upload the config, and they don’t store it on their side either.  This means when a device is swapped, it must be reprogrammed to disable this stuff, meaning I must be on-site or have something phone-home to disable their DHCP server and other elements.

I also can’t triage why it keeps rebooting every few days as it doesn’t tell me anything about debug logs, if it uploaded a core file, etc.

I’m guessing there is some ‘exotic’ L2 traffic I have that is hosing it, but I haven’t gone so far as to tcpdump the entire network for the possible offending traffic.

- Jared
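The closed-by-default inbound policy the thread argues for, with the one deliberate SSH exception Jared mentions, as an added nftables ruleset for a Linux-based residential CPE (this is example code, not from the thread or any vendor). The interface names "wan0" and "br-lan", the LAN host address 2001:db8:0:1::10 and the IPv6 prefix are assumptions for illustration.

```nftables
# Added example (not from the thread): default-deny IPv6 ingress on a CPE.
# Assumed names: WAN interface "wan0", LAN bridge "br-lan" (hypothetical).
table ip6 cpe_ingress {
    chain forward_wan {
        type filter hook forward priority 0; policy drop;

        # Only traffic entering from the WAN side is policed by this chain.
        iifname != "wan0" accept

        # Return traffic for sessions that a device inside the home started.
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 that IPv6 needs to work through the CPE (RFC 4890 guidance):
        # PMTU discovery and error reporting, plus rate-limited echo.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        icmpv6 type echo-request limit rate 10/second accept

        # The deliberately opened service (the "safe-ish" SSH case): one host,
        # one port. Only add this after the host's default credentials are gone,
        # otherwise automated pi/raspberry logins arrive before you do.
        ip6 daddr 2001:db8:0:1::10 tcp dport 22 accept

        # Everything else from the WAN falls through to the chain's drop policy;
        # log a sample so the owner can see what is being refused.
        limit rate 5/minute log prefix "v6-ingress-drop: "
    }

    chain input_wan {
        type filter hook input priority 0; policy drop;
        iifname != "wan0" accept
        ct state established,related accept
        ct state invalid drop

        # Neighbor Discovery and Router Advertisements are link-local and are
        # required for the WAN link itself to function.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # DHCPv6 replies from the ISP (address and prefix delegation).
        udp sport 547 udp dport 546 accept
    }
}
```

Load with `nft -f <file>` and check with `nft list table ip6 cpe_ingress`; the logged drops show up in the kernel log with the "v6-ingress-drop:" prefix.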

