Re: IPv6 Ingress traffic by default

[Mark Andrews <marka () isc org>]

In message <B950E696-1A72-4166-B615-A68BF30AD4F2 () puck nether net>, Jared Mauch writes:
> > On Jun 20, 2016, at 1:30 PM, Owen DeLong <owen () delong com> wrote:
> >
> >
> > > On Jun 17, 2016, at 10:10 , Mark Milhollan <mlm () pixelgate net> wrote:
> > >
> > > On Tue, 14 Jun 2016, Owen DeLong wrote:
> > > > On Jun 14, 2016, at 11:57 , Ricky Beam <jfbeam () gmail com> wrote:
> > >
> > > > > I've seen many "IPv6 Capable" CPEs that apply ZERO security to IPv6
> traffic.
> > > > Those are by definition poorly designed CPE.
> > >
> > > This (open by default vs closed) has been discussed before, with
> plenty
> > > of people on either side.
> > >
> > >
> > > /mark
> >
> > I’m unaware of anyone advocating open inbound by default residential
> CPE.
>
> I’m sure changing the subject line will draw out the purists at heart :)
>
> > I’m not saying they don’t exist, but I can’t imagine how anyone could
> possibly defend that position rationally.
>
> I think certain things, eg: SSH would be ‘safe-ish’ to support ingress,
> but at the same time, you connect something like a Raspberry PI w/ global
> V6 and someone is doing honeypot stuff in pool.ntp.org you may get
> someone doing ssh pi/raspberry with automation before you can even change
> the passwords.

And that is the fault of the Raspberry PI.  There is zero reason for
the Raspberry PI to be open to the world before it has been configured.
It could have a initial configuration that is just

        permit <local-prefixes>/64 any port 22
        deny any any port 22

That is just as safe as the CPE firewall would have been and doesn't
require a external firewall.  It would be nice if that could have
been

        permit <local-prefixes>/48 any port 22

but a group of ISP's thought they knew better than the IETF and
decided that they would not listen to the advice that every site
gets a /48 so now there is no sensible site wide default prefix.

> > I’m pretty much in favor of open by default in most things, but for
> > inbound traffic to residential CPE? Even I find that hard to rationalize.
>
> What I find frustrating is that my current ISP requires a managed CPE
> where I can disable the IPv6 firewall so I can access devices at home
> over IPv6, but there is no way to download/upload the config, and they
> don’t store it on their side either.  This means when a device is
> swapped, it must be reprogrammed to disable this stuff, meaning I must be
> on-site or have something phone-home to disable their DHCP server and
> other elements.
>
> I also can’t triage why it keeps rebooting every few days as it doesn’t
> tell me anything about debug logs, if it uploaded a core file, etc.
>
> I’m guessing there is some ‘exotic’ L2 traffic I have that is hosing it,
> but haven’t gone so far as to tcpdump the entire network for the possible
> offending traffic.
>
> - Jared

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org