On 13/mar/2014, at 20:12, Eric Vyncke (evyncke) <evyn...@cisco.com> wrote:

> Jakob
>
> What annoys me more is the fact that AVM (and they are not the only one --
> see Technicolor & others) naively believes that NAT44 offered some
> security by preventing inbound connections... This means that there is NO
> open connectivity between two X/Box behind a closed AVM CPE... Hence X/Box
> has no choice and is smart enough to fall back in the legacy NAT44 mode
> with a TURN (or in this case Teredo) to bypass NAT. A very nice
> opportunity to run a man-in-the-middle attack on a foreign ground.

AVM is not alone in its choices: they just do what is suggested in RFC 6092 - "Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service". I don't like what they do, but maybe we should blame IETF.

Marco

> I still wonder why people REALLY believe in the security of NAT (in the
> sense of blocking inbound connections) in 2014 while most of the botnet
> members are behind a NAT...
>
> Christopher and others => you are RIGHT! Do not change your mind
>
> -éric (see also
> http://tools.ietf.org/html/draft-ietf-v6ops-balanced-ipv6-security-01 for
> my point of view :-))
>
>
> On 13/03/14 18:43, "Jakob Hirsch" <j...@plonk.de> wrote:
>
>> Hi!
>>
>> Christopher Palmer, 2013-10-10 03:22:
>>>
>>> http://download.microsoft.com/download/A/C/4/AC4484B8-AA16-446F-86F8-BDFC498F8732/Xbox%20One%20Technical%20Details.docx
>>
>> Nice, but why do you absolutely require Teredo even for boxes with
>> native IPv6? Of course there's the advantage of direct client2client
>> communication (less latency for clients and less traffic on Teredo
>> relays), but the box should at least fall back to native IPv6 if Teredo
>> is not available (quite odd to talk about native IPv6 being a fallback
>> to Teredo, but anyway).
>>
>> There's at least one CPE manufacturer (quite prevalent in Europe or at
>> least in Germany) that filters out Teredo if native IPv6 is available by
>> default. They added an option to disable this filter, but that's not a
>> good thing. See
>> http://service.avm.de/support/en/skb/FRITZ-Box-7390-int/1439:Cannot-play-online-games-with-Xbox-One
>>
>> In the current state, the XBox One is doing more harm to IPv6 than good.
>> People encounter problems after having IPv6 activated (there are forum
>> posts which told people to disable IPv6 to fix this issue) and Network
>> operators will see less increase in IPv6 traffic (which lowers the
>> incentive to improve IPv6 support).
>>
>>
>> Regards
>> Jakob
>>
>

--
Marco Sommani
Via Contessa Matilde 64C
56123 Pisa - Italia
phone: +390500986728
mobile: +393487981019
fax: +390503869728
email: marcosomm...@gmail.com
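The thread turns on consoles tunnelling IPv6 through Teredo when the CPE blocks unsolicited inbound connections, and on operators wanting to see how much of their "IPv6" is really Teredo. As an added example that is not from the thread or from any vendor, the following decodes what a Teredo address carries (server, NAT external address and port, per RFC 4380 section 4) and flags Teredo in flow records; the flow records and addresses are constructed sample data.

```python
"""Spot Teredo-tunnelled IPv6 in flow records and decode the NAT mapping a
Teredo address embeds (RFC 4380, section 4). Sample data below is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")  # 2001:0000::/32, RFC 4380
TEREDO_UDP_PORT = 3544                              # Teredo server/relay UDP port


@dataclass(frozen=True)
class TeredoInfo:
    server: ipaddress.IPv4Address      # Teredo server that qualified the client
    cone_flag: bool                    # bit 0x8000 of the 16-bit flags field
    mapped_ip: ipaddress.IPv4Address   # NAT external IPv4, stored XOR 0xFFFFFFFF
    mapped_port: int                   # NAT external UDP port, stored XOR 0xFFFF


def decode_teredo(addr: str) -> Optional[TeredoInfo]:
    """Decode a Teredo address; return None for any other IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed                     # 16 bytes, network byte order
    server = ipaddress.IPv4Address(raw[4:8])
    flags = int.from_bytes(raw[8:10], "big")
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
    client = ipaddress.IPv4Address(int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF)
    return TeredoInfo(server, bool(flags & 0x8000), client, port)


def teredo_flows(flows: List[Tuple[str, int, str, str]]) -> List[Tuple[str, str, str]]:
    """Flows are (proto, dst_port, src_ip, dst_ip). Report Teredo signalling
    (IPv4 UDP/3544) and IPv6 flows where either end is a Teredo address."""
    hits = []
    for proto, dport, src, dst in flows:
        if proto == "udp" and dport == TEREDO_UDP_PORT and ":" not in src:
            hits.append(("teredo-udp", src, dst))
        elif ":" in src and (decode_teredo(src) or decode_teredo(dst)):
            hits.append(("teredo-v6", src, dst))
    return hits


# Constructed records: a host behind NAT (192.168.1.20) qualifies with a Teredo
# server, then a native-IPv6 host on the LAN talks to a Teredo-addressed peer.
SAMPLE_FLOWS = [
    ("udp", 3544, "192.168.1.20", "198.51.100.7"),
    ("tcp", 443, "192.168.1.20", "203.0.113.50"),
    ("udp", 40000, "2001:db8::20", "2001:0:c633:6407:8000:63bf:34ff:8ef6"),
]
```

Run over real NetFlow/IPFIX exports, the same two checks tell an operator how much IPv6 is native and how much is Teredo traversing a CPE that was meant to block inbound connections.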