> On Jun 20, 2016, at 1:30 PM, Owen DeLong <o...@delong.com> wrote:
>
>
>> On Jun 17, 2016, at 10:10 , Mark Milhollan <m...@pixelgate.net> wrote:
>>
>> On Tue, 14 Jun 2016, Owen DeLong wrote:
>>> On Jun 14, 2016, at 11:57 , Ricky Beam <jfb...@gmail.com> wrote:
>>
>>>> I've seen many "IPv6 Capable" CPEs that apply ZERO security to IPv6
>>>> traffic.
>>>
>>> Those are by definition poorly designed CPE.
>>
>> This (open by default vs closed) has been discussed before, with plenty
>> of people on either side.
>>
>>
>> /mark
>
> I’m unaware of anyone advocating open inbound by default residential CPE.

I’m sure changing the subject line will draw out the purists at heart :)

> I’m not saying they don’t exist, but I can’t imagine how anyone could
> possibly defend that position rationally.

I think certain things, e.g. SSH, would be ‘safe-ish’ to support ingress, but at the same time, you connect something like a Raspberry Pi w/ global v6 and someone is doing honeypot stuff in pool.ntp.org, you may get someone doing ssh pi/raspberry with automation before you can even change the passwords.

> I’m pretty much in favor of open by default in most things, but for inbound
> traffic to residential CPE? Even I find that hard to rationalize.

What I find frustrating is that my current ISP requires a managed CPE where I can disable the IPv6 firewall so I can access devices at home over IPv6, but there is no way to download/upload the config, and they don’t store it on their side either. This means when a device is swapped, it must be reprogrammed to disable this stuff, meaning I must be on-site or have something phone-home to disable their DHCP server and other elements.

I also can’t triage why it keeps rebooting every few days as it doesn’t tell me anything about debug logs, if it uploaded a core file, etc. I’m guessing there is some ‘exotic’ L2 traffic I have that is hosing it, but haven’t gone so far as to tcpdump the entire network for the possible offending traffic.

- Jared
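The "closed by default" residential IPv6 CPE policy the thread is arguing about, written out as a small stateful filter model. This is an added example, not code from any list participant: the class and function names, the RFC 4890 ICMPv6 type set, the documentation-prefix LAN range and the sample packets are all constructed here. It shows the three things a closed-by-default CPE still has to let in (replies to outbound flows, the ICMPv6 types IPv6 needs to function, and pinholes the owner explicitly opened), and that an SSH pinhole such as the one described for a Raspberry Pi is an owner decision layered on top of the deny default, not the default itself.

```python
"""Model of a closed-by-default residential IPv6 CPE firewall (constructed example)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = LAN host -> Internet, "in" = Internet -> LAN host
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1


# ICMPv6 types a firewall must not drop if IPv6 is to work at all
# (RFC 4890 sec. 4.3.1: destination unreachable, packet too big,
# time exceeded, parameter problem). Echo request/reply (128/129) are
# added because most residential CPE permit ping.
ESSENTIAL_ICMPV6 = {1, 2, 3, 4, 128, 129}


class ClosedByDefaultCpe:
    """Stateful IPv6 filter: outbound is allowed; inbound is accepted only if
    it is a reply to an outbound flow, an essential ICMPv6 message, or an
    explicitly configured pinhole. Everything else is dropped."""

    def __init__(self, lan_prefix, pinholes=()):
        self.lan = ipaddress.ip_network(lan_prefix)
        # pinholes: (proto, LAN address, port) tuples the owner chose to expose
        self.pinholes = {(p, ipaddress.ip_address(a), port) for p, a, port in pinholes}
        # established flows: (proto, lan_addr, lan_port, remote_addr, remote_port)
        self.flows = set()

    def process(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if pkt.direction == "out":
            if src not in self.lan:
                return "drop: spoofed source"   # egress filtering (BCP 38)
            self.flows.add((pkt.proto, src, pkt.sport, dst, pkt.dport))
            return "accept: outbound"
        # inbound from the WAN side
        if dst not in self.lan:
            return "drop: not for our prefix"
        if pkt.proto == "icmpv6":
            if pkt.icmp_type in ESSENTIAL_ICMPV6:
                return "accept: essential icmpv6"
            return "drop: icmpv6 type not permitted"
        # reverse the 5-tuple and look for the outbound flow that solicited it
        if (pkt.proto, dst, pkt.dport, src, pkt.sport) in self.flows:
            return "accept: reply to established flow"
        if (pkt.proto, dst, pkt.dport) in self.pinholes:
            return "accept: pinhole"
        return "drop: unsolicited inbound"


def demo():
    """Run a few constructed packets through a CPE with one SSH pinhole."""
    fw = ClosedByDefaultCpe("2001:db8:1234::/64",
                            pinholes=[("tcp", "2001:db8:1234::10", 22)])
    results = []
    # LAN host makes a DNS query; the reply is then allowed back in
    results.append(fw.process(Packet("out", "2001:db8:1234::10", "2001:db8:ffff::53", "udp", 40000, 53)))
    results.append(fw.process(Packet("in", "2001:db8:ffff::53", "2001:db8:1234::10", "udp", 53, 40000)))
    # unsolicited SSH: reaches the pinholed host, not its neighbour
    results.append(fw.process(Packet("in", "2001:db8:ffff::1", "2001:db8:1234::10", "tcp", 5555, 22)))
    results.append(fw.process(Packet("in", "2001:db8:ffff::1", "2001:db8:1234::11", "tcp", 5555, 22)))
    # Packet Too Big must pass or PMTU discovery breaks
    results.append(fw.process(Packet("in", "2001:db8:ffff::1", "2001:db8:1234::10", "icmpv6", icmp_type=2)))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the reverse 5-tuple lookup is that "closed by default" is not "block everything": LAN-initiated traffic keeps working without any configuration, while the only unsolicited inbound that reaches a host is what the owner deliberately pinholed.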