SV: Application that actually requests "pinholes" ?
Plex media server for OSX. Also I believe iChat uses UPnP.

Listing from my home device:

HiMac:~ eriktar$ upnpc -l
upnpc : miniupnpc library test client, version 2.0.
 (c) 2005-2016 Thomas Bernard.
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://10.0.0.138:6/426311d0/gatedesc1.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://10.0.0.138:6/426311d0/upnp/control/WANIPConn1
Local LAN ip address : 10.0.0.1
Connection Type : IP_Routed
Status : Connected, uptime=321271s, LastConnectionError : ERROR_NONE
  Time started : Mon Sep 10 20:43:42 2018
MaxBitRateDown : 1048576000 bps (1048.5 Mbps) MaxBitRateUp 1048576000 bps (1048.5 Mbps)
ExternalIPAddress = 88.95.45.143
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP 12068->10.0.0.1:32400 'Plex Media Server' '' 0
 1 UDP 5354->10.0.0.2:5353 'iC5354' '' 0
 2 UDP 4501->10.0.0.2:4500 'iC4501' '' 0
 3 UDP 4502->10.0.0.1:4500 'iC4502' '' 0
 4 UDP 5355->10.0.0.1:5353 'iC5355' '' 0
 5 UDP 4500->10.0.0.3:4500 'iC4500' '' 0
 6 UDP 5353->10.0.0.3:5353 'iC5353' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)

From: ipv6-ops-bounces+erik.taraldsen=telenor@lists.cluenet.de on behalf of Brandon Applegate
Sent: 14 September 2018 13:55
To: ipv6-ops mailing list
Subject: Application that actually requests "pinholes" ?

Hello,

I wanted to see if anyone on the list knows of a current application that actually tries to request pinhole/port mapping etc ? This would be via UPnP IGDv2 WANIPv6FirewallControl or the PCP protocol.

I’m playing with miniupnpd on my firewall, and I have it configured to the point where this is working. I can use the upnpc utility to manually request an IPv6 pinhole and this works. I’d just like to see a “real” application using it and working.

Thanks.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
0641 D285 A36F 533A 73E5 2541 4920 533C C616 703A
"For thousands of years men dreamed of pacts with demons.
Only now are such things possible."
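Added example, not part of the original post and not code from miniupnpc: a short Python audit of the mapping table that `upnpc -l` prints in the listing above, flagging rows with leaseTime 0 (under IGD v1 a mapping that does not expire), an empty remoteHost (any remote host) and an external port that differs from the internal one. The sample rows are copied from the post; the function names and finding labels are assumptions of this sketch.

```python
import re
from collections import defaultdict, namedtuple

# Mapping table copied from the `upnpc -l` listing in the post above.
SAMPLE = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP 12068->10.0.0.1:32400 'Plex Media Server' '' 0
 1 UDP 5354->10.0.0.2:5353 'iC5354' '' 0
 2 UDP 4501->10.0.0.2:4500 'iC4501' '' 0
 3 UDP 4502->10.0.0.1:4500 'iC4502' '' 0
 4 UDP 5355->10.0.0.1:5353 'iC5355' '' 0
 5 UDP 4500->10.0.0.3:4500 'iC4500' '' 0
 6 UDP 5353->10.0.0.3:5353 'iC5353' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
"""

Mapping = namedtuple(
    "Mapping",
    "index proto ext_port in_addr in_port description remote_host lease")

# i, protocol, exPort->inAddr:inPort, 'description', 'remoteHost', leaseTime
ROW = re.compile(r"^\s*(\d+)\s+(TCP|UDP)\s+(\d+)->([0-9.]+):(\d+)"
                 r"\s+'([^']*)'\s+'([^']*)'\s+(\d+)\s*$")


def parse_mappings(text):
    """Return the mapping rows of an `upnpc -l` listing; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            i, proto, ext, addr, port, desc, rhost, lease = m.groups()
            rows.append(Mapping(int(i), proto, int(ext), addr, int(port),
                                desc, rhost, int(lease)))
    return rows


def audit(mappings):
    """Map row index -> list of finding labels (the labels are this sketch's own)."""
    # LAN hosts that asked for the same protocol and internal port; in the
    # listing only one of them holds the matching external port.
    sharers = defaultdict(set)
    for m in mappings:
        sharers[(m.proto, m.in_port)].add(m.in_addr)
    findings = {}
    for m in mappings:
        notes = []
        if m.lease == 0:
            notes.append("no-expiry")  # IGD v1: lease 0 is a static mapping
        if m.remote_host == "":
            notes.append("any-remote-host")  # empty remoteHost is a wildcard
        if m.ext_port != m.in_port:
            notes.append("port-translated")
        if len(sharers[(m.proto, m.in_port)]) > 1:
            notes.append("shared-internal-port")
        findings[m.index] = notes
    return findings


def exposed_by_host(mappings):
    """Group the externally reachable (protocol, port) pairs per LAN host."""
    hosts = defaultdict(list)
    for m in mappings:
        hosts[m.in_addr].append((m.proto, m.ext_port))
    return {host: sorted(ports) for host, ports in hosts.items()}


if __name__ == "__main__":
    table = parse_mappings(SAMPLE)
    notes = audit(table)
    for m in table:
        print(m.index, m.description, notes[m.index])
    print(exposed_by_host(table))
```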
SV: BBWF Beer meetup
For those not yet killed, I've gotten this suggestion off-list

http://www.foxbars.com/foxexcel/excel-bars/

"... our Warehouse Bar is the go to place for post-exhibition goers."

-Erik

From: Gert Doering
Sent: 8 October 2016 12:22
To: Eric Wisner
Cc: Anfinsen, Ragnar; Taraldsen Erik; ipv6-ops@lists.cluenet.de
Subject: Re: BBWF Beer meetup

Hi,

On Sat, Oct 08, 2016 at 09:17:53PM +1100, Eric Wisner wrote:
> KILL ME

I take the beer was good, and lots of it? :-)

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
BBWF Beer meetup
Terribly sorry if this is a misuse of the list. I know people here are not shy to speak up if they feel it is, so feel free to bash my head in that case. :)

I'm arriving Tuesday, staying until Thursday. How about a meetup at a bar not too far from Excel Tuesday? It's my second visit to London so I have absolutely no knowledge of recommended bars. In my opinion it should be somewhere they don't play too loud music so we can talk, not shout to each other (yes I'm that old and boring)(Anyone who recommends disco, you are banned to IPv4 CGN for the rest of your life).

Recommendations? Say that we start approx 20.00?

-Erik
SV: SV: SV: CPE Residential IPv6 Security Poll
>>And just to throw this conversation further off, anybody else here coming to
>>BBWF this year?
>
> I’ll be there... Beers?

Good idea. Any non-Norwegians who would like to join? :)

-E
SV: SV: CPE Residential IPv6 Security Poll
> > We also hoped that UPnP/PCP would be actively used in IPv6, punching
> > firewall holes as needed.
> > But that seems to not get any traction.
>
> any good documents on this issue (upnp and IPv6) ?

UPnP and IPv6:
https://openconnectivity.org/upnp/specifications/internet-gateway-device-igd-v-2-0
http://upnp.org/specs/gw/UPnP-gw-InternetGatewayDevice-v2-Device.pdf
Chapter 2.3.5, WANIPv6FirewallControl:1

If you meant documentation on (lack of) traction I just have the answers in the RFQs we have sent + talks we have with vendors at such events as BBWF (https://tmt.knect365.com/bbwf/). The RFQs are under NDA so I can't disclose who or what capabilities they offer. But in general, very little UPnP + IPv6.

And just to throw this conversation further off, anybody else here coming to BBWF this year?

-Erik
SV: SV: CPE Residential IPv6 Security Poll
1) In theory you are right. In practice it is not that black and white. We never buy an existing product, we buy a future product which has to be developed for us. That includes physical features which may not have been released from Broadcom yet (11ac 3x3 we were the first mass order from Broadcom for example). That means that we usually have a development period with the vendor, and a release target (VDSL launch for example). Sometimes they have to rush the CPE side to meet the network side launch. This again means that we usually launch with a fair number of bugs and un-optimized software, and features missing. And since we don't buy in Comcast type volumes we do not have the purchasing power to instruct the vendors to do absolutely everything, we have a limited development team working for us and we have to prioritize what they should work on. And so far UPnP has not gotten above that threshold. (And the above is a bit besides the point, we seem to be the only ISP who wants UPnP. That doesn't help our customers a lot. In order for UPnP to work you also need support in the clients, and those we talk to who do develop clients badly want to get away from UPnP)

2) You may have more luck with your forum posts, but on the Norwegian forums the loudest answer wins the day. Reason cannot stand up to the forces of loud ignorance.

3) As stated in 1, limited resources dictate that we prioritize security, features which support payable services, then the stuff we network geeks want. And since I do know a lot of smaller ISPs and retailers of off-the-shelf products, I do know that those products do very seldom get anything other than bug fixes for anything other than flaws which may reflect badly on the CPE vendor.

4) The customers are paying for internet access. That used to mean an ethernet port and two IPv4 addresses. Today the customers define it as wifi access on the phone in the room the furthest away from the router. The level of knowledge in the user base is dropping like a stone. If we can have a technical solution which prevents the customer from having issues and calling us, we go for it.

-Erik

From: ipv6-ops-bounces+erik.taraldsen=telenor@lists.cluenet.de on behalf of Ted Mittelstaedt
Sent: 20 September 2016 18:52
To: ipv6-ops@lists.cluenet.de
Subject: Re: SV: CPE Residential IPv6 Security Poll

Erik,

I think you have to follow these precepts (keep in mind this is an American capitalist perspective not a European cooperative socialist perspective)

1) You got the money, tell your vendors to either do what you want (put IPv6 UPnP in CPEs they sell you) or you are going to kick their ass. It's your money! They want your money do they not? That's why they are selling CPEs to you - so why do you tolerate any crap from them? Tell them either put UPnP in the code or you're going elsewhere for your CPEs and you are going to tell all your other ISP friends to go elsewhere for their CPEs. Enough Mr. Nice Guy.

2) It's not your problem if Ma & Pa Kettle find a wannabe power user. If you don't like being bad-mouthed by wannabe power users on the online forums then get your ass on the online forums and start engaging. Refute those "need bigger antennas" posts with logic and reason. I guarantee to you that 1 correct post is worth 100 baloney posts from wannabe power users.

3) How on Earth can you make the case that your ISP router patches security holes and adds features yet turn around and claim that you can't push your CPE vendors to add UPnP support? Either you have power to get your CPE vendors to issue updates or not. If you do - then quit complaining that no CPE's have UPnP support for IPv6. If you don't - then quit claiming your CPE is better.

4) What is your customers' perception that they are paying for and what are they REALLY paying for? If they think they are paying for access only - and you think they are paying for access plus your management of their network CPE - then I can see why you might be wondering why they aren't complaining to you when there's a problem and going to the wannabe power users. Maybe you just need to do some more customer education?

Ted

On 9/20/2016 1:24 AM, erik.tarald...@telenor.com wrote:
> With all due respect to the actual power user out there. For each one of
> them, there is at least 20 who think they are power users who base their
> knowledge on rumors and misconceptions. They are often vocal (forums and
> comments on news sites) and they are the ones who often are enlisted to help
> Ma & Pa Kettle. At least that is what we see a lot of in Norway. They
> simply do not have the ability to correctly diagnose the issues. Solutions
> often involve "you need bigger antennas on the router", "Apple routers are
> always the best", "the
SV: CPE Residential IPv6 Security Poll
With all due respect to the actual power user out there. For each one of them, there are at least 20 who think they are power users who base their knowledge on rumors and misconceptions. They are often vocal (forums and comments on news sites) and they are the ones who often are enlisted to help Ma & Pa Kettle. At least that is what we see a lot of in Norway. They simply do not have the ability to correctly diagnose the issues. Solutions often involve "you need bigger antennas on the router", "Apple routers are always the best", "the ISP supplied router always suck".

So Bob-the-power-user buys the expensive huge antenna router and installs it at M&PK. It does not have dual stack, therefore the application at M&PK therefore never tries IPv6 and the older UPnP solution works for them. Bob gets a reconfirmation that big antennas help, and that the ISP router sucks. Where a simpler and cheaper solution would be to modify the firewall settings of the ISP router.

Since I represent the ISP and specifically the ISP supplied router (where we do patch security flaws, add features, optimise DSL and wlan drivers, attack bufferbloat and give the customers the possibility of remote support. Unlike a lot of retail products which often have to live with the software it was shipped with). How do we set up the routers IPv6 setting in such a way that Bob-the-power-user does not have to be called in by M&PK to fix their broken app/network, but still maintain a level of security for them? Is some sort of balanced the way to go? Should we again push our vendors for PCP/UPnP support?

-Erik

____
From: ipv6-ops-bounces+erik.taraldsen=telenor@lists.cluenet.de on behalf of Ted Mittelstaedt
Sent: 19 September 2016 23:23
To: Bjørn Mork
Cc: ipv6-ops@lists.cluenet.de
Subject: Re: CPE Residential IPv6 Security Poll

I can tell you that -today- in my location both CenturyLink and Comcast (giant ISPs) supply IPv6 by default on their residential CPEs - and both of those CPEs have "inbound block outbound allow" on by default on IPv6. As far as I know neither support UPnP on IPv6

I think you are overthinking this. If a CPE has no IPv6 support but it has UPnP support over IPv4 then things "work"

If a CPE has IPv6 support but no UPnP support over IPv6, then things are also going to "work" - on IPv4. They may break on IPv6 with a "block everything" IPv6 rule in which case the end user is undoubtedly going to complain to the toaster manufacturer not you, and that toaster maker is either going to tell their customer "disable ipv6 on your ISP CPE" or they are going to fix their toaster so that it doesn't try using UPnP over IPv6, only IPv4.

Your job is to not assume your customers are all morons. It is to make it safe for the ones who are, and make it usable for the ones who aren't and want to run their own show. Provide the needed buttons in the CPE to enable or disable IPv6 and to allow your customers to shut off your CPE's interference and be done with it.

As an ISP you of all people should understand how powerful the Internet is. If you make your stuff configurable for power users, and document it, then the Ma & Pa Kettle customers are going to engage their friend's son who IS a power user and can search the Internet and follow simple directions and fix their problem with their web cam or whatever it is that is demanding UPnP.

If however you default to open, then when Ma & Pa Kettle eventually get cracked, and call in the power user, that power user is going to discover your default firewall on IPv6 is open and realize that you created a huge whole bunch of work for him since he will now have to put back together a PC for the morons. He isn't going to appreciate that and will badmouth you online.

Nobody with brains is going to go online and badmouth an ISP that supplies a CPE that has defaults that err on the side of protection-of-morons. But they are going to badmouth an ISP that supplies a CPE that has defaults that allow morons to get easily broken into - because it's them who are going to be sucked into putting those systems back together.

And they are really going to badmouth an ISP that supplies a CPE that can't have its internal firewall turned off.

Ted

On 9/19/2016 1:29 PM, Bjørn Mork wrote:
> Ted Mittelstaedt writes:
>
>> This kind of mirrors the "default" security policy on IPv4 CPEs (since
>> those CPE's have NAT automatically turned on which creates a "block in,
>> permit out" kind of approach.) so I'm not sure why you would want to
>> default it to being different for IPv6.
>
> I was explained one reason today: No CPEs implement UPnP support for
> IPv6 [1].
>
> This makes the effect of the similar IPv4 and IPv6 pol
SV: CPE Residential IPv6 Security Poll
I'm dealing with the CPE's for Telenor here in Norway. And indeed a part of the Norwegian discussion.

Today we block incoming traffic to protect the customers. We seek to have the same security policy as for IPv4. Meaning stateful firewall which the customer can configure if they want to.

The reason is partly internal policy (Telenor seeks to be seen as the secure internet provider in Norway, disabling firewalls and allowing all of the internets deviants access to the NAS with pictures of your children seems like a bad marketing move). We also hoped that UPnP/PCP would be actively used in IPv6, punching firewall holes as needed. But that seems to not get any traction.

As for customer complaints, none. But that does not mean that the customers are not suffering. It may just as well be that the application reverts to UPnP/STUN over IPv4 or fails without the customer being able to diagnose why.

-Erik

From: ipv6-ops-bounces+erik.taraldsen=telenor@lists.cluenet.de on behalf of Anfinsen, Ragnar
Sent: 19 September 2016 14:32
To: IPv6 Ops list
Subject: CPE Residential IPv6 Security Poll

Hi all.

In light of a new discussion blossoming in Norway, we are curious about the IPv6 security policy different ISPs have adopted. So it would be very helpful if you could do a quick response, either here or directly to me, on the following question:

Which security policy are you using for your residential IPv6 enabled CPE’s? (RFC6092, fully open, balanced or other)
Why did you adopt this policy?
Any good or not so good experience with the choice?

All answers are very much appreciated, and I will post the results here after a week or so.

Thank you very much.

Best Regards
Ragnar Anfinsen
Chief Architect CPE
IP Address Architect
Infrastructure
Technology
Altibox AS
E-mail: ragnar.anfin...@altibox.no
www.altibox.no
SV: Samsung phones block WiFi IPv6 when sleeping, delayed notifications
> I believe our Cisco equipment defaults to 10 minutes (600 seconds). There
> will also be RAs in response
> to RS messages.

From the googling I've done it seems that the defaults span from 180 to 600 seconds. Have not yet found any recommendation. Either as a sane default value or a calculation from the life time.

--
Erik Taraldsen
SV: Samsung phones block WiFi IPv6 when sleeping, delayed notifications
> I see that. I don’t think the problem is confined to Samsung or that it can
> be completely solved in isolation from fixing wireless AP router behaviour.
> At the edge of the WiFi network I also see the IPv6 connectivity dropping
> while IPv4 stays up. I’ve a ZyXEL home router that sends periodic RAs every
> 15 seconds
> and a Huawei home router that sends them every 1800 seconds.

Any opinions on what a sane default value for what the RA interval should be? I have not concerned myself with that interval before, but I see that the residential devices we ship are on a very low interval.

--
Erik Taraldsen
SV: Why do we still need IPv4 when we are migrating to IPv6...
> This might be so in Norway. In German customer portals the gamers mostly
> demand ipv4 (public ipv4 address to their home) instead of DS-Lite. They
> have already native IPv6 but avm was forced to allow "teredo" over DS
> and DS-lite - because xbox has problems with native IPv6.
>
> xbox is no good example for *wanting* IPv6.

Could you elaborate on the IPv6 issues for xbox? I was under the impression that xbox works well with IPv6.

--
Erik Taraldsen
SV: Some very nice IPv6 growth as measured by Google
I work with the residential gateways in Telenor Norway. We have two Linux-based Zyxel devices which support IPv6 native. We have done pilot trials since approx Easter, and since this summer we have started rolling out IPv6 where we can. Not all DSLAMs support IPv6 native, and there are other restrictions as well. But we will be able to provide IPv6 to a majority of the user base within the year. Given that the user has an IPv6 capable RG.

We have some trouble understanding the September dip in the graph, as we have not done a rollback. We were in fact rolling out in that time period.
http://stats.labs.apnic.net/ipv6/AS2119?a=2119&c=NO&x=0&s=1&p=1&w=10&s=0

As for lessons learned, start slow. Try and catch as many bugs as possible before doing a large scale roll out. Even when hitting bugs, try and understand user impact before panicking. Browsers have pretty aggressive "happy eyeballs" algorithms, so you can get away with some (seldom occurring) bugs in production.

We use the same principle for IPv6 security as for IPv4 security. Meaning stateful firewall blocking all incoming traffic, allowing all outgoing. But the user has full control to do as she likes.

-Erik Taraldsen

____
From: ipv6-ops-bounces+erik.taraldsen=telenor@lists.cluenet.de [ipv6-ops-bounces+erik.taraldsen=telenor@lists.cluenet.de] on behalf of Geoff Huston [g...@apnic.net]
Sent: 3 November 2014 09:25
To: Eric Vyncke (evyncke)
Cc: ipv6-ops@lists.cluenet.de
Subject: Re: Some very nice IPv6 growth as measured by Google

> On 3 Nov 2014, at 6:43 pm, Eric Vyncke (evyncke) wrote:
>
> [As a side note, it seems that the European 'google' statistics are now more
> in line with the expectation]
>
> Several countries have recently made good progress dixit Google & Apnic (URL
> are simply a different way of presenting Google data):
>       • US has reached 10%, welcome to the 10%-club
>       • Estonia has a VERY impressive growth approaching 5%:
> https://www.vyncke.org/ipv6status/plotpenetration.php?country=ee
>       • Other European countries with a recent growth:
>               • Austria:
> https://www.vyncke.org/ipv6status/plotpenetration.php?country=at
>               • Czech republic:
> https://www.vyncke.org/ipv6status/plotpenetration.php?country=cz

Telefonica Czech Republic: http://stats.labs.apnic.net/ipv6/AS5610?a=5610&c=CZ&x=1&s=1&p=1&w=1&s=0

>               • Norway:
> https://www.vyncke.org/ipv6status/plotpenetration.php?country=no

Telenor : http://stats.labs.apnic.net/ipv6/AS2119?a=2119&c=NO&x=0&s=1&p=1&w=10&s=0

>               • Greece:
> https://www.vyncke.org/ipv6status/plotpenetration.php?country=gr

Hellenic Telecommunications: http://stats.labs.apnic.net/ipv6/AS6799?a=6799&c=GR&x=1&s=1&p=1&w=1&s=0

>               • Portugal:
> https://www.vyncke.org/ipv6status/plotpenetration.php?country=pt

Telepac PT : http://stats.labs.apnic.net/ipv6/AS3243?a=3243&c=PT&x=1&s=1&p=1&w=1&s=0

> If you are behind those growths, I would love to hear more details:
> technology used, issues, …
>

Geoff
SV: Google IPv6 measurements in Europe appear heading down...
Telenor Norway has had a pretty steep growth in IPv6 enabled subscribers since the summer. We are the largest ISP in Norway, so rollouts we do usually are somewhat reflected in the graphs. On the fixed access (DSL and fiber) we had approx. 60.000 lines 1. oct. Today (24.oct) we have more than 100.000 lines activated. Yet the graph for Norway shows a flattening in the same time period. https://www.vyncke.org/ipv6status/compare.php?metric=p&countries=no.

-Erik

From: ipv6-ops-bounces+erik.taraldsen=telenor@lists.cluenet.de [ipv6-ops-bounces+erik.taraldsen=telenor@lists.cluenet.de] on behalf of Sander Steffann [san...@steffann.nl]
Sent: 24 October 2014 02:25
To: Erik Nygren
Cc: Eric Vyncke; ipv6-ops@lists.cluenet.de
Subject: Re: Google IPv6 measurements in Europe appear heading down...

Hi Erik,

> Not seeing this in the Akamai data. See for Germany and Belgium.

Your graphs show the best results (even going over 30% occasionally for Belgium) so let's go with your data. :)

Cheers,
Sander

/me likes picking the data that best represents what I *want* to see ;)
SV: Microsoft: Give Xbox One users IPv6 connectivity
I don't have numbers for other markets, but in Norway I would say more than 80% have UPnP enabled gateways. At least the ISP I work for has provided customers with UPnP enabled gateways the last 7+ years. Most devices I can see in the Norwegian market (online and physical stores) have support for UPnP.

But not to derail the discussion too much. Even with UPnP enabled, there are apparently very different ways to interpret how to use UPnP. Some clients fail miserably if they don't get the port they seek, some release the port as soon as it has been granted (older version of microsoft messenger did this, caused a lot of cpu usage on the gateways). Some clients do not understand that they have a port, and proceed to the next port and then use up all ports on the gateway.

-Erik Taraldsen
Telenor

From: ipv6-ops-bounces+erik.taraldsen=telenor@lists.cluenet.de [ipv6-ops-bounces+erik.taraldsen=telenor@lists.cluenet.de] on behalf of Mikael Abrahamsson [swm...@swm.pp.se]
Sent: 11 October 2013 06:50
To: Christopher Palmer
Cc: ipv6-ops@lists.cluenet.de
Subject: RE: Microsoft: Give Xbox One users IPv6 connectivity

On Thu, 10 Oct 2013, Christopher Palmer wrote:

> The thing about protocols like UPnP - the vendors who would ignore an
> IETF recommendation are likely to be the same vendors to skip out on
> making an adequate UPnP stack. Most people today do NOT have home
> routers that support UPnP.

Do you have numbers on this? My belief has been that most people today who care about anything more than web surfing would have a decently new gateway (less than 3-5 years old) and that this would support UPnP.

I don't have any numbers so I would like to know more :)

--
Mikael Abrahamsson    email: swm...@swm.pp.se