Re: Random Port Blocking at Hotels (was: Re: quietly....)
On Sat, Feb 5, 2011 at 5:34 PM, Derek J. Balling wrote:
>
> On Feb 5, 2011, at 8:14 PM, Mark Andrews wrote:
>> I have told a hotel they need to install equipment that supports RA
>> guard as I've checked out. This was a hotel that only offered IPv4.
>
> Wow... Could that be any more of a waste of yours and their time?
>
> This is like telling the cashier at the hospital when you're being
> discharged, "y'know, I'm not sure that they're using the proper stitch-knot
> in the ER. You should have someone look at that."
>
> Do you honestly think that feedback is even *understood*, let alone passed on
> to anyone even close to the problem?
>

Well, around here the front desk would pass it along and it would reach me; more so if they don't understand it. Though if it wasn't in writing, it would probably become unintelligible.

Am I in a position to do something about it? Probably not.
Re: Random Port Blocking at Hotels (was: Re: quietly....)
Derek J. Balling wrote:
> On Feb 5, 2011, at 11:15 PM, Paul Timmins wrote:
>> I know a hospital in Metro Detroit that was offering it on their patient and
>> guest WiFi in 2009. Of course, neither they, nor the individual running the
>> rogue IPv6 router knew that, but as a person running an IPv6 enabled OS, it
>> was really screwing up access to my dual stacked hosts to be getting RAs on
>> their wireless with no prefixes on them. I had to filter out RAs in iptables
>> in order to effectively use their WiFi, which was a mess to begin with.
>
> Wouldn't it have been awesome if, y'know, you hadn't had to worry about the
> RAs at all, but had just connected your single client machine, and gotten
> your simple gateway address from the DHCP server along with all the rest of
> your network configuration settings, just like has worked pretty darned well
> for a number of years?

Because rogue DHCP servers have never been a problem. Switches supported keeping those secure since before DHCP was even commonly used, right?

-Paul
Re: Random Port Blocking at Hotels (was: Re: quietly....)
On Feb 5, 2011, at 8:30 PM, Matthew Kaufman wrote:
> On 2/5/2011 8:15 PM, Paul Timmins wrote:
>> OR just upgrade your gear, and while you're at it, you can now safely enable
>> IPv6 anyway.
>
> Well, enable IPv6. Safely? I don't see how upgrading your gear magically
> makes the various security threats -- including the current topic of rogue
> RAs -- go away.
>
> Matthew Kaufman

Most rogue RAs are problematic on networks that don't have legitimate RAs to override them.

Yes, someone can do a malicious RA, but, the current problem is mostly people doing accidental RAs thanks to Micr0$0ft's convenient "Click here to screw your neighbors" buttons.

Owen
Re: Random Port Blocking at Hotels (was: Re: quietly....)
On Feb 5, 2011, at 11:15 PM, Paul Timmins wrote:
> I know a hospital in Metro Detroit that was offering it on their patient and
> guest WiFi in 2009. Of course, neither they, nor the individual running the
> rogue IPv6 router knew that, but as a person running an IPv6 enabled OS, it
> was really screwing up access to my dual stacked hosts to be getting RAs on
> their wireless with no prefixes on them. I had to filter out RAs in iptables
> in order to effectively use their WiFi, which was a mess to begin with.

Wouldn't it have been awesome if, y'know, you hadn't had to worry about the RAs at all, but had just connected your single client machine, and gotten your simple gateway address from the DHCP server along with all the rest of your network configuration settings, just like has worked pretty darned well for a number of years?

Oh, right... IPv6, whose mascot should be the camel[1].

Cheers,
D

[1] http://bit.ly/enLk3c
Re: Random Port Blocking at Hotels (was: Re: quietly....)
On 2/5/2011 8:15 PM, Paul Timmins wrote:
> OR just upgrade your gear, and while you're at it, you can now safely enable
> IPv6 anyway.

Well, enable IPv6. Safely? I don't see how upgrading your gear magically makes the various security threats -- including the current topic of rogue RAs -- go away.

Matthew Kaufman
Re: Random Port Blocking at Hotels (was: Re: quietly....)
John R. Levine wrote:
>> I have told a hotel they need to install equipment that supports RA
>> guard as I've checked out. This was a hotel that only offered IPv4.
>>
>> Hotels ask for feedback on their services. If you see a fault report
>> it in writing.
>
> Sure. Bet you ten bucks that no hotel in North America offers IPv6 this
> year in the wifi they provide to customers. (Conference networks don't
> count.)

I know a hospital in Metro Detroit that was offering it on their patient and guest WiFi in 2009. Of course, neither they, nor the individual running the rogue IPv6 router knew that, but as a person running an IPv6 enabled OS, it was really screwing up access to my dual stacked hosts to be getting RAs on their wireless with no prefixes on them. I had to filter out RAs in iptables in order to effectively use their WiFi, which was a mess to begin with.

The guilty party should remain nameless for google's sake, but if you're a netadmin in a largeish, three location hospital entirely in the detroit suburbs, say the largest inpatient hospital in the country, please make sure you either filter IPv6 or offer it yourself so you'll at least know if it's broken.

As much as I hear people whining these days about how to handle rogue RAs, they don't seem to realize that this is ALREADY an issue on their network, even if they haven't, or won't adopt IPv6, and so this is a NOW problem either way and needs to be addressed. It's not a barrier to IPv6 adoption, it's a security threat right this minute. Either block protocol 0x86dd using a mac address prefix list, or traffic with a destination of 33:33:00:00:00:01 from all untrusted ports and you can now safely enable IPv6, OR just upgrade your gear, and while you're at it, you can now safely enable IPv6 anyway.

-Paul
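Added example, not part of the original thread or any poster's code: the per-port filtering described in the message above, written as a Python check that recognises a Router Advertisement by EtherType 0x86dd and ICMPv6 type 134 and drops it unless it arrives on a port where a router is expected. The port names, MAC addresses and sample frames are constructed for illustration, and the parser assumes untagged Ethernet with ICMPv6 directly after the IPv6 header.

```python
import struct, ipaddress

ETHERTYPE_IPV6 = 0x86DD                        # "protocol 0x86dd" from the post
ALL_NODES_MAC = bytes.fromhex("333300000001")  # 33:33:00:00:00:01 from the post
ICMPV6, RA_TYPE, OPT_PREFIX_INFO = 58, 134, 3  # RFC 4861 values

def parse_ra(frame):
    """Return RA details, or None if the frame is not a Router Advertisement.
    Assumes untagged Ethernet with ICMPv6 directly after the IPv6 header."""
    if len(frame) < 14 + 40 + 16:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    if frame[14 + 6] != ICMPV6 or frame[54] != RA_TYPE:
        return None
    prefixes, opts = [], frame[70:]            # options follow the 16-byte RA header
    while len(opts) >= 2:
        otype, olen = opts[0], opts[1] * 8     # option length is in 8-byte units
        if olen == 0 or olen > len(opts):
            break                              # malformed option: stop parsing
        if otype == OPT_PREFIX_INFO and olen == 32:
            prefixes.append(f"{ipaddress.IPv6Address(opts[16:32])}/{opts[2]}")
        opts = opts[olen:]
    return {"src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
            "all_nodes": frame[0:6] == ALL_NODES_MAC, "prefixes": prefixes}

def ra_guard(frame, port, trusted_ports):
    """Per-port decision: an RA is forwarded only from a port where a router is expected."""
    if parse_ra(frame) is None:
        return "forward"                       # not an RA, so not this filter's business
    return "forward" if port in trusted_ports else "drop"

def build_ra(src_mac, prefixes=()):
    """Constructed sample frame (checksum left zero; it is not validated here)."""
    opts = b"".join(struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 86400, 14400, 0)
                    + ipaddress.IPv6Address(p).packed for p, plen in prefixes)
    icmp = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0) + opts
    ip6 = (struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, 255)
           + ipaddress.IPv6Address("fe80::1").packed
           + ipaddress.IPv6Address("ff02::1").packed)
    return (ALL_NODES_MAC + bytes.fromhex(src_mac)
            + struct.pack("!H", ETHERTYPE_IPV6) + ip6 + icmp)

ROGUE = build_ra("020000000bad")                          # no prefix option, as in the post
LEGIT = build_ra("020000000001", [("2001:db8:1::", 64)])  # documentation prefix
```

An RA with an empty `prefixes` list matches the symptom reported above: hosts learn a default router but no address prefix.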
Re: Random Port Blocking at Hotels (was: Re: quietly....)
On Feb 5, 2011, at 5:14 PM, Mark Andrews wrote:
>
> In message <20110205150005.40621.qm...@joyce.lan>, John Levine writes:
>>> and saying "by God, this Owen character is right, we're in breach of
>>> contract and his definition of the purity of Internet ports has so
>>> stunned us with its symmetry and loveliness that we shall bow down and
>>> sin no more! Thank you Mr. DeLong from making the blind see again!"
>>
>> More likely "uh, oh, we've got a loony one here. Maybe if I give him
>> his ten bucks back, he'll go away."
>>
>> R's,
>> John
>
> I have told a hotel they need to install equipment that supports RA
> guard as I've checked out. This was a hotel that only offered IPv4.
>
> Hotels ask for feedback on their services. If you see a fault report
> it in writing.
>

Rest assured, I do that as well. I also end up usually spending a fair amount of time on the phone with their contracted support desk which is usually staffed by people that can barely spell IP and get confused if you suffix it with v4 or v6.

When I inquired about IPv4 and IPv6 support, I had one literally tell me "We don't support either of those. Just ordinary Internet Protocol."

Owen
Re: Random Port Blocking at Hotels (was: Re: quietly....)
On 2/5/2011 8:06 PM, John R. Levine wrote:
> Sure. Bet you ten bucks that no hotel in North America offers IPv6 this
> year in the wifi they provide to customers. (Conference networks don't
> count.)

http://twitter.com/unquietwiki/status/449593712050176 springs to mind -- it was even *last* year. I think you owe Mark $10.

Jima
Re: Random Port Blocking at Hotels (was: Re: quietly....)
In message , "Derek J. Balling" writes:
>
> On Feb 5, 2011, at 8:14 PM, Mark Andrews wrote:
> > I have told a hotel they need to install equipment that supports RA
> > guard as I've checked out. This was a hotel that only offered IPv4.
>
> Wow... Could that be any more of a waste of yours and their time?

I put it in writing so it could be sent to someone that could actually do something about it. I didn't expect the girl at the desk to do anything about it other than make sure the report got to the right department. I expressed in terms of this is a future problem and you need to be planning for it.

Bitching about problems with hotels networks here doesn't get them fixed. Complaining, in writing, has a chance of getting the problem fixed.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org
Re: Random Port Blocking at Hotels (was: Re: quietly....)
In message , "John R. Levine" writes:
> > I have told a hotel they need to install equipment that supports RA
> > guard as I've checked out. This was a hotel that only offered IPv4.
> >
> > Hotels ask for feedback on their services. If you see a fault report
> > it in writing.
>
> Sure. Bet you ten bucks that no hotel in North America offers IPv6 this
> year in the wifi they provide to customers. (Conference networks don't
> count.)

The point I was trying to make is that hotel still needs to protect their customers from bad actions by other customers. Investing in RA guard gives their current customers a better experience *now* and is not a wasted expense as they will continue to need it when they get IPv6 connectivity.

The alternative is to filter all IPv6 packets and remember to turn off the filter when they go to turn on IPv6. The RA guard can be configured to allow the hotels routers to work when IPv6 is finally enabled on them.

Anyway it's all about educating people to be aware that they need to purchase stuff with IPv6 in mind even if they don't yet use IPv6. Anything bought now is likely to be used in an environment with IPv6 enabled at some point.

Mark

> Regards,
> John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
> Please consider the environment before reading this e-mail. http://jl.ly
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org
RE: Random Port Blocking at Hotels (was: Re: quietly....)
> Sure. Bet you ten bucks that no hotel in North America offers IPv6 this year
> in the wifi they provide to customers. (Conference networks don't
> count.)

John - I happen to know with absolute certainty that the above statement is false. But I'd be happy to take your money! :-)

Nathan
Re: Random Port Blocking at Hotels (was: Re: quietly....)
> I have told a hotel they need to install equipment that supports RA
> guard as I've checked out. This was a hotel that only offered IPv4.
>
> Hotels ask for feedback on their services. If you see a fault report
> it in writing.

Sure. Bet you ten bucks that no hotel in North America offers IPv6 this year in the wifi they provide to customers. (Conference networks don't count.)

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
Re: Random Port Blocking at Hotels (was: Re: quietly....)
On Feb 5, 2011, at 8:14 PM, Mark Andrews wrote:
> I have told a hotel they need to install equipment that supports RA
> guard as I've checked out. This was a hotel that only offered IPv4.

Wow... Could that be any more of a waste of yours and their time?

This is like telling the cashier at the hospital when you're being discharged, "y'know, I'm not sure that they're using the proper stitch-knot in the ER. You should have someone look at that."

Do you honestly think that feedback is even *understood*, let alone passed on to anyone even close to the problem?

D
Re: Random Port Blocking at Hotels (was: Re: quietly....)
In message <20110205150005.40621.qm...@joyce.lan>, John Levine writes:
> >and saying "by God, this Owen character is right, we're in breach of
> >contract and his definition of the purity of Internet ports has so
> >stunned us with its symmetry and loveliness that we shall bow down and
> >sin no more! Thank you Mr. DeLong from making the blind see again!"
>
> More likely "uh, oh, we've got a loony one here. Maybe if I give him
> his ten bucks back, he'll go away."
>
> R's,
> John

I have told a hotel they need to install equipment that supports RA guard as I've checked out. This was a hotel that only offered IPv4.

Hotels ask for feedback on their services. If you see a fault report it in writing.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org
Re: Random Port Blocking at Hotels (was: Re: quietly....)
>and saying "by God, this Owen character is right, we're in breach of
>contract and his definition of the purity of Internet ports has so
>stunned us with its symmetry and loveliness that we shall bow down and
>sin no more! Thank you Mr. DeLong from making the blind see again!"

More likely "uh, oh, we've got a loony one here. Maybe if I give him his ten bucks back, he'll go away."

R's,
John