> On Apr 10, 2019, at 1:20 PM, Amos Rosenboim <a...@oasis-tech.net> wrote:
>
> Owen,
>
> Let me clarify a few points:
>
> 1. I am in favor of end to end connectivity and IPv6 can help restore this.
>
> 2. In the fixed broadband portion of the network this is the case.
> IPv6 is routed to the subscriber CPE.
> Firewall on the CPE is turned on by default, but can be turned off by the user.
>
> 3. In the mobile portion life is a bit more complicated.
> Unsolicited traffic from the internet towards an idle subscriber triggers a signaling process called paging.
> Extra paging is expensive in terms of signaling resource utilization, as well as on device battery.

That's a problem I leave for the developers of the platform to improve/solve in the design of 5G or subsequent protocols. It should not be worked around by permanently and irrevocably disabling end user functionality.

Owen

>
> Amos
>
> Sent from my iPhone
>
> On 10 Apr 2019, at 22:52, Owen DeLong <o...@delong.com> wrote:
>
>>
>>> We have an ongoing discussion about Gi firewall (adding a firewall between the subscribers and the internet, allowing only subscriber initiated connections), for the IPv6 traffic.
>>>
>>> The firewall is doing very little security, the ruleset is very basic, allowing anything from subscribers to the internet and blocking all traffic from the internet towards the subscribers.
>>>
>>> We have a few rules to limit the number of connections per subscriber (to a relatively high number) and that is it.
>>>
>>
>> What would be the process for a subscriber who wishes to allow inbound connections?
>>
>> If you are simply saying that as a customer of your ISP you simply can't allow inbound IPv6 connections at all, then you are becoming a very poor substitute for an ISP IMHO.
>>
>>> One of the arguments in favor of having the firewall is that unsolicited traffic from the internet can "wake" idle mobile devices, and create signaling (paging) storms as well as drain user batteries.
>>>
>>
>> There are lots of ways to configure alerts and reduce this problem space. If you want to provide a checkbox on the my.t-mobile page for the user to turn this firewall on or off on a per device basis, then sure, I could see that as viable. Even if it annoyingly defaults to on.
>>
>>> On the other hand, allowing only subscriber initiated traffic is mostly achievable using ACLs on the mobile core facing routers, or is it with the growing percentage of UDP traffic?
>>>
>> Is it even desirable to allow only subscriber initiated traffic?
>>
>> Case in point, I will occasionally end up tethering my laptop (mobile hot spot) and want certain authorized individuals to be able to VNC into it via that tethering connection.
>>
>> There have been other times when I've had things on the other side of a tether that I wanted to ssh into.
>>
>> There are also things like Particle IONs where it is desirable to be able to push firmware updates OTA. I realize that Particle is sadly lagging on IPv6 support, but it will, hopefully, one day become a valid use case as well.
>>
>>> BTW - I don't mention IPv4 traffic on the mobile network as it's all behind CGNAT which doesn't allow internet initiated connections.
>>>
>> Yes, but IPv6 is supposed to help us recover from this travesty.
>>
>>> Anyway, we are very interested to hear more opinions, and especially to hear what other mobile operators do.
>>>
>>
>> As is tradition, most operators screw the customer in one way or another in this regard. Some haven't thought about screwing customers in this particular way in IPv6 yet and so IPv6 sometimes works as one would hope.
>>
>> Owen
>>
>>
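The thread contrasts three things: a header-only ACL on the core-facing routers, a stateful Gi firewall that admits only subscriber-initiated flows (with a per-subscriber connection limit), and a per-subscriber opt-out such as the "checkbox" Owen describes. The toy model below is an added example written for this page, not code from any of the participants or from any operator's deployment; the addresses, ports and packets are constructed sample data, and the filter logic is a deliberately minimal stand-in for real router ACLs and firewall state tables. It runs the same constructed packets through both approaches and shows where they diverge: an "established"-style ACL can admit TCP return traffic by looking at the ACK flag, but has no equivalent bit for UDP, so it either breaks UDP replies (DNS here) or must let unsolicited UDP through to page idle devices; the stateful filter handles UDP correctly, drops a TCP packet with ACK set that matches no flow, enforces the per-subscriber flow cap, and lets an opted-out subscriber receive inbound connections.

```python
"""Added example: stateless ACL vs stateful Gi firewall on constructed IPv6 traffic."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                   # "tcp" or "udp"
    ack: bool = False            # TCP ACK flag; has no meaning for UDP
    from_internet: bool = False  # True = arriving on the Gi (internet-facing) side


def stateless_acl(pkt: Packet) -> str:
    """Header-only ACL as a core-facing router could apply it (toy model)."""
    if not pkt.from_internet:
        return "permit"                      # anything subscriber -> internet
    if pkt.proto == "tcp":
        return "permit" if pkt.ack else "deny"   # 'established' style match
    # UDP carries no handshake bit, so the ACL cannot tell a reply from
    # an unsolicited packet; this variant errs on the side of dropping.
    return "deny"


class StatefulGiFirewall:
    """Admits only subscriber-initiated flows, with a per-subscriber cap
    and a per-subscriber opt-out (the 'checkbox' idea from the thread).
    Assumption: a hypothetical in-memory flow table with no timeouts."""

    def __init__(self, opt_out=(), max_flows_per_subscriber=1000):
        self.flows = set()             # (src, sport, dst, dport, proto) as seen outbound
        self.opt_out = set(opt_out)    # subscribers who allow inbound connections
        self.cap = max_flows_per_subscriber

    def handle(self, pkt: Packet) -> str:
        if not pkt.from_internet:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
            if key not in self.flows:
                owned = sum(1 for f in self.flows if f[0] == pkt.src)
                if owned >= self.cap:
                    return "deny"      # per-subscriber connection limit reached
                self.flows.add(key)
            return "permit"
        if pkt.dst in self.opt_out:
            return "permit"            # subscriber chose to accept inbound traffic
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return "permit" if reverse in self.flows else "deny"


def run_scenario() -> dict:
    """Run constructed packets through both filters; returns verdicts per packet."""
    sub_a = "2001:db8:1::10"        # constructed subscriber, default policy
    sub_b = "2001:db8:2::20"        # constructed subscriber, opted out of the Gi firewall
    resolver = "2001:db8:ffff::53"  # constructed internet host the subscriber talks to
    other = "2001:db8:ffff::99"     # constructed internet host never contacted

    packets = {
        "dns_query":        Packet(sub_a, 40000, resolver, 53, "udp"),
        "dns_reply":        Packet(resolver, 53, sub_a, 40000, "udp", from_internet=True),
        "udp_unsolicited":  Packet(other, 53, sub_a, 40000, "udp", from_internet=True),
        "tcp_ack_no_flow":  Packet(other, 443, sub_a, 50000, "tcp", ack=True, from_internet=True),
        "ssh_to_opted_out": Packet(other, 51000, sub_b, 22, "tcp", from_internet=True),
    }
    fw = StatefulGiFirewall(opt_out=[sub_b])
    return {name: {"acl": stateless_acl(p), "stateful": fw.handle(p)}
            for name, p in packets.items()}   # insertion order: query precedes reply


def cap_demo(cap: int = 2) -> list:
    """Three distinct outbound flows from one subscriber against a cap of `cap`."""
    fw = StatefulGiFirewall(max_flows_per_subscriber=cap)
    sub = "2001:db8:3::30"          # constructed subscriber
    return [fw.handle(Packet(sub, 40000 + i, "2001:db8:ffff::1", 443, "tcp"))
            for i in range(3)]


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:18} ACL={verdict['acl']:6} stateful={verdict['stateful']}")
    print("cap demo:", cap_demo())
```

The divergent rows are the ones the thread argues about: `dns_reply` is dropped by the ACL but passed by the stateful filter, `tcp_ack_no_flow` is passed by the ACL (and would page the device) but dropped by the stateful filter, and `ssh_to_opted_out` reaches the subscriber only because of the opt-out. The flow cap is a tiny stand-in for the "limit the number of connections per subscriber" rules Amos mentions.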