On Tue, 2012-04-24 at 00:51 +0200, Michael Markstaller wrote:
> (I remember the IPv6-day last year, it was funny, even Google failed
> 30-50%..)

That's an... interesting assertion that I've not heard before. Google's own analysis was significantly different. They said: "We carried about 65% more IPv6 traffic than usual, saw no significant issues and did not have to disable IPv6 access for any networks or services." And "on the surface, the first global test of IPv6 passed without incident."

http://googleblog.blogspot.co.uk/2011/06/world-ipv6-day-begins-24-hours-from-now.html

> Do you expect any DSL user or Soho-Admin which doesn't even understand
> what an (IPv4) Subnet-mask is to understand that..

Of course not. That's why we're working on stuff like PD so that it just gets delegated by the ISP and all works automatically.

> a) It's a big security risk at first as no one really knows what's going
> on with IPv6 (at least on customer/user-side!)

With respect, that's complete crap. The security implications are exactly the same with IPv6 as with Legacy IP. By *default* for the home user, you want a connection-tracking firewall that allows outbound-only connections.

Some people are naïve enough to think that NAT gives you some kind of security. That's complete crap too. With ALGs automatically opening up return paths, and with UPnP allowing you to open them willy-nilly, allowing an inbound connection when you're behind NAT isn't *that* much harder than just calling listen().

For Legacy IP, a decent connection-tracking firewall is perfectly sufficient and arguably *better* than the false security of NAT. For IPv6 it's just the same.

> So the first thing before even considering it, is the Firewall on the
> router (here: OpenWRT) should be at least as closed as for IPv4 with
> NAT by default. Is it?

I *think* it is, but I'm not sure. I vaguely remember having to turn the poxy thing off in order to get inbound connections working properly.

> That beams the Internet back to 1990, where you just trusted that the
> others won't do no harm anyway, the only current protection is IMHO
> that no one knows, how to exploit it..

No, this is also absolutely wrong. In 1990, servers and protocols weren't really designed to cope with a malicious network. There was no SSL. We used telnet, not SSH. And you could crash most boxes by sending fragmented packets that added up to more than 64KiB. In 1990, a firewall might have actually made *sense*.

These days, a huge proportion of devices are mobile (phones, laptops), and will connect to arbitrary wireless networks when they're out and about. They may well get an address which isn't firewalled from the outside world (even if it has NAT, it probably still allows some incoming connections), and which almost *certainly* isn't firewalled from all the other untrusted machines on the same network.

If those devices are *really* stuck in the 1990s in every other respect, and are only relying on a firewall as a band-aid to let them survive in the 21st century, as you suggest, they have already lost the game. Thankfully, that just isn't the case.

So no, you are absolutely wrong to suggest that *if* we didn't have a firewall enabled by default, "that beams the Internet back to 1990".

Not that it's relevant anyway, because we *should* (and do?) have a firewall enabled by default. It's a stupid band-aid to work around broken software, and should never really be necessary in an ideal world — but it's a fact of life that people expect it and in some rare cases, if they're really stupid, intentionally rely on it.

> b) As you mentioned in later posts, it's a pain mixed with more pain,
> 6to4, 6rd, causes timeouts, problems, troubles (how do I teach that my
> 6 Cisco Border-Routers? oh well I could buy new ones with 8x RAM
> etc..)-> which end-user wants them and - who pays for? No one..

I'm not quite sure if you're making a serious point here or just wittering.

Yes, 6to4 is a bad way to provide IPv6 connectivity. So is RFC1149. Your point?

I've been running IPv6 for years, and I still see *more* problems with Legacy IP, for example morons filtering ICMP and breaking path MTU discovery, than I ever do with IPv6. And often, IPv6 has allowed things to keep working while Legacy IP is failing for some reason.

I strongly suspect that 8x RAM on the border routers is an exaggeration. Do you have a reference for that figure?

> To find some conclusion at least for myself, as soon as deploying IPv6
> on End-Users is painless *at least as secure as v4 with NAT* I'd
> think about to enable it - and happy to work on.

As long as we have that connection-tracking firewall, it *is* at least as secure as Legacy IP.

-- 
dwmw2