Re: PCP, and 6434bis (was Re: IPv6 only host NAT64 requirements?)

[Mark Andrews <marka@isc.org>]

> On 17 Nov 2017, at 7:06 am, james woodyatt <jhw@google.com> wrote:
> 
> On Nov 16, 2017, at 07:26, Tim Chown <Tim.Chown@jisc.ac.uk> wrote:
>> On 16 Nov 2017, at 12:42, Ca By <cb.list6@gmail.com> wrote:
>>> 
>>> I assumed PCP was designed with an eye firmly on future routed home networks where firewall holes need to be opened. […]
> 
> It was. In fact, that was the reason NAT-PMP evolved into PCP in the first place: because we needed to extend NAT-PMP to support punching holes in RFC 6092 firewalls.
> 
>>> The alternative is secure host and no firewall. There is no firewall at the ietf conference right now, right?  Are you secure ? Is there a malware outbreak?
> 
> That’s the alternative, but it’s not the dominant practice.
> 
>> Yet in practice pretty much every ISP deploying IPv6 to residential is doing so with RFC 6092, or stricter. Perhaps with a toggle to turn off firewalling, but that’s the reality.
> 
> Surveys I’ve seen show that most IPv6 residential networks outside of a few large providers in USA are using something like RFC 6092 with no prior user action. Home users either have no option to disable the firewall or they have no knowledge of it. Anybody planning to deploy IPv6 applications in residential networks (and I’m absolutely one of them) would be absolutely stupid to expect any way for passive listeners to receive inbound flows from arbitrary remote endpoints. Both REC-48 and REC-49 in RFC 6092 are widely ignored in the field. (Which is the outcome I warned against when I was writing it.)

Then those ISP’s are delivering a broken Internet connection to their customers.

There is a significant customer base that configure their border routers to allow
incoming connections today.  The ability to do this is built into retail routers today.
Customers that need this ability don’t buy routers that don’t support it.

Personally I would prefer that a router just did anti spoofing filtering and nothing else by
default but that wasn’t the consensus.   Allow only allocated source addresses out
the north interface.  Block allocated source addresses in on the north interface.  This
stops compromised internal machines successfully spoofing someone else.   The
also prevents someone else using spoofed address you are using coming in at the
cost of not being able to send a source routed packet to yourself.

Mark

>> OTOH it seems that PCP support in hosts / CPEs isn't exactly widespread.
> 
> Is there support in FreeBSD, Linux or Windows? I don’t think so.
> 
>>> The fatal flaw in PCP (aside from the name) is that it assumes the host needs protection yet it gives the host the power to control the firewall.  Next gen malware will come via email (just like today), it will encrypt your hard drive, and then setup and c2 network on your pc via pcp controls.  Sad!
>> 
>> True, and that happens with UPnP today…
> 
> UPnP has the added festival of third-party option enabled by default. It’s truly a magical wonder.
> 
> 
> --james woodyatt <jhw@google.com>
> 
> 
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org