Re: [v4tov6transition] Ways to break IPv6

"Yiu L. Lee" <> Wed, 13 October 2010 02:44 UTC


This is expected behavior. Since IPv6 provides e2e connectivity, this is
required to enable FW by default. I think the FW is doing the right thing.
Despite the correct behavior, this will create a lot of confusion in the
beginning of launching IPv6. Education is needed to train the users to
realize the changes and this isn't going to be easy.

On 10/12/10 10:40 PM, "Ed Jankiewicz" <> wrote:

> This is not a surprise, it is something that has been predicted by
> many as one of the "growing pains" of IPv6 transition.  Firewalls and
> other security software will "support" IPv6 initially by just blocking
> it - too much work (and too little demand) for a real implementation.
> Just loaded an updated version of the commercial anti-virus package that
> I've been using, let it remain nameless, it is certainly not the only
> offender in this area.  Unlike the previous version this includes an
> enhancement - it blocks all IPv6 and IPv6 over IPv4 traffic by default.
> The firewall rule can be disabled.
> If you are a network operator, there is a lot of mischief that can be
> done by software that the end-user downloads onto their machines that
> can make IPv6 appear broken.  This is another area that should get some
> attention - how will customer service and help desk people be trained to
> deal with "connectivity" problems the user can cause themselves?
> It took me a while to figure this out, and I'm one of the people who
> frequently predicted this would happen.  Imagine your average end-user
> who knows nothing about IPv6 and expects that "it just works".  Also,
> many books, websites and other security advice say "when in doubt, turn
> off IPv6".  At least in the foreseeable future, this will continue to be
> impedance against the uptake of IPv6.