Re: [v6ops] Thoughts about wider operational input

JORDI PALET MARTINEZ <jordi.palet@consulintel.es> Mon, 04 April 2022 10:20 UTC

Date: Mon, 04 Apr 2022 12:20:18 +0200
From: JORDI PALET MARTINEZ <jordi.palet@consulintel.es>
To: v6ops@ietf.org
Message-ID: <70C561C0-F518-4AEF-8AD1-35F871D37C03@consulintel.es>
In-Reply-To: <de1d6cf9-ce16-4347-dfdf-17a427468199@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/9kdUrabFj1Lm5wkIBRrDLWfmARI>
Subject: Re: [v6ops] Thoughts about wider operational input

Yep, that's part of the problem.

I don't think typically "non-home-oriented-CPEs" have an IPv6 firewall, or at least not enabled by default.

"small" SMEs most of the time use the same connectivity as a household subscriber, so most of the time the same "home-oriented-CPE".

If we move to medium SMEs, and of course, enterprises, they should have, in addition to the CPE, a firewall. It may happen that in many cases, they have it, but not necessarily all.

Regards,
Jordi
@jordipalet
 
 

On 30/3/22, 23:16, "v6ops on behalf of Brian E Carpenter" <v6ops-bounces@ietf.org on behalf of brian.e.carpenter@gmail.com> wrote:

    Jordi,

    As we all know, home gateways that support IPv6 are shipped with a quite adequate default firewall configuration. Is there a good specification for a default firewall configuration for an SME CE router?

    Probably this isn't realistic for large enterprises?

        Brian
    On 31-Mar-22 07:27, JORDI PALET MARTINEZ wrote:
    > Because if you don't have NAT, you are forced to properly configure a firewall.
    > 
    > With a NAT, many don't even have a firewall, or it is not sufficiently well configured.
    > 
    > Regards,
    > Jordi
    > @jordipalet
    >   
    >   
    > 
    > On 30/3/22, 17:58, "v6ops on behalf of Joe Maimon" <v6ops-bounces@ietf.org on behalf of jmaimon@jmaimon.com> wrote:
    > 
    > 
    > 
    >      JORDI PALET MARTINEZ wrote:
    >      >
    >      > To demonstrate how NAT is not security, you just need to enable Teredo
    >      > or any other UDP tunneling traversing the NAT, so the security guys
    >      > can see that without any special config in the NAT, you can dig a
    >      > hole in it (Teredo navalis = shipworm).
    >      >
    >      > Regards,
    >      >
    >      > Jordi
    >      >
    >      > @jordipalet
    >      >
    > 
    >      And then you need to demonstrate how the equivalent would not happen on
    >      IPv6.
    > 
    >      Joe
    > 
    >      _______________________________________________
    >      v6ops mailing list
    >      v6ops@ietf.org
    >      https://www.ietf.org/mailman/listinfo/v6ops
    > 




**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicitly authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
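As an added illustration of the default firewall configuration Brian asks about (this is example code, not part of the thread or of any vendor's CPE), the following nftables ruleset applies the RFC 6092 "simple security" model to an SME CE router: outbound flows and their replies pass, unsolicited inbound is dropped, and the ICMPv6 types required by RFC 4890 are let through. Interface names wan0 and lan0 are assumed; the Teredo egress rule is an optional hardening step, not an RFC 6092 default.

```nft
#!/usr/sbin/nft -f
# Assumed interface names (constructed for this example): wan0 = ISP uplink, lan0 = SME LAN.
define wan = "wan0"
define lan = "lan0"

flush ruleset

table inet cpe_simple_security {
    chain input {
        # Traffic addressed to the CE router itself: deny by default.
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # ICMPv6 the router needs to operate on-link (RFC 4890): ND, MLD, errors, ping.
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit,
                      nd-neighbor-advert, mld-listener-query, mld-listener-report,
                      destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request } accept
        # DHCPv6 server replies arriving on the WAN side (client port 546, RFC 8415).
        iifname $wan udp dport 546 accept
        # LAN hosts may use the router's DNS forwarder and DHCPv6 server.
        iifname $lan udp dport { 53, 547 } accept
        iifname $lan tcp dport 53 accept
    }

    chain forward {
        # Transit traffic, RFC 6092 model: outbound allowed, unsolicited inbound
        # dropped, replies to outbound flows allowed by connection tracking.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # ICMPv6 error and diagnostic messages must traverse the firewall (RFC 4890).
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, echo-reply } accept
        # Optional egress policy: drop Teredo (UDP 3544) from the LAN so hosts do
        # not build the tunnel discussed in the thread; not an RFC 6092 default.
        iifname $lan oifname $wan udp dport 3544 drop
        # Everything else originating on the LAN may go out.
        iifname $lan oifname $wan accept
    }
}
```

Load it with `nft -f <file>`; inbound services on LAN hosts then need explicit forward rules (or PCP as RFC 6092 describes), which is exactly the "forced to properly configure a firewall" situation Jordi refers to.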