Friday, January 23, 2009

Consumer Router & IPv6 == Firewall FAIL

I'm using a Linksys wrt610n router (let's call it Eve) at home at the moment and noticed upon upgrading that my home server suddenly had IPv6 connectivity to the world. Apparently Eve supports IPv6, neat! Nowhere in its admin interface is there any setting to control IPv6 behavior.

What does this mean?

Eve has handed out a 6to4 IPv6 address to my internal hosts and is routing their IPv6 traffic, encapsulated in IPv4, to the 6to4 anycast address 192.88.99.1. My current ISP, Comcast, is happily routing this to a 6to4 router. So I have IPv6 connectivity at home. yay... but wait.

Big Trouble In Little Router

Realizing that I had an IPv6 address visible to the world it dawned on me to ask, "hey, what happens to inbound connections? Is there a firewall?".

So I tested it from an IPv6 enabled host at work. Turns out there was no firewall. The entire world (err, the entire 0.01% of it that speaks IPv6 anyways) could connect to my internal file and print servers (samba and cups) among other things. Eek. I solved that by altering the configuration of those servers for now. I really should also configure a firewall on the system to limit what is allowed in.

Cisco (Linksys): The default configuration for any router claiming to be a firewall should be to block inbound connections on IPv6 since the router supports IPv6. Second, the IPv6 firewall should obey the existing port forwarding settings using the associated 6to4 address to allow port forwarding to work the same regardless of IPv4 or IPv6.
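The two points above (the 6to4 address the router derives from its public IPv4, and a default-deny IPv6 policy that honours the existing port forwards) can be worked through in a few lines. The following Python is an added example, not code from this post, from Linksys or from Comcast: it derives the site's 2002::/48 prefix from a WAN address, flags which addresses seen on LAN hosts fall inside it (and are therefore reachable from the IPv6 Internet when nothing filters), and emits the ip6tables rules a Linux box forwarding the 6to4 traffic would need. The WAN address 203.0.113.7, the host addresses and the port-forward table are constructed; `ip6tables` with the `conntrack` match is assumed to be available, and the table maps directly to internal IPv6 addresses, which assumes the mapping from internal IPv4 hosts to their 6to4 addresses has already been done.

```python
"""Helpers for auditing a LAN that a router has silently put on 6to4.

Added example: this is not code from the post, Linksys or Comcast. Every
address below is constructed (IANA documentation ranges); the WAN address
203.0.113.7 and the host list stand in for a real network.
"""
import ipaddress

# 2002::/16 is the 6to4 block (RFC 3056); 192.88.99.1 is the relay anycast
# address (RFC 3068) the post mentions.
SIX_TO_FOUR_BLOCK = ipaddress.IPv6Network("2002::/16")
SIX_TO_FOUR_ANYCAST = "192.88.99.1"
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA = ipaddress.IPv6Network("fc00::/7")


def six_to_four_prefix(wan_ipv4):
    """The /48 a 6to4 router derives from its public IPv4 address: the four
    octets become the second and third 16-bit groups after 2002."""
    v4 = ipaddress.IPv4Address(wan_ipv4)
    # A router behind NAT holds an RFC 1918 WAN address; any 2002:: prefix it
    # builds from that is unroutable, so it should not be advertising one.
    if any(v4 in net for net in RFC1918):
        raise ValueError(f"{wan_ipv4} is private; 6to4 needs a public IPv4")
    o = v4.packed
    return ipaddress.IPv6Network(f"2002:{o[0]:02x}{o[1]:02x}:{o[2]:02x}{o[3]:02x}::/48")


def embedded_ipv4(addr):
    """Recover the IPv4 address carried in a 6to4 address (bytes 2..5)."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in SIX_TO_FOUR_BLOCK:
        raise ValueError(f"{addr} is not a 6to4 address")
    return ipaddress.IPv4Address(v6.packed[2:6])


def classify(addr):
    """Coarse scope of an address seen on a LAN interface."""
    v6 = ipaddress.IPv6Address(addr)
    if v6.is_link_local:
        return "link-local"      # fe80::/10, never leaves the link
    if v6 in ULA:
        return "unique-local"    # fc00::/7, not routed on the Internet
    if v6 in SIX_TO_FOUR_BLOCK:
        return "6to4"            # reachable from anywhere via a relay
    return "other"


def exposed_hosts(wan_ipv4, observed):
    """Addresses from `observed` (e.g. gathered with `ip -6 addr` on each
    host) that sit inside this site's 6to4 /48, i.e. are reachable from the
    IPv6 Internet if the router applies no filtering."""
    site = six_to_four_prefix(wan_ipv4)
    return [str(a) for a in map(ipaddress.IPv6Address, observed) if a in site]


def ip6tables_rules(wan_ipv4, forwards, chain="FORWARD"):
    """Default-deny IPv6 policy for a Linux box forwarding the 6to4 traffic,
    mirroring an IPv4 port-forward table onto the 6to4 addresses.

    `forwards` is a list of (proto, port, internal_ipv6) tuples; mapping an
    internal IPv4 host to its 6to4 address is assumed to be done already."""
    site = six_to_four_prefix(wan_ipv4)
    rules = [
        f"ip6tables -P {chain} DROP",
        # replies to connections the LAN opened
        f"ip6tables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # ICMPv6 carries path-MTU discovery; tighten to specific types if desired
        f"ip6tables -A {chain} -p icmpv6 -j ACCEPT",
        # anything originating inside the site may go out
        f"ip6tables -A {chain} -s {site} -j ACCEPT",
    ]
    for proto, port, host in forwards:
        target = ipaddress.IPv6Address(host)
        if target not in site:
            raise ValueError(f"{host} is outside {site}; refusing to forward")
        rules.append(f"ip6tables -A {chain} -d {target} -p {proto} --dport {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    wan = "203.0.113.7"                               # constructed WAN address
    lan = [                                           # constructed host list
        "fe80::1",
        "fd00::5",
        "2002:cb00:7107:0:dead:beef:cafe:1",
        "2002:102:304::1",                            # someone else's 6to4 site
    ]
    print("site prefix:", six_to_four_prefix(wan))
    print("relay:", six_to_four_prefix(SIX_TO_FOUR_ANYCAST).network_address)
    for a in lan:
        print(a, "->", classify(a))
    print("exposed:", exposed_hosts(wan, lan))
    print("\n".join(ip6tables_rules(wan, [("tcp", 631, lan[2])])))
```

The rules apply to a router's FORWARD chain; for the host-side fix mentioned earlier (a firewall on the server itself), pass `chain="INPUT"` and list only the services that should be reachable. Running the script prints the site prefix 2002:cb00:7107::/48, shows that only the 2002:cb00:7107::/48 host is exposed while the link-local and unique-local addresses are not, and refuses a forward whose target lies outside the site's own /48.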

Stupid Network Admins In Giant ISP

Comcast is routing the 6to4 anycast 192.88.99.1 traffic to a 6to4 tunnel exit node in Amsterdam. Yes, that's right. My IPv6 traffic on Comcast in California is taking an additional 150ms round trip across the Atlantic Ocean to reach a data center (he.net) that is local to me, wasting transatlantic bandwidth and making the user experience (i.e. latency) of most things on IPv6 painful.

Comcast: Stop routing around the world! There are local IPv6 6to4 gateways all around the world. Better yet, set up your own. I realize native IPv6 on cable modem service is a long way off, likely waiting for DOCSIS 3.0 deployment, but that's no reason to make the experience of IPv6 users suck by default. End users should not need to know anything about IPv6, it should just work. Adding 150ms latency is horrible and will make customers hate you, and your customer support will not have a clue how to fix their problems.

P.S. I do not recommend the Linksys wrt610n. It has horrible signal strength compared to anything with external antennas.