IPv6 Working Group Minutes - RIPE 84

Date: Thursday, 19 May 11:00 - 12:30 (UTC+2)
Chaired By: Benedikt Stockebrand, Jen Linkova, Raymond Jetten
Scribe: Gerardo Viviers
Status: Draft

Welcome, Etiquette, Approving Minutes

Working Group Co-Chairs

Raymond Jetten, Working Group Co-Chair, welcomed everyone to the session and went over some rules of engagement.

There were no questions or comments.

IPv6 and the Windows 10 Firewall

Wilhelm Boeddinghaus, system.de

This presentation is available at:
https://ripe84.ripe.net/wp-content/uploads/presentations/100-Boeddinghaus-RIPE84-IPv6WG-Windows-Firewall.pdf

Wilhelm did an in-depth analysis of how IPv6 is handled by the Windows 10 Defender Firewall software. The presentation conclusions provided some advice on how to best configure the firewall to provide good security for IPv6.

Alvaro Vives, RIPE NCC, asked if there were improvements to the default firewall rules in Windows 11. Wilhelm said that he didn’t think so, but he had not yet looked into Windows 11. He didn’t expect the rules to be any better and said that maybe they should be proposed by the community.

Christian Bretterhofer, Andritz AG, asked if there is a tool which allows users to see the firewall rules. Wilhelm replied that the Microsoft administration interface displays the rules. Most of the outgoing rules are not needed, because everything outgoing is allowed. He suggested that there might be some other firewall tools which were better.

Kurt Kayser, Kurt Kayser Konsultation, commented that on the slides, the link-local prefix was /64 and not /10. Wilhelm explained that this prefix size was mentioned in the Microsoft environments and that he had simply taken it over.

Jan Zorz, 6connect, asked if Wilhelm thinks it’s still a good idea to have a central firewall and not rely on the Windows 10 firewall. Wilhelm explained that you cannot rely on the Windows 10 firewall, but you must use it anyway. The central firewall does not protect your LAN. To ensure a secure environment, we need to use all the firewalls and packet filters available.

Kostas Zorbadelos, CANAL+ Telecom, said that a default rule set is a problem, and asked Wilhelm if he had a suggestion for what the default ruleset should be. Wilhelm answered that it was difficult to come up with a real new default ruleset, because it is application centred. It depends on where the PC is used – in a loose environment or in a strict environment. Maybe the community can come up with a better firewall rule set.

Maria Matejka, CZ.NIC, mentioned that one problem is a too-open firewall, and another is a too-closed firewall. The area of too closed and too open overlaps. We can’t find a solution to having the firewall not too open and not too closed. Rule confirmations pop up frequently and home users click without thinking about it. Wilhelm replied that home users usually don’t know much about packets and ports, so they don’t understand what is right or wrong. Maybe the enterprise admins can make better rules for their environment, as they have the knowledge.

Jen Linkova, Google, mentioned she is not a Windows user, but wondered if the firewall rules related to Neighbor Discovery might be useful for VMs on the same device. Wilhelm replied that he didn’t think so. The VM packets don’t need to be sent outside. Virtualisation is an enterprise feature and should be dealt with by the enterprise administrators.

IPv6 Deployment Status: Update and Remaining Challenges

Paolo Volpato, SID and Huawei Technologies

This presentation is available at:
https://ripe84.ripe.net/wp-content/uploads/presentations/114-IPv6_Status_Paolo_Volpato.pdf

Paolo presented on the status of IPv6 deployment around the world, pointing out how the statistics need a more refined interpretation to approach a true status.

Christian Bretterhofer, Andritz AG, asked when companies in China would get access to IPv6 and open connectivity. His experience in China was difficult and the ISPs offered only a /64 IPv6 prefix. Paolo said that the plan was to have a good percentage of IPv6-only networks in China by 2030. He added that the issue of open connectivity could not be addressed in the current session.

Maximilian Wilhelm, Cloudflare, commented that he felt IPv6 is a second-class citizen on Paolo’s platform and asked when IPv6 would be on par with IPv4. Paolo answered that he is confident IPv6 is not a second-class citizen and if there is something to be fixed, he will pass on any messages to the headquarters for support.

Jad el Cham, RIPE NCC, asked about IPv6 policies that have a good impact on IPv6 deployment. Paolo replied that certain policies in the USA have triggered some questions about IPv6 deployment. He added that his personal view was that the expectations are high and he doesn’t believe that the proposed dates are realistic. Paolo suggested looking at countries like India, China, and Brazil, along with the EU. He expects that 2030 might be the flag year in which we might actually transition networks to IPv6.

Maximilian Emig, aiticon GmbH, mentioned that Paolo’s employer, Huawei, has been pushing the “New IP” proposal, which has received extensive press coverage. He asked Paolo to elaborate on how it fits with IPv6. Paolo mentioned he did not have an official answer. His personal opinion was that it was a mistake and that it is not related to IPv6.

Just Another Measurement of Extension Header Survivability (JAMES)

Justin Iurman, ULiege, and Eric Vyncke, Cisco

This presentation is available at:
https://ripe84.ripe.net/wp-content/uploads/presentations/32-JAMES-RIPE84.pdf

Justin Iurman provided an overview of how IPv6 packets using Extension Headers are processed or dropped on the public Internet.

There were no questions or comments.

IPv6 Addressing Inside a VPN Tunnel Between Endpoints With Rotating Prefixes

Matthias Scheer, AVM

The presentation is available at:
https://ripe84.ripe.net/wp-content/uploads/presentations/59-ripe84_ipv6wg_vpn_rotating_prefixes.pdf

Matthias Scheer presented on the challenges encountered by networks attempting to route IPv6 within VPNs, when the IPv6 prefixes assigned to the endpoints are rotated.

Christian Bretterhofer, Andritz AG, asked if there was any chance to update the Fritz 7582, especially the WireGuard support. Matthias replied that WireGuard support is available. He suggested going to the website and trying out the beta, which is quite safe.

Anže Jenšterle, AS211776, commented that WireGuard prefers IPv6 in DNS resolution only and this depends on how the resolver code is written.

Jen Linkova, Google, mentioned that strictly speaking RFC 4193 does not recommend, it says certain addresses “CAN” be used. The language is not “SHOULD”. Jen added that the default address selection is called “default” for a reason.

Jan Zorz, 6connect, pointed out that Matthias mentioned the problem of rotating prefixes. Jan asked Matthias, if he came across ISPs that do this, to point them to RIPE 690. Jan also mentioned that RFC 9096 talks about ways to improve the reaction of CPEs to IPv6 renumbering events.

Gert Doering congratulated AVM on working on IPv6 by default on their CPEs and on the work with IPv6 and VPNs. He mentioned that he liked the idea of using OSPFv3 to cope with renumbering events. Matthias remarked that he removed some slides that dealt with this topic due to time constraints.

David Lamparter, OpenSourceRouting and NetDEF, replied to Jan Zorz’s comment on RIPE 690 saying that he has customers that request prefix rotations. The RIPE document is not important for him. He applauded AVM’s work on solving the prefix rotation problem. Matthias agreed that it was a good idea to continue the dialogue and find a solution together. 

Round Up and Thanks

Working Group Co-Chairs

The Working Group Co-Chairs thanked the attendees for joining the session.

 
