IPv6 and port blocking

Thread starter: vedantlath
Replies: 9
Hi,

In one thread you suddenly gave the news that the Hayai network will be IPv6 right from the start. I remember asking about IPv6 several months ago and had found out that IPv6 in India is a very far away dream. What has changed regarding IPv6 since then that you're rolling out the network IPv6 only (with some transition mechanisms)? Could you also give some general information about your IPv6 rollout, like the size of the block of addresses that will be given to home customers? Will you be using DHCPv6, PPPoE or some other protocol in the CPE? Today BCP 157 and RFC 6177 came out that obsoleted RFC 3177 which had recommended giving out /48 blocks to everybody.

In the FAQ you have said that port blocking will be implemented. Could you have the list of blocked ports in a page or somewhere that remains current? Can special exceptions be made to have some ports (such as port 25 and 80) opened for specific home customers?
 
IPv6 can't really be that far "anywhere," especially when IPv4 has ended. Microsoft bought some IPv4 addresses from Nortel (now bankrupt) a few days ago, at over $1 million USD; they are not that freely available anymore.
 
Hi,

In one thread you suddenly gave the news that the Hayai network will be IPv6 right from the start. I remember asking about IPv6 several months ago and had found out that IPv6 in India is a very far away dream. What has changed regarding IPv6 since then that you're rolling out the network IPv6 only (with some transition mechanisms)?

It's not that far away, it just takes a few changes, but the thing with most consumer equipment is that it's not compatible... and rolling out IPv6 to a million customers would be a tough job, I suspect. However, since we're building a brand-new network, we don't have the issue of migration to worry about.

Could you also give some general information about your IPv6 rollout, like the size of the block of addresses that will be given to home customers? Will you be using DHCPv6, PPPoE or some other protocol in the CPE? Today BCP 157 and RFC 6177 came out that obsoleted RFC 3177 which had recommended giving out /48 blocks to everybody.

From memory I think /56 has been popular in Asia-Pacific (/48s popular in the US), but I'm expecting we'll just dish out /64s per the new recommendation. We've got a block of /32 IPv6 addresses which should be enough for 4 /64s for every person in India (which in turn equates to 18,446,744,073,709,551,616 IP addresses each).

Authentication is a combination of mechanisms which I think is discussed in the authentication thread or the IPv6 thread with the user known as "Torch".

In the FAQ you have said that port blocking will be implemented.

In order to try and stop having spam relays and proxies and whatnot on our network, yeah.

Could you have the list of blocked ports in a page or somewhere that remains current? Can special exceptions be made to have some ports (such as port 25 and 80) opened for specific home customers?

In most cases, no.

Basically, if you absolutely must use your own mail servers (instead of say, ours or a Google one), you should probably use secure SMTP on port 465 (assuming you're communicating with an IPv4 server).

IPv6 can't really be that far "anywhere," especially when IPv4 has ended. Microsoft bought some IPv4 addresses from Nortel (now bankrupt) a few days ago, at over $1 million USD; they are not that freely available anymore.

You can still get them. We're only buying a few thousand, mostly for 6to4 NAT and such.
 
IPv6 can't really be that far "anywhere," especially when IPv4 has ended. Microsoft bought some IPv4 addresses from Nortel (now bankrupt) a few days ago, at over $1 million USD; they are not that freely available anymore.

Yeah, but Indian ISPs haven't started using IPv6 in a major way yet. I hope they start the migration within a few months.

It's not that far away, it just takes a few changes, but the thing with most consumer equipment is that it's not compatible... and rolling out IPv6 to a million customers would be a tough job, I suspect. However, since we're building a brand-new network, we don't have the issue of migration to worry about.

Hehe, I remember you saying that NIXI and other operators here didn't have IPv6 yet; I somewhat understood that you couldn't get IPv6 routing. Regarding migration, BSNL is already giving out IPv6-compatible CPEs to new customers; I don't know about other providers. I suspect that the major ISPs are not interested in migrating existing IPv4 users yet; they first want a separate IPv6 network for new customers and see how it goes.

From memory I think /56 has been popular in Asia-Pacific (/48s popular in the US), but I'm expecting we'll just dish out /64s per the new recommendation. We've got a block of /32 IPv6 addresses which should be enough for 4 /64s for every person in India (which in turn equates to 18,446,744,073,709,551,616 IP addresses each).

That's great. However, I couldn't find the AS report of your network in cidr-report.org; so it seems a lot of stuff is to be done from the network side too.

In order to try and stop having spam relays and proxies and whatnot on our network, yeah.
Proxies are not bad; they provide a good way of circumventing draconian network policies in corporate networks.

In most cases, no.

Basically, if you absolutely must use your own mail servers (instead of say, ours or a Google one), you should probably use secure SMTP on port 465 (assuming you're communicating with an IPv4 server).

Uh, port 465 is not that widely-used; see, for example, http://serverfault.com/questions/123744/can-i-receive-mail-at-another-port-like-465-instead-of-default-25-on-my-mail-serv
 
Sod it. My previous reply got lost in the ether.

Yeah, but Indian ISPs haven't started using IPv6 in a major way yet. I hope they start the migration within a few months.

Hehe, I remember you saying that NIXI and other operators here didn't have IPv6 yet; I somewhat understood that you couldn't get IPv6 routing. Regarding migration, BSNL is already giving out IPv6-compatible CPEs to new customers; I don't know about other providers. I suspect that the major ISPs are not interested in migrating existing IPv4 users yet; they first want a separate IPv6 network for new customers and see how it goes.

NIXI doesn't, but Bharti, Reliance, Tata, NIB (BSNL), HNS, Dishnet and a few others are all announcing IPv6.

That's great. However, I couldn't find the AS report of your network in cidr-report.org; so it seems a lot of stuff is to be done from the network side too.

You seem surprised - we're not generating any traffic, so I would not have expected us to show up anywhere. As of now, we have "member" status at APNIC - standard policy is that for the first few hundred customers we're supposed to use our upstream's IP addresses, after which we're allowed to apply for our own for the low low price of AUD$3500 + however many IPs we get.

Proxies are not bad; they provide a good way of circumventing draconian network policies in corporate networks.

By proxies I meant zombies.

Uh, port 465 is not that widely-used; see, for example, smtp - Can I receive mail at another port like 465 instead of default 25 on my mail server? - Server Fault

Perhaps it's not widely used, but it should be, and shutting off port 25 for residential customers does more good than harm, as it means we have less to deal with on the our-customers-are-being-used-as-spam-relays-at-up-to-1000mbit/s front.

We just want to protect our network and do what we can to prevent our connections being abused as much as possible.
 
NIXI doesn't, but Bharti, Reliance, Tata, NIB (BSNL), HNS, Dishnet and a few others are all announcing IPv6.

Railtel too? Because if they don't, how will you be covering cities where peering with private companies is too costly?

You seem surprised - we're not generating any traffic, so I would not have expected us to show up anywhere. As of now, we have "member" status at APNIC - standard policy is that for the first few hundred customers we're supposed to use our upstream's IP addresses, after which we're allowed to apply for our own for the low low price of AUD$3500 + however many IPs we get.

Ah, I hadn't considered APNIC policies. So who is your main upstream provider? HNS? Or is it something you're unwilling to make public?

By proxies I meant zombies.

Okay. Will you be blocking IRC servers too?

Perhaps it's not widely used, but it should be, and shutting off port 25 for residential customers does more good than harm, as it means we have less to deal with on the our-customers-are-being-used-as-spam-relays-at-up-to-1000mbit/s front.

We just want to protect our network and do what we can to prevent our connections being abused as much as possible.

I completely support blocking port 25 incoming connections to residential customers but I wish some people could get exceptions for legitimate low-traffic use. I hope to have my own mail server soon.

I hope you won't be blocking port 25 outgoing connections from the customers too.
 
Railtel too? Because if they don't, how will you be covering cities where peering with private companies is too costly?

Yes, Railtel has IPv6 prefixes.

Ah, I hadn't considered APNIC policies. So who is your main upstream provider? HNS? Or is it something you're unwilling to make public?

Yes, HNS.

Okay. Will you be blocking IRC servers too?

We probably should, but it's hard to say whether it would be beneficial to do so or not - I'm aware that zombies that are controlled by botnets are usually controlled via IRC, but on the other hand, what is of equal concern is people's machines being used as proxies for nefarious means.

I completely support blocking port 25 incoming connections to residential customers but I wish some people could get exceptions for legitimate low-traffic use. I hope to have my own mail server soon.

I hope you won't be blocking port 25 outgoing connections from the customers too.

Basically it would be better for you to switch to the secure port (465).
 
OK so does port blocking mean no more Yahoo and Hotmail :huh:

AND PLEASE KEEP IRC PORTS OPEN 🙂 mIRC client is very secure and the files being transferred through 1 person to another can be scanned through antivirus and also mIRC blocks out the channels it finds have violated the user agreement

and also I have more work on IRC than other places 🙂
 
OK so does port blocking mean no more Yahoo and Hotmail :huh:

No. Hotmail and Yahoo don't allow relaying on port 25 anyway, and in Hotmail's case have port 587 as a secure option.

AND PLEASE KEEP IRC PORTS OPEN 🙂 mIRC client is very secure and the files being transferred through 1 person to another can be scanned through antivirus and also mIRC blocks out the channels it finds have violated the user agreement

Except a lot of the time botnet zombies are remote controlled via IRC. There might have to be some compromise here, allowing filtered access to the IRC ports or port forwarding of one or more ports to the standard IRC ports (as in, you use say 65432 and that forwards automatically to port 6667 on your chosen IRC server, but direct connections to 6667 are disabled).

Iiiiiiiiiiiiiif you think I'm being paranoid, you just have to search the web (better if you search in Russian) for a list of open relays/proxies/zombies. Some of the lists are free, others you have to pay for 😉

and also I have more work on IRC than other places 🙂

Yes, "work" 😉
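The residential egress policy sketched across the replies above (port 25 blocked, submission on 465/587 allowed, direct 6667 blocked, a high port such as 65432 forwarded to IRC) can be modelled as a small evaluator over outbound flows. This is an added example, not Hayai's configuration or code from this thread; the ISP /32 is the documentation prefix 2001:db8::/32 used as a placeholder, the customer /64 delegation follows the allocation size discussed, and the sample flows are constructed.

```python
"""Model of the residential port-blocking policy described in the thread.
Constructed example; the prefix, port set and flows are assumptions."""
import ipaddress
from dataclasses import dataclass

# Placeholder for the ISP's /32; each customer gets one /64 out of it.
ISP_PREFIX = ipaddress.ip_network("2001:db8::/32")
CUSTOMER_PREFIX_LEN = 64

SMTP_RELAY = 25           # blocked for residential sources (spam-relay abuse)
SUBMISSION = {465, 587}   # authenticated, TLS-protected submission stays open
IRC = 6667                # direct connections blocked (botnet C2 commonly uses IRC)
IRC_FORWARD = 65432       # constructed high port forwarded to IRC on the chosen server

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def is_residential(addr: str) -> bool:
    """True if the source address falls inside the ISP's customer space."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 6 and ip in ISP_PREFIX

def customer_delegation(addr: str) -> ipaddress.IPv6Network:
    """The customer /64 an address belongs to, for per-customer abuse logging."""
    return ipaddress.ip_network(f"{addr}/{CUSTOMER_PREFIX_LEN}", strict=False)

def evaluate(flow: Flow) -> tuple[str, int]:
    """Return (verdict, effective destination port) for one outbound flow.
    Non-residential sources (e.g. the ISP's own mail servers) are exempt."""
    if not is_residential(flow.src):
        return ("allow", flow.dport)
    if flow.dport in (SMTP_RELAY, IRC):
        return ("block", flow.dport)
    if flow.dport == IRC_FORWARD:
        return ("redirect", IRC)      # transparently forwarded to the real IRC port
    return ("allow", flow.dport)      # 465/587 and everything else pass

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("2001:db8:1:2::10", "2001:db8:ffff::25", 25),      # customer -> remote MX
    Flow("2001:db8:1:2::10", "2001:db8:ffff::25", 465),     # customer -> submission
    Flow("2001:db8:1:2::10", "2001:db8:ffff::6667", 6667),  # direct IRC
    Flow("2001:db8:1:2::10", "2001:db8:ffff::6667", 65432), # forwarded IRC
    Flow("2001:db8:1:2::10", "2001:db8:ffff::80", 80),      # ordinary web traffic
    Flow("2001:db9::1", "2001:db8:ffff::25", 25),           # outside customer space
]

def summarize(flows=SAMPLE_FLOWS) -> dict[str, int]:
    counts = {"allow": 0, "block": 0, "redirect": 0}
    for f in flows:
        counts[evaluate(f)[0]] += 1
    return counts
```

Running `summarize()` over the constructed flows yields three allows, two blocks and one redirect; `customer_delegation()` collapses the source to its /64 so abuse reports are keyed per customer rather than per address.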
 
No. Hotmail and Yahoo don't allow relaying on port 25 anyway, and in Hotmail's case have port 587 as a secure option.

Except a lot of the time botnet zombies are remote controlled via IRC. There might have to be some compromise here, allowing filtered access to the IRC ports or port forwarding of one or more ports to the standard IRC ports (as in, you use say 65432 and that forwards automatically to port 6667 on your chosen IRC server, but direct connections to 6667 are disabled).

Iiiiiiiiiiiiiif you think I'm being paranoid, you just have to search the web (better if you search in Russian) for a list of open relays/proxies/zombies. Some of the lists are free, others you have to pay for 😉

Yes, "work" 😉

lol no really I do have work 🙂 I manage 5 distro bots 🙂 and get slapped around a lot 🙂
 