[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: simple security
On Tuesday 23 March 2010 16:02:18 Lee Howard, you wrote:
> The simple-security draft represents the best practice we know of for
> securing home networks. It describes the behavior that should be the
> default for all home networking gateways. Advanced users who know what
> they're getting into can change those default rules.
I've kept saying the same thing for three years now. But anyway. This
assertion raises the a much more systematic question:
What's the use of IPv6 (then)? IPv6 with a stateful firewall is essentially
just as bad as IPv4 with a NAT in terms of connectivity. Also IPv6 has
fundamentally higher overhead (both in terms of packet header size and of
So the simple security draft seems highly paradoxical to me. A "solution"
would be to specify a functional hole punching mechanism. But that key part
part is missing. I am not comfortable with having the simple security document
without a hole punching document too.
Some people will doubtless argue that there should not be a hole punching
mechanism. But then, I would like them to answer the question above...
(Standardization engineer job security is not a good reason for IPv6 to me)
> Some people argued that a stateful firewall is no longer needed because
> attackers no longer use vectors that a firewall protects against. This
> sounds like circular reasoning to me, as if you no longer need a roof
> because rain hasn't fallen on your head for years.
Do you take vaccinations for illenesses that don't exist anymore? Most people
don't even take vaccinations for some that do exist but not where they live.
Why would you protect IPv6 systems for old (now fixed) vulnerabilities in IPv4
> It was also argued that attacks of this kind simply don't exist in IPv6.
Which is true.
> That sounds like the argument that faults in the space shuttle o-ring
> haven't caused explosions before, so it's safe.
No. It's just an argument that operating systems have already been fixed
*before* they implemented IPv6. Common attack vectors are in different
(higher) parts of the software stack, against which stateful firewalls are
> I'll also point out that
> OSes with smaller market share have fewer exploits written for them because
> they are a smaller target; as IPv6 exceeds 50%, there will be more attacks.
That is a severe misrepresentation of reality. You will find exploits written
for very obscure vulnerabilities. Of course, they are not commonly (mis)used,
but they are available.
Nokia Corporation / Maemo Devices R&D