[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: simple security
On Wed, 24 Mar 2010, Mark Townsley wrote:
Your NAS should run link-local or ULA if you don't want it to reach the
"simple-security" is "simple-minded". It is based on a security-model that
is rapidly becoming obsolete, and comes at the cost of complexity in both
the RG, the host, and the applications that have to try and work despite
all the various rules for having their packets dropped.
As simple minded as the current CPE. The residential gateway users are
familiar with the the current IPv4 NAT behaviour. What they usually
expecting - something similar for IPv6:
1. longer IP address? - understandable, but I don't care.
2. No NAT? - ok I get reasonable amount of subnet from my provider - If CPE
copes with it, I don't mind.
3. No firewall? - what a hell? what will protect my extra-precious-hacked
NAS? - They will sell a separate firewall for me? - No thanks!
How to configure the NAS for such a setup?
- If I use SLAAC? Do I have to prevent RAs with global prefix to be
arrived to NAS? Do I have to filter on NAS? But what about the ULA? Do I
get ULA via SLAAC? This requires a pretty complex setup.
- If I use DHCPv6? I have to configure DHCPv6 server not to distribute
global address to NAS - only ULA...uh oh. Do we expect residential users
to configure such a things in DHCPv6? in IPv4 they did not configure
anything on DHCP..... Can I use DHCPv6 in every situation (if I use Mac
- Do I have to put a different subnet the NAS than the computers to have
separate address distribution policy? What happens to the discovery
protocols - most of the NAS devices using some form of on-link discovery
for setup applications? Do I have to go thru the CPE in order to transfer
files? The performance will be horrific....CPEs was not designed for such
a task - packet forwarding between LAN and WAN side is done by a few 100
Mhz processor - CPU power was selected by the limitation of broadband
What setup do you think is working?