I would like to propose some form of "ParanoidOpeness" (Rule #7) from draft-vyncke-advanced-ipv6-security-01 to be brought into the simple-security draft.
The basic idea is that rather than blocking otherwise unauthorized inbound connections outright, the CPE rate-limits them according to a variable setting. When that setting is 0, all incoming packets are dropped. When set to its maximum, all packets are permitted (as if the firewall function is configured off). In-between, the CPE rate-limits incoming packets to reduce probing of the home network, but to allow just enough packets through that, if a host inside responds, a pinhole is opened for the communication to occur. Of course, the hard part is what the default setting should be, but I'd like to get a sense first of whether we can bring this function in.
James, I think I remember you being warm to the idea in some (jabber?) comments during the meeting in Hiroshima when I presented this first.
Thanks,
- Mark

On 3/4/10 12:06 AM, james woodyatt wrote:
> everyone--
>
> Once again, I'd like to ask for some discussion and feedback on this draft. Is there any reason this revision of the draft should not proceed to Working Group Last Call at this time?
>
> --
> james woodyatt <jhw@apple.com>
> member of technical staff, communications engineering
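A small simulation of the "ParanoidOpeness" behaviour proposed above, added here as an illustration and not code from either draft or from anyone in this thread; the class name, the sliding-window rate limiter, the setting range 0..10 and the sample addresses are all assumptions:

```python
# Added example (not from draft-vyncke-advanced-ipv6-security or the simple-security
# draft): a CPE inbound filter whose openness is a single tunable setting.
# Assumed: setting 0 drops every unsolicited inbound packet, MAX_SETTING permits all,
# and anything in between admits at most `setting` unsolicited packets per window.
from collections import deque

MAX_SETTING = 10  # assumed upper bound for the "paranoid openness" knob


class ParanoidOpennessFilter:
    """Rate-limits unsolicited inbound packets; a reply from an inside host opens a pinhole."""

    def __init__(self, setting, window=1.0):
        if not 0 <= setting <= MAX_SETTING:
            raise ValueError("setting must be between 0 and MAX_SETTING")
        self.setting = setting        # 0 = firewall fully closed, MAX_SETTING = firewall off
        self.window = window          # rate-limit window in seconds (assumed value)
        self.recent = deque()         # timestamps of unsolicited packets admitted
        self.pinholes = set()         # (inside_addr, inside_port, outside_addr, outside_port)

    def outbound(self, src, sport, dst, dport):
        """An inside host talking to an outside peer opens a pinhole for that peer's replies."""
        self.pinholes.add((src, sport, dst, dport))

    def inbound(self, now, src, sport, dst, dport):
        """Return True if the inbound packet is forwarded into the home network."""
        if (dst, dport, src, sport) in self.pinholes:
            return True                       # established flow: never rate-limited
        if self.setting == 0:
            return False                      # everything unsolicited is dropped
        if self.setting == MAX_SETTING:
            return True                       # behaves as if the firewall were off
        # In between: admit at most `setting` unsolicited packets per window so that a
        # probe gets through occasionally, but scanning the whole home network is slowed.
        while self.recent and now - self.recent[0] >= self.window:
            self.recent.popleft()
        if len(self.recent) >= self.setting:
            return False
        self.recent.append(now)
        return True
```

Note that an admitted unsolicited packet does not by itself open a pinhole; only the inside host's reply (the `outbound` call) does, so a probe that nobody answers stays subject to the limit.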