
Re: On saving end-to-end transparency



On 23 Mar 2010, at 16:00, Rémi Després wrote:

> For information: the IPv6 we have here is WITHOUT any filter (confirmed by the IETF NOC).
> Does anyone report a security problem ;-) ?


I guess time will tell. After all, in the old days dial-in with built-in modems also worked without NAT and usually without firewalls, and nobody seemed to care. Guess that with NAT acting as a firewall people got lazy and spoiled :(

From an operational perspective there is only so much you can prevent by introducing a default deny policy. From what I see and hear a lot, even most of the problems are caused by trojans downloaded by people. Then again, earlier worm outbreaks do prove it might be handy to have something in place and for us this is the main driver.

We can go all religious about end-to-end connectivity being the one true internet, and trust me, I work for a company that does care and has existed long enough to remember what it was like. Reality with a couple of hundred thousand residentials is that we do want some form of 'NAT-like' behavior by default on IPv6, simply because people expect it to work that way. We keep trying to convince them they should run regular updates for scanners and software, we even offer courses on it, but in practice they don't.

So for now dropping all inbound connections feels good, especially if we want the masses to start using IPv6 fast. And yes, there should be an easy button in that CPE/RG to disable that firewall, and yes, it should come with a BIG warning about the risks they just took.

Regards,

MarcoH
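The "drop all inbound, let outbound flows come back" CPE policy MarcoH describes, written out as an nftables ruleset. This is an added example, not configuration from the thread or from any vendor's CPE; the interface names "wan" and "lan" are assumptions. The practical caveat it carries is that a stateful default deny on IPv6 must still admit the ICMPv6 messages that keep IPv6 working (neighbor discovery, Packet Too Big for path MTU discovery), otherwise the "NAT-like" firewall breaks connectivity in ways NAT never did. The "easy button" from the post is the single commented-out rule in the forward chain.

```nft
# Added example (not from the original thread): default-deny inbound IPv6
# on a residential CPE, with return traffic for LAN-initiated flows allowed.
# Interface names "wan" and "lan" are assumptions.
table ip6 cpe_filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Neighbor discovery is link-local and must arrive with hop limit 255
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } ip6 hoplimit 255 accept
        # Error messages and echo: dropping packet-too-big breaks PMTU discovery
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
        # DHCPv6 replies for the CPE's own WAN client
        iif "wan" udp sport 547 udp dport 546 accept
        # Everything from the home network to the CPE itself is allowed
        iif "lan" accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
        # LAN hosts may initiate any outbound connection
        iif "lan" oif "wan" accept
        # The "easy button": enabling this rule disables inbound filtering
        # for the whole home network, so it belongs behind the big warning
        # iif "wan" oif "lan" accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>`; `ct state invalid drop` sits before the ICMPv6 accepts so that spoofed error messages without a matching flow in the conntrack table are still discarded.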