[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: simple security
- To: Rémi Denis-Courmont <remi@remlab.net>, <v6ops@ops.ietf.org>
- Subject: Re: simple security
- From: Victor Kuarsingh <victor.kuarsingh@gmail.com>
- Date: Tue, 23 Mar 2010 11:14:00 -0700
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=user-agent:date:subject:from:to:message-id:thread-topic :thread-index:in-reply-to:mime-version:content-type :content-transfer-encoding; b=Bfle98VHhmBgb7vqlOBBDlC6xuVTMnnFjIKKAcSPXpCQp4RhGIRkRMRpA7M6fwFfXC pW+AO7yT9FEb4bZlourGADUvEOsWmGnTFMLEbHx3rU/ysetXveP4SkjyTLv8z/xzK8SH Tx+I/QNsb1h5zBtkJUNkQjAYLCp56L0ZrOlW8=
- In-reply-to: <201003231748.22841.remi@remlab.net>
- User-agent: Microsoft-Entourage/12.20.0.090605
I would tend to agree with Jeffery and Lee
Putting in baseline security from the outset would help protect the general
user base as they move to IPv6. From an operators perspective, the average
person has no idea how networks operate, how to secure them, and frankly
don't care. They expect things to work - i.e. Buy a PC, buy a home gateway,
pug it in and go. I wish this was not the case, but wishful thinking gets
me nowhere.
I think that it's premature to assume the "home" network is ready for
unrestricted connectivity. The dynamics of the "home" networks are changing
so fast, that the risks of this environment are not known. Just because we
have not seen IPv6 based penetration and attacks as we have in the IPv4
space does not mean it won't happen (just give is time). As an example, it
took a while from the inception of mass broadband connectivity (90s-2000s)
to finally see attackers lock on and begin to expose home environments based
on "always" on connectivity. (in the early days, many did not have home
firewalls or protective gateways)
Protecting the average person, with an option to "open" the cpe/gateway up
after provides a much safer framework. Someone who decides to "open" up the
gateway after the fact would do so knowingly and be prepared (in theory) to
protect their network (OS patching etc).
No one has robbed me in my current house, but that does not mean I will stop
locking my door. Sure they can come in through the window (which the few
robberies in my area have been though) - but if I stop locking my door, they
they will come in that way (much easier).
Victor K
On 23/03/10 8:48 AM, "Rémi Denis-Courmont" <remi@remlab.net> wrote:
> On Tuesday 23 March 2010 16:02:18 Lee Howard, you wrote:
>> The simple-security draft represents the best practice we know of for
>> securing home networks. It describes the behavior that should be the
>> default for all home networking gateways. Advanced users who know what
>> they're getting into can change those default rules.
>
> I've kept saying the same thing for three years now. But anyway. This
> assertion raises the a much more systematic question:
>
> What's the use of IPv6 (then)? IPv6 with a stateful firewall is essentially
> just as bad as IPv4 with a NAT in terms of connectivity. Also IPv6 has
> fundamentally higher overhead (both in terms of packet header size and of
> router processing).
>
> So the simple security draft seems highly paradoxical to me. A "solution"
> would be to specify a functional hole punching mechanism. But that key part
> part is missing. I am not comfortable with having the simple security document
> without a hole punching document too.
>
> Some people will doubtless argue that there should not be a hole punching
> mechanism. But then, I would like them to answer the question above...
> (Standardization engineer job security is not a good reason for IPv6 to me)
>
>> Some people argued that a stateful firewall is no longer needed because
>> attackers no longer use vectors that a firewall protects against. This
>> sounds like circular reasoning to me, as if you no longer need a roof
>> because rain hasn't fallen on your head for years.
>
> Do you take vaccinations for illenesses that don't exist anymore? Most people
> don't even take vaccinations for some that do exist but not where they live.
>
> Why would you protect IPv6 systems for old (now fixed) vulnerabilities in IPv4
> systems?
>
>> It was also argued that attacks of this kind simply don't exist in IPv6.
>
> Which is true.
>
>> That sounds like the argument that faults in the space shuttle o-ring
>> haven't caused explosions before, so it's safe.
>
> No. It's just an argument that operating systems have already been fixed
> *before* they implemented IPv6. Common attack vectors are in different
> (higher) parts of the software stack, against which stateful firewalls are
> totally helpless.
>
>> I'll also point out that
>> OSes with smaller market share have fewer exploits written for them because
>> they are a smaller target; as IPv6 exceeds 50%, there will be more attacks.
>
> That is a severe misrepresentation of reality. You will find exploits written
> for very obscure vulnerabilities. Of course, they are not commonly (mis)used,
> but they are available.