On 23 mar 2010, at 19.14, Victor Kuarsingh wrote:

> I think that it's premature to assume the "home" network is ready for
> unrestricted connectivity. The dynamics of the "home" networks are changing
> so fast, that the risks of this environment are not known. Just because we
> have not seen IPv6 based penetration and attacks as we have in the IPv4
> space does not mean it won't happen (just give it time). As an example, it
> took a while from the inception of mass broadband connectivity (90s-2000s)
> to finally see attackers lock on and begin to expose home environments based
> on "always on" connectivity. (In the early days, many did not have home
> firewalls or protective gateways.)

And here I think we have the core of the issue. I think we all agree that the advantages of IPv6 are more address space, and hence that we can again restore end-to-end connectivity. However, at the same time we know that some network services are inherently insecure - IPv4 or IPv6. I would for example not run rsh on IPv6 any more than I would over IPv4.

From what I remember us discussing back in Philadelphia (I think it was), we need to agree on a minimum set of these services that we believe should be filtered out. I'd like us to refocus on that discussion - which services are we convinced we can block, that will provide additional security for the end-user (like rsh6) while at the same time not limiting future services for the end-user.

So, as I see this, the entire discussion seems to have focused on the inbound traffic capability, where three options exist:

1) Leave open and allow any traffic (that is not filtered on port) in
2) Only allow traffic that has been initiated from the inside to be passed through
3) Some hole-punching mechanism + 2)

Now, James said the next draft will make it clear this is not an IETF recommendation, just an outline of what you want to filter when you do advertise simple CPE security.

Best regards,

- kurtis -
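To make the three inbound-policy options concrete, here is an added example (not from this thread, nor from any IETF draft) of how a simple-CPE IPv6 forwarding policy could express option 2 together with a minimal block list of inherently insecure services, with comments marking where options 1 and 3 would differ; the interface names wan0/lan0 and the chosen port set are assumptions.

```nft
#!/usr/sbin/nft -f
# Illustrative simple-CPE IPv6 forwarding policy (added example).
# Assumed interfaces: "wan0" faces the ISP, "lan0" faces the home network.

table ip6 cpe {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Option 2: admit only return traffic for flows the LAN initiated.
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 carries Neighbor Discovery and Path MTU Discovery; IPv6 does
        # not work without it, so it is allowed in both directions.
        meta l4proto icmpv6 accept

        # Minimal "we are convinced we can block" list: the r-services
        # (rexec 512, rlogin 513, rsh 514 over TCP) are the thread's example.
        # Placed before any inbound accept so it applies under every option.
        iifname "wan0" tcp dport { 512, 513, 514 } drop

        # Option 3 would have a hole-punching mechanism insert per-flow
        # inbound accept rules at this point for services the LAN asks for.

        # Option 1 would replace the drop below with:
        #   iifname "wan0" oifname "lan0" accept
        iifname "wan0" oifname "lan0" drop

        # Flows initiated from the home network are allowed out.
        iifname "lan0" oifname "wan0" accept
    }
}
```

Because the chain policy is drop, the explicit port-based drop is redundant under option 2 alone; it is kept so the same service list holds if the policy is later relaxed to option 1 or 3.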