
Re: simple security



On 3/24/10 2:25 PM, Philip Homburg wrote:
> Wed, 24 Mar 2010 12:15:49 +0100 Mark Townsley wrote:
>> Yes, I know there are still OSes that will be compromised in a matter of
>> seconds on the open Internet. These, however, do not run IPv6. With
>> IPv6, we are really talking about Vista, Win 7, linux, and macosx. All
>> ship with IPv6 firewalls (except linux I suppose), and far more secure
>> IP stacks vs. that of ten years ago. All have tethers back home for
>> updates, in the event that a new exploit is found. These firewalls are
>> far more adaptive and secure than the "IPv6 simple-security" firewall.
> I think it is ironic that in one thread we are discussing devices that are
> so resource constrained that they can't even afford to implement DHCPv6,
> and have to rely on RFC-5006 to get the locations of DNS servers. And in
> the next thread it is assumed that all devices have stateful firewalls and
> automatically update themselves whenever a new bug is discovered.

Or simple-security for that matter.

I'm actually of the belief that the "dumb" RGs are on their way out anyway (and given the uptick of actively SP-managed RGs in the world, I think there is evidence to support this claim).

For my part, the reason I support RFC 5006 moving to PS is because there is already running code that I see no intent of people turning off, coupled with the fact that architecturally I think DNS should have fallen in the SLAAC bucket of "the bare minimum to get IP off the ground" from the beginning. Nothing to do with CPU or Memory resources.

> Somehow that doesn't seem to add up.
>
> Is it really the case that all that will be connected to the IPv6 internet
> are Windows, Linux, and MacOS systems? No printers, no multi-media devices,
> no light switches or other home automation systems? Or is every light switch
> expected to come with its own host-based firewall solution?

If any of these devices get a global IPv6 address, I think they should be expected to operate on the Global IPv6 Internet in a secure manner. If they want to operate with link-locals or ULAs, they can expect that they are not part of the Global IPv6 Internet and act accordingly.

Otherwise, they are all stuck thinking that they "might or might not" be on the Global IPv6 Internet. No way to know, really.

- Mark
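An added example, not part of this thread and not anything Mark or Philip wrote: a small Python classifier for the address-scope rule argued for above, under which a host with a global unicast address must assume it is reachable from the global IPv6 Internet, while a host holding only link-local or ULA addresses may assume it is not. It uses the standard prefix assignments (link-local fe80::/10 per RFC 4291, unique local fc00::/7 per RFC 4193, and 2000::/3 as the IANA global unicast range); the function names and the sample addresses are constructed for the example.

```python
"""Decide, from a host's own IPv6 addresses, whether it must behave as a
node on the global IPv6 Internet.

Added example for illustration only (not code from the mailing-list thread).
Assumed prefix rules:
  fe80::/10  link-local            (RFC 4291)
  fc00::/7   unique local address  (RFC 4193)
  2000::/3   global unicast        (IANA unicast allocation range)
"""
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ULA = ipaddress.IPv6Network("fc00::/7")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def scope(addr: str) -> str:
    """Return the scope class of one textual IPv6 address.

    A zone index such as "fe80::1%eth0" is stripped before parsing so the
    function works on older Python versions that reject it.
    """
    a = ipaddress.IPv6Address(addr.split("%", 1)[0])
    if a.is_unspecified or a.is_loopback:
        return "host"          # :: and ::1 never leave the node
    if a in LINK_LOCAL:
        return "link-local"    # valid on one link only
    if a in ULA:
        return "ula"           # routable inside a site, not on the Internet
    if a in GLOBAL_UNICAST:
        return "global"        # the address may be reached from anywhere
    return "other"             # multicast, deprecated ranges, etc.


def exposure(addrs) -> str:
    """Apply the rule from the discussion to the full address list of a host.

    "global-internet": at least one global unicast address, so the device
                       must run as if exposed to the global IPv6 Internet.
    "local-only":      only link-local and/or ULA addresses.
    "isolated":        nothing beyond loopback/unspecified.
    """
    scopes = {scope(a) for a in addrs}
    if "global" in scopes:
        return "global-internet"
    if scopes & {"ula", "link-local"}:
        return "local-only"
    return "isolated"


if __name__ == "__main__":
    # Constructed sample address lists for two imaginary home devices.
    light_switch = ["fe80::1%eth0", "fd12:3456:789a::42"]
    printer = ["fe80::2%eth0", "2001:db8:1::beef"]
    print("light switch:", exposure(light_switch))
    print("printer:     ", exposure(printer))
```

The classifier answers only the question the address itself can answer: what scope it has. A "global-internet" result does not check for any upstream stateful firewall or simple-security RG; under the rule above, the device is expected to defend itself regardless of what sits in front of it.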