Re: simple security

[Mohacsi Janos <mohacsi@niif.hu>]

On Wed, 24 Mar 2010, Mark Townsley wrote:

> On 3/23/10 3:02 PM, Lee Howard wrote:
> > The simple-security draft represents the best practice we know of for 
> > securing home networks.
> It's not a best-practice, it's a best-guess.
>
> Simple-security is being not being practiced at all on the vast majority of 
> IPv6 residential connections today.

I experience is different. The IPv6 capable CPEs mostly supporting some 
form of firewalling. The dumb one's (only with 6to4) are not.

> Advanced users know how to manually poke holes in firewalls, run the right 
> version of UPnP or NAT-PMP running, etc. Non-advanced users do not.  It's the 
> non-advanced users that need protocols to "just work".
>
> Firewalls make networking more frustrating, particularly for the non-advanced 
> users.

Non-firewalling might cause even more frustration. You might remember case 
of pre SP2 Windows XP: you cannot update win XP without firewall since by 
the time you started to download SP ar patches your operating system was 
already compromised.... You might expect something similar in the future 
over IPv6 also.. There is a need for firewalling! The location of the 
firewall is a different story.

> Yes, I know there are still OSes that will be compromised in a matter of 
> seconds on the open Internet. These, however, do not run IPv6. With IPv6, we 
> are really talking about Vista, Win 7, linux, and macosx. All ship with IPv6 
> firewalls (except linux I suppose), and far more secure IP stacks vs. that of 
> ten years ago. All have tethers back home for updates, in the event that a 
> new exploit is found. These firewalls are far more adaptive and secure than 
> the "IPv6 simple-security" firewall.
>
> I don't want any of these new IPv6-enabled OSes to think for a moment that 
> they can let their guard down just because they are plugged into a firewalled 
> residential gateway "most of the time".

I think differently. I wrote one of my previous e-mail. Think about ipv6 
capable, but somehow limited or crap devices:

- no longer supported but know to be vulnerable devices, servers
- devices without access control

You need firewalling on these case at the CPE or with dedicated firewall.


> >
> Bad analogy. The O-ring problem wasn't because of a hacker, it was 
> human/engineering error in a complex system. A bug. Rather than protecting 
> against bugs, firewalls increase the possibility of having more bugs.


No. Firewall can give time and possibility to fix some bugs later 
(unfortunately sometimes this time-window is infinite...)

> "simple-security" is "simple-minded". It is based on a security-model that is 
> rapidly becoming obsolete, and comes at the cost of complexity in both the 
> RG, the host, and the applications that have to try and work despite all the 
> various rules for having their packets dropped.


As simple minded as the current CPE. The residential gateway users are 
familiar with the the current IPv4 NAT behaviour. What they usuaally 
expecting - something similar for IPv6:
1. longer IP address? - understandable, but I don't care.
2. No NAT? - ok I get reasonable amount of subnet from my provider - If 
CPE copes with it, I don't mind.
3. No firewall? - what a hell? what will protect my extra-precious-hacked 
NAS? - They will sell a separate firewall for me? - No thanks!


Best Regards,
	Janos Mohacsi