
Re: simple security



On Wednesday 24 March 2010 15:25:12 Philip Homburg, you wrote:
> I think it is ironic that in one thread we are discussing devices that are
> so resource constrained that they can't even afford to implement DHCPv6,
> and have to rely on RFC-5006 to get the locations of DNS servers. And in
> the next thread it is assumed that all devices have stateful firewalls and
> automatically update themselves whenever a new bug is discovered.

Any mobile device today could implement DHCPv6. Those are more powerful than 
the computers upon which IPv6 was trialed in the early days.

But anyway. A host-based firewall is most trivial to implement. Just don't 
send TCP/RST and ICMP port unreachable errors and you're done. In fact, it 
takes less resources to have a firewall than not to have one, in that respect.

Oh yeah, if you have a port open it will let traffic through. But that's why 
the port is open... to let traffic through. My 3G operator provides public IP 
addresses without inbound firewalling. My mobile phone has no open ports (or 
it had none until I explicitly installed SSH on it). From a security point of 
view, the firewall would have no effect.

To be fair, the firewall would have one positive effect: my device would not 
need to wake up its radio interface when receiving bogus packets from the 
Internet. Those packets would be dropped before they get to the air radio 
interface. Personally, I would in fact prefer firewall with hole punching 
either to firewall without hole punching or to no firewall at all.

> Somehow that doesn't seem to add up.

> Is it really that case that all that will be connected to the IPv6 internet
> are Windows, Linux, and MacOS systems? No printers, no multi-media devices,
> no light switches or other home automation systems? Or is every light
> switch expected to come with its own host-based firewall solution?

That goes the other way too: if those devices can be connected to the Internet, 
we cannot assume they are firewalled because:
 - the firewall may be disabled (with your all-or-nothing firewall switch),
 - there may be no firewall (e.g. direct connection).
So those devices will have to protect themselves.

For things like printers and UPnP devices, ignoring connections *not* from 
private address space (e.g. fc00::/8) seems like a reasonable option. It does 
not hamper the connectivity of *OTHER* devices.

Also it won't make the printer suddenly vulnerable because *another* device 
needed the firewall disabled for the entire home network. That's what will 
happen if CPE ship with a "turn off the firewall" button on the HTTP 
interface. From a security perspective, having a firewall with:
 - a hole punching system (à la NAT-PMPv6), and/or
 - a non-routed ULA prefix inside the home,
seems a hell of a lot more secure than just a plain firewall in that respect.

-- 
Rémi Denis-Courmont
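
The source-prefix check suggested in the message above for printers and UPnP devices, sketched as an added example that is not part of the original message. The function names, the `handler` callback and the `RFC4193_ULA` constant are assumptions made for illustration; the default prefix is the one quoted in the message.

```python
import ipaddress
import socket

# Prefix quoted in the message above. RFC 4193 defines unique local
# addresses as fc00::/7; pass RFC4193_ULA to also admit fd00::/8 sources.
MESSAGE_PREFIX = ipaddress.ip_network("fc00::/8")
RFC4193_ULA = ipaddress.ip_network("fc00::/7")


def peer_allowed(peer, allowed=(MESSAGE_PREFIX,)):
    """Return True if a peer address string lies inside an allowed prefix."""
    host = peer.split("%", 1)[0]  # drop a zone id such as fe80::1%eth0
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # unparsable peer address: fail closed
    # Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; judge the
    # embedded IPv4 address against IPv4 prefixes only.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in allowed)


def serve(port, handler, allowed=(MESSAGE_PREFIX,)):
    """Accept loop for a device service; handler(conn) is a hypothetical callback."""
    with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("::", port))
        srv.listen()
        while True:
            conn, peer = srv.accept()
            with conn:
                # The TCP handshake has already completed here, so this
                # protects the service, not the port's visibility.
                if peer_allowed(peer[0], allowed):
                    handler(conn)
```

Because the check runs in the device itself, it keeps working when the CPE firewall is switched off for another host or when there is no firewall at all.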