On 3/24/10 3:36 PM, Mohacsi Janos wrote:
At least according to Google's stats, the majority of users they see are from from Free Telecom, none of which are behind a firewall.On Wed, 24 Mar 2010, Mark Townsley wrote:On 3/23/10 3:02 PM, Lee Howard wrote:The simple-security draft represents the best practice we know of for securing home networks.It's not a best-practice, it's a best-guess.Simple-security is being not being practiced at all on the vast majority of IPv6 residential connections today.I experience is different. The IPv6 capable CPEs mostly supporting some form of firewalling. The dumb one's (only with 6to4) are not.
Firewalls drop packets that legitimate applications would otherwise expect to be sent. They try also to drop packets from hackers. You can't expect them to always get it right.Advanced users know how to manually poke holes in firewalls, run the right version of UPnP or NAT-PMP running, etc. Non-advanced users do not. It's the non-advanced users that need protocols to "just work".Firewalls make networking more frustrating, particularly for the non-advanced users.Non-firewalling might cause even more frustration. You might remember case of pre SP2 Windows XP: you cannot update win XP without firewall since by the time you started to download SP ar patches your operating system was already compromised.... You might expect something similar in the future over IPv6 also.. There is a need for firewalling! The location of the firewall is a different story.
So, by definition there is a tradeoff here. As is the case for pretty much every security measure in the world. Boarding a plane with or without the shoe inspection, etc.
Sure, you could say that not being blown up is a feature in usability so we should thank the TSP for making our traveling in the airport so much easier ;-)
Turn one on for those or don't put them on the global Ipv6 Internet. But, don't turn it on for every device in the world in the process. That's what I have been saying.Yes, I know there are still OSes that will be compromised in a matter of seconds on the open Internet. These, however, do not run IPv6. With IPv6, we are really talking about Vista, Win 7, linux, and macosx. All ship with IPv6 firewalls (except linux I suppose), and far more secure IP stacks vs. that of ten years ago. All have tethers back home for updates, in the event that a new exploit is found. These firewalls are far more adaptive and secure than the "IPv6 simple-security" firewall.I don't want any of these new IPv6-enabled OSes to think for a moment that they can let their guard down just because they are plugged into a firewalled residential gateway "most of the time".I think differently. I wrote one of my previous e-mail. Think about ipv6 capable, but somehow limited or crap devices:- no longer supported but know to be vulnerable devices, servers - devices without access control You need firewalling on these case at the CPE or with dedicated firewall.
Your NAS should run link-local or ULA if you don't want it to reach the outside world. If it needs a UGA for fetching its own updates, it shouldn't allow any incoming connections on it. If you are an expert user and want to setup accessing your NAS from the internet, you had better be sure it can handle being on the Internet because you'll be doing that anyway if you open a pinhole to it from your firewall."simple-security" is "simple-minded". It is based on a security-model that is rapidly becoming obsolete, and comes at the cost of complexity in both the RG, the host, and the applications that have to try and work despite all the various rules for having their packets dropped.As simple minded as the current CPE. The residential gateway users are familiar with the the current IPv4 NAT behaviour. What they usuaally expecting - something similar for IPv6:1. longer IP address? - understandable, but I don't care.2. No NAT? - ok I get reasonable amount of subnet from my provider - If CPE copes with it, I don't mind. 3. No firewall? - what a hell? what will protect my extra-precious-hacked NAS? - They will sell a separate firewall for me? - No thanks!
- Mark
Best Regards,
Janos Mohacsi