Re: simple security

[Mark Townsley <townsley@cisco.com>]

On 3/24/10 3:56 PM, Philip Homburg wrote:
> In your letter dated Wed, 24 Mar 2010 15:17:30 +0100 you wrote:
>    
> > If any of these devices get a global IPv6 address, I think they should
> > be expected to operate on the Global IPv6 Internet in a secure manner.
> >      
> I don't think anyone in the security community would find it reasonable
> to expect all devices with global IPv6 address to operate in a secure manner.
>    
"Secure" is a relative term.

Let me rephrase this to be that any device that configures a global IPv6 
address should expect that it may be connected to the global IPv6 
Internet and act accordingly.

> There is more than enough evidence to suggest that in practice it will be
> exactly the opposite.
>    
Perhaps if more devices were exposed to the Internet, they would operate 
in a more secure manner.
> And remember, in the typical SLAAC scenario any device that understands RAs
> will automatically get a global IPv6 address, there is not much you can
> do about it.
>    
But you don't have to open sockets that listen on that global address.

- Mark