[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: simple security

To: Mark Townsley <townsley@cisco.com>
Subject: Re: simple security
From: Mohacsi Janos <mohacsi@niif.hu>
Date: Wed, 24 Mar 2010 17:32:35 +0100 (CET)
Cc: Lee Howard <lee@asgard.org>, v6ops@ops.ietf.org
In-reply-to: <4BAA2BF5.20400@cisco.com>
References: <001501caca91$769511b0$63bf3510$@org> <4BA9F465.8060608@cisco.com> <alpine.BSF.2.00.1003241512110.74067@mignon.ki.iif.hu> <4BAA2BF5.20400@cisco.com>
User-agent: Alpine 2.00 (BSF 1167 2008-08-23)




On Wed, 24 Mar 2010, Mark Townsley wrote:

"simple-security" is "simple-minded". It is based on a security-model thatis rapidly becoming obsolete, and comes at the cost of complexity in boththe RG, the host, and the applications that have to try and work despiteall the various rules for having their packets dropped.
As simple minded as the current CPE. The residential gateway users arefamiliar with the the current IPv4 NAT behaviour. What they usuallyexpecting - something similar for IPv6:
1. longer IP address? - understandable, but I don't care.
2. No NAT? - ok I get reasonable amount of subnet from my provider - If CPEcopes with it, I don't mind.3. No firewall? - what a hell? what will protect my extra-precious-hackedNAS? - They will sell a separate firewall for me? - No thanks!
Your NAS should run link-local or ULA if you don't want it to reach theoutside world.


How to configure the NAS for such a setup?

- If I use SLAAC? Do I have to prevent RAs with global prefix to bearrived to NAS? Do I have to filter on NAS? But what about the ULA? Do Iget ULA via SLAAC? This requires a pretty complex setup.

- If I use DHCPv6? I have to configure DHCPv6 server not to distributeglobal address to NAS - only ULA...uh oh. Do we expect residential usersto configure such a things in DHCPv6? in IPv4 they did not configureanything on DHCP..... Can I use DHCPv6 in every situation (if I use MacOS X)?

- Do I have to put a different subnet the NAS than the computers to haveseparate address distribution policy? What happens to the discoveryprotocols - most of the NAS devices using some form of on-link discoveryfor setup applications? Do I have to go thru the CPE in order to transferfiles? The performance will be horrific....CPEs was not designed for sucha task - packet forwarding between LAN and WAN side is done by a few 100Mhz processor - CPU power was selected by the limitation of broadbandspeed....


What setup do you think is working?

Best Regards,
		Janos Mohacsi

Follow-Ups:
- Re: simple security
  - From: Konrad Rosenbaum <konrad@silmor.de>

References:
- simple security
  - From: "Lee Howard" <lee@asgard.org>
- Re: simple security
  - From: Mark Townsley <townsley@cisco.com>
- Re: simple security
  - From: Mohacsi Janos <mohacsi@niif.hu>
- Re: simple security
  - From: Mark Townsley <townsley@cisco.com>

Prev by Date: Re: simple security
Next by Date: Re: simple security
Previous by thread: Re: simple security
Next by thread: Re: simple security
Index(es):
- Date
- Thread