Security of devices other than the Gateway (was Re: simple security)

[Mark Townsley <townsley@cisco.com>]

On 3/28/10 6:41 PM, Konrad Rosenbaum wrote:
> On Wednesday 24 March 2010, Mohacsi Janos wrote:
>    
> > > Your NAS should run link-local or ULA if you don't want it to reach the
> > > outside world.
> > >        
> > How to configure the NAS for such a setup?
> > - If I use SLAAC? Do I have to prevent RAs with global prefix to be
> > arrived to NAS? Do I have to filter on NAS? But what about the ULA? Do I
> > get ULA via SLAAC? This requires a pretty complex setup.
> >      
> If I would build the NAS I would let it operate as usual, but add a few
> simple packet filter rules to the rudimentary firewall inside the device:
> allow absolutely everything out; allow everything in that targets me at
> fe80::/10; allow everything in that targets me at fc00::/7 if it comes from
> a locally advertise network, do not allow anything else in. I would also
> give the user an option to disable the packet dropping code (if I felt too
> lazy to implement a proper configuration). I wouldn't expect the router or
> any other device to protect or fool my NAS device.
>
> Maybe someone needs to define a few more simple-security rules for devices
> other than CPE gateways?
>    
Not a bad idea at all. Security certainly doesn't start or stop at the 
gateway.

> I don't really see an incentive for device engineers to put proper security
> into "dumb" devices if there is no spec - they are used to letting
> the "magic of NAT" take care of this.
>    
Agreed. If the applications (or devices built for a specific 
application) were a bit more aware of the scoping of an IPv6 address, 
perhaps they could use this for better security, not to mention ease of 
use.

These problems aren't easy, and probably require peeking into APIs and 
such to be done properly, but perhaps this is where our efforts should 
be directed.

- Mark

> 	Konrad
>