IPv6 content experiment

Brandon Butterworth brandon at bogons.net
Tue Apr 10 13:51:43 CEST 2007

> But you'll find that the majority of firewalls do not
> blanket filter inbound connections by default, and there's no good
> reason for them to either.

That depends, in a corporate environment saying it's OK to
let single packet Windows infection come into all the MSSQL servers
isn't acceptable. It's questionable why end users should accept it too.

One assumed model doesn't fit all.

> Personally I don't think it is the job of protocol designers to tolerate
> firewalls, that just gets us a billion protocols which all tunnel over

Protocol designers not allowing for firewalls also leads to everything
tunneled over HTTP as application designers bodge around the problem.

> In short; end to
> end connectivity (which I don't consider a holy grail btw, just a bare
> minimum for genuine internet participation) encourages greater security
> because it diminishes the prevalence of stupid hacks.

That's not how the Windows ecosystem works, if there's a security
problem a company will try and sell a product to address it, until
the next one is found, the bodges get layered not fundamental problems
fixed, why is there still anti-virus software? Hence firewalls asking
users if it's OK to allow a connection they have no understanding
of. That's not really security, that's Darwinism.

> NAT is not a firewall, and does not meaningfully protect these users.

True, I've never claimed it is, but it has helped save some.

> It's not like we don't already see millions of those boxes participating
> in botnets already. Nor does the removal of NAT leave them open to
> access by all.

I don't think it's reasonable to say that 1 million infected
by one vector should mean it's not worth saving another million
under threat via a different vector.

This is getting off topic but may indicate why v6 isn't going
quickly, it's not solving a problem people have and assumptions
are likely to create additional problems that put people off.

If v6 solved the security model problem so firewalls aren't
hacks it'd have a selling point over v4.

> Why not just have www.ipv6.bbc.co.uk ? Does that really represent much
> risk? Seems like a better idea to iron out those problems before hand.

We could, we may well do, but it's not putting live content on v6
as people want. Who would use a v6 ghetto (besides us), it's not
like we have some porn to put on it.
