Default security functions on an IPv6 CPE
cb.list6 at gmail.com
Wed May 11 23:45:19 CEST 2011
On Wed, May 11, 2011 at 2:29 PM, Jon Bane <jon at nnbfn.net> wrote:
>> - Hosts that have IPv6 enabled having also their internal firewalls enabled, the practical danger of CPE transparency to IPv6 is inexistent in unmanaged residential sites.
> I really do not understand this conclusion. Vista/Win7 do have
> firewalls enabled by default, but the first time the machine detects
> it is connected to a new network it asks what kind of network you are
> on. The options being Public, Home or Work. If the user choses
> "Home" the firewall is effectively disabled as all of the SMB/NBT
> ports are opened up, as well as several ports for media sharing.
> Ubuntu, does not have the firewall turned on by default and OS X
> doesn't either. Arguably, they aren't the concern.
> So, while all of the modern and most prevalent OSes do have firewalls,
> they are either disabled or are likely to be opened up by default.
>> - Now, grandma's CPE should be plug and play, including when some applications start taking advantage of the e2e transparency IPv6 has restored.
> Transparency can be achieved easily with the use of the UPnP IGD v6
> firewall spec. While many on this list probably groan at this idea,
> UPnP is already integrated into just about every home device and is
> the mechanism used to create the little e2e transparency we have
> today. It is already the norm for how the masses get ports opened and
> forwarded in the v4 world.
> e2e is an ideal state. It is also a blue skies kind of desire.
> Exposing your average end user to the internet at large will only
> invite the resurgence of the easy, direct attacks. Phishing is a lot
> more complicated than pointing metasploit at an IP. For those arguing
> that a host will be in a sea of billions of addresses in a /64, it is
> trivial to harvest valid addresses by simply pulling logs from a
> website. If those IPs are unprotected at the gateway, it falls on
> the user to react appropriately and we know that for the most they
> will not.
What problem are you trying to solve by putting a software based home
router (~$50) in front of a PC?
Are home routers inherently more secure than your average current PCs?
If so, why? Please provide specific data.
Regarding the harvesting of specific address from the /64, i suggest
you look into privacy addresses.... i believe Window 7 has them on by
default. Furthermore, this limits the potential number of entities
that can find from a (set of sites i go to) vs the entire internet.
More information about the ipv6-ops