Default security functions on an IPv6 CPE

Ted Mittelstaedt tedm at ipinc.net
Thu May 12 12:28:15 CEST 2011


On 5/12/2011 2:49 AM, Mikael Abrahamsson wrote:
> On Thu, 12 May 2011, Ted Mittelstaedt wrote:
>
>> I don't see why it would. Any e2e application written with any modicum
>> of regard for the user is going to be done in such a way that the
>> "receiving" user will be requested whether or not they want to receive
>> incoming traffic from the other end. When they indicate yes then their
>> client can issue a UPNPv6 request to the firewall.
>
> How would the e2e application know if it's being contacted if it can't
> receive traffic from the Internet in the first place? If you say "via
> the server it connected to initially" then you have just defined a
> non-e2e application (it's not standalone).
>

OK so imagine I have my shiny refrigerator with the new IPv6 number
on it.  I want all my grocery stores to snoop my refrigerator.  I
therefore login to my refrigerator interface and tell it to open
up.  It sends the command to the router, the router opens its
hole, then the world's grocery stores are able to enter and have
their way with my refrigerator any time they want.

But, my girlfriend bought the same refrigerator and unlike me
she doesn't want the world coming into her firewall's hole and
have its way with her refrigerator.  She logs into her refrigerator
interface and tells it to be safe and not allow the world in.

That's how.

> So with a FW on, you *need* UPNP, and in a hierarchical network home
> (multiple gateways getting prefixes through PD), these UPNP messages
> need to traverse multiple potential gateways as well.
>

Why use a hierarchical home net?

Ted

> It's complicated, it's going to cause problems, but I don't really see
> how it can be avoided.
>


