Default security functions on an IPv6 CPE
Marshall Eubanks
tme at americafree.tv
Thu May 12 13:52:54 CEST 2011
On May 12, 2011, at 6:28 AM, Ted Mittelstaedt wrote:
> On 5/12/2011 2:49 AM, Mikael Abrahamsson wrote:
>> On Thu, 12 May 2011, Ted Mittelstaedt wrote:
>>
>>> I don't see why it would. Any e2e application written with any modicum
>>> of regard for the user is going to be done in such a way that the
>>> "receiving" user will be requested whether or not they want to receive
>>> incoming traffic from the other end. When they indicate yes then their
>>> client can issue a UPNPv6 request to the firewall.
>>
>> How would the e2e application know if it's being contacted if it can't
>> receive traffic from the Internet in the first place? If you say "via
>> the server it connected to initially" then you have just defined a
>> non-e2e application (it's not standalone).
>>
>
> OK so imagine I have my shiny refrigerator with the new IPv6 number
> on it. I want all my grocery stores to snoop my refrigerator. I
> therefore log in to my refrigerator interface and tell it to open
> up. It sends the command to the router, the router opens its
> hole, then the world's grocery stores are able to enter and have
> their way with my refrigerator any time they want.
>
I think that you have just revealed yourself to be in a very small minority of potential
refrigerator purchasers. If they don't set the clocks on their DVRs or microwaves, they are
highly unlikely to log into a fridge and tell it to do or not do anything Internet related.
Regards
Marshall
> But, my girlfriend bought the same refrigerator and unlike me
> she doesn't want the world coming into her firewall's hole and
> have its way with her refrigerator. She logs into her refrigerator
> interface and tells it to be safe and not allow the world in.
>
> that's how.
>
>> So with a FW on, you *need* UPNP, and in a hierarchical network home
>> (multiple gateways getting prefixes through PD), these UPNP messages
>> need to traverse multiple potential gateways as well.
>>
>
> why use a hierarchical home net?
>
> Ted
>
>> It's complicated, it's going to cause problems, but I don't really see
>> how it can be avoided.
>>
>
>