A challenge (was Re: Default security functions on an IPv6 CPE)

Mark Smith msmith at internode.com.au
Thu May 19 09:16:57 CEST 2011


On 19/05/2011 3:54 PM, S.P.Zeidler wrote:
> Thus wrote Mark Smith (nanog at 85d5b20a518b8f6864949bd940457dc124746ddc.nosense.org):
>
>> The part of the threat model that people are using to justify IPv6 CPE
>> firewalling is invalid, because it is based on the invalid assumptions
>> that:
>>
>> o  IPv6's address space is the same size as IPv4's
> [...]
>> o  that inbound unsolicited address scanning is the most likely attack
>> vector.
>
> No. There are other ways to get at addresses but scanning, as has been
> mentioned several times.

The original question was whether to enable a CPE firewall by default. 
The discussion is therefore constrained to threats for which a CPE 
firewall is a possible mitigation. As a CPE firewall is not an effective 
mitigation against those other threats, those other threats are 
irrelevant to the discussion as to whether to enable a CPE firewall by 
default or not.

If people want to expand the scope of the discussion to other threats, 
then by all means do so. That is the only way to be sure that all 
threats have been considered and mitigated, if necessary, by appropriate 
security measures.

> I do not agree with Ted on just shutting down
> inbound completely, but -this- is a strawman, and I dislike fud.
>

So they can correct me on their assumptions if they're different to what 
I stated.

FUD is not realising that the Internet security landscape has changed in the 
last 10 years, and believing that the threats to IPv6 are both exactly 
the same types and likelihoods as those to IPv4.


Regards,
Mark.