A challenge (was Re: Default security functions on an IPv6 CPE)

Mark Smith msmith at internode.com.au
Thu May 19 09:40:20 CEST 2011


On 19/05/2011 4:54 PM, Frank Bulk - iName.com wrote:
> And providing CPE that's totally unsecured lessens business risk?
>

I'm pretty sure this is not about whether or not the CPE is protecting 
itself, it is whether or not it passes traffic from the Internet towards 
the end-nodes behind it or not in an unrestricted manner. I'd interpret 
"totally" unsecured to mean that the CPE doesn't protect itself either. 
The CPE should protect itself - the CPE in this sense is a host, and is 
performing host based firewalling.


Regards,
Mark.

> Frank
>
> -----Original Message-----
> From: Mark Smith [mailto:msmith at internode.com.au]
> Sent: Wednesday, May 18, 2011 11:44 PM
> To: ipv6-ops at lists.cluenet.de; cb.list6 at gmail.com; Frank Bulk
> Subject: Re: A challenge (was Re: Default security functions on an IPv6 CPE)
>
> On 19/05/2011 2:03 PM, Cameron Byrne wrote:
>> On Wed, May 18, 2011 at 9:24 PM, Frank Bulk<fbulk at mypremieronline.com>
> wrote:
>>> The typical customer cares only about security when their computer
> becomes unusable because it's so infected with malware.  99.9% of SP
> customers won't care or remember if I tell them that host-based security is
> their responsibility when they use IPv6.  If anything, that's a deterrent to
> consumer adoption of IPv6.  Subscriber talks to friend, "My ISP tells me
> that I have to buy a new router to use this thing they call eye-pea-vee-6,
> but that I will have to take extra steps to secure my PC.  Seems like too
> much cost and work for me."
>>>
>>> As much as IPv6 gives us a less scannable address space and typically
> runs on Microsoft computers with a firewall, I'd rather keep my customers on
> the side of caution.  If they want to turn off their router's IPv6 firewall
> now or in the future, they're free to do so, but it was an active choice on
> their part making it their responsibility.
>>>
>>
>> Slippery slope.  Host security is always the responsibility of the
>> subscriber, no?
>>
>> If you are making security decisions for the subscriber, are you now
>> responsible when things go wrong?  Private data was exposed?
>>
>
> +1
>
> Even if you disclaim that responsibility and state its limits when you
> chose to provide one limited component of the "security solution" , if a
> customer has a perception that you are taking complete responsibility,
> and they get breached, they can waste your time and money by taking you
> to court, encourage a class action against you etc. IOW, doing a small
> amount of limited security on your customers behalf creates an increased
> business risk.
>
>>
>> CB
>>
>>> Frank
>>>
>>> -----Original Message-----
>>> From: ipv6-ops-bounces+frnkblk=iname.com at lists.cluenet.de
> [mailto:ipv6-ops-bounces+frnkblk=iname.com at lists.cluenet.de] On Behalf Of
> Mark Smith
>>> Sent: Wednesday, May 18, 2011 4:50 PM
>>> To: Jon Bane
>>> Cc: ipv6-ops at lists.cluenet.de
>>> Subject: Re: A challenge (was Re: Default security functions on an IPv6
> CPE)
>>>
>>> <snip>
>>>
>>> That's debatable. The lack of recognition of the recognition of IPv6
>>> security can mean that people have been lax about it, making it a more
>>> interesting target.
>>>
>>> Even then, how is a IPv6 CPE firewall going to protect users when it is
>>> at home and they've got their laptop at the local cafe - both now and
>>> in 5 years time? If you tell your SP customers that you've enabled IPv6
>>> firewalling for them, isn't there a risk that they won't exactly
>>> understand what you're saying, and believe that they're protected where
>>> every they access the IPv6 Internet? While typical SP customers won't
>>> understand security measures, what they do, and where they apply, they
>>> are far more likely to understand if you tell them you're not providing
>>> them with any and that it is completely their responsibility.
>>>
>>>
>>> Regards,
>>> Mark.
>>>
>>>> -Jon
>>>
>
>
>




More information about the ipv6-ops mailing list