A challenge (was Re: Default security functions on an IPv6 CPE)

Mark Smith msmith at internode.com.au
Thu May 19 10:12:12 CEST 2011


On 19/05/2011 5:36 PM, Frank Bulk - iName.com wrote:
> If the end-user's IPv6 address is known, a CPE with a firewall is an
> effective means against unsolicited connection attempts.
>

Yet no more effective than the firewall residing on the end-host, and 
potentially less - the end-host knows what applications it is running, 
so it can make more informed decisions about what its firewall will
allow to pass or not.


Regards,
Mark.

> Frank
>
> -----Original Message-----
> From: ipv6-ops-bounces+frnkblk=iname.com at lists.cluenet.de
> [mailto:ipv6-ops-bounces+frnkblk=iname.com at lists.cluenet.de] On Behalf Of
> Mark Smith
> Sent: Thursday, May 19, 2011 2:17 AM
> To: ipv6-ops at lists.cluenet.de
> Subject: Re: A challenge (was Re: Default security functions on an IPv6 CPE)
>
> <snip>
>
> The original question was whether to enable a CPE firewall by default.
> The discussion is therefore constrained to threats for which a CPE
> firewall is a possible mitigation. As a CPE firewall is not an effective
> mitigation against those other threats, those other threats are
> irrelevant to the discussion as to whether to enable a CPE firewall by
> default or not.
>
> If people want to expand the scope of the discussion to other threats,
> then by all means do so. That is the only way to be sure that all
> threats have been considered and mitigated, if necessary, by appropriate
> security measures.
>
>> I do not agree with Ted on just shutting down
>> inbound completely, but -this- is a strawman, and I dislike fud.
>
> So they can correct me on their assumptions if they're different to what
> I stated.
>
> FUD is not realising that the Internet security landscape has changed in the
> last 10 years, and believing that the threats to IPv6 are both exactly
> the same types and likelihoods as those to IPv4.
>
>
> Regards,
> Mark.
>
>


