IPv6 Firewall on CPEs - Default on or off

Fernando Gont fernando at gont.com.ar
Sat Dec 1 05:58:00 CET 2012


On 11/26/2012 03:38 PM, Cameron Byrne wrote:
> 
> But, please don't say turn on a firewall without giving an explicit
> problem the firewall solves for said user. Please cite CVE IDs in
> your threat analysis / risk assessment.

I should comment that requiring CVE IDs is not that sensible these days
(although it should be). There are lots of stories on how painful sometimes
it gets to get them assigned. (I could mention the story of reporting
the same vulnerability to two CVE-assigning-authority vendors, and
having both of them tell me that "the other vendor should do the CVE
assignment".)

As a data-point, me, I don't care about having CVEs assigned anymore.
So, for any stuff I may have already found or may find in the future,
just note that I won't bother to have them assigned a CVE entry.



> I fear that the culture of "IT" is that we needed network firewall to
> protect broken hosts in 2003, and since then we have been carrying
> that lesson with us without revisiting the need.

Many implementations are still broken. When it comes to robustness of
IPv6 implementations, in many cases "it sucks". The hosts that were
broken in 2003 are now running software produced by the same vendor
that, when reported a vulnerability that requires "access to the local
network to exploit", they claim they won't fix it, because that
requirement already sets the bar high enough -- yes, I did explain to
them that their customers might attend 1000+ attendee conferences and
the like.

Cheers,
-- 
Fernando Gont
e-mail: fernando at gont.com.ar || fgont at si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
