IPv6 Firewall on CPEs - Default on or off

Benedikt Stockebrand me at benedikt-stockebrand.de
Tue Dec 4 12:21:28 CET 2012


Hi Lorenzo and list,

Lorenzo Colitti <lorenzo at google.com> writes:

> But the one-way configuration is ham-fisted and stupid and ends up
> being overkill in many cases.

I'd consider it ham-fisted if it were forced onto the users, but if it
is configurable, then I'd consider it quite reasonable.

> [Various considerations on diode configurations snipped]

> If you will, it's a bit like pouring reinforced concrete on the
> floor of your garage just in case someone steals your car by digging
> a tunnel into the garage - sure, it prevents that particular mode of
> theft, but who's going to do that, really?

I like that analogy, but still it doesn't really hold at this point in
time.  Right now, people who don't understand any of the technese
we're writing here do have a certain expectation of how "their
Internet" works.  Give it another two years or so and that expectation
will have changed sufficiently to warrant an "all open" default
setting, but right now I'd consider that a bad move.

> Always remember that if the user is running a binary that listens on
> port udp/48993, then you have already lost - because all that binary
> needs to do is the extra, trivial step of setting up a rendezvous
> point (heck, even a teredo tunnel) to allow unsolicited incoming
> traffic anyway. And what does the firewall buy you? Nothing, really.

The pattern behind your reasoning here is "if you don't fix your
problems, then I don't have to fix mine".  We have problems with
"security" (I'd rather talk about "insecurities" in IT anyway, but
that's another topic), but to solve them everyone has to fix theirs.

And no matter what, with the current state of IT in general, a
multi-layer security approach is the best we have.


Cheers,

    Benedikt

-- 
			 Business Grade IPv6
		    Consulting, Training, Projects

Benedikt Stockebrand, Dipl.-Inform.   http://www.benedikt-stockebrand.de/
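
The "one-way" (diode) CPE configuration the two posters are arguing about, written out as an nftables ruleset so the trade-off is concrete. This is an added example, not code from the thread or from either poster; the interface names "wan0" (upstream) and "lan0" (customer side), the table name "cpe_fw" and the address 2001:db8:1::10 in the commented-out pinhole are assumptions. The behaviour it implements is the "simple security" default described in RFC 6092: connections initiated from the LAN are allowed out and their replies back in, unsolicited inbound traffic is dropped, and the user can open individual pinholes, which is the "configurable" case Benedikt is willing to accept. The one IPv6-specific caveat a practitioner needs is that an IPv4-style "drop everything inbound" also drops the ICMPv6 error messages that Path MTU Discovery and Neighbor Discovery depend on, so those are passed explicitly per RFC 4890.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original mailing-list post): a diode-style
# IPv6 forwarding policy for a CPE. "wan0", "lan0", the table name and the
# pinhole address are assumptions for illustration.

table ip6 cpe_fw {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Outbound: anything a LAN host initiates is allowed and creates a
        # conntrack entry; the replies come back in as ESTABLISHED/RELATED.
        iifname "lan0" oifname "wan0" accept
        ct state established,related accept

        # IPv6 is not IPv4: blanket-dropping ICMPv6 breaks Path MTU Discovery
        # (packet-too-big) and error signalling. RFC 4890 says these error
        # types must not be dropped in transit.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Opt-in pinhole: the "configurable" part of the argument. Uncomment
        # and set the address to expose exactly one host and port.
        # oifname "lan0" ip6 daddr 2001:db8:1::10 tcp dport 22 accept

        # Everything else arriving unsolicited from the WAN is logged and
        # dropped (the chain policy would drop it anyway; the log is for the
        # operator's benefit).
        iifname "wan0" log prefix "cpe-fw-drop " counter drop
    }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        iifname "lo" accept

        # Neighbor Discovery, Router Advertisements and MLD addressed to the
        # CPE itself; without these the box cannot even find its upstream
        # router or its LAN hosts.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert,
                      mld-listener-query, mld-listener-report } accept
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem, echo-request } accept

        # Services the CPE offers to the LAN side only (assumed ports):
        iifname "lan0" udp dport 547 accept    # DHCPv6 server
        iifname "lan0" tcp dport 443 accept    # management UI
    }
}
```

Load it with `nft -f` (as root); `nft -f` adds to the running ruleset rather than replacing it, so on a reload delete the old table first (`nft delete table ip6 cpe_fw`) or the rules will be duplicated. Note what this ruleset does and does not do with respect to Lorenzo's udp/48993 point: a LAN host that actively sets up an outbound rendezvous or tunnel does create a conntrack entry and will receive the peer's traffic through it, so the diode does not stop a cooperating binary; what it does stop is the unsolicited scan or connection attempt that reaches a listening socket the user never asked for, which is the layer Benedikt is arguing should stay on by default until expectations change.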


