IPv6 Firewall on CPEs - Default on or off
nick at foobar.org
Tue Nov 27 11:07:33 CET 2012
On 27/11/2012 08:30, Lorenzo Colitti wrote:
> Well, but isn't that a little like saying that the blame for the accident
> will be placed on the faster car the customer has bought instead of the
> carelessness of the driver? I mean, what the question boils down to is:
That doesn't mean that it's bad to have:
- air bags
- seat belts
- abs brakes
- crumple zones
- smart frame design
- extensive crash testing
> - What should we do? Should we allow this new capability, or should we turn
> it off because with great power comes great responsibility and we're afraid
> we might get hurt by it?
It's a default. If the user wants to change it, they can.
> There's also a security advantage, but as others have said, the security
> advantage provided by NATs has eroded over time. Attacks and malware moved
> away from port scans and connection attempts a very long time ago.
they moved away because it became impossible to directly address the end
host. If we create a default which allows attackers/malware to directly
contact the end host again, then they'll move back to that method because
it's easier than the other way around.
More information about the ipv6-ops