On Oct 12, 2011, at 4:58 AM, Russ White wrote:

> No, not really, because it assumes just what I don't want to assume
> --that end-to-end reachability is the default, and I must take specific
> actions in order to block specific pieces of reachability.
Those of us who still bear the scars of the debate over RFC 6092 well remember that the Simple Security document takes great pains to make no such assumption.

>> 1.2. Use of Normative Keywords
>>
>> NOTE WELL: This document is not a standard, and conformance with
>> it is not required in order to claim conformance with IETF
>> standards for IPv6. It uses the normative keywords defined in the
>> previous section only for precision.
>>
>> Particular attention is drawn to recommendation REC-49, which calls
>> for an easy way to set a gateway to a transparent mode of operation.
>>
>> [...]
>> 3.4. Passive Listeners
>>
>> REC-49: Internet gateways with IPv6 simple security capabilities MUST
>> provide an easily selected configuration option that permits a
>> "transparent mode" of operation that forwards all unsolicited flows
>> regardless of forwarding direction, i.e., not to use the IPv6 simple
>> security capabilities of the gateway. The transparent mode of
>> operation MAY be the default configuration.
>>
>> In general, "transparent mode" will enable more flexibility and
>> reliability for applications that require devices to be contacted
>> inside the home directly, particularly in the absence of a protocol
>> as described in REC-48. Operating in transparent mode may come at
>> the expense of security if there are IPv6 nodes in the home that do
>> not have their own host-based firewall capability and require a
>> firewall in the gateway in order not to be compromised.

The "MAY" in that recommendation was the subject of about two years of teeth gnashing and garment rending, which I hope this working group shall not repeat.

--
james woodyatt <[email protected]>
member of technical staff, core os networking
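The behavioural difference REC-49 describes, as an added example that is not part of the thread or of RFC 6092: a toy model of a gateway that by default admits only inbound flows matching state created by an interior host, and a transparent-mode switch that forwards every flow regardless of direction. The `Packet` and `Gateway` names and the 2001:db8:: addresses are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str         # IPv6 source (constructed sample values, documentation prefix)
    dst: str         # IPv6 destination
    sport: int
    dport: int
    direction: str   # "out" = interior -> exterior, "in" = exterior -> interior

@dataclass
class Gateway:
    # REC-49 option: when True, the simple-security filter is bypassed entirely.
    # RFC 6092 says this MAY be the default; the model defaults to filtering.
    transparent: bool = False
    # State for flows an interior host initiated (hypothetical 4-tuple key).
    flows: set = field(default_factory=set)

    def forward(self, pkt: Packet) -> bool:
        """Return True if the gateway forwards pkt, False if it drops it."""
        if self.transparent:
            return True  # transparent mode: forward all flows, solicited or not
        if pkt.direction == "out":
            # Interior host opens a flow: record it so the return traffic is admitted.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: admit only if it is the reverse of a flow the interior side started.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

def run_scenario(transparent: bool) -> list:
    """Feed a constructed packet sequence through the gateway; return forward/drop verdicts."""
    gw = Gateway(transparent=transparent)
    inside, outside = "2001:db8:1::10", "2001:db8:2::20"
    packets = [
        Packet(outside, inside, 40000, 22, "in"),    # unsolicited inbound to an interior service
        Packet(inside, outside, 50000, 443, "out"),  # interior host opens an outbound HTTPS flow
        Packet(outside, inside, 443, 50000, "in"),   # return traffic for that flow
        Packet(outside, inside, 40001, 22, "in"),    # second unsolicited inbound attempt
    ]
    return [gw.forward(p) for p in packets]

if __name__ == "__main__":
    print("simple security :", run_scenario(False))  # [False, True, True, False]
    print("transparent mode:", run_scenario(True))   # [True, True, True, True]
```

Only the unsolicited inbound packets change verdict between the two modes; the interior-initiated flow and its reply are forwarded either way, which is the trade-off the quoted text describes for hosts without their own host-based firewall.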
