In message <dcc302faa9fe5f4bba4dcad4656937791451334...@prvpexvs03.corp.twcable.com>
"Howard, Lee" writes:
>
> > -----Original Message-----
> > From: Curtis Villamizar [mailto:[email protected]]
> > Sent: Friday, October 21, 2011 12:20 PM
> > To: Howard, Lee
> > Cc: james woodyatt; [email protected]; [email protected]
> > Subject: Re: [homenet] Homenet Architecture & Interim Meeting
> >
> >
> > In message <dcc302faa9fe5f4bba4dcad4656937791451334...@prvpexvs03.corp.twcable.com>
> > "Howard, Lee" writes:
> > >
> > >
> > > > -----Original Message-----
> > > > From: [email protected] [mailto:[email protected]] On Behalf Of james woodyatt
> > > > Sent: Monday, October 10, 2011 11:07 PM
> > > > To: [email protected]
> > > > Cc: [email protected]
> > > > Subject: Re: [homenet] Homenet Architecture & Interim Meeting
> > > >
> > > > On Oct 10, 2011, at 19:45 , Curtis Villamizar wrote:
> > > > >
> > > > > All of this is only true for IPv4 but not for IPv6.
> > > >
> > > > I wasn't talking about IPv4 at all. My comments are relevant in a
> > > > world entirely comprising IPv6-only service providers. The IPv6
> > > > Internet will be saddled with all of the problems of the IPv4
> > > > Internet with respect to devices on homenets having to beg the
> > > > gateways to allow inbound packets from arbitrary remote
> > > > destinations. It has nothing to do with NAT, and everything to do
> > > > with firewalls and stateful filters.
> > >
> > > s/beg/authorize
> > >
> >
> > That response seems to be confirming the problem.
> >
> > The customer should not need the ISP to authorize inbound traffic.
> > Otherwise the service should not be called an "Internet" service. It
> > is a service providing only limited Internet connectivity.
>
> Perhaps I misunderstood the scenario. I would have the sentence read:
> "Devices on homenets have to authorize gateways to allow inbound
> packets from arbitrary remote destinations."
>
> Hosts can set their own security policy. If it's "send me
> everything," it can signal a firewall (using e.g. PCP) to allow
> everything. If it's "do not call," it can signal a firewall (using
> e.g. PCP) to deny anything not explicitly allowed.
>
> I do not adhere to "default permit" as a security principle.
>
> Lee
>
> > Curtis

Lee,

Thanks for the prompt response. Seems it was a misunderstanding and
we are in agreement.

I'm not fond of PCP so if it were my home router, I'd configure the
exceptions on the router. That should always be an option.

Curtis
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
