I've had some of these arguments before, but I'll write them down now so there's a record. Maybe we should document the debated points in a discussion draft, so we could invite further comment.
> And, most (cite?) actual attacks are not preventable with a $30 home
> router. Most (cite?) homenet security issues are related to phishing
> and users downloading and installing malware with admin privilege,
> which PCP and stateful firewalls cannot solve.

Port scanning is largely blocked by stateful firewalls. Thus it's not the prevention of actual attacks, but the fact that attacks don't exist because they're useless given the existence of firewalls.

> > So service providers are compelled to put firewalls in front of
> > consumer customers (and even most small business) and have them
> > enabled by default.

btw, I realize we operated from different assumptions. My default view is that the customer manages the gateway/firewall, not the ISP (or maybe in addition to the ISP). So in my world view, it's clear that the user (or host, or application) sets the security policy, which is enforced by the firewall. So if one OS believes it is invulnerable, it can signal the firewall to allow all traffic to it. If another OS wants defense in depth, it can signal the firewall to allow only wanted traffic. You may s/OS/app.

> Is there proof that $30 home routers protect computers and "move the
> needle" on malware? Or is this left over mindset from the 1990s?

I argue they hold the needle on malware, and there's no reason to make it easier to attack ignorant users.

Somebody else once said:

> There are no attacks in IPv6, what are we protecting against?

We should design security in before there are attacks, not wait and see what gets attacked.

To be constructive, I would like home routers (or at least home border gateways) to have a "default deny" security policy, which can be overridden by user configuration or signaling from internal hosts that traffic is wanted. "Signaling" could be PCP, UPnP, SYN, etc.
Lee

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
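The policy Lee is asking for (default deny inbound, with exceptions coming only from stateful tracking, explicit user configuration, or a pinhole signalled by an internal host) is easy to state but the interaction of the three exception sources is where real gateways get it wrong. The following is an added illustration, not code from the post, from any router vendor, or from the PCP/UPnP specifications: a toy model of a home border gateway that evaluates packets against exactly those three exception sources and drops everything else. All addresses, ports and host names are constructed sample values; the Gateway, Packet, signal_pinhole and forward names are this example's own.

```python
"""Toy model of a home border gateway with a "default deny" inbound policy.

Added illustration (not from the mailing-list post or any real product).
Inbound traffic from the WAN is dropped unless:
  (a) it is a reply to a flow an internal host initiated (stateful tracking),
  (b) the user configured a static allow rule for that port and host, or
  (c) an internal host signalled a pinhole for itself (as a PCP MAP or
      UPnP request would).
Addresses and ports below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Gateway:
    lan_prefix: str = "192.168.1."
    # user-configured static allow rules: (proto, dport) -> internal host
    static_allow: dict = field(default_factory=dict)
    # host-signalled pinholes: (proto, dport) -> internal host that asked
    pinholes: dict = field(default_factory=dict)
    # connection-tracking table of flows an internal host initiated
    conntrack: set = field(default_factory=set)

    def is_internal(self, addr):
        return addr.startswith(self.lan_prefix)

    def signal_pinhole(self, host, proto, port):
        """An internal host asks the gateway to accept unsolicited traffic.
        Only internal hosts may open pinholes, and only for themselves."""
        if not self.is_internal(host):
            return False
        self.pinholes[(proto, port)] = host
        return True

    def forward(self, pkt, ingress):
        """Return 'allow' or 'drop' for one packet arriving on 'lan' or 'wan'."""
        if ingress == "lan" and self.is_internal(pkt.src):
            # Outbound: allow and remember the flow so its replies get back in.
            self.conntrack.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "allow"
        if ingress == "wan":
            if self.is_internal(pkt.src):
                return "drop"  # anti-spoofing: LAN source seen on the WAN side
            # (a) reply to a flow an internal host opened
            if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.conntrack:
                return "allow"
            # (b) user rule or (c) host-signalled pinhole, each bound to one host
            key = (pkt.proto, pkt.dport)
            if self.static_allow.get(key) == pkt.dst or self.pinholes.get(key) == pkt.dst:
                return "allow"
        # default deny: everything else, including scan probes, is dropped
        return "drop"


def demo():
    """Walk the policy through the cases the post discusses; returns a dict."""
    gw = Gateway()
    gw.static_allow[("tcp", 22)] = "192.168.1.10"  # user chose to expose SSH on one host
    results = {}
    # Scan probe from the Internet at a host with no rule: dropped.
    results["scan"] = gw.forward(Packet("203.0.113.5", 40000, "192.168.1.20", 445), "wan")
    # Internal host browses out; the reply is allowed back by conntrack.
    gw.forward(Packet("192.168.1.20", 51000, "198.51.100.7", 443), "lan")
    results["reply"] = gw.forward(Packet("198.51.100.7", 443, "192.168.1.20", 51000), "wan")
    # Same external host aiming at a different local port: still dropped.
    results["other_port"] = gw.forward(Packet("198.51.100.7", 443, "192.168.1.20", 51001), "wan")
    # User rule admits SSH to .10 only; .20 stays closed on the same port.
    results["ssh_10"] = gw.forward(Packet("203.0.113.5", 40001, "192.168.1.10", 22), "wan")
    results["ssh_20"] = gw.forward(Packet("203.0.113.5", 40001, "192.168.1.20", 22), "wan")
    # A console on the LAN signals it wants unsolicited UDP 3074 (PCP/UPnP style).
    gw.signal_pinhole("192.168.1.30", "udp", 3074)
    results["pinhole"] = gw.forward(Packet("203.0.113.9", 3074, "192.168.1.30", 3074, proto="udp"), "wan")
    # A WAN host cannot open a pinhole for itself.
    results["wan_signal"] = gw.signal_pinhole("203.0.113.9", "tcp", 80)
    # A WAN packet forging a LAN source address is dropped before any rule applies.
    results["spoof"] = gw.forward(Packet("192.168.1.20", 1, "192.168.1.10", 22), "wan")
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>10}: {verdict}")
```

Two design points carry over to real gateways: each exception is bound to a specific internal host, so a pinhole or user rule for one machine never widens exposure for its neighbours, and pinhole requests are only honoured from the LAN side, so nothing on the Internet can talk the gateway into opening itself.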
