In message <[email protected]>, Ashok Narayanan writes:
> On Mar 13, 2012, at 3/13 9:16 PM, Cameron Byrne wrote:
> 
> >
> > > That's reality, and much as I love the e2e principle I think the ordinary
> > > citizen is better off behind default-deny.
> > >
> >
> > I am not trying to be dense, but why?
> >
> > What is the negative scenario of not having a homenet firewall on?
> > Using real examples from the last 5 years .... I would like to know how
> > a cpe firewall protects against real threats to modern software.
> >
> It seems hard to predict a priori what a "real threat" is going to be.
> And it seems unlikely that "modern software" is all that will be found
> in average homes. For example, will the Android version on the
> refrigerator display be updated?
> 
> 
> > > Personally I haven't run without an on-board firewall since I got my
> > > first wireless card (late 1999?). But we can't assume that applies to
> > > every home device.
> > >
> >
> > Most PC software has shipped with a firewall on for the last ~10 years
> >
> And these have to be then managed, and the triggers for "should this
> flow be allowed" will then transition to the PC as opposed to the CPE.
> Did the system become any simpler, really?
> 
> But the real issue to my mind is _non-PC_ software; the firmware on some
> power-line bridge written for the cheapest dollar by pulling together
> some version of Linux because the device had to sell for $25. Not only
> do all these devices now need firewalls (unlikely), they now need an
> easy way to manage these firewalls (next to impossible).

And for most of them "drop !RA-ANNOUNCED(source)" would be sufficient
and achieves what a default drop at the CPE does.  What would be
really good would be to add a site prefix length to the RA prefix
option.  There is room in the option to do this.  Knowing this would
be useful for source/destination address selection.

> -Ashok
> 
> > Cb
> > >   Brian
> > > _______________________________________________
> > > homenet mailing list
> > > [email protected]
> > > https://www.ietf.org/mailman/listinfo/homenet
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
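
The "drop !RA-ANNOUNCED(source)" rule and the site-prefix-length suggestion from the message above, sketched as an added example (not code from the thread or from any RA implementation). The site prefix length is the proposal in the message, not an existing RA field; the link-local exception, the function names and the 2001:db8:: addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: link-local sources stay allowed so neighbor discovery and RAs keep working.
LINK_LOCAL = ipaddress.ip_network("fe80::/10")

def allowed_sources(ra_prefixes, site_prefix_len=None):
    """Networks a host accepts inbound traffic from under 'drop !RA-ANNOUNCED(source)'.

    ra_prefixes: prefixes learned from RA prefix options (typically /64s).
    site_prefix_len: hypothetical extra field from the proposal; when present,
    each announced prefix is widened to cover the whole site.
    """
    nets = [LINK_LOCAL]
    for prefix in ra_prefixes:
        net = ipaddress.ip_network(prefix, strict=False)
        if site_prefix_len is not None and site_prefix_len < net.prefixlen:
            net = net.supernet(new_prefix=site_prefix_len)
        nets.append(net)
    return nets

def verdict(src, nets):
    """Return 'accept' if the source address falls in an allowed network, else 'drop'."""
    addr = ipaddress.ip_address(src)
    return "accept" if any(addr in n for n in nets) else "drop"

def evaluate(sources, ra_prefixes, site_prefix_len=None):
    """Map each source address to its verdict for the given RA state."""
    nets = allowed_sources(ra_prefixes, site_prefix_len)
    return {src: verdict(src, nets) for src in sources}

# Constructed sample data (documentation prefix 2001:db8::/32).
RA_PREFIXES = ["2001:db8:1:10::/64"]      # the only prefix announced on this link
SOURCES = [
    "fe80::1",               # router, link-local
    "2001:db8:1:10::25",     # host on the same link
    "2001:db8:1:20::7",      # host on another subnet of the same home site
    "2001:db8:beef::99",     # unrelated address outside the site
]

if __name__ == "__main__":
    for label, site_len in (("on-link prefix only", None), ("site prefix /48", 48)):
        print(label)
        for src, result in evaluate(SOURCES, RA_PREFIXES, site_len).items():
            print(f"  {src:22} {result}")
```

With only the on-link /64 known, the host on the neighbouring home subnet is dropped along with the outside address; knowing the site is a /48 lets the filter accept the former while still dropping the latter.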