In message <[email protected]>, Ashok Narayanan writes:
> On Mar 13, 2012, at 3/13 9:16 PM, Cameron Byrne wrote:
>
> > > That's reality, and much as I love the e2e principle I think the ordinary
> > > citizen is better off behind default-deny.
> >
> > I am not trying to be dense, but why?
> >
> > What is the negative scenario of not having a homenet firewall on?
> > Using real examples from the last 5 years .... I would like to know how
> > a cpe firewall protects against real threats to modern software.
>
> It seems hard to predict a priori what a "real threat" is going to be.
> And it seems unlikely that "modern software" is all that will be found
> in average homes. For example, will the Android version on the
> refrigerator display be updated?
>
> > > Personally I haven't run without an on-board firewall since I got my
> > > first wireless card (late 1999?). But we can't assume that applies to
> > > every home device.
> >
> > Most PC software has shipped with a firewall on for the last ~10 years
>
> And these have to be then managed, and the triggers for "should this
> flow be allowed" will then transition to the PC as opposed to the CPE.
> Did the system become any simpler, really?
>
> But the real issue to my mind is _non-PC_ software; the firmware on some
> power-line bridge written for the cheapest dollar by pulling together
> some version of Linux because the device had to sell for $25. Not only
> do all these devices now need firewalls (unlikely), they now need an
> easy way to manage these firewalls (next to impossible).

And for most of them "drop !RA-ANNOUNCED(source)" would be sufficient
and achieves what a default drop at the CPE does.

What would be really good would be to add a site prefix length to
the RA prefix option. There is room in the option to do this. Knowing
this would be useful for source/destination address selection.

> -Ashok
>
> > Cb
> > > Brian

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
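
The rule quoted in the reply above, worked through as an added example (not code from the thread or from any participant). It reads "drop !RA-ANNOUNCED(source)" as "drop packets whose source address is outside every prefix learned from a Router Advertisement", and shows why the proposed site prefix length matters. The `site_len` parameter is hypothetical (it models the proposal, not an existing RA field), the link-local exception is an assumption, and all addresses are constructed from the 2001:db8::/32 documentation range.

```python
import ipaddress

# Assumption: link-local sources stay allowed so Neighbor Discovery and the
# RAs themselves keep working. The thread does not spell this out.
LINK_LOCAL = ipaddress.ip_network("fe80::/10")


def announced_network(ra_prefix, site_len=None):
    """Network a host treats as RA-announced.

    ra_prefix: prefix carried in the RA prefix option (normally a /64).
    site_len:  hypothetical site prefix length, as proposed in the message;
               None models a router that announces only the on-link prefix.
    """
    net = ipaddress.ip_network(ra_prefix)
    if site_len is None:
        return net
    if not 0 <= site_len <= net.prefixlen:
        raise ValueError("site prefix must be no longer than the RA prefix")
    return net.supernet(new_prefix=site_len)


def verdict(src, announced):
    """Return 'accept' or 'drop' for an inbound packet's source address."""
    addr = ipaddress.ip_address(src)
    if addr in LINK_LOCAL:
        return "accept"
    return "accept" if any(addr in net for net in announced) else "drop"


# Constructed sample: one RA prefix, with and without a /56 site length.
RA_PREFIX = "2001:db8:aa00:1::/64"
LINK_ONLY = [announced_network(RA_PREFIX)]
WITH_SITE = [announced_network(RA_PREFIX, site_len=56)]

SAMPLES = {
    "same link": "2001:db8:aa00:1::10",
    "other home subnet": "2001:db8:aa00:2::20",
    "internet host": "2001:db8:ffff::1",
    "router link-local": "fe80::1",
}

if __name__ == "__main__":
    for label, src in SAMPLES.items():
        print(f"{label:18} link-only={verdict(src, LINK_ONLY):6} "
              f"with-site={verdict(src, WITH_SITE)}")
```

With only the on-link /64, a device on another subnet of the same home is dropped along with Internet hosts; knowing the site prefix length lets the host match the whole site the way a CPE default drop would.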
