My personal take on the situation is that security threats and tolerance levels vary per organization and per individual. There's no point in the IETF trying to perform a Business Impact Analysis and then attempting to generate the appropriate Security Norms as defined in the ISO27000 series on behalf of all Internet users. It simply can't be done.

Suggested Homenet Security Goal: Provide feature equivalence to today's IPv4 solutions that are already widely deployed in the home.

Simple, clear, and addresses the concerns expressed in the NIST advisory CVE-2007-1338 and the marketing department.

Or would you like to swim against the tide of operational expectations and the huge installed base of devices inherited from IPv4? That would seem to me like a very bad idea to deploy as default behavior in a dual-stack world where IPv4 and IPv6 run in parallel over the same devices and links.

Equally, choosing a security model based on equivalence with existing IPv4 functionality would at first glance seem to place draft-vyncke-advanced-ipv6-security-03 out of reach until the devices were IPv6-only. But to me that draft just seems like too radical a step towards an IDP-type approach to be able to gain traction quickly in the home, at least as default behavior. Who's going to want to pay for maintaining attack signatures?

One useful compromise would be for Homenet to explicitly add the option for a user to be able to completely disable the default stateful packet filtering firewall of RFC6092 (ask a grown up before selecting this option), so that the user could deploy the model described in draft-vyncke-advanced-ipv6-security-03 using their favorite open-source IDP with attack signatures, or other security model, should they really want to.

Intentionally disabling/bypassing NAT and the built-in firewall in IPv4 devices was really hard. IMHO we should at least make that easy in Homenet devices for those who really want non-default behavior (via PCP and manual configuration options).

regards,
RayH
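
The model being argued over above (an RFC 6092 style default-deny stateful filter, with an explicit way to open pinholes or switch the filter off entirely) as a small added example. This is illustration code written for this page, not code from the thread, from RFC 6092 or from any Homenet implementation; the addresses, ports and packets are constructed, and the filter is simplified to TCP/UDP 5-tuple state (ICMPv6 handling and the endpoint-independent UDP filtering RFC 6092 recommends are left out).

```python
# Added example, not part of the original e-mail thread: a minimal model of a
# default-deny stateful filter of the kind RFC 6092 describes, with the
# "ask a grown up" opt-out switch and a PCP/manual-config style pinhole.
# All addresses, ports and traffic below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp" (ICMPv6 deliberately omitted here)
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" = LAN -> WAN, "in" = WAN -> LAN


class HomenetFilter:
    """Outbound flows create state; unsolicited inbound traffic is dropped."""

    def __init__(self, filtering_enabled: bool = True):
        # filtering_enabled=False is the proposed non-default option: everything
        # passes and the user supplies their own security model (e.g. an IDP).
        self.enabled = filtering_enabled
        self.flows = set()      # (proto, lan_addr, lan_port, wan_addr, wan_port)
        self.pinholes = set()   # (proto, lan_addr, lan_port) opened explicitly

    def open_pinhole(self, proto: str, lan_addr: str, lan_port: int) -> None:
        """Explicit inbound allowance, as a PCP MAP request or manual config would add."""
        self.pinholes.add((proto, lan_addr, lan_port))

    def process(self, pkt: Packet) -> str:
        """Return "pass" or "drop" for one packet, updating flow state on the way."""
        if not self.enabled:
            return "pass"
        if pkt.direction == "out":
            # Remember the 5-tuple so the reply is admitted.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "pass"
        # Inbound: only traffic matching existing state or an explicit pinhole.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "pass"
        if (pkt.proto, pkt.dst, pkt.dport) in self.pinholes:
            return "pass"
        return "drop"


def demo(filtering_enabled: bool = True) -> dict:
    """Run a constructed traffic sample through the filter; return each verdict."""
    fw = HomenetFilter(filtering_enabled)
    lan, wan, scanner = "2001:db8:1::10", "2001:db8:ffff::1", "2001:db8:bad::1"
    verdicts = {}
    # 1. A LAN host opens a TCP connection to a server on the WAN side.
    verdicts["syn_out"] = fw.process(Packet("tcp", lan, 50000, wan, 443, "out"))
    # 2. The server's reply matches the recorded flow and is admitted.
    verdicts["reply_in"] = fw.process(Packet("tcp", wan, 443, lan, 50000, "in"))
    # 3. An unsolicited probe to the same host (the background noise Fred sees).
    verdicts["probe_in"] = fw.process(Packet("tcp", scanner, 40000, lan, 22, "in"))
    # 4. After an explicit pinhole for port 22, the same kind of probe is admitted.
    fw.open_pinhole("tcp", lan, 22)
    verdicts["pinhole_in"] = fw.process(Packet("tcp", scanner, 40001, lan, 22, "in"))
    # 5. A UDP packet to a port nobody opened is still dropped.
    verdicts["udp_in"] = fw.process(Packet("udp", scanner, 53, lan, 5353, "in"))
    return verdicts


if __name__ == "__main__":
    for mode in (True, False):
        print("filtering enabled:" if mode else "filtering disabled:", demo(mode))
```

With the default on, only the reply to the LAN-initiated connection and the explicitly pinholed port get through; with the switch off, all five packets pass, which is exactly the trade the message above proposes leaving to the user.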

Cameron Byrne wrote:


On Mar 13, 2012 5:38 PM, "Brian E Carpenter" <[email protected]> wrote:
>
> On 2012-03-14 11:25, Fred Baker wrote:
> ...
> > First is a personal experience. At my home, I have a standing load of about 25 (plus or minus) packets per second that are discarded by the firewall. I don't know what they are, and I don't honestly care. They don't have my permission to be in my network, and I have to assume that if they were to get into it, the hosts in my network would have to deal with them.
>
> From time to time I look at TCPView to see what's going on. At this
> instant, to my knowledge, I'm doing nothing on my machine except typing
> this email. TCPView tells me I have 63 endpoints (sockets) open, with
> 18 established TCP connections, and 14 sockets listening. Admittedly
> some of these sockets are connected to the loopback address, but even
> so, it's scary. What are all those .exe files listening on a socket
> all day?
>
> Windows Firewall is dropping about 3 UDP packets per second, and that's
> behind our campus firewall.
>
> That's reality, and much as I love the e2e principle I think the ordinary
> citizen is better off behind default-deny.
>

I am not trying to be dense, but why?

What is the negative scenario of not having a homenet firewall on? Using real examples from the last 5 years... I would like to know how a CPE firewall protects against real threats to modern software.

> Personally I haven't run without an on-board firewall since I got my
> first wireless card (late 1999?). But we can't assume that applies to
> every home device.
>

Most PC software has shipped with a firewall on for the last ~10 years.

Cb
>   Brian
> _______________________________________________
> homenet mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/homenet
