My personal take on the situation is that security threats and tolerance
levels vary per organization and per individual. There's no point in the
IETF trying to perform a Business Impact Analysis and then attempting to
generate the appropriate Security Norms as defined in the ISO27000
series on behalf of all Internet users. It simply can't be done.
Suggested Homenet Security Goal: Provide feature equivalence to today's
IPv4 solutions that are already widely deployed in the home.
Simple, clear, and addresses the concerns expressed in the NIST advisory
CVE-2007-1338 and the marketing department.
Or would you like to swim against the tide of operational expectations
and huge installed base of devices inherited from IPv4? That would seem
to me like a very bad idea to deploy as default behavior in a dual stack
World where IPv4 and IPv6 run in parallel over the same devices and links.
Equally, choosing a security model based on equivalence with
existing IPv4 functionality would at first glance seem to place
draft-vyncke-advanced-ipv6-security-03 out of reach until the devices
were IPv6 only. But to me that draft just seems like too radical a step
towards an IDP type approach to be able to gain traction quickly in the
home, at least as default behavior. Who's going to want to pay for
maintaining attack signatures?
One useful compromise would be for Homenet to explicitly add the option
for a user to be able to completely disable the default stateful packet
filtering firewall of RFC6092 (ask a grown up before selecting this
option), so that the user could deploy the model described in
draft-vyncke-advanced-ipv6-security-03 using their favorite open-source
IDP with attack signatures, or other security model, should they really
want to.
Intentionally disabling/bypassing NAT and the built-in firewall in IPv4
devices was really hard. IMHO we should at least make that easy in
Homenet devices for those who really want non-default behavior (via PCP
and manual configuration options).
regards,
RayH
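To make the model RayH is arguing about concrete, here is an added illustration (not code from RFC 6092, from any Homenet draft, or from anyone on this thread) of the RFC 6092 "simple security" default: outbound flows create state, returning packets that match that state are admitted, and unsolicited inbound packets are dropped. The `filtering_enabled` switch models the proposed opt-out, and `add_pinhole` models a manually configured or PCP-style exception for one service. Class and function names, the addresses and the packet list are all constructed for the example.

```python
"""Toy model of RFC 6092-style default-deny stateful filtering on a home CPE.
Added example; not code from RFC 6092 or from the Homenet working group.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" (LAN -> WAN) or "in" (WAN -> LAN)
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class SimpleSecurityFilter:
    """Stateful default-deny filter with an opt-out and explicit pinholes."""

    def __init__(self, filtering_enabled=True):
        self.filtering_enabled = filtering_enabled
        # (proto, inside_addr, inside_port, outside_addr, outside_port)
        self.flows = set()
        # (proto, inside_addr, inside_port) permitted for unsolicited inbound
        self.pinholes = set()
        self.dropped = 0

    def add_pinhole(self, proto, inside_addr, inside_port):
        """Model a user- or PCP-configured exception for one inside service."""
        self.pinholes.add((proto, inside_addr, inside_port))

    def process(self, pkt):
        """Return 'allow' or 'drop' for one packet, updating flow state."""
        if not self.filtering_enabled:
            return "allow"          # user opted out: everything passes
        if pkt.direction == "out":
            # outbound traffic is always permitted and creates return state
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # inbound: admit only the reverse of a known flow or a pinholed service
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows or (pkt.proto, pkt.dst, pkt.dport) in self.pinholes:
            return "allow"
        self.dropped += 1
        return "drop"


def run(packets, filtering_enabled=True, pinholes=()):
    """Apply the filter to a packet list; return (verdicts, dropped_count)."""
    fw = SimpleSecurityFilter(filtering_enabled)
    for proto, addr, port in pinholes:
        fw.add_pinhole(proto, addr, port)
    verdicts = [fw.process(p) for p in packets]
    return verdicts, fw.dropped


# Constructed traffic sample (documentation-prefix addresses).
HOST = "2001:db8:1::10"
SAMPLE = [
    Packet("out", "tcp", HOST, 50000, "2001:db8:2::80", 80),      # host opens a web connection
    Packet("in",  "tcp", "2001:db8:2::80", 80, HOST, 50000),      # reply matches state
    Packet("in",  "tcp", "2001:db8:3::1", 44444, HOST, 22),       # unsolicited probe to port 22
    Packet("in",  "udp", "2001:db8:3::1", 5555, HOST, 5060),      # unsolicited probe to port 5060
    Packet("out", "udp", HOST, 40000, "2001:db8:2::53", 53),      # DNS query
    Packet("in",  "udp", "2001:db8:2::53", 53, HOST, 40000),      # DNS answer matches state
]

if __name__ == "__main__":
    print("default-deny:", run(SAMPLE))
    print("filter off:  ", run(SAMPLE, filtering_enabled=False))
    print("pinhole 22:  ", run(SAMPLE, pinholes=[("tcp", HOST, 22)]))
```

With the default on, the two unsolicited probes are the only packets dropped; with the opt-out set, every packet passes and the host's own firewall is all that remains, which is exactly the trade-off the thread is debating.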
Cameron Byrne wrote:
On Mar 13, 2012 5:38 PM, "Brian E Carpenter" <[email protected]> wrote:
>
> On 2012-03-14 11:25, Fred Baker wrote:
> ...
> > First is a personal experience. At my home, I have a standing load
> > of about 25 (plus or minus) packets per second that are discarded by
> > the firewall. I don't know what they are, and I don't honestly care.
> > They don't have my permission to be in my network, and I have to
> > assume that if they were to get into it, the hosts in my network would
> > have to deal with them.
>
> From time to time I look at TCPView to see what's going on. At this
> instant, to my knowledge, I'm doing nothing on my machine except typing
> this email. TCPView tells me I have 63 endpoints (sockets) open, with
> 18 established TCP connections, and 14 sockets listening. Admittedly
> some of these sockets are connected to the loopback address, but even
> so, it's scary. What are all those .exe files listening on a socket
> all day?
>
> Windows Firewall is dropping about 3 UDP packets per second, and that's
> behind our campus firewall.
>
> That's reality, and much as I love the e2e principle I think the ordinary
> citizen is better off behind default-deny.
>
I am not trying to be dense, but why?
What is the negative scenario of not having a homenet firewall on?
Using real examples from the last 5 years... I would like to know
how a CPE firewall protects against real threats to modern software.
> Personally I haven't run without an on-board firewall since I got my
> first wireless card (late 1999?). But we can't assume that applies to
> every home device.
>
Most PC software has shipped with a firewall on for the last ~10 years.
Cb
> Brian
> _______________________________________________
> homenet mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/homenet