On 14-Jun-2007, at 18:27, Thomas Narten wrote:
>>> I think you are missing my point.
>> I don't think so (though I may have been overly sarcastic in my
>> response). I understand that the default security policy/config is
>> "just say no".
> OK, good then. Sorry for mischaracterising your reply.
I think there is a difference between firewalls which:
(a) are applied between private networks and the Internet, which
might reasonably be expected to have a default policy which says
"deny everything" and to have exceptions to that rule carefully
formulated according to known requirements;
(b) are applied in front of somewhat but not entirely public networks
like wifi hotspots, hotels in order to block known troublesome
traffic (common windows worm proliferation ports, tcp/25, ICMP, DNS,
and all kinds of other bad ideas);
(c) are applied in networks which provide internet access as their
primary business (some of which might be similar to (b) above);
(d) backbone routers, which in times of severe need might be
configured to drop known-bad traffic (e.g. DDoS mitigation, prolific
virus outbreaks, etc)
This is not an exhaustive taxonomy. It seems to me that what people
think of most commonly when they read the word "firewall" is the
meaning in (a) above, whereas we might reasonably concur that (a)'s
policy is fine as it is (if they want their users to be able to take
advantage of MIPv6, presumably they will modify their policy to
accommodate it). It seems to me that the main places we're anxious
that people don't get the wrong idea about RHn>0 is (b), (c), (d), etc.
My concern is fundamentally that if we give the appearance of being
dictatorial greybeards living in ivory towers ("the Internet should
be open! future technology must be accommodated! NAT is wrong!") then
we run the risk that the entire document will be ignored by those we
most hope to educate, who will instead consume soundbites and make
bad decisions ("IPv6 IS INSECURE!" "HAVE YOU BLOCKED ROUTING HEADERS?
IF NOT YOU MAY BE AT RISK!").
Perhaps this is a non-issue and I'm out of touch with reality.
Certainly, I don't hear anybody else sharing my concern, regardless
of how many times I try to explain it :-)
Joe
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
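The distinction this thread turns on (dropping the deprecated type 0 Routing Header without also dropping the type 2 Routing Header that Mobile IPv6, RFC 3775, depends on), as an added example that is not part of the original message or of the IETF work it discusses. The code walks the IPv6 extension-header chain to find any Routing Header, then applies two policies side by side: a targeted one that drops only RH0, and the soundbite one ("have you blocked routing headers?") that drops any routing type, so the collateral damage to MIPv6 traffic is visible. The sample packets are constructed inline with documentation addresses (2001:db8::/32); the policy function names are mine. One caveat it also covers: when the chain is truncated and the routing header cannot be reached, the filter fails closed instead of guessing.

```python
"""Walk an IPv6 extension-header chain and decide whether a packet carries a
type 0 Routing Header (RH0), without also dropping the type 2 Routing Header
used by Mobile IPv6 (RFC 3775). Added example; the packets are constructed."""
import struct
from ipaddress import IPv6Address

IPV6_HDR_LEN = 40
NH_HOPOPT, NH_ROUTING, NH_FRAGMENT, NH_DSTOPT, NH_AH = 0, 43, 44, 60, 51
NH_TCP = 6
EXT_HEADERS = {NH_HOPOPT, NH_ROUTING, NH_FRAGMENT, NH_DSTOPT, NH_AH}


def routing_headers(pkt: bytes):
    """Return a list of (routing_type, segments_left) for every Routing Header
    in the chain. Raises ValueError if the packet is not IPv6 or the chain is
    truncated, so a caller can fail closed instead of guessing."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, found = pkt[6], IPV6_HDR_LEN, []
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header at offset %d" % off)
        if nh == NH_FRAGMENT:
            hdr_len = 8                       # Fragment header is always 8 octets
        elif nh == NH_AH:
            hdr_len = (pkt[off + 1] + 2) * 4  # AH: length in 4-octet units, minus 2
        else:
            hdr_len = (pkt[off + 1] + 1) * 8  # others: 8-octet units, first 8 not counted
        if off + hdr_len > len(pkt):
            raise ValueError("truncated extension header at offset %d" % off)
        if nh == NH_ROUTING:
            found.append((pkt[off + 2], pkt[off + 3]))  # Routing Type, Segments Left
        nh, off = pkt[off], off + hdr_len
    return found


def verdict_rh0_only(pkt: bytes) -> str:
    """Targeted policy: drop RH0, let every other routing type (e.g. type 2 for
    Mobile IPv6) through. An unparseable chain is dropped, not waved past."""
    try:
        rhs = routing_headers(pkt)
    except ValueError:
        return "DROP"
    return "DROP" if any(rtype == 0 for rtype, _ in rhs) else "PASS"


def verdict_any_rh(pkt: bytes) -> str:
    """The soundbite policy ("block routing headers"): drop on any routing type.
    Included only to show what it does to MIPv6 packets."""
    try:
        rhs = routing_headers(pkt)
    except ValueError:
        return "DROP"
    return "DROP" if rhs else "PASS"


# --- constructed sample packets (documentation prefix 2001:db8::/32, not captured traffic) ---
def ipv6(payload: bytes, next_header: int, src="2001:db8::1", dst="2001:db8::2") -> bytes:
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)  # ver/tc/flow, len, NH, hop limit
    return fixed + IPv6Address(src).packed + IPv6Address(dst).packed + payload


def routing_header(next_header: int, rtype: int, segments_left: int, addrs) -> bytes:
    body = b"".join(IPv6Address(a).packed for a in addrs)
    # NH, Hdr Ext Len (8-octet units beyond the first 8), Routing Type, Segments Left, 4 reserved octets
    return struct.pack("!BBBB", next_header, len(body) // 8, rtype, segments_left) + bytes(4) + body


def hop_by_hop(next_header: int) -> bytes:
    return struct.pack("!BB", next_header, 0) + b"\x01\x04" + bytes(4)  # one PadN(4) option


def fragment(next_header: int) -> bytes:
    return struct.pack("!BBHI", next_header, 0, 0, 0xDEADBEEF)  # offset 0, M=0, identification


TCP_STUB = bytes(20)
PKT_PLAIN = ipv6(TCP_STUB, NH_TCP)
PKT_RH0 = ipv6(hop_by_hop(NH_ROUTING) + routing_header(NH_TCP, 0, 1, ["2001:db8::3"]) + TCP_STUB, NH_HOPOPT)
PKT_MIPV6 = ipv6(routing_header(NH_TCP, 2, 1, ["2001:db8::10"]) + TCP_STUB, NH_ROUTING)
PKT_FRAG_RH0 = ipv6(fragment(NH_ROUTING) + routing_header(NH_TCP, 0, 2, ["2001:db8::3", "2001:db8::4"])
                    + TCP_STUB, NH_FRAGMENT)
PKT_TRUNCATED = PKT_RH0[:60]  # cut off inside the routing header

if __name__ == "__main__":
    for name, pkt in [("plain", PKT_PLAIN), ("rh0", PKT_RH0), ("mipv6 rh2", PKT_MIPV6),
                      ("frag+rh0", PKT_FRAG_RH0), ("truncated", PKT_TRUNCATED)]:
        print(f"{name:10s} rh0-only={verdict_rh0_only(pkt):4s} any-rh={verdict_any_rh(pkt)}")
```

The Linux equivalent of the targeted policy is the `rt` match, `ip6tables -A FORWARD -m rt --rt-type 0 -j DROP`, which keys on the same Routing Type field the walker above reads; the point of the example is that the type field is what a filter should key on, not the mere presence of a routing header.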