On Thu, 14 Jun 2007, Joe Abley wrote:
>> I think you are missing my point.
> I don't think so (though I may have been overly sarcastic in my
> response). I understand that the default security policy/config is
> "just say no".
OK, good then. Sorry for mischaracterising your reply.
> I think there is a difference between firewalls which:
> ...
I'm not sure if the document needs to say much at all about firewalls.
draft-ietf-v6ops-security-overview-06.txt has already said a lot about
this (now in RFC-ed queue) and there was significant IESG debate.
RFC 4890 may also be an interesting precedent here. Both are
Informational documents.
But if this document said something, perhaps the best would be to
recommend operators don't try to filter RH0 in any ACLs or firewalls.
A class of networks already de-facto filters it (all RH) so nothing
is changed. The rest shouldn't bother because 1) hosts will get
updated, and 2) ingress filtering will block most of the abuse.
IMHO, it's pointless to try to block RH0 in any firewalls except in
very well-managed networks. The more configuration we recommend
vendors to build in or operators to deploy, the more likely it is that
it breaks something, especially given that most firewall/ACL
implementations have restrictions on which RHs they can see.
--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
--------------------------------------------------------------------
IETF IPv6 working group mailing list
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
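An added example, not from this thread, illustrating the last point above: a filter that only looks at the IPv6 Next Header field cannot see a routing header that sits behind a Destination Options header, and cannot see one carried in a non-first fragment at all. The function below walks the extension-header chain and reports the routing type and the segments-left count; the three packets it is run over are constructed here with the 2001:db8::/32 documentation prefix.

```python
import struct

# Extension headers a filter has to walk through before it can see a
# routing header (Next Header values from RFC 2460).
HOPOPT, ROUTING, FRAGMENT, DSTOPTS = 0, 43, 44, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, DSTOPTS}

def find_routing_header(pkt: bytes):
    """Return (routing_type, segments_left) for the first routing header
    reachable in the chain, or None if none is visible. A non-first
    fragment hides the rest of the chain, so it also yields None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40
    while nh in EXT_HEADERS and off + 8 <= len(pkt):
        if nh == ROUTING:
            return pkt[off + 2], pkt[off + 3]        # routing type, segments left
        if nh == FRAGMENT:
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_off != 0:
                return None                         # chain continues in another fragment
            nh, off = pkt[off], off + 8
        else:                                       # HOPOPT / DSTOPTS: length in 8-octet units
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return None

def is_rh0_with_segments_left(pkt: bytes) -> bool:
    rh = find_routing_header(pkt)
    return rh is not None and rh[0] == 0 and rh[1] > 0

# --- constructed sample packets (documentation prefix 2001:db8::/32) ---
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")
HOP = bytes.fromhex("20010db8000000000000000000000003")

def ipv6(next_header, payload):
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + SRC + DST + payload

# RH0 with one hop still to visit: next header 59 (none), hdr ext len 2
# (one address), type 0, segments left 1, four reserved bytes, one address
RH0 = bytes([59, 2, 0, 1, 0, 0, 0, 0]) + HOP
# The same RH0 behind a Destination Options header carrying a PadN option
DSTOPT_THEN_RH0 = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0]) + RH0
# A non-first fragment (offset 8) whose payload happens to start with RH0 bytes
FRAG_TAIL = bytes([ROUTING, 0]) + struct.pack("!H", 8 << 3) + struct.pack("!I", 0x1234) + RH0

DIRECT = ipv6(ROUTING, RH0)
BEHIND_DSTOPTS = ipv6(DSTOPTS, DSTOPT_THEN_RH0)
NON_FIRST_FRAGMENT = ipv6(FRAGMENT, FRAG_TAIL)
```

Only DIRECT and BEHIND_DSTOPTS are classified as RH0 with hops remaining; NON_FIRST_FRAGMENT yields None because the header chain is not present in that fragment, which is the blind spot a stateless ACL has no way to close.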