Hi Bill,

On Wednesday, 16 July 2014 at 12:21 -0700, Bill Moffitt wrote:
> All these routers today, of course, necessarily come NATted, meaning no
> ports are open to the Internet. Users are accustomed to being able to
> connect their computers to the router's network and be shielded from
> unwanted intrusions from outside by the NAT "firewall."

No. Users are used to things “just working”. They don't know what NAT or a firewall is. They think they are secure because the vendor of their devices did his job well.

Their Skype phone works because it uses some kludge that makes it look like malware from a network security point of view. It is kind of secure because you have allowed only one overlord (Microsoft) to access your machine and your network. You have to trust Microsoft: no layer of firewall or anything (apart from cutting yourself completely off from the Internet) will stop your computer from being tied to the Skype network. So you have to trust them. If you didn't want to be reachable by Skype, just don't use it, and you won't be reachable, even with no firewall at all on your router.

Your game console “just works” because it uses a supplementary protocol (UPnP) that makes incoming connections to your console possible. This doesn't render your console more secure: it would have been the same if you had global reachability and no firewall. It is just a supplementary layer that has only one advantage: software not implementing it can't be globally reachable. So every piece of software that wants to be reachable has to do so, or it just dies as of yesterday. Every piece of software that does not can just stay as is; with IPv6, it could just have bound to some link-local address: the one bound to a global address would have gotten global reachability “magically”.

[…]

> 1.) In the IPv6 world, the firewall should rightfully migrate from the
> router to the device, but that transition won't be simultaneous with the
> availability of v6. For some transitional time, we'll have legacy
> devices on the network that are v6-capable but not necessarily v6-safe -
> and consumer-grade users will probably not realize it. At the least,
> users won't be accustomed to having their printer "visible" to the whole
> world and will need time to understand that they need to have strong
> passwords on their printers, cameras, thermostats, dog feeders, etc. (or
> explicitly block them)

If the use of such a device is meant to be “local” by default, the manufacturer should somehow restrict its use by default. But printers may have reason to be globally reachable, if one wants to share one between several networks. You can configure it (or your firewall) to restrict its access once you have decided to make it global (as I suggested, I don't think this would be a good default; I hope the manufacturers get it…).

> 2.) I believe that the transition to v6 in the U.S. and Europe is not
> going to be slow and orderly, but will be sudden and chaotic, driven by
> emergent demand for some service that arises in a manner that
> necessitates v6 access.

The demand has been there for decades (IP phones for everybody, anyone?). But I agree that it may be chaotic anyway.

> For that reason, I think that maintaining
> behavior similar to what consumers see today will be critical in user
> satisfaction.

The “behavior” casual people are “seeing” today has nothing to do with their device having global IPv6 reachability or not: they just want things to work. One way of having IP phones everywhere is to find more kludges to get through firewalls and pray for nice intermediaries not to mess with your communications (like MS cited above); the other one is to have it basically done at the IP level, with IPv6 and global reachability by default.

> I expect that, over time, users will become accustomed to the
> "end-to-end" nature of the v6 Internet and may demand that the firewall
> be "open" by default,

No normal people ask for their firewall to be open by default: only geeks do.

> and I would certainly propose that we have a
> simple checkbox in LUCI that allows the firewall to be changed from "all
> closed except explicitly open ports" to "all open" in one action. At
> some point we would probably change the default behavior from "all
> closed" to "all open."

“At some point” being too late.

-- 
benjamin

_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
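The two policies the checkbox discussed above would toggle, written out as OpenWrt `/etc/config/firewall` fragments: a default-closed wan zone with one explicit IPv6 exception for a shared printer, beside the "all open" variant. This is an added illustration, not configuration from the thread or OpenWrt's shipped defaults; the zone and network names are assumed, the two wan zones are alternatives rather than a single file, and the printer address uses the 2001:db8::/32 documentation prefix.

```uci
# Global chain policies: anything not matched by a zone or rule is rejected.
config defaults
	option input	'REJECT'
	option output	'ACCEPT'
	option forward	'REJECT'

# Default-closed WAN zone covering the IPv4 and IPv6 uplinks. With no
# forwarding section from wan to lan, unsolicited inbound traffic to hosts
# behind the router is rejected. masq only affects IPv4; IPv6 hosts keep
# their global addresses, so the forward policy is what protects them.
config zone
	option name	'wan'
	list network	'wan'
	list network	'wan6'
	option input	'REJECT'
	option output	'ACCEPT'
	option forward	'REJECT'
	option masq	'1'
	option mtu_fix	'1'

# The one explicit exception: a printer shared over IPv6 on IPP (TCP 631).
# dest_ip is a constructed documentation-prefix address.
config rule
	option name	'Allow-IPv6-Printer-IPP'
	option src	'wan'
	option dest	'lan'
	option dest_ip	'2001:db8:0:1::631'
	option dest_port	'631'
	option proto	'tcp'
	option family	'ipv6'
	option target	'ACCEPT'

# What "all open" amounts to (alternative to the wan zone above, not in
# addition to it): accept on the router itself and forward everything from
# wan into lan. Every host with a global IPv6 address is then reachable from
# the Internet on every port, with only the device's own defences left.
config zone
	option name	'wan'
	list network	'wan'
	list network	'wan6'
	option input	'ACCEPT'
	option output	'ACCEPT'
	option forward	'ACCEPT'

config forwarding
	option src	'wan'
	option dest	'lan'
```

Because the printer rule is restricted to `family 'ipv6'`, the same printer stays unreachable over IPv4 unless a separate redirect (port forward) is added for it.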
