Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC

Marc Lampo <marc.lampo.ietf@gmail.com> Wed, 13 November 2013 19:47 UTC

In-Reply-To: <alpine.DEB.2.02.1311130329180.26054@uplift.swm.pp.se>
References: <201311101900.rAAJ0AR6025350@irp-view13.cisco.com> <CAB0C4xOfz_JAjEEJZ-Zz7MBEyZhVzrAE+8Ghf1ggC3+9pyHmNg@mail.gmail.com> <989B8ED6-273E-45D4-BFD8-66A1793A1C9F@cisco.com> <alpine.DEB.2.02.1311130329180.26054@uplift.swm.pp.se>
Date: Wed, 13 Nov 2013 20:47:05 +0100
Message-ID: <CAB0C4xOd-ryBXe4O3XoLTLDw-XuOV==X0nkRg5y3aPXCtf+Gow@mail.gmail.com>
From: Marc Lampo <marc.lampo.ietf@gmail.com>
To: Mikael Abrahamsson <swmike@swm.pp.se>
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC

I as well would prefer that unsolicited traffic from the Internet be
stopped at the border of the network - like RFC 6092 recommends (though I
don't see a recommendation for incoming UDP traffic?)

If a device in the network desires to communicate with the outside world,
it is probably/hopefully after an act of configuration (of its owner) on
that device.  That outgoing traffic could be the trigger to allow the rest
of the communication.
If, in some years, fridges have IPv6 connectivity, perhaps they might send
an inventory or shopping list to your mobile device (outgoing traffic).
But probably/hopefully that will only happen after it was configured with
some destination and authentication data, so that the info arrives on your
mobile and does indeed come from your fridge.
But the fact that the fridge does have connectivity does not imply I would
allow my favorite shop to come and look, or some marketing firm, or the
fridge of a neighbor in search of eggs (s)he forgot ...


So, by default allow the first packet towards ports "considered harmless"?

As Fred already pointed out, the listener on TCP port 80 might not be a
webserver;
and why would any port (lower or higher than 1024) be harmless?
After all, malware could choose any free port.
The number 1024 is only there because, on UNIX, it requires superuser
privileges to bind to low ports.


Hence, in my opinion, the security (and privacy) of IPv6 users is best
served by keeping unsolicited traffic out.

Kind regards,


On Wed, Nov 13, 2013 at 3:34 AM, Mikael Abrahamsson <swmike@swm.pp.se> wrote:

> On Tue, 12 Nov 2013, Fred Baker (fred) wrote:
>
>> From my perspective, I think I would prefer that the firewall - if
>> implemented - blocked everything, and applications within the network
>> advised the firewall(s) of traffic that they are willing to receive. If a
>> potential session has no willing counterpart within my network, I don't see
>> the argument for letting the first packet in.
>>
>
> My biggest problem with this reasoning is that I am not aware of any
> firewall poking mechanism actively being in use for IPv6. This means that
> if we have a firewall with default-deny for incoming connections, then
> either hosts need an Internet based machine to coordinate a STUN type of
> behaviour to get the firewall to accept packets for sessions, or they need
> to implement a firewall poking mechanism that, as far as I know, neither
> today's firewalls/CPEs nor hosts actually have.
>
> So today, implementing default-deny would mean a lot of the benefit of
> IPv6 wouldn't be seen immediately but would take many years to realise.
> Right?
>
> Or am I mistaken and is UPnP for IPv6 actually functional today? PCP I have
> never seen in home devices.
>
> --
> Mikael Abrahamsson    email: swmike@swm.pp.se
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
>
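The policy argued over above (default-deny for unsolicited inbound packets, with outbound traffic creating the state that lets the return direction through, plus an explicit "pinhole" so an inside application can declare what it is willing to receive, as PCP or UPnP would) can be made concrete with a small stateful-filter model. This is an added, constructed example and not code from RFC 6092, the draft under last call, or any CPE; the addresses are documentation prefixes, `open_pinhole` stands in for whatever signalling mechanism a CPE would actually implement, and the ICMPv6 allow-set is an abbreviated stand-in for the RFC 4890 "do not drop" types, not the full list.

```python
"""Toy model of an RFC 6092-style IPv6 border filter.

Constructed example for this thread, not code from RFC 6092, the draft or a CPE.
Rules modelled:
  - outbound packets (inside -> outside) are accepted and create per-5-tuple state;
  - inbound packets are accepted only if they match existing state (return traffic)
    or an explicitly opened pinhole (a PCP/UPnP-like request from an inside host);
  - a short list of ICMPv6 types is always accepted (abbreviated RFC 4890 set);
  - everything else inbound is dropped, regardless of destination port.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmpv6"
    sport: int      # ignored for icmpv6
    dport: int      # for icmpv6 this field carries the ICMPv6 type
    inbound: bool   # True = arriving from the Internet side


@dataclass
class BorderFilter:
    # ICMPv6 types passed unconditionally (abbreviated; assumption for this example)
    icmp_allow: set = field(default_factory=lambda: {1, 2, 3, 4, 128, 129})
    # state entries: (inside_addr, outside_addr, proto, inside_port, outside_port)
    flows: set = field(default_factory=set)
    # pinholes opened from inside: (proto, inside_addr, inside_port)
    pinholes: set = field(default_factory=set)

    def open_pinhole(self, proto: str, inside_addr: str, inside_port: int) -> None:
        """Stand-in for a PCP/UPnP request: an inside application declares a listener."""
        self.pinholes.add((proto, inside_addr, inside_port))

    def decide(self, pkt: Packet) -> str:
        if pkt.proto == "icmpv6":
            return "accept" if pkt.dport in self.icmp_allow else "drop"
        if not pkt.inbound:
            # Outbound traffic is the trigger: record state for the return direction.
            self.flows.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
            return "accept"
        # Inbound: only return traffic for a known flow, or an explicit pinhole, passes.
        if (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport) in self.flows:
            return "accept"
        if (pkt.proto, pkt.dst, pkt.dport) in self.pinholes:
            return "accept"
        return "drop"


def demo() -> dict:
    """Walk through the cases discussed in the thread; returns the filter's verdicts."""
    fw = BorderFilter()
    fridge = "2001:db8:1::10"        # inside host (constructed address)
    shop = "2001:db8:ffff::1"        # outside host (constructed address)
    resolver = "2001:db8:53::53"     # outside DNS server (constructed address)
    r = {}
    # Unsolicited inbound to a "harmless" port: dropped, whatever listens there.
    r["unsolicited_80"] = fw.decide(Packet(shop, fridge, "tcp", 43210, 80, True))
    # The fridge opens a TCP session outwards; the matching reply is accepted.
    fw.decide(Packet(fridge, shop, "tcp", 51000, 443, False))
    r["return_443"] = fw.decide(Packet(shop, fridge, "tcp", 443, 51000, True))
    # Same peer, different inside port: state is per 5-tuple, so still dropped.
    r["other_port"] = fw.decide(Packet(shop, fridge, "tcp", 443, 51001, True))
    # The same rule covers UDP: an outbound query creates state for the reply.
    fw.decide(Packet(fridge, resolver, "udp", 40000, 53, False))
    r["dns_reply"] = fw.decide(Packet(resolver, fridge, "udp", 53, 40000, True))
    # An inside application explicitly asks for inbound UDP on a port: accepted.
    fw.open_pinhole("udp", fridge, 5060)
    r["pinhole_udp"] = fw.decide(Packet(shop, fridge, "udp", 5060, 5060, True))
    # Essential ICMPv6 passes; an unlisted type does not.
    r["echo_request"] = fw.decide(Packet(shop, fridge, "icmpv6", 0, 128, True))
    r["icmp_other"] = fw.decide(Packet(shop, fridge, "icmpv6", 0, 200, True))
    return r


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16s} {verdict}")
```

The model deliberately has no notion of a "harmless" port: the only things that open the border are an outbound packet or an explicit request from inside, which is the position taken in the message above. A real CPE would also need state timeouts and the full RFC 4890 ICMPv6 treatment, which this toy leaves out.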