Re: I-D.ietf-v6ops-cpe-simple-security-09

Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org> Sun, 21 March 2010 01:55 UTC

Date: Sun, 21 Mar 2010 12:21:53 +1030
From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: Mark Townsley <townsley@cisco.com>, james woodyatt <jhw@apple.com>, IPv6 Operations <v6ops@ops.ietf.org>
Subject: Re: I-D.ietf-v6ops-cpe-simple-security-09

On Sun, 21 Mar 2010 13:19:50 +1300
Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:

> On 2010-03-21 08:32, Mark Townsley wrote:
> > 
> > On 3/20/10 1:32 AM, james woodyatt wrote:
> >> On Mar 19, 2010, at 16:50, Brian E Carpenter wrote:
> >>   
> >>> But I'm afraid that the simplicity of 'default deny' has long
> >>> ago won the hearts and minds of enterprise network managers.
> >>>      
> >> Sadly, enterprise network managers aren't the only people whose
> >> legitimate interests are at stake in the matter under discussion.
> >>    
> > This document is clearly scoped in the first sentence of the
> > Introduction to:
> > 
> > "gateway devices that enable delivery of Internet services in
> > residential and small office settings."
> > 
> > So, I'm not sure why we are even considering enterprise network managers
> > here.
> 
> Fair enough, but...
> > 
> > The networks themselves, the assets under protection, the types of
> > applications, are quite different
> > between an enterprise network and residential network.
> 
> Indeed. But ISPs that supply CPE to their customers are going to
> assume that their customers are running unpatched insecure operating
> systems at high risk of catching malware. So I think they are just as
> likely as enterprise IT departments to favour default deny approaches.
> 

I can't speak for all ISPs, however the ones I've worked at here in
Australia don't make that assumption universally. There will be a
percentage of customers who have that issue, however they'll be the
minority, and they'll have trouble pretty quickly because of it.

One other broader issue with making that assumption is boundaries of
responsibility / care. If ISPs universally assume that customers' devices
are insecure, unmaintained and unpatched, and take active yet
limited measures to mitigate that, some customers might then believe
that the ISP is taking care of all their Internet security needs. If a
customer then suffers a security incident and has a financial loss
because of it, they might try to sue the ISP for the loss because they
believe the ISP is taking care of all their Internet security.


Regards,
Mark.