Re: [v6ops] Hmm. Interesting article...

Fernando Gont <fgont@si6networks.com> Tue, 02 February 2016 15:36 UTC

To: "Howard, Lee" <lee.howard@twcable.com>, Owen DeLong <owen@delong.com>
References: <165F7549-2A4C-44C3-9FBA-3AF69DE50110@cisco.com> <CAHw9_iLDjyZ6CKUjcyqUBe3-_EJxDekG7a1cPVLpF_U9tVvUgQ@mail.gmail.com> <56AFD626.1000802@bogus.com> <FBABBC18-CFFA-46C9-A63C-B86FE2CFFC94@cisco.com> <6EB29183-FA9A-4B94-BD68-115DB190FE65@delong.com> <56B06129.7090301@si6networks.com> <657448B4-4F56-445A-8862-8E0EB8D1A8B2@delong.com> <56B0BE2B.5050408@si6networks.com> <D2D633A9.D612D%Lee.Howard@twcable.com>
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <56B0CC7E.1000005@si6networks.com>
Date: Tue, 02 Feb 2016 12:34:22 -0300
In-Reply-To: <D2D633A9.D612D%Lee.Howard@twcable.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/UFYkN9uvq7vO-7rcw6tMiWxpi84>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] Hmm. Interesting article...

On 02/02/2016 12:24 PM, Howard, Lee wrote:
> 
> On 2/2/16, 9:33 AM, "v6ops on behalf of Fernando Gont"
> <v6ops-bounces@ietf.org on behalf of fgont@si6networks.com> wrote:
> 
>> On 02/02/2016 10:20 AM, Owen DeLong wrote:
>>>
>>>> On Feb 1, 2016, at 23:56, Fernando Gont <fgont@si6networks.com> wrote:
>>>>
>>>> Maybe in that in IPv4 you typically have a NAT in front of your node,
>>>> where in IPv6 you don't necessarily have a fw?
>>>>
>>>
>>> If you're running a host without any sort of filter, that's really not
>>> a problem we should be solving at the network level. That's more of an
>>> educational problem.
>>
>> There's a reason for deploying network-based firewalls:
>> <https://tools.ietf.org/html/draft-gont-opsawg-firewalls-analysis-01>
>>
> 
> There is an unaddressed tension here.
> I think one view is that IPv6 should be deployed without firewalls so all
> hosts are reachable from arbitrary other hosts on the Internet.

The folks busted by the recent ICMPv6-based FreeBSD exploit have a good
example regarding why you don't want to be reachable by everyone when
you don't really need that.

"Need to know basis", "principle of least privilege"... i.e., you are
not allowed to do something that you're not really required to do...


> I think the other view is that all/most/many hosts should be protected by
> a stateful firewall.
> 
> I don't know that we can resolve this tension in v6ops, but I want to make
> it explicit.

Folks aiming at end-to-end connectivity have traditionally assumed that
the "host" is some sort of computer (laptop, tablet, etc.), whereas
"host" really becomes any crappy device that becomes IPv6-enabled...
possibly with sloppy code, unmanaged, and possibly not even possible to
upgrade. -- No.. you don't want that stuff reachable from anyone on the
Internet.


-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
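As an added illustration of the "stateful firewall plus least privilege" position argued in this thread (this is an editorial example, not a ruleset from the draft, the list, or any of the posters), the nftables policy below implements default-deny inbound for an IPv6 host while keeping the ICMPv6 types the stack needs. The point of the ICMPv6 set is the caveat a practitioner wants after reading about an ICMPv6-based exploit: blocking all of ICMPv6 breaks Neighbor Discovery and Path MTU Discovery, so the filter admits the specific types RFC 4890 treats as essential and drops the rest. The table name `host_fw`, the log prefix and the single allowed service (TCP/22) are assumptions for the example; replace the service list with whatever the host is actually required to offer.

```nft
# Example IPv6 host policy (constructed for this illustration; not from the thread).
# Load with: nft -f this-file   (nftables 0.9+ syntax assumed)
table ip6 host_fw {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and already-established flows: the stateful part.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 the stack cannot live without (error signalling, PMTUD,
        # Neighbor Discovery). Everything else in ICMPv6 falls through to drop.
        meta l4proto icmpv6 icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem,
            nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert
        } accept

        # Optional: allow reachability checks; remove if not required.
        meta l4proto icmpv6 icmpv6 type echo-request limit rate 10/second accept

        # DHCPv6 client: replies arrive from link-local servers on UDP 546.
        ip6 saddr fe80::/10 udp dport 546 accept

        # Services this host is actually required to offer: add only those.
        tcp dport 22 accept

        # Anything else is dropped by policy; log it so unexpected inbound
        # attempts (including unsolicited ICMPv6 types) show up in detection.
        log prefix "ip6-host-drop: " counter drop
    }
}
```

Because the table is of family `ip6`, it leaves IPv4 untouched; on a dual-stack host an equivalent `ip` table (or a single `inet` table with both ICMP variants listed) is needed. The `ct state invalid drop` line matters for the "crappy device" case in the message above: packets that do not belong to any tracked flow never reach a listener, regardless of how robust that listener's code is.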