Re: [v6ops] Hmm. Interesting article...

Mark Smith <markzzzsmith@gmail.com> Tue, 02 February 2016 19:47 UTC

To: Ca By <cb.list6@gmail.com>
Cc: Fernando Gont <fgont@si6networks.com>, v6ops list <v6ops@ietf.org>

On 3 Feb 2016 3:09 AM, "Ca By" <cb.list6@gmail.com> wrote:
>
> On Tue, Feb 2, 2016 at 7:34 AM, Fernando Gont <fgont@si6networks.com> wrote:
>>
>> On 02/02/2016 12:24 PM, Howard, Lee wrote:
>> >
>> > On 2/2/16, 9:33 AM, "v6ops on behalf of Fernando Gont"
>> > <v6ops-bounces@ietf.org on behalf of fgont@si6networks.com> wrote:
>> >
>> >> On 02/02/2016 10:20 AM, Owen DeLong wrote:
>> >>>
>> >>>> On Feb 1, 2016, at 23:56, Fernando Gont <fgont@si6networks.com> wrote:
>> >>>>
>> >>>> Maybe in that in IPv4 you typically have a NAT in front of your node,
>> >>>> where in IPv6 you don't necessarily have a fw?
>> >>>>
>> >>>
>> >>> If you're running a host without any sort of filter, that's really not
>> >>> a problem we should be solving at the network level. That's more of an
>> >>> educational problem.
>> >>
>> >> There's a reason for deploying network-based firewalls:
>> >> <https://tools.ietf.org/html/draft-gont-opsawg-firewalls-analysis-01>
>> >>
>> >
>> > There is an unaddressed tension here.
>> > I think one view is that IPv6 should be deployed without firewalls so all
>> > hosts are reachable from arbitrary other hosts on the Internet.
>>
>> The folk busted by the recent ICMPv6-based freebsd exploit has a good
>> example regarding why you don't want to be reachable by everyone when
>> you don't really need that.
>>
>
> Except for everyone with a FreeBSD based network based firewalls.
>
> In my experience, firewalls are a single point of failure that are
> generally more prone to attacks (state exhaustion, ALG mishandling bugs and
> associated platform crashes, ...) than anything else.  A firewall is a
> host, so it has all those same host issues you speak of.
>
> The biggest sources of network based DDoS today that is crushing the
> internet daily ....is generally labeled a "home firewall" ...these
> firewalls seem to expose UDP 1900, Chargen, NTP, and others.... The label
> says firewall.
>
> So, excuse me if i don't think firewalls do what you think they do in the
> real world.  In my experience, they are the vector of the worst attacks and
> concentrate the risk of a site going off-line into a single box that is
> more vulnerable (since it is running exotic ALGs, UPNP, PCP ...)  than any
> other box
>

Which I think is evidence that host level security is now actually more
effective in many cases than CPE/firewall security. The attackers are going
after the weakest link.

Regards,
Mark.

> CB
>
>>
>> "Need to know basis", "principle of least privilege"... i.e., you are
>> not allowed to do and something that you're not really required to do...
>>
>>
>> > I think the other view is that all/most/many hosts should be protected by
>> > a stateful firewall.
>> >
>> > I don't know that we can resolve this tension in v6ops, but I want to make
>> > it explicit.
>>
>> Folks aiming at end to end connectivity have traditionally assumed that
>> the "host" is some sort of computer (laptop, tablet, etc.) whereas
>> "host" really becomes any crappy device that becomes IPv6-enabled...
>> possibly with sloppy code, unmanaged, and possibly not even possible to
>> upgrade. -- No.. you don't want that stuff reachable from anyone in the
>> Internet.
>>
>>
>> --
>> Fernando Gont
>> SI6 Networks
>> e-mail: fgont@si6networks.com
>> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>>
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
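The thread's point about "home firewalls" that expose UDP 1900 (SSDP), Chargen and NTP and end up as DDoS reflectors can be checked from the defender's side with flow records: an exposed amplifier shows up as an internal host sending far more bytes back out on one of those service ports than it received on it. The script below is an added example written for this page, not code from the thread or from any of the people quoted in it. It assumes a hypothetical one-line-per-flow exporter format (timestamp, protocol, src:port -> dst:port, byte and packet counts; IPv6 addresses bracketed) and takes the site's internal prefixes as a parameter; the sample flow lines are constructed.

```python
"""Flag internal hosts acting as UDP reflectors/amplifiers, from flow records.

Added example for this page; the flow format and all sample data are
constructed (hypothetical exporter format), not taken from any real device.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# UDP services the thread names as exposed by "home firewalls"; extend as needed.
AMPLIFIER_PORTS = {19: "chargen", 123: "ntp", 1900: "ssdp"}

# Constructed sample records: a small request arriving at a service port on an
# internal host, followed by the much larger reply going back out.
SAMPLE_FLOWS = """\
2016-02-02T11:40:01Z udp 203.0.113.7:40001 -> 192.0.2.10:1900 bytes=90 pkts=1
2016-02-02T11:40:01Z udp 192.0.2.10:1900 -> 203.0.113.7:40001 bytes=3240 pkts=8
2016-02-02T11:40:02Z udp 203.0.113.9:52000 -> 192.0.2.10:123 bytes=234 pkts=1
2016-02-02T11:40:02Z udp 192.0.2.10:123 -> 203.0.113.9:52000 bytes=48240 pkts=100
2016-02-02T11:40:03Z udp [2001:db8:1::5]:6000 -> [2001:db8::10]:19 bytes=60 pkts=1
2016-02-02T11:40:03Z udp [2001:db8::10]:19 -> [2001:db8:1::5]:6000 bytes=7400 pkts=7
2016-02-02T11:40:04Z udp 198.51.100.4:9999 -> 192.0.2.10:123 bytes=76 pkts=1
2016-02-02T11:40:04Z udp 192.0.2.10:123 -> 198.51.100.4:9999 bytes=76 pkts=1
2016-02-02T11:40:05Z tcp 192.0.2.11:443 -> 203.0.113.7:55555 bytes=9000 pkts=12
"""

# Handles both "a.b.c.d:port" and "[v6addr]:port"; ']' is excluded from the
# address class so the lazy match cannot swallow the bracket.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+)\s+"
    r"\[?(?P<src>[^\]\s]+?)\]?:(?P<sport>\d+)\s+->\s+"
    r"\[?(?P<dst>[^\]\s]+?)\]?:(?P<dport>\d+)\s+"
    r"bytes=(?P<bytes>\d+)\s+pkts=(?P<pkts>\d+)$"
)


def parse_flows(text):
    """Parse exporter lines into dicts; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "proto": m["proto"].lower(),
            "src": ip_address(m["src"]), "sport": int(m["sport"]),
            "dst": ip_address(m["dst"]), "dport": int(m["dport"]),
            "bytes": int(m["bytes"]), "pkts": int(m["pkts"]),
        })
    return flows


def find_reflection(flows, internal_prefixes, min_factor=5.0):
    """Return internal hosts whose replies on an amplifier port exceed the
    request volume from the same external peer by at least min_factor."""
    nets = [ip_network(p) for p in internal_prefixes]

    def is_internal(addr):
        # ipaddress returns False for a v4 address tested against a v6 net and vice versa
        return any(addr in n for n in nets)

    requests = defaultdict(int)   # (host, service port, peer, peer port) -> bytes in
    responses = defaultdict(int)  # same key -> bytes out
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dport"] in AMPLIFIER_PORTS and is_internal(f["dst"]) and not is_internal(f["src"]):
            requests[(f["dst"], f["dport"], f["src"], f["sport"])] += f["bytes"]
        elif f["sport"] in AMPLIFIER_PORTS and is_internal(f["src"]) and not is_internal(f["dst"]):
            responses[(f["src"], f["sport"], f["dst"], f["dport"])] += f["bytes"]

    findings = []
    for key, out_bytes in responses.items():
        in_bytes = requests.get(key, 0)
        # A reply with no matching request is treated as unbounded amplification.
        factor = out_bytes / in_bytes if in_bytes else float("inf")
        if factor >= min_factor:
            host, port, peer, _ = key
            findings.append({"host": str(host), "service": AMPLIFIER_PORTS[port],
                             "peer": str(peer), "factor": round(factor, 1)})
    return sorted(findings, key=lambda x: -x["factor"])


def run_sample():
    return find_reflection(parse_flows(SAMPLE_FLOWS), ["192.0.2.0/24", "2001:db8::/48"])


if __name__ == "__main__":
    for hit in run_sample():
        print(f"{hit['host']} answers {hit['service']} for {hit['peer']} at {hit['factor']}x")
```

The NTP exchange with equal-sized request and reply (the fourth pair) is not flagged, which is the behaviour wanted: an ordinary time query is not evidence of reflection, a 200x reply is. Hosts that turn up here need the service filtered or disabled on the box itself, whatever the label on the CPE says.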