Re: [v6ops] Hmm. Interesting article...
Ca By <cb.list6@gmail.com> Tue, 02 February 2016 16:09 UTC
In-Reply-To: <56B0CC7E.1000005@si6networks.com>
References: <165F7549-2A4C-44C3-9FBA-3AF69DE50110@cisco.com> <CAHw9_iLDjyZ6CKUjcyqUBe3-_EJxDekG7a1cPVLpF_U9tVvUgQ@mail.gmail.com> <56AFD626.1000802@bogus.com> <FBABBC18-CFFA-46C9-A63C-B86FE2CFFC94@cisco.com> <6EB29183-FA9A-4B94-BD68-115DB190FE65@delong.com> <56B06129.7090301@si6networks.com> <657448B4-4F56-445A-8862-8E0EB8D1A8B2@delong.com> <56B0BE2B.5050408@si6networks.com> <D2D633A9.D612D%Lee.Howard@twcable.com> <56B0CC7E.1000005@si6networks.com>
Date: Tue, 02 Feb 2016 08:09:08 -0800
Message-ID: <CAD6AjGTp61hNf23vZT2CNXr9VOrsDckQ_dH7CvYnN_tRiaXrcA@mail.gmail.com>
From: Ca By <cb.list6@gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/gsllYFoP6c_bDKGpza1h05gZ8FQ>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] Hmm. Interesting article...
On Tue, Feb 2, 2016 at 7:34 AM, Fernando Gont <fgont@si6networks.com> wrote:
> On 02/02/2016 12:24 PM, Howard, Lee wrote:
> >
> > On 2/2/16, 9:33 AM, "v6ops on behalf of Fernando Gont"
> > <v6ops-bounces@ietf.org on behalf of fgont@si6networks.com> wrote:
> >
> >> On 02/02/2016 10:20 AM, Owen DeLong wrote:
> >>>
> >>>> On Feb 1, 2016, at 23:56, Fernando Gont <fgont@si6networks.com> wrote:
> >>>>
> >>>> Maybe in that in IPv4 you typically have a NAT in front of your node,
> >>>> where in IPv6 you don't necessarily have a fw?
> >>>>
> >>>
> >>> If you're running a host without any sort of filter, that's really not
> >>> a problem we should be solving at the network level. That's more of an
> >>> educational problem.
> >>
> >> There's a reason for deploying network-based firewalls:
> >> <https://tools.ietf.org/html/draft-gont-opsawg-firewalls-analysis-01>
> >>
> >
> > There is an unaddressed tension here.
> > I think one view is that IPv6 should be deployed without firewalls so all
> > hosts are reachable from arbitrary other hosts on the Internet.
>
> The folk busted by the recent ICMPv6-based freebsd exploit has a good
> example regarding why you don't want to be reachable by everyone when
> you don't really need that.
>

Except for everyone with FreeBSD based network based firewalls.

In my experience, firewalls are a single point of failure that are generally more prone to attacks (state exhaustion, ALG mishandling bugs and associated platform crashes, ...) than anything else. A firewall is a host, so it has all those same host issues you speak of.

The biggest sources of network based DDoS today that are crushing the internet daily... are generally labeled a "home firewall"... these firewalls seem to expose UDP 1900, Chargen, NTP, and others.... The label says firewall.

So, excuse me if I don't think firewalls do what you think they do in the real world. In my experience, they are the vector of the worst attacks and concentrate the risk of a site going off-line into a single box that is more vulnerable (since it is running exotic ALGs, UPNP, PCP ...) than any other box.

CB

> "Need to know basis", "principle of least privilege"... i.e., you are
> not allowed to do something that you're not really required to do...
>
> > I think the other view is that all/most/many hosts should be protected by
> > a stateful firewall.
> >
> > I don't know that we can resolve this tension in v6ops, but I want to make
> > it explicit.
>
> Folks aiming at end to end connectivity have traditionally assumed that
> the "host" is some sort of computer (laptop, tablet, etc.) whereas
> "host" really becomes any crappy device that becomes IPv6-enabled...
> possibly with sloppy code, unmanaged, and possibly not even possible to
> upgrade. -- No.. you don't want that stuff reachable from anyone in the
> Internet.
>
>
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
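The message above argues that devices sold as "home firewalls" are themselves a major DDoS source because they answer SSDP (UDP 1900), chargen and NTP requests from the WAN side. The following is an added example, not code from the thread or from any of its participants, showing how an operator could check their own gateway's flow records for exactly that symptom: unsolicited WAN requests to a reflector port that get an answer many times larger than the request. The flow-record layout, the gateway address `203.0.113.10` and the sample records are all constructed for illustration and are not taken from any vendor's export format.

```python
"""
Added example (not from the v6ops thread): flag a gateway that is acting as a
UDP reflector. The heuristic follows the complaint in the message: a device
labelled "firewall" answering SSDP (UDP/1900), chargen (UDP/19) or NTP
(UDP/123) from the WAN side, with responses much larger than the requests.
Flow records and field layout below are constructed for this example and
are not any vendor's export format.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused for reflection; names are only used in the report.
REFLECTOR_PORTS = {1900: "ssdp", 19: "chargen", 123: "ntp", 53: "dns"}

# Hypothetical WAN-facing address of the gateway under review (constructed).
GATEWAY_WAN = "203.0.113.10"

# Constructed WAN-side flow records: proto,src,sport,dst,dport,in_bytes,out_bytes
# in_bytes = bytes from src toward the gateway, out_bytes = bytes sent back.
SAMPLE_FLOWS = """\
# proto,src,sport,dst,dport,in_bytes,out_bytes  (constructed sample data)
udp,198.51.100.7,54321,203.0.113.10,1900,90,3400
udp,198.51.100.7,54322,203.0.113.10,1900,90,3400
udp,198.51.100.9,40000,203.0.113.10,19,60,1024
udp,198.51.100.9,40001,203.0.113.10,123,48,0
udp,198.51.100.11,53000,203.0.113.10,123,48,440
tcp,198.51.100.7,55000,203.0.113.10,443,600,5000
""".splitlines()


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    in_bytes: int
    out_bytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed comma-separated flow record into a Flow."""
    proto, src, sport, dst, dport, inb, outb = line.strip().split(",")
    return Flow(proto, src, int(sport), dst, int(dport), int(inb), int(outb))


def find_exposed_reflectors(lines, gateway=GATEWAY_WAN, min_ratio=5.0):
    """Return {dport: (service, hits, amplification)} for every reflector
    port on which the gateway answered unsolicited WAN requests with an
    aggregate bytes-out / bytes-in ratio of at least min_ratio.

    Requests with out_bytes == 0 were dropped, i.e. the filter actually
    filtered, so they are not counted as exposure.
    """
    totals = defaultdict(lambda: [0, 0, 0])  # dport -> [hits, in_bytes, out_bytes]
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        f = parse_flow(line)
        if f.proto != "udp" or f.dst != gateway or f.dport not in REFLECTOR_PORTS:
            continue
        if f.out_bytes == 0:
            continue  # request was dropped: nothing reflected
        t = totals[f.dport]
        t[0] += 1
        t[1] += f.in_bytes
        t[2] += f.out_bytes

    report = {}
    for port, (hits, inb, outb) in totals.items():
        ratio = outb / inb if inb else float("inf")
        if ratio >= min_ratio:
            report[port] = (REFLECTOR_PORTS[port], hits, round(ratio, 1))
    return report


if __name__ == "__main__":
    for port, (service, hits, ratio) in sorted(find_exposed_reflectors(SAMPLE_FLOWS).items()):
        print(f"UDP/{port} ({service}): {hits} answered WAN request(s), "
              f"amplification x{ratio}")
```

On the constructed sample the gateway is reported as answering SSDP at roughly 38x amplification, chargen at 17x and NTP at 9x, while the one NTP request that was dropped is correctly ignored. Running the same check against real flow exports from the WAN interface tells you whether the box labelled "firewall" is filtering inbound UDP to these services or serving as a reflector for someone else's attack; the remediation is to drop or rate-limit those ports on the WAN side, or disable the services outright.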