[120256] in North American Network Operators' Group
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
daemon@ATHENA.MIT.EDU (Owen DeLong)
Mon Dec 14 13:08:49 2009
From: Owen DeLong <owen@delong.com>
In-Reply-To: <4B2521B1.7080603@bogus.com>
Date: Mon, 14 Dec 2009 00:58:45 -0800
To: Joel Jaeggli <joelja@bogus.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
>> UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway.
>>
>> You don't need UPnP if you're not doing NAT.
>
> wishful thinking.
>
> you're likely to still have a stateful firewall and in the consumer space
> someone is likely to want to punch holes in it.
Yes, SI will still be needed. However, UPnP is, at its heart, a way to allow
arbitrary unauthenticated applications the power to amend your security
policy to their will. Can you possibly explain any way in which such a
thing is at all superior to no firewall at all?

I would argue that a firewall that can be reconfigured by any applet a user
clicks on (whether they know it or not) is actually less useful than no
firewall because it creates the illusion in the user's mind that there is a
firewall protecting them.

Owen