[120261] in North American Network Operators' Group
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
daemon@ATHENA.MIT.EDU (Mohacsi Janos)
Mon Dec 14 15:21:57 2009
Date: Mon, 14 Dec 2009 21:21:08 +0100 (CET)
From: Mohacsi Janos <mohacsi@niif.hu>
To: Owen DeLong <owen@delong.com>
In-Reply-To: <9B702073-059F-4653-A4CA-1DA963164C9A@delong.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mon, 14 Dec 2009, Owen DeLong wrote:
>>> UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway.
>>>
>>> You don't need UPnP if you're not doing NAT.
>>
>> wishful thinking.
>>
>> you're likely to still have a stateful firewall and in the consumer space
>> someone is likely to want to punch holes in it.
>
> Yes, SI will still be needed. However, UPnP is, at its heart, a way to allow
> arbitrary unauthenticated applications the power to amend your security
> policy to their will. Can you possibly explain any way in which such a
> thing is at all superior to no firewall at all?
Because of the least surprise principle: users got used to having NAT ~>
they expect a similar stateful firewall in IPv6. They got used to using UPnP
in IPv4 ~> they expect something similar in IPv6.
I don't think this is good, but the bad engineering decisions of UPnP cannot
be replaced with better ones overnight.
Best Regards,
Janos Mohacsi
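As an added illustration of the point argued above (this is not code from the thread or from any UPnP implementation), the block below builds a UPnP IGD AddPortMapping request using the argument names of the standard WANIPConnection:1 service, parses it the way a router's control endpoint would, and then applies a local policy check before the mapping is honoured. The request carries no credential at all: the only "identity" a CPE has to go on is the source address of the HTTP connection. The policy rules (port ranges, deny list, lease bound) and the sample addresses are assumptions chosen for the example, not anything the thread or the UPnP specification prescribes.

```python
"""Added example: an unauthenticated UPnP IGD AddPortMapping request and an
assumed policy filter a CPE firewall could apply before honouring it."""
import ipaddress
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
IGD_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"


def build_add_port_mapping(external_port, protocol, internal_port,
                           internal_client, lease, description="demo"):
    """Construct the SOAP body a LAN application POSTs to the router's
    control URL.  Argument names follow WANIPConnection:1; note that nothing
    in the envelope identifies or authenticates the requester."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}"
 s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <s:Body>
  <u:AddPortMapping xmlns:u="{IGD_NS}">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>{external_port}</NewExternalPort>
   <NewProtocol>{protocol}</NewProtocol>
   <NewInternalPort>{internal_port}</NewInternalPort>
   <NewInternalClient>{internal_client}</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>{description}</NewPortMappingDescription>
   <NewLeaseDuration>{lease}</NewLeaseDuration>
  </u:AddPortMapping>
 </s:Body>
</s:Envelope>"""


def parse_add_port_mapping(xml_text):
    """Extract the AddPortMapping arguments; raises on malformed input."""
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP_NS}}}Body")
    action = None if body is None else body.find(f"{{{IGD_NS}}}AddPortMapping")
    if action is None:
        raise ValueError("not an AddPortMapping request")
    # The argument elements carry no namespace, so their tags are bare names.
    args = {child.tag: (child.text or "") for child in action}
    return {
        "remote_host": args["NewRemoteHost"],
        "external_port": int(args["NewExternalPort"]),
        "protocol": args["NewProtocol"].upper(),
        "internal_port": int(args["NewInternalPort"]),
        "internal_client": ipaddress.ip_address(args["NewInternalClient"]),
        "lease": int(args["NewLeaseDuration"]),
    }


# Assumed local policy: since the protocol carries no authorisation, the
# router has to supply its own limits on what an application may open.
MAX_LEASE_SECONDS = 7 * 24 * 3600          # assumption: one week
DENIED_INTERNAL_PORTS = {22, 23, 445, 3389}  # assumption: admin services


def evaluate_mapping(req, requester_ip):
    """Return (allowed, reason) for a parsed request from requester_ip."""
    if req["protocol"] not in ("TCP", "UDP"):
        return False, "unknown protocol"
    # A host may only open holes towards itself, never towards a neighbour.
    if req["internal_client"] != ipaddress.ip_address(requester_ip):
        return False, "mapping targets a host other than the requester"
    if not 1024 <= req["external_port"] <= 65535:
        return False, "external port outside unprivileged range"
    if req["internal_port"] in DENIED_INTERNAL_PORTS:
        return False, "internal port is on the deny list"
    # Lease 0 means "permanent" in IGD; insist on a bounded lifetime.
    if req["lease"] == 0 or req["lease"] > MAX_LEASE_SECONDS:
        return False, "lease must be finite and bounded"
    return True, "ok"


def handle_request(xml_text, requester_ip):
    """Parse a request and decide whether the CPE should install the mapping."""
    return evaluate_mapping(parse_add_port_mapping(xml_text), requester_ip)


if __name__ == "__main__":
    # Constructed sample: a LAN host asking to expose its own SSH port forever.
    sample = build_add_port_mapping(22, "TCP", 22, "192.168.1.50", 0)
    print(handle_request(sample, "192.168.1.50"))
```

The decision function is deliberately separate from the parser so that the same policy can be applied to any other hole-punching mechanism a CPE supports; the point of the example is that whatever the mechanism, the authorisation has to come from the firewall's own policy, because the request itself supplies none.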