[125656] in North American Network Operators' Group
Re: Rate of growth on IPv6 not fast enough?
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Apr 20 19:17:07 2010
To: Simon Perreault <simon.perreault@viagenie.ca>
In-Reply-To: Your message of "Tue, 20 Apr 2010 18:03:09 EDT."
<4BCE249D.7090805@viagenie.ca>
From: Valdis.Kletnieks@vt.edu
Date: Tue, 20 Apr 2010 19:15:48 -0400
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Tue, 20 Apr 2010 18:03:09 EDT, Simon Perreault said:
> This is the latest proposal. The Security Considerations section needs
> some love...
I may be the only one who finds that unintentionally hilarious.
In any case, to a first-order approximation, it doesn't even matter all that
much security-wise. I mean - let's be *honest* guys. After XP SP2 got any
significant market penetration, pretty much everybody had a host-based firewall
that defaulted to default-deny, so the NAT firewall was merely belt and
suspenders.
Pretty much all the attacks we've seen in the last few years have been things
like web drive-bys, trojaned torrents, and other stuff that sails right in
through open ports through the firewall (both host and standalone). And any
malware that's able to turn around and punch open a port on the host firewall
is just as easily able to go and use UPnP to send a "Pants Down!" command to
the standalone firewall.
(Yes, defense in depth is a Good Thing. But that external firewall isn't
doing squat for your security if it actually accepts UPnP from inside.)
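The "use UPnP to open a port on the standalone firewall from inside" step above, as an added example that is not part of the original post or of anything the poster wrote: it builds the two messages involved (an SSDP M-SEARCH to find the Internet Gateway Device, then an unauthenticated WANIPConnection#AddPortMapping SOAP call to its control URL), parses the gateway's answers, and wraps them in a live probe you can run from a LAN host to see whether your own gateway honours the request. The SSDP reply, the device description XML, the 192.168.1.x addresses and the external port 45678 are constructed sample data and arbitrary choices, not values from the post.

```python
"""Added example (not from the original post): the on-the-wire shape of a UPnP IGD
port-opening request and a probe that checks whether a gateway accepts it from the LAN.
SSDP reply, device description and 192.168.1.x addresses below are constructed samples."""
import re
import socket
import xml.etree.ElementTree as ET
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP_ST = "urn:schemas-upnp-org:service:WANIPConnection:1"
DEV_NS = "urn:schemas-upnp-org:device-1-0"

# Constructed sample data standing in for a real gateway's answers.
SAMPLE_SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
                     b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                     b"LOCATION: http://192.168.1.1:1900/rootDesc.xml\r\n"
                     b"SERVER: Constructed/1.0 UPnP/1.0\r\n\r\n")
SAMPLE_DESCRIPTION = f"""<root xmlns="{DEV_NS}"><device><deviceType>{IGD_ST}</deviceType>
 <deviceList><device><deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
  <deviceList><device><deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
   <serviceList><service><serviceType>{WANIP_ST}</serviceType>
    <controlURL>/ctl/IPConn</controlURL></service></serviceList>
  </device></deviceList></device></deviceList></device></root>"""
SAMPLE_REJECTED = (b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
                   b"<s:Fault><detail><UPnPError><errorCode>606</errorCode>"
                   b"<errorDescription>Action not authorized</errorDescription>"
                   b"</UPnPError></detail></s:Fault></s:Body></s:Envelope>")

def build_msearch(st=IGD_ST, mx=2):
    """SSDP M-SEARCH: the multicast probe any LAN host can send to find the gateway."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_GROUP}:{SSDP_PORT}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\nST: {st}\r\n\r\n").encode("ascii")

def parse_ssdp_response(raw):
    """Headers of an SSDP 200 OK; LOCATION is the URL of the device description."""
    status, _, rest = raw.decode("ascii", "replace").partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError(f"unexpected SSDP status: {status!r}")
    pairs = (line.split(":", 1) for line in rest.split("\r\n") if ":" in line)
    return {k.strip().upper(): v.strip() for k, v in pairs}

def find_control_url(description_xml, base_url, service_type=WANIP_ST):
    """controlURL of the WANIPConnection service, resolved against the description URL."""
    root = ET.fromstring(description_xml)
    for svc in root.iter(f"{{{DEV_NS}}}service"):
        if svc.findtext(f"{{{DEV_NS}}}serviceType") == service_type:
            return urljoin(base_url, svc.findtext(f"{{{DEV_NS}}}controlURL"))
    raise LookupError(f"{service_type} not advertised in device description")

def build_add_port_mapping(ext_port, int_port, int_client, proto="TCP",
                           desc="upnp-check", lease=0):
    """HTTP headers and SOAP body for AddPortMapping. Note: no credentials anywhere."""
    fields = [("NewRemoteHost", ""), ("NewExternalPort", ext_port), ("NewProtocol", proto),
              ("NewInternalPort", int_port), ("NewInternalClient", int_client),
              ("NewEnabled", 1), ("NewPortMappingDescription", desc), ("NewLeaseDuration", lease)]
    args = "".join(f"<{k}>{v}</{k}>" for k, v in fields)
    body = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:AddPortMapping xmlns:u="{WANIP_ST}">{args}</u:AddPortMapping>'
            '</s:Body></s:Envelope>')
    return {"Content-Type": 'text/xml; charset="utf-8"',
            "SOAPAction": f'"{WANIP_ST}#AddPortMapping"'}, body.encode("utf-8")

def classify_soap_response(raw):
    """('accepted', None) if the mapping was created, ('rejected', code) on a UPnPError."""
    text = raw.decode("utf-8", "replace")
    if "AddPortMappingResponse" in text:
        return ("accepted", None)
    m = re.search(r"<errorCode>\s*(\d+)\s*</errorCode>", text)
    return ("rejected", int(m.group(1))) if m else ("unknown", None)

def probe_gateway(timeout=2.0, ext_port=45678):
    """Live check from a LAN host: find an IGD and ask it to forward ext_port to us.
    Returns None if no IGD answers SSDP, else the classify_soap_response() verdict."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.settimeout(timeout)
    udp.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
    try:
        raw, (gw_ip, _) = udp.recvfrom(4096)
    except socket.timeout:
        return None
    location = parse_ssdp_response(raw)["LOCATION"]
    with urlopen(location, timeout=timeout) as r:
        control = find_control_url(r.read().decode("utf-8", "replace"), location)
    udp.connect((gw_ip, SSDP_PORT))          # learn which local address faces the gateway
    headers, body = build_add_port_mapping(ext_port, ext_port, udp.getsockname()[0])
    req = Request(control, data=body, headers=headers, method="POST")
    try:
        with urlopen(req, timeout=timeout) as r:
            return classify_soap_response(r.read())
    except HTTPError as e:                   # UPnP faults arrive as HTTP 500 with a SOAP body
        return classify_soap_response(e.read())

if __name__ == "__main__":
    verdict = probe_gateway()
    print("no IGD answered SSDP" if verdict is None else f"AddPortMapping verdict: {verdict}")
```

Run it from an ordinary host on the LAN. "no IGD answered SSDP" or a ('rejected', 606) verdict is what you want to see; ('accepted', None) means any process on that host could have done the same, the mapping now exists on the gateway (remove it with DeletePortMapping, or reboot the gateway), and UPnP IGD should be switched off on the gateway. Nothing in the exchange carries credentials, which is the whole point of the post's complaint.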