This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ipv6-wg@ripe.net/
[ipv6-wg] Request for feedback on IETF I-D draft-v6ops-vyncke-balanced-ipv6-security
- Previous message (by thread): [ipv6-wg] [training] RIPE NCC Webinars - new dates
- Next message (by thread): [ipv6-wg] Request for feedback on IETF I-D draft-v6ops-vyncke-balanced-ipv6-security
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Anfinsen, Ragnar
Ragnar.Anfinsen at altibox.no
Wed Oct 16 16:17:51 CEST 2013
Dear all, The authors would like to invite the community to review and comment on IETF I-D draft-v6ops-vyncke-balanced-ipv6-security. <snip> Abstract This document describes how an IPv6 residential Customer Premise Equipment (CPE) can have a balanced security policy that allows for a mostly end-to-end connectivity while keeping the major threats outside of the home. It is based on an actual IPv6 deployment by Swisscom and proposes to allow all packets inbound/outbound EXCEPT for some layer-4 ports where attacks and vulnerabilities (such as weak passwords) are well-known. </snip> http://tools.ietf.org/html/draft-v6ops-vyncke-balanced-ipv6-security We have received feedback from the IETF community that there should not be any explicit list of ports to be blocked in the document. The authors feels that this list should be maintained by a neutral internet body, however we need suggestions from the community on who this could be solved. So basically there are a few options on who the list could be managed; * Let the ISP/Vendor define and maintain the list by them selves. * Let the community maintain such list using consensus. * Ask a neutral internet body (insert favorite here) to manage the list based on the actual threat picture. Please keep in mind that this draft is not meant to define an IDS/IPS style of functionality. We are only looking for how to solve the IPv6 firewall default on/off problem. This draft only covers the default list provided when the customer is begin connected. The customer can, depending on the ISP's policy, fully administer the firewall rules. Best Regards The authors; Eric Vyncke, Cisco Martin Gysi, Swisscom Guillaume Leclanche, Swisscom Ragnar Anfinsen, Altibox
- Previous message (by thread): [ipv6-wg] [training] RIPE NCC Webinars - new dates
- Next message (by thread): [ipv6-wg] Request for feedback on IETF I-D draft-v6ops-vyncke-balanced-ipv6-security
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ ipv6-wg Archives ]