This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[ipv6-wg] Request for feedback on IETF I-D draft-v6ops-vyncke-balanced-ipv6-security
- Previous message (by thread): [ipv6-wg] Request for feedback on IETF I-D draft-v6ops-vyncke-balanced-ipv6-security
- Next message (by thread): [ipv6-wg] 96 more bits... time for some magic after all?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Sebastian Wiesinger
ripe.ipv6-wg at ml.karotte.org
Tue Oct 22 10:58:43 CEST 2013
* Anfinsen, Ragnar <Ragnar.Anfinsen at altibox.no> [2013-10-16 16:30]:
> Dear all,
>
> The authors would like to invite the community to review and comment on
> IETF I-D draft-v6ops-vyncke-balanced-ipv6-security.
>
> <snip>
> Abstract
>
> This document describes how an IPv6 residential Customer Premise
> Equipment (CPE) can have a balanced security policy that allows for a
> mostly end-to-end connectivity while keeping the major threats
> outside of the home. It is based on an actual IPv6 deployment by
> Swisscom and proposes to allow all packets inbound/outbound EXCEPT
> for some layer-4 ports where attacks and vulnerabilities (such as
> weak passwords) are well-known.
> </snip>
>
> http://tools.ietf.org/html/draft-v6ops-vyncke-balanced-ipv6-security
>
> We have received feedback from the IETF community that there should not be
> any explicit list of ports to be blocked in the document. The authors
> feel that this list should be maintained by a neutral internet body;
> however, we need suggestions from the community on how this could be solved.

Hello,

I can see the advantage in having mostly-open end-to-end connectivity by
default, but I don't think it's feasible. Such a list would require a
tremendous effort to keep up to date, and I don't think people would do
that. I'm more with the "block inbound by default" crowd. One of the
reasons for IPv6 was to have every "smart thing" in the home connect to
the Internet. Who wants to gather every vulnerability for every dishwasher
and TV that's connecting to the Internet?

Having said that, I'm bothered by the word "should" in connection with the
ability of the end user to change this list. I would strongly suggest
changing that to a MUST everywhere in the document. If I ever get a CPE
that doesn't let me choose which ports to open inbound, I will go
ballistic.

Regards

Sebastian

--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE
SCYTHE. -- Terry Pratchett, The Fifth Elephant
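For readers who want to see what the two positions in this exchange look like on a box, the following nftables ruleset is an added example; it is not part of the thread, the draft, or any Swisscom or CPE vendor configuration. It shows the "block inbound by default" policy the reply argues for, with the user-editable set of open ports the reply wants made a MUST, next to the draft's "allow everything except some layer-4 ports" policy. The interface names wan0/lan0 and the two entries in user_open_tcp are assumptions for illustration; the blocked-port set is left empty on purpose, because which ports belong in it, and who maintains that list, is exactly the open question the thread raises.

```nft
# Added example (not from the thread or the draft). Assumptions: WAN side
# is wan0, LAN side is lan0, and the ports in user_open_tcp are what a
# hypothetical end user chose to expose.
table inet cpe_fw {
    # Policy A ("block inbound by default"): the end user decides which
    # ports are reachable from the Internet; everything else is dropped.
    # Keeping this in a named set lets the user change it without
    # touching the rules, which is the MUST the reply asks for.
    set user_open_tcp {
        type inet_service
        elements = { 22, 443 }     # assumed user choices, for illustration
    }

    # Policy B (draft-v6ops-vyncke-balanced-ipv6-security): allow all
    # inbound traffic except a list of layer-4 ports. Deliberately empty
    # here: the contents and the maintainer of this list are what the
    # thread is debating, so nothing is invented for it.
    set blocked_tcp {
        type inet_service
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Stateful: replies to LAN-initiated flows are allowed under both
        # policies; malformed or untracked state is dropped.
        ct state established,related accept
        ct state invalid drop

        # IPv6 does not work without ICMPv6 (Path MTU discovery relies on
        # packet-too-big). Never filter these, whichever policy is chosen;
        # RFC 4890 gives the full guidance.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem,
                      echo-request, echo-reply } accept

        # LAN -> WAN: all outbound traffic is allowed under both policies.
        iifname "lan0" oifname "wan0" accept

        # WAN -> LAN, Policy A: only the ports the user opened.
        iifname "wan0" oifname "lan0" tcp dport @user_open_tcp accept

        # WAN -> LAN, Policy B: comment out the rule above and enable
        # these two to get the draft's allow-all-except behaviour.
        # iifname "wan0" oifname "lan0" tcp dport @blocked_tcp drop
        # iifname "wan0" oifname "lan0" accept
    }
}
```

Load it with `nft -f <file>`. The end-user override the reply insists on is then a single command rather than a firmware change, for example `nft add element inet cpe_fw user_open_tcp { 8080 }` to expose one more service, or `nft delete element inet cpe_fw user_open_tcp { 22 }` to close one. Note that UDP is not covered by either set here; a real CPE would need a matching `inet_service` set and `udp dport` rules, and the same ICMPv6 caveat applies regardless.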