The crap doesn't get fixed because that's the software development we are used to. Windows 10 was Windows '95 in the '90s. So give the IoT stuff 15-20 years to get to a sensible quality/state/security and/or enough widespread trouble/exploitation.

Pragmatically speaking, people will connect that crap to the 'net... and the "less connected" such devices are, the better. So, please, don't remove FWs. :-)

Cheers,
Fernando

On Mon, Dec 11, 2017 at 5:50 PM, Kristian McColm <[email protected]> wrote:
> And therein lies the root of the problem.. the 'crap' never gets fixed
> because it has the firewall isolating it, but this causes problems for
> devices and applications which are not 'crap.' I realize this is more
> idealistic than pragmatic, but we will have much smoother network
> integration if we don't have to deal with the many problems that so called
> stateful firewalls bring along with them. Now that IPv6 is set to do away
> with (P/N)AT, we're halfway there.
>
> ------------------------------
> *From:* [email protected] <fernando.gont.netbook.win@gmail.com> on behalf of Fernando Gont <[email protected]>
> *Sent:* Monday, December 11, 2017 3:43:27 PM
> *To:* Kristian McColm
> *Cc:* [email protected]; Fernando Gont
> *Subject:* Re: UPnP/IPv6 support in home routers?
>
> Kristian,
>
> I see no reason for which they should disappear. Actually, quite the
> opposite; we keep connecting more and more crap to the net (the so called
> IoT), which clearly cannot defend itself.
>
> The "principle of least privilege" applies to connectivity, too.
>
> Thanks!
> Fernando
>
> On Mon, Dec 11, 2017 at 12:28 PM, Kristian McColm <[email protected]> wrote:
>
>> Corporate and/or specific network requirements notwithstanding, in my
>> opinion this is just another example of why in IPv6, firewalls in general
>> could/should be retired. If the end user device is required to be
>> responsible for its own security, it can open the necessary ports via
>> whatever firewall API it provides to applications running on it.
>>
>> ------------------------------
>> *From:* [email protected] <[email protected]> on behalf of Doug McIntyre <[email protected]>
>> *Sent:* Monday, December 11, 2017 10:22:39 AM
>> *To:* [email protected]
>> *Subject:* Re: UPnP/IPv6 support in home routers?
>>
>> On Mon, Dec 11, 2017 at 04:03:27PM +0100, Gert Doering wrote:
>> > On Mon, Dec 11, 2017 at 11:54:15AM +0000, Tom Hill wrote:
>> > > "Dear Gateway, I am definitely not a compromised host, please open all
>> > > ports toward me."
>> >
>> > But that's the whole idea of UPnP or IGD. Whether you open one port or
>> > all of them, on request of a possibly-compromised host, is of no
>> > relevance.
>>
>> I think the thinking is that since most IPv4 "home" protocols (which
>> is really only where UPnP exists, since Enterprise class firewalls
>> almost never want to have anything to do with it), is that most of the
>> "home" protocols (eg. games, streaming, etc) have mostly converged to
>> a model not expecting end-to-end connectivity, and hidden behind a NAT
>> thing, that anything now transitioning to IPv6 will follow suit when
>> they add that support to whatever needs to punch holes in things,
>> instead checking in constantly with the "central server" instead of
>> assuming end-to-end connectivity.
>>
>> That said, I think the IPv6 firewalls need better home connectivity
>> support as well. I once put in a ticket to Fortinet to ask if there
>> could be made an ACL object that tracked the prefix mask delivered via
>> DHCP6_PD, such that we could write policies such as
>>
>>     allow remote_ipv6_address ${PREFIX1}::1f5d:50 22
>>
>> But that couldn't be impressed on the first tiers of support
>> what-so-ever. That totally confused them to no end. Unlike my IPv4
>> address which almost never changes at Comcast, the IPv6 prefixes I get
>> change on every connection.
>>
>> ------------------------------
>> This communication is confidential. We only send and receive email on the
>> basis of the terms set out at www.rogers.com/web/content/emailnotice
>> ------------------------------
>
> --
> Fernando Gont
> e-mail: [email protected] || [email protected]
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
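The prefix-tracking ACL object Doug describes in the thread, as an added example that is not code from the thread, from Fortinet or from any router vendor: a small Python script that combines the currently delegated DHCPv6-PD prefix with a fixed host suffix (the `${PREFIX1}::1f5d:50` idea) and renders a default-deny, stateful nftables forward policy with one explicit accept per exposed service. Re-running it on every prefix renewal keeps the rule pointing at the right host without any UPnP/IGD-style request from the host itself. The prefixes, the `::1f5d:50` suffix, the table name and the allow list are constructed sample values; the script emits nftables syntax as text rather than applying it.

```python
import ipaddress

# Constructed sample allow list: (host suffix, L4 protocol, port).
# The suffix mirrors the one quoted in the thread; nothing here is a real host.
ALLOW_LIST = [
    ("::1f5d:50", "tcp", 22),
]


def host_in_prefix(delegated_prefix: str, host_suffix: str) -> ipaddress.IPv6Address:
    """Combine a delegated prefix (e.g. 2001:db8:1234::/48) with a host suffix
    (e.g. ::1f5d:50) into the full address the firewall should match on."""
    net = ipaddress.IPv6Network(delegated_prefix, strict=True)
    suffix = int(ipaddress.IPv6Address(host_suffix))
    host_bits = 128 - net.prefixlen
    # Refuse suffixes that would spill into the prefix bits and silently
    # match a different network than the operator intended.
    if suffix >= (1 << host_bits):
        raise ValueError(
            f"suffix {host_suffix} does not fit in the {host_bits} host bits of {delegated_prefix}"
        )
    return ipaddress.IPv6Address(int(net.network_address) | suffix)


def render_forward_policy(delegated_prefix: str, allow_list=ALLOW_LIST) -> str:
    """Render an nftables forward chain for the prefix in force right now:
    drop by default, let stateful return traffic through, keep ICMPv6 (IPv6
    does not function without it), then one accept per allowed host/port."""
    lines = [
        "table ip6 pd_policy {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
        "    meta l4proto ipv6-icmp accept",
    ]
    for suffix, proto, port in allow_list:
        addr = host_in_prefix(delegated_prefix, suffix)
        lines.append(f"    ip6 daddr {addr} {proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


def accepted_hosts(delegated_prefix: str, allow_list=ALLOW_LIST) -> list:
    """Full addresses the policy exposes for a given prefix; useful for
    logging what changed after a PD renewal."""
    return [str(host_in_prefix(delegated_prefix, s)) for s, _, _ in allow_list]


if __name__ == "__main__":
    # Simulate the prefix changing between two connections, as in the thread.
    for prefix in ("2001:db8:1234::/48", "2001:db8:abcd::/56"):
        print(f"# delegated prefix {prefix} -> exposed hosts {accepted_hosts(prefix)}")
        print(render_forward_policy(prefix))
```

On a real router this would be hooked to the DHCPv6 client's renewal event (for example a script run by the client on prefix change) and fed to `nft -f`; the point is that the allowed host is derived from the delegation, so the policy stays as narrow as the static IPv4 rule would have been while the prefix keeps changing.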
