Is that not RFC6092? iirc, that supports e2e IKE+IPSec, for example.
Tim

> On 12 Dec 2017, at 15:03, Kristian McColm <[email protected]> wrote:
>
> Is it not feasible just as it is for CPE to come with a firewall with a sane set of defaults, that the device manufacturer would sell it with a similar set of defaults? Perhaps we can go as far as writing this into an RFC or expanding upon RFC 7721?
>
> From: [email protected] <[email protected]> on behalf of Jan Pedro Tumusok <[email protected]>
> Sent: Tuesday, December 12, 2017 9:45:17 AM
> To: [email protected]
> Subject: Re: UPnP/IPv6 support in home routers?
>
> Hi,
>
> What about all the people that are not able to set up their own filters and other security mechanisms? Most people got this computer stuff for usage and not to tinker with or spend hours figuring out the best type of configuration. How do we give them a bit more security than wide open devices?
>
> Pedro
>
> On Mon, Dec 11, 2017 at 10:12 PM, Kristian McColm <[email protected]> wrote:
> Fernando, sorry but we’ll have to agree to disagree. I personally see stateful firewalls as a pain point. They don’t do a very good job of tracking socket states and often cause packet loss for this reason; they are not well aware of the true socket state, they just try to replicate it based on sniffing, which doesn’t work very well for stateless protocols, I might add. Of course all this sniffing is something the forefathers of the internet never intended us to need to do. I would suggest you can always implement filters and other security mechanisms on your own devices, which should be done as a matter of best practice regardless.
> I certainly wouldn’t want to rely on some ‘crap’ CPE given to me by my service provider to protect my end devices from all the other ‘crap’ out there 😊
>
> From: [email protected] <[email protected]> on behalf of Fernando Gont <[email protected]>
> Sent: Monday, December 11, 2017 4:00:17 PM
> To: Kristian McColm
> Cc: [email protected]; Fernando Gont
> Subject: Re: UPnP/IPv6 support in home routers?
>
> The crap doesn't get fixed because that's the software development we are used to. Windows 10 was Windows '95 in the '90s. So give the IoT stuff 15-20 years to get to a sensible quality/state/security and/or enough widespread trouble/exploitation.
>
> Pragmatically speaking, people will connect that crap to the 'net... and the "less connected" such devices are, the better.
> So, please, don't remove FWs. :-)
>
> Cheers,
> Fernando
>
> On Mon, Dec 11, 2017 at 5:50 PM, Kristian McColm <[email protected]> wrote:
> And therein lies the root of the problem... the ‘crap’ never gets fixed because it has the firewall isolating it, but this causes problems for devices and applications which are not ‘crap.’ I realize this is more idealistic than pragmatic, but we will have much smoother network integration if we don’t have to deal with the many problems that so called stateful firewalls bring along with them. Now that IPv6 is set to do away with (P/N)AT, we’re halfway there.
>
> From: [email protected] <[email protected]> on behalf of Fernando Gont <[email protected]>
> Sent: Monday, December 11, 2017 3:43:27 PM
> To: Kristian McColm
> Cc: [email protected]; Fernando Gont
> Subject: Re: UPnP/IPv6 support in home routers?
>
> Kristian,
>
> I see no reason for which they should disappear. Actually, quite the opposite; we keep connecting more and more crap to the net (the so called IoT), which clearly cannot defend itself.
>
> The "principle of least privilege" applies to connectivity, too.
>
> Thanks!
> Fernando
>
> On Mon, Dec 11, 2017 at 12:28 PM, Kristian McColm <[email protected]> wrote:
> Corporate and/or specific network requirements notwithstanding, in my opinion this is just another example of why in IPv6, firewalls in general could/should be retired. If the end user device is required to be responsible for its own security, it can open the necessary ports via whatever firewall API it provides to applications running on it.
>
> From: [email protected] <[email protected]> on behalf of Doug McIntyre <[email protected]>
> Sent: Monday, December 11, 2017 10:22:39 AM
> To: [email protected]
> Subject: Re: UPnP/IPv6 support in home routers?
>
> On Mon, Dec 11, 2017 at 04:03:27PM +0100, Gert Doering wrote:
> > On Mon, Dec 11, 2017 at 11:54:15AM +0000, Tom Hill wrote:
> > > "Dear Gateway, I am definitely not a compromised host, please open all ports toward me."
> >
> > But that's the whole idea of UPnP or IGD. Whether you open one port or all of them, on request of a possibly-compromised host, is of no relevance.
>
> I think the thinking is that since most IPv4 "home" protocols (which is really only where UPnP exists, since Enterprise class firewalls almost never want to have anything to do with it), is that most of the "home" protocols (e.g. games, streaming, etc.) have mostly converged to a model not expecting end-to-end connectivity, and hidden behind a NAT thing, that anything now transitioning to IPv6 will follow suit when they add that support to whatever needs to punch holes in things, instead checking in constantly with the "central server" instead of assuming end-to-end connectivity.
>
> That said, I think the IPv6 firewalls need better home connectivity support as well.
> I once put in a ticket to Fortinet to ask if there could be made an ACL object that tracked the prefix mask delivered via DHCP6_PD, such that we could write policies such as
>
> allow remote_ipv6_address ${PREFIX1}::1f5d:50 22
>
> But that couldn't be impressed on the first tiers of support whatsoever. That totally confused them to no end. Unlike my IPv4 address which almost never changes at Comcast, the IPv6 prefixes I get change on every connection.
>
> This communication is confidential. We only send and receive email on the basis of the terms set out at www.rogers.com/web/content/emailnotice
>
> This message is confidential. We send and receive e-mail strictly under the terms set out in the notice published at www.rogers.com/aviscourriel
>
> --
> Fernando Gont
> e-mail: [email protected] || [email protected]
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
>
> --
> Jan Pedro Tumusok
> CEO
> Eye Networks AS
> Skype: jpedrot | Office phone: +47 22 82 08 80
> https://eyenetworks.no | https://eyesaas.com
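An added example, not code from the thread and not Fortinet or nftables project code: the two ideas the thread circles around, an RFC 6092-style default inbound policy for a home CPE (default deny, stateful return traffic, ICMPv6, and IKE/IPsec passthrough) and Doug's "ACL object that tracks the delegated prefix", as a small Python generator that rebuilds an nftables ruleset whenever DHCPv6-PD hands out a new prefix. The prefixes, host suffix and interface names are constructed placeholders; the nftables syntax is what the generator emits and is assumed to match the reader's nft version.

```python
"""Rebuild a CPE inbound IPv6 policy from the currently delegated prefix.

Added example (not from the thread): the rule for a LAN host is expressed as
"delegated prefix + fixed host suffix", so it survives a prefix change, which
is the ACL-object behaviour Doug asked Fortinet for. The surrounding defaults
follow the RFC 6092 spirit: drop unsolicited inbound, keep state, let
ICMPv6 and IKE/IPsec through so end-to-end IPsec still works.
"""
import ipaddress

# Constructed placeholders; a real CPE would read these from its DHCPv6-PD
# lease and its own interface configuration.
LAN_IF = "lan0"
WAN_IF = "wan0"


def suffix_fits(delegated_prefix: str, host_suffix: str) -> bool:
    """True if host_suffix (e.g. "::1f5d:50") uses only the host bits of the prefix."""
    net = ipaddress.IPv6Network(delegated_prefix, strict=True)
    suffix = int(ipaddress.IPv6Address(host_suffix))
    return suffix < (1 << (128 - net.prefixlen))


def host_in_prefix(delegated_prefix: str, host_suffix: str) -> ipaddress.IPv6Address:
    """Combine ${PREFIX} and a host suffix into one address, ${PREFIX}::1f5d:50 style."""
    if not suffix_fits(delegated_prefix, host_suffix):
        raise ValueError(f"{host_suffix} does not fit in the host bits of {delegated_prefix}")
    net = ipaddress.IPv6Network(delegated_prefix, strict=True)
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv6Address(host_suffix)))


def build_ruleset(delegated_prefix: str, services) -> str:
    """Emit an nftables forward-chain policy for the given prefix.

    services: iterable of (host_suffix, l4proto, port) that should be
    reachable from the outside, e.g. ("::1f5d:50", "tcp", 22).
    """
    lines = [
        "table ip6 homefw {",
        "  chain inbound {",
        "    type filter hook forward priority 0; policy drop;",
        f'    iifname "{LAN_IF}" accept',           # LAN-originated traffic may leave
        "    ct state established,related accept",  # replies to LAN-initiated flows
        "    ct state invalid drop",
        "    meta l4proto icmpv6 accept",           # ND, PMTUD, etc. must not be filtered blindly
        "    udp dport { 500, 4500 } accept",       # IKE and IKE NAT-T
        "    meta l4proto esp accept",              # IPsec ESP
        "    meta l4proto ah accept",               # IPsec AH
    ]
    for host_suffix, l4proto, port in services:
        addr = host_in_prefix(delegated_prefix, host_suffix)
        lines.append(f'    iifname "{WAN_IF}" ip6 daddr {addr} {l4proto} dport {port} accept')
    lines += ["  }", "}"]
    return "\n".join(lines)


def exposed_addresses(delegated_prefix: str, services) -> list:
    """The concrete addresses a ruleset for this prefix would open; useful for auditing."""
    return [str(host_in_prefix(delegated_prefix, s[0])) for s in services]


if __name__ == "__main__":
    services = [("::1f5d:50", "tcp", 22)]
    # Two successive leases with different delegated prefixes (constructed values).
    for prefix in ("2001:db8:1234::/48", "2001:db8:abcd::/48"):
        print(f"# prefix now {prefix}: opening {exposed_addresses(prefix, services)}")
        print(build_ruleset(prefix, services))
```

Running it prints one ruleset per lease; only the `ip6 daddr` line changes between them, which is exactly what a prefix-aware address object would have given Doug without a ticket. Feeding the output to `nft -f` is left to the reader, since the interface names are placeholders.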
