
Re: comment on: draft-ietf-v6ops-unman-scenarios-00.txt



Is there any reason why we can't recommend strongly that the router
for an unman network should incorporate a firewall with most ports closed
by default, and opened manually on demand, as with most personal
firewall products?

There are some user interface design issues for such a solution, but
personal firewalls are a proof of concept.

   Brian

Alain Durand wrote:
> 
> I have several comments on draft-ietf-v6ops-unman-scenarios-00.txt.
> Some minor ones and a major one; let me start with the latter:
> 
> Security.
> 
> In IPv4+NAT, incoming connections are blocked unless
> someone configured port forwarding. It means that a highly insecure
> host in the unmanaged network has some degree of protection from the
> outside.
> Not perfect, but at least it raises the bar a little. For example, I
> can have
> an unconfigured network printer that is fully open, or not worry
> too much about a potential security hole in the file server.
> 
> If IPv6 is turned on, in any of the described scenarios A-D, all of a
> sudden
> all ports on all addresses become reachable from the outside.
> This is actually the benefit of IPv6, but it comes with a price:
> My insecure hosts become more vulnerable, as they are now directly
> exposed,
> and in my example, anybody can print on my network printer.
> Security through obscurity helps a little here, as the IPv6 address of
> my
> printer will be hard to guess. However, in the peer-to-peer example
> described in the draft, the IPv6 address of the host gets published
> so your peers can reach you. But what if there are services running
> on the same host that are, let's say, not as robust as they should be?
> Maybe the peer-to-peer application is 'safe' but the 'backdoor' in the
> file server has not been properly fixed...
> 
> This problem has different repercussions depending on which scenario
> you're in:
> 
> In scenario A, tunneling IPv6 over UDP to bypass the NAT/Firewall
> creates a security breach. I understand this is the unmanaged case,
> but if those techniques are applied in the enterprise (managed or
> unmanaged),
> this can have serious consequences.
> 
> In scenario B, C & D, the CPE MUST implement an IPv6 firewall,
> and make this one easy to administer in this unmanaged scenario ;-)
> 
>         - Alain.

-- 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Brian E Carpenter 
Distinguished Engineer, Internet Standards & Technology, IBM 
On assignment at the IBM Zurich Laboratory, Switzerland
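
What Brian's "most ports closed by default, opened manually on demand" and Alain's "the CPE MUST implement an IPv6 firewall" amount to in practice, as an added example that is not part of this thread or of the draft: a stateful default-deny IPv6 filter for a CPE, written in nftables syntax (a tool that postdates this discussion). The table, set and interface names (cpe_ipv6, open_tcp/open_udp, wan0, lan0) and the LAN-only admin port are assumptions. The ruleset reproduces the property Alain gets from NAT, inbound connections blocked unless explicitly opened, without translating any addresses, and makes the "open on demand" step a set update rather than a rule edit.

```nft
# Added example, not from the draft or the thread. Names are assumptions.
table inet cpe_ipv6 {
    # Ports the user has opened "on demand". Both sets start empty, so no
    # host on the LAN is reachable from the outside until an element is added.
    set open_tcp {
        type inet_service
    }
    set open_udp {
        type inet_service
    }

    # Traffic passing through the CPE between LAN and WAN.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections the LAN initiated: the stateful
        # equivalent of what NAT gives Alain's network for free.
        ct state established,related accept
        ct state invalid drop

        # Everything originating on the LAN may leave.
        iifname "lan0" oifname "wan0" accept

        # Inbound from the WAN. IPv6 routers never fragment, so dropping
        # packet-too-big breaks Path MTU discovery for every LAN host; the
        # error types below are the minimum that must get through.
        iifname "wan0" oifname "lan0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # Only ports the user explicitly opened; everything else hits policy drop.
        iifname "wan0" oifname "lan0" tcp dport @open_tcp ct state new accept
        iifname "wan0" oifname "lan0" udp dport @open_udp accept
    }

    # Traffic addressed to the CPE itself.
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Neighbor Discovery and router solicitation/advertisement are link-local
        # and the CPE cannot function on either interface without them.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # Management interface reachable from the LAN side only (port assumed).
        iifname "lan0" tcp dport 443 accept
    }
}
```

With this loaded, Alain's unconfigured printer is unreachable from the outside even though it has a global address and accepts anything on its own; exposing it deliberately to a peer is one command, e.g. `nft add element inet cpe_ipv6 open_tcp { 9100 }` for raw printing, and closing it again is `delete element` with the same arguments, which is the user-interface surface Brian refers to. The caveat a practitioner needs is the ICMPv6 handling: the IPv4 habit of dropping ICMP wholesale silently breaks Path MTU discovery through the CPE and Neighbor Discovery on it, so a "closed by default" IPv6 firewall still has to be open to those specific message types. This default-deny, stateful-return-traffic model is what was later written down as the baseline for IPv6 residential gateways in RFC 6092.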