
Re: comment on: draft-ietf-v6ops-unman-scenarios-00.txt



On Thu, 16 Jan 2003, Alain Durand wrote:
> In IPv4+NAT, incoming connections are blocked unless someone configured
> port forwarding. It means that a highly insecure host in the unmanaged
> network has some degree of protection from the outside. Not perfect, but
> at least it raises the bar a little. For example, I can have an
> unconfigured network printer that is fully open, or not worry too much
> about a potential security hole in the file server.
> 
> If IPv6 is turned on, in any of the described scenarios A-D, all of a
> sudden all ports from all addresses become reachable from the outside.
[...]

I haven't read the latest draft yet, but there is a distinct solution for
this.

That is, *intentionally* do not provide any IPv6-Internet <-> 
IPv4-Unmanaged translation.  The security benefits or lack thereof are the 
same.

Only provide IPv6<->IPv4 translation _internally_ (if really required).

Then, make a requirement that devices which implement IPv6 and enable it
by default [in unmanaged networks scope at least] must have some security
mechanisms in place, like "personal firewalls".

Of course, we could try to strengthen the protections at the IPv6 router,
but that's probably a fight we could never win, only lose.

The best would of course be educating the folks about the security, or lack
thereof, provided by NAT and global addressing.

(Joe M. Arketeer could of course push IPv6 site-local addresses to solve
this particular problem, needless to say what I think of that..)

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
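The "personal firewall" proposed above for IPv6-enabled hosts, as an added example that is not part of the original thread: an nftables ruleset (assumes Linux with nft; the table name `host_fw` and the `ALLOW_TCP_PORTS` list are constructed placeholders) that gives a globally addressed host the inbound default-deny that IPv4+NAT provided as a side effect, with an explicit allow list standing in for port forwarding.

```shell
#!/bin/sh
# Host firewall for an IPv6-enabled device in an unmanaged network (added example,
# not from the original thread). Assumes Linux with nftables; the table name
# "host_fw" and the ALLOW_TCP_PORTS list are constructed placeholders.

# Emit an nftables ruleset that gives a globally addressed host the inbound
# behaviour NAT provided incidentally: nothing comes in unless the host started
# the flow, it is link maintenance, or the port is explicitly listed.
ipv6_host_ruleset() {
  # ALLOW_TCP_PORTS plays the role of "port forwarding"; empty exposes nothing.
  if [ -n "${ALLOW_TCP_PORTS:-}" ]; then
    service_rule="    tcp dport { ${ALLOW_TCP_PORTS} } accept"
  else
    service_rule="    # no listening services exposed"
  fi
  cat <<EOF
table inet host_fw
flush table inet host_fw
table inet host_fw {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    # replies to flows this host initiated (what NAT's state table did for us)
    ct state established,related accept
    ct state invalid drop
    # ICMPv6 the host needs to stay on the link: ND, PMTUD, error reports
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                  parameter-problem, nd-router-advert, nd-neighbor-solicit,
                  nd-neighbor-advert, echo-request } accept
    # DHCPv6 replies only from link-local servers
    ip6 saddr fe80::/10 udp dport 546 accept
$service_rule
  }
  chain forward {
    # a host is not a router: never forward, so nothing is relayed by accident
    type filter hook forward priority 0; policy drop;
  }
}
EOF
}

# Parse-check the ruleset without loading it; non-zero if nft is missing or
# rejects the syntax.
check_ruleset() { ipv6_host_ruleset | nft -c -f -; }

# Load the ruleset into the running kernel (requires root).
apply_ruleset() { ipv6_host_ruleset | nft -f -; }

if [ "${1:-}" = "--apply" ]; then apply_ruleset; fi
```

Run with `--apply` as root to load it, or call `check_ruleset` first to have nft validate the generated text.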