On Apr 10, 2007, at 23:14, Gert Doering wrote:
> While I read your words, and understand the situation, I actually fail to understand the IPv6 situation. Adapting the description above to IPv6 would mean something like this:
> - as soon as a program calls listen() to set up a socket for incoming IPv6 connections, the OS would notify the "firewall thing" that these packets should be let in
> - everything that has no process listening for it (or is not a response packet to an outgoing connection) is dropped by the "firewall thing"
That's the general idea. I can easily imagine some very sensible constraints on that, but you have the basic idea.
> *If* you have a stateful IPv6 filter in the default gateway, and want to have it work without manual configuration for incoming connections, then indeed, you need something like "PMP IPv6". OTOH I'm not sure what the benefit of an IPv6 filter in this scenario is, if it is auto-deactivated for all interesting traffic anyway...
The phrase I keep hearing from the security experts is a "multi-layered barrier" system.
> (Yes, I know. People will yell at you if you don't have "IPv6 firewall!!" on the product's data sheet. But some half-informed people will yell at you anyway... :( )
Do *NOT* underestimate the power of those people. When the U.S. Department of Homeland Security issues a CyberAlert, and when a Google News search on "ipv6 airport" returns fifty technical publications announcing that you have shipped a product that exposes networked computers to remote attack over IPv6, and you have senior vice presidents demanding a prompt response to all these security advisories that have put the trade press into a frenzy, then I'd like to see how far *you* get explaining that "some half-informed people will yell" but they should just be ignored.
I tried that. (Yes, I'm that stupid.) It didn't work. Now, I'm trying to find a way to make IPv6 at least as useful as IPv4/NAT. I'm hoping to find some help with that here in the V6OPS working group.
-- j h woodyatt <jhw@apple.com>