CPE equipments and stateful filters
on CPE equipments and stateful filters.
first of all, here's my take on NAT and access controls at the border.
(i've posted this URL to ietf@ietf a couple of days ago)
http://ipv6samurais.com/ipv6samurais/demystify/
NAT or stateful filters w/ ALG are not future-proof (cannot accommodate
new protocols and people need to upgrade forever).
because of this reason NAT-PT document is deprecated in v6ops.
now we are seeing the opposite action. weird.
i do not disagree with "we need stateful filter implementations".
but i suggest that we need to be REAL careful about the default
settings. otherwise your cellphone that has roamed into your home
network, and/or TiVo device, cannot be used from the outside.
(i dislike UPnP, yeah)
Fred raised concerns about DoS attacks, but if you run a secure OS
you do not have to worry about that. issues like DNS reflection attacks
are being mitigated by protocol changes, and/or bind config changes.
tnx.
itojun
PS: i am a person who eats one's own dog food. i do not have any kind of
firewall in my home!