[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: CPE equipments and stateful filters
> > i do not disagree with "we need stateful filter implementations".
> > but i suggest that we need to be REAL careful about the default
> > settings.
>
> I agree. But the market reality (and we heard it explicitly from a
> well known CPE vendor at the microphone) is that they will not sell
> $50 consumer gateways that allow incoming unsolicited SYN or UDP
> by default. We need to make realistic recommendations in that context.
Well, look then at what will happen. Application providers will deploy infrastructure that mixes Teredo, STUN, ICE and what have you to ensure that stations beyond the CPE can indeed receive unsolicited SYN and UDP packets. So, instead of doing the simple thing, i.e. turn off the damn filters by default, we will get an arms race that results in exactly the same security posture, but simply costs a lot more. Predicting the arms race is maybe more realistic than trying to avoid it, but it certainly is not better engineering.
-- Christian Huitema