
RE: CPE equipment and stateful filters

> > 	i do not disagree with "we need stateful filter implementations".
> > 	but i suggest that we need to be REAL careful about the default
> > 	settings.
> 
> I agree. But the market reality (and we heard it explicitly from a
> well known CPE vendor at the microphone) is that they will not sell
> $50 consumer gateways that allow incoming unsolicited SYN or UDP
> by default. We need to make realistic recommendations in that context.

Well, look then at what will happen. Application providers will deploy infrastructure that mixes Teredo, STUN, ICE and what have you to ensure that stations beyond the CPE can indeed receive unsolicited SYN and UDP packets. So, instead of doing the simple thing, i.e. turn off the damn filters by default, we will get an arms race that results in exactly the same security posture, but simply costs a lot more. Predicting the arms race is maybe more realistic than trying to avoid it, but it certainly is not better engineering.

-- Christian Huitema