
Re: CPE equipments and stateful filters



> There might be a misunderstanding here. As far as I can tell, UPnP, NAT-PMP 
> and ALD all allow (unauthenticated) requests coming from the inside, and 
> discard any requests coming from the outside. In the physical world, most 
> locks can be undone without key from the inside, and only need a key from the 
> inside.

	i mentioned the following story:
	- machines inside of your organization get infected by viruses, trojan
	  horses or whatever and bad guys take control of the box.
	  this can be due to a poorly-managed laptop with VPN reachability
	  towards inside of your organization, an infected laptop that goes into
	  your organization after a trip to chicago, whatever.
	- bad guys play with UPnP and punch holes in your firewall

itojun
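
An added example, not part of the original thread: a defender-side audit of UPnP IGD `AddPortMapping` requests arriving from the LAN, flagging the kind of hole-punching described above. It assumes the gateway or a LAN sensor can hand over each SOAP body with the requester's source IP; `SENSITIVE_PORTS`, the function names and the sample request are hypothetical and constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: ports this site never wants exposed through UPnP.
SENSITIVE_PORTS = {22, 23, 445, 3389}

# Constructed sample of an IGD AddPortMapping SOAP body (not captured traffic).
TEMPLATE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost>
<NewExternalPort>{port}</NewExternalPort>
<NewProtocol>TCP</NewProtocol>
<NewInternalPort>{port}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewPortMappingDescription>constructed</NewPortMappingDescription>
<NewLeaseDuration>{lease}</NewLeaseDuration>
</u:AddPortMapping></s:Body></s:Envelope>"""

def parse_add_port_mapping(soap_body):
    """Return the AddPortMapping arguments as a dict, or None for other input."""
    try:
        root = ET.fromstring(soap_body)
    except ET.ParseError:
        return None
    for el in root.iter():
        # Compare the local name only, so any WAN*Connection namespace matches.
        if el.tag.split("}")[-1] == "AddPortMapping":
            return {c.tag.split("}")[-1]: (c.text or "").strip() for c in el}
    return None

def audit(src_ip, soap_body):
    """List policy findings for one request seen from src_ip on the LAN side."""
    req = parse_add_port_mapping(soap_body)
    if req is None:
        return []
    findings = []
    if req.get("NewInternalClient") != src_ip:
        findings.append("mapping forwards to a host other than the requester")
    port = req.get("NewInternalPort", "")
    if port.isdigit() and int(port) in SENSITIVE_PORTS:
        findings.append("mapping exposes sensitive port " + port)
    if req.get("NewLeaseDuration") == "0":  # IGD v1: 0 means no expiry
        findings.append("mapping has no expiry (lease 0)")
    return findings

if __name__ == "__main__":
    print(audit("192.168.1.10", TEMPLATE.format(client="192.168.1.20", port=3389, lease=0)))
    print(audit("192.168.1.10", TEMPLATE.format(client="192.168.1.10", port=51413, lease=3600)))
```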