On 23-jul-2007, at 18:48, Brian E Carpenter wrote:
but I suggest that we need to be REAL careful about the default settings.
I agree. But the market reality (and we heard it explicitly from a well known CPE vendor at the microphone) is that they will not sell $50 consumer gateways that allow incoming unsolicited SYN or UDP by default. We need to make realistic recommendations in that context.
Hm, but another vendor, better known for other stuff, but also selling fine CPEs, presented a draft, and he told us that one of the reasons they decided to flip their default from no filtering to rejecting incoming sessions is that the IETF has consensus that this is the best approach.
Personally, I would love to see firewalls and other devices that think they know better what's good for me than I do die a violent death, but then again, there is lots of stuff out there that can't handle being connected to the unfiltered internet, and doing exactly that without 5 years or so of countering "you need a firewall" indoctrination and replacing it with "you need to run a safe-out-of-the-box OS" won't do us any favors.
At this point, it looks like the best option is to have an extremely light-weight protocol that allows OSes (applications?) to open up these filters that are going to be present in default configurations so that only hosts that feel they're secure get unfiltered access to the network while other stuff is prevented from shooting itself in the foot.