
Re: CPEs



On Tuesday 08 January 2008 18:44:03 Iljitsch van Beijnum, you wrote:
> Hm, doesn't this protocol have a worse-than-average track record
> security-wise? I even remember having to update my computer because of
> this fairly recently...

As much as I am NOT a fan of UPnP, I believe the security issues are either:
- implementation errors,
- limits of the on-link trust model.

I would not consider security as the main disadvantage of UPnP. Of course, we 
can do better, for instance using a challenge-response scheme to validate the 
address ownership. And we may want to support learning of the firewall 
gateway address using DHCPv6 so that it can be used in network topology (I am 
thinking about wide area radio networks in particular) without multicast.

> The IETF has some experience in designing middlebox management
> protocols

But the track record is deployment-wise worse than that of UPnP IGD.

I would much rather have an IETF protocol à la ALD for IPv6 firewall control, 
than UPnP IGD 2.0. But I'd also rather have IGD 2.0 than nothing, if vendors 
decide to go for IGD 2.0. I guess that's what James meant as well.

> and IPv6 is a core IETF 
> Does it make sense to outsource something like this?

We cannot ban other entities from doing it, can we?

-- 
Rémi Denis-Courmont
http://www.remlab.net/