
Re: draft-ietf-v6ops-cpe-simple-security-06



On 2009-06-26 16:50, Gert Doering wrote:
> Hi,
> 
> On Fri, Jun 26, 2009 at 04:08:47PM +0200, Rémi Després wrote:
>> - I had to open the Mac to incoming VNC connections from another  
>> computer of the site.
>> - If I had opened the VNC port in the Mac without disabling IPv6,  
>> this would have opened it also for connections from any host of the  
>> IPv6 global Internet.
> 
> I'd argue that this is something that should be improved in the 
> "host firewall" - instead of "completely closed" and "opened from 
> everywhere", there should be a third state "open for connections from the 
> local network"...

s/local network/trusted zone/ and this reflects the behaviour of at
least one very popular personal firewall. I think this is proven safe
practice, and actually means that with such a personal firewall
installed, the CPE can be wide open. Needless to say, this level
of on-board protection is essential for roaming anyway.

I'd certainly want my CPE to have an option to switch off all
firewall behaviour.

    Brian
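
The three-state host firewall discussed in this thread (closed, open to the trusted zone, open to everyone), sketched as an added example that is not part of the original messages or of any firewall product. The prefixes, the port policy and the function names are constructed for illustration; 5900 is assumed as the VNC port.

```python
import ipaddress
from enum import Enum


class PortState(Enum):
    CLOSED = "closed"          # no inbound connections
    TRUSTED_ZONE = "trusted"   # inbound only from configured prefixes
    OPEN = "open"              # inbound from any IPv4 or IPv6 source


# Constructed sample zone: the site's IPv4 LAN, its IPv6 prefix
# (documentation range) and IPv6 link-local.
TRUSTED_ZONE = [ipaddress.ip_network(p) for p in
                ("192.168.1.0/24", "2001:db8:1234::/48", "fe80::/10")]

# Constructed per-port policy (hypothetical): VNC reachable from the zone only.
POLICY = {5900: PortState.TRUSTED_ZONE}


def in_trusted_zone(src, zone=TRUSTED_ZONE):
    """Return True if the source address falls inside a trusted prefix."""
    addr = ipaddress.ip_address(src)
    # A dual-stack socket reports IPv4 peers as ::ffff:a.b.c.d; judge
    # those by the embedded IPv4 address.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in zone)


def allow_inbound(src, port, policy=POLICY, zone=TRUSTED_ZONE):
    """Decide one inbound connection; ports without a policy are closed."""
    state = policy.get(port, PortState.CLOSED)
    if state is PortState.OPEN:
        return True
    if state is PortState.TRUSTED_ZONE:
        return in_trusted_zone(src, zone)
    return False


if __name__ == "__main__":
    for src in ("192.168.1.20", "2001:db8:1234:1::20", "2001:db8:ffff::1"):
        print(src, allow_inbound(src, 5900))
```

The single zone list is a simplification: a roaming host would need the zone redefined for each network it attaches to.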