No, setting up a new filter for each new app is obviously impractical. On the other hand, you cannot expect any odd app to be secure, just because it is part of the OS. So the best we can do is have the generic filter "closed" by default, and have applications open pinholes as necessary (when the app is started, or when the user configures it to accept incoming connections, or whatever). It's not as secure as I would have liked, but it's better than leaving everything wide open.

And hopefully this doesn't have anything to do with net neutrality...

Yaron

> -----Original Message-----
> From: Iljitsch van Beijnum [mailto:iljitsch@muada.com]
> Sent: Thursday, July 30, 2009 17:38
> To: Yaron Sheffer
> Cc: Gregory M. Lebovitz; Shane Amante; Pekka Savola; v6ops@ops.ietf.org
> Subject: Re: Simple Security - Layered Filtering should be in the document
>
> On 30 jul 2009, at 16:53, Yaron Sheffer wrote:
>
> > For the sake of argument, if *all* the current <something>-in-IPv6 proposals
> > are standardized, then presumably they *will* go into mainstream OSes.
>
> So whenever there's a new protocol there must be a new filter?
>
> Isn't it simpler for the hosts that don't want to receive certain
> packets to not run the protocol?