
Re: R41 in draft-ietf-v6ops-cpe-simple-security-07


On 3/08/2009, at 4:46 PM, Brian E Carpenter wrote:

How else would you deal with a CPE firewall that has default deny
for incoming packets? Manual config?

Manual config can at least be authenticated.  Conficker reportedly uses UPnP NAT traversal on IPv4 home networks and could have just as easily used NAT-PMP.  So we're recreating this issue in IPv6 unless we authenticate such requests.  How much worse off are we with no firewall than with one where practically any piece of malware can open it?

Besides that, I understand R15 and R27 to say that these shoulds would allow unsolicited inbound packets directed to an internal address, so long as the packets use TCP or UDP - if I'm reading them correctly.

Finally, it's not clear to me who the intended audience is for R41.  We don't want every vendor of a CPE to invent their own firewall control solution.  It's something that the various standards developing organizations need to consider doing.  I'm looking at James' draft as recommendations for CPE vendors, OSS developers, and skilled users.

Mark
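An added illustration of the point Mark makes about NAT-PMP, not part of the thread: a gateway-side vetting routine for NAT-PMP (RFC 6886) mapping requests in Python. The LAN prefix 192.168.1.0/24, the lifetime cap and the sample request are constructed for this example; the decoded request carries two ports and a lifetime and nothing that identifies or authenticates the application that sent it.

```python
import struct
from ipaddress import ip_address, ip_network

# NAT-PMP (RFC 6886) mapping request: 12 bytes, no authentication field.
#   version (1) | opcode (1) | reserved (2) | internal port (2)
#   | suggested external port (2) | requested lifetime in seconds (4)
_REQUEST_FMT = "!BBHHHI"
_OPCODES = {1: "UDP", 2: "TCP"}
_MAX_LIFETIME = 24 * 3600  # local cap chosen for this example, not from the RFC


def parse_mapping_request(data: bytes) -> dict:
    """Decode a NAT-PMP map request; raise ValueError if malformed."""
    if len(data) != struct.calcsize(_REQUEST_FMT):
        raise ValueError(f"bad length {len(data)}")
    version, opcode, _reserved, iport, eport, lifetime = struct.unpack(_REQUEST_FMT, data)
    if version != 0:
        raise ValueError(f"unsupported version {version}")
    if opcode not in _OPCODES:
        raise ValueError(f"not a mapping opcode: {opcode}")
    return {"proto": _OPCODES[opcode], "internal_port": iport,
            "external_port": eport, "lifetime": lifetime}


def vet_mapping_request(src_ip: str, data: bytes, lan: str = "192.168.1.0/24") -> dict:
    """Checks a CPE gateway can make before opening an inbound pinhole.

    Every check uses the IP header or the message itself; nothing in the
    message says which application asked or proves it was authorised to.
    """
    if ip_address(src_ip) not in ip_network(lan):
        return {"accept": False, "reason": "request not from the LAN"}
    try:
        req = parse_mapping_request(data)
    except ValueError as exc:
        return {"accept": False, "reason": f"malformed: {exc}"}
    if req["lifetime"] > _MAX_LIFETIME:
        return {"accept": False, "reason": "lifetime exceeds local cap"}
    # The only identity available is the LAN source address: the mapping is
    # created for that host, so it is granted to any process running there.
    req.update(accept=True, internal_host=src_ip, authenticated=False,
               reason="well-formed LAN request; requester identity unverified")
    return req


# Constructed sample: a LAN host asks to forward UDP 8080 -> 8080 for one hour.
SAMPLE_REQUEST = bytes.fromhex("00 01 0000 1f90 1f90 00000e10")
```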