Re: R41 in draft-ietf-v6ops-cpe-simple-security-07
On Mon, 3 Aug 2009 21:02:43 -0700, Mark Baugher <mbaugher@cisco.com> wrote:
> Manual config can at least be authenticated. Conficker reportedly
> uses UPnP NAT traversal on IPv4 home networks and could have just as
> easily used NAT-PMP. So we're recreating this issue in IPv6 unless we
> authenticate such requests. How much worse off are we with no
> firewall than with one where practically any piece of malware can open
> it?
That's just NOT TRUE. Typically the trust between your CPE and your
computer comes ENTIRELY from the fact that the computer is behind the CPE.
If your computer is already infected, then you are already screwed.
Certainly the CPE should protect itself from the computer, but it cannot
protect the rest of the internal network, especially not the already
infected computer.
As for UPnP-IGD and NAT-PMP... if Conficker is already behind the CPE, it
can use UDP or make outbound connections anyway. The hole punching protocol
just makes it slightly more convenient for the worm.
--
Rémi Denis-Courmont
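The point made in this exchange, that a CPE's trust in a port-mapping request rests entirely on the request arriving from the inside, can be seen directly in the NAT-PMP wire format (RFC 6886): a mapping request carries a version, an opcode, the internal and suggested external ports and a lifetime, and nothing that authenticates the sender. The following is an added example, not code from the thread or from any CPE implementation, of the parsing and the audit decisions a gateway could make from that packet alone. The LAN prefix, the allowlist of hosts permitted to request mappings, the lifetime cap and the sample packets are constructed for the example.

```python
"""Parse NAT-PMP (RFC 6886) requests and apply a constructed CPE-side audit policy.

The only inputs a gateway has are the packet fields and the source address;
there is no authenticator in the protocol, which is the point of the example.
"""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Union

NATPMP_VERSION = 0
OP_EXTERNAL_ADDRESS = 0   # 2-byte request: version, opcode
OP_MAP_UDP = 1            # 12-byte mapping request
OP_MAP_TCP = 2

# Constructed policy knobs (assumptions for this example, not from the thread or the RFC).
LAN = ip_network("192.168.1.0/24")
ALLOWED_CLIENTS = {ip_address("192.168.1.10")}
MAX_LIFETIME_S = 2 * 3600


@dataclass(frozen=True)
class MappingRequest:
    proto: str           # "udp" or "tcp"
    internal_port: int
    external_port: int   # 0 = let the gateway choose
    lifetime: int        # seconds; 0 = delete the mapping


def parse_request(data: bytes) -> Union[MappingRequest, str]:
    """Return a MappingRequest, the string 'external-address', or raise ValueError."""
    if len(data) < 2:
        raise ValueError("truncated NAT-PMP header")
    version, opcode = data[0], data[1]
    if version != NATPMP_VERSION:
        raise ValueError(f"unsupported version {version}")
    if opcode == OP_EXTERNAL_ADDRESS:
        return "external-address"
    if opcode not in (OP_MAP_UDP, OP_MAP_TCP):
        raise ValueError(f"unknown opcode {opcode}")
    if len(data) < 12:
        raise ValueError("truncated mapping request")
    # !HHHI: reserved(2), internal port(2), suggested external port(2), lifetime(4)
    _reserved, internal, external, lifetime = struct.unpack("!HHHI", data[2:12])
    proto = "udp" if opcode == OP_MAP_UDP else "tcp"
    return MappingRequest(proto, internal, external, lifetime)


def audit(src_ip: str, data: bytes) -> List[str]:
    """Return the reasons a gateway would refuse or flag this request.

    An empty list means the request passes every check.  Note that none of the
    checks can tell an infected host from a clean one: source address is all
    the gateway has to go on.
    """
    reasons: List[str] = []
    src = ip_address(src_ip)
    if src not in LAN:
        # RFC 6886 requires the gateway to ignore requests not from the internal side.
        reasons.append("request from outside the LAN")
    try:
        req = parse_request(data)
    except ValueError as exc:
        return reasons + [f"malformed: {exc}"]
    if req == "external-address":
        return reasons                      # read-only query, nothing to open
    if src not in ALLOWED_CLIENTS:
        reasons.append("host not on mapping allowlist")
    if req.lifetime > MAX_LIFETIME_S:
        reasons.append(f"lifetime {req.lifetime}s exceeds {MAX_LIFETIME_S}s cap")
    if req.lifetime == 0 and req.internal_port == 0:
        # Internal port 0 with lifetime 0 asks to delete all of the client's mappings.
        reasons.append("bulk delete of all mappings")
    return reasons


# Constructed sample: TCP mapping, internal port 8080, any external port, 24h lifetime.
SAMPLE_TCP_MAP = b"\x00\x02\x00\x00" + struct.pack("!HHI", 8080, 0, 86400)
SAMPLE_EXT_ADDR = b"\x00\x00"


def demo() -> dict:
    """Run the audit over the constructed samples and return the verdicts."""
    return {
        "allowed host, long lifetime": audit("192.168.1.10", SAMPLE_TCP_MAP),
        "unknown host, long lifetime": audit("192.168.1.55", SAMPLE_TCP_MAP),
        "outside LAN, address query": audit("10.0.0.5", SAMPLE_EXT_ADDR),
        "allowed host, address query": audit("192.168.1.10", SAMPLE_EXT_ADDR),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {'accept' if not verdict else verdict}")
```

The allowlist and lifetime cap are policy the gateway operator adds on top of the protocol; they limit blast radius but, as the reply says, a host that is already compromised and on the allowlist gets its mapping, and without any mapping it can still make outbound connections.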