
Re: R41 in draft-ietf-v6ops-cpe-simple-security-07



On Tue, 04 Aug 2009 08:56:54 +0200
Rémi Denis-Courmont <remi@remlab.net> wrote:

> On Mon, 3 Aug 2009 21:02:43 -0700, Mark Baugher <mbaugher@cisco.com> wrote:
> 
> > Manual config can at least be authenticated.  Conficker reportedly
> > uses UPnP NAT traversal on IPv4 home networks and could have just as
> > easily used NAT-PMP.  So we're recreating this issue in IPv6 unless we
> > authenticate such requests.  How much worse off are we with no
> > firewall than with one where practically any piece of malware can open
> > it?
> 
> That's just NOT TRUE. Typically the trust between your CPE and your
> computer comes ENTIRELY from the fact that the computer is behind the CPE.
> If your computer is already infected, then you are already screwed.
> Certainly the CPE should protect itself from the computer, but it cannot
> protect the rest of the internal network, especially not the already
> infected computer.
> 
> As for UPnP-IGD and NAT-PMP... if Conficker is already behind the CPE, it
> can use UDP or make outbound connections anyway. The hole punching protocol
> just makes it slightly more convenient for the worm.
> 

Completely agree.

Looking at netbooks with wired, wifi, bluetooth, and 3G or Wimax
connectivity, or Smartphones with wifi, 3G or Wimax connectivity, the
only safe thing to do is to have each host protect itself, because at
any time there could be multiple candidate access methods for
Internet access (and IEEE 802.21 (described in the recent Internet
Protocol Journal) is trying to make which one is currently being used
transparent). Even better is to have the applications protect
themselves, like ssh does ("If you want something done properly, you
need to do it yourself").
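The NAT-PMP mapping request that the quoted exchange is about, as an added example (not code from this thread, from the draft, or from any CPE vendor): it encodes a request exactly as RFC 6886 lays it out and decodes the gateway's reply. The point it makes concrete is that the wire format has no field for a credential of any kind, so the only thing a gateway can base its decision on is that the datagram arrived on its internal interface. The function names are mine, and the reply bytes are constructed for the example rather than captured from a real gateway.

```python
import struct

# NAT-PMP constants from RFC 6886 (the protocol discussed in the thread).
NAT_PMP_PORT = 5351      # gateway listens on UDP 5351; a client sends to its default gateway
VERSION = 0
OP_MAP_UDP = 1
OP_MAP_TCP = 2
RESULT_CODES = {
    0: "Success",
    1: "Unsupported Version",
    2: "Not Authorized/Refused",
    3: "Network Failure",
    4: "Out of resources",
    5: "Unsupported opcode",
}


def build_mapping_request(opcode, internal_port, external_port=0, lifetime=7200):
    """Encode a NAT-PMP port-mapping request (RFC 6886 section 3.3).

    Wire layout, all fields big-endian:
      Vers(1) | Op(1) | Reserved(2) | Internal Port(2) | Suggested External Port(2) | Lifetime(4)

    Nothing in this layout can carry a credential: the gateway grants the mapping
    to whichever host on the internal side sent the datagram. A request with
    lifetime=0 and external_port=0 deletes an existing mapping.
    """
    if opcode not in (OP_MAP_UDP, OP_MAP_TCP):
        raise ValueError("opcode must be OP_MAP_UDP (1) or OP_MAP_TCP (2)")
    for port in (internal_port, external_port):
        if not 0 <= port <= 0xFFFF:
            raise ValueError("port out of range: %r" % port)
    return struct.pack("!BBHHHI", VERSION, opcode, 0, internal_port, external_port, lifetime)


def parse_mapping_response(data):
    """Decode a NAT-PMP mapping response (RFC 6886 section 3.3).

    Wire layout:
      Vers(1) | Op(1, request op + 128) | Result(2) | Seconds Since Epoch(4) |
      Internal Port(2) | Mapped External Port(2) | Lifetime(4)
    """
    if len(data) < 16:
        raise ValueError("NAT-PMP mapping response must be 16 bytes, got %d" % len(data))
    vers, op, result, epoch, iport, eport, lifetime = struct.unpack("!BBHIHHI", data[:16])
    if vers != VERSION:
        raise ValueError("unexpected NAT-PMP version %d" % vers)
    if op < 128:
        raise ValueError("opcode %d is a request, not a response" % op)
    return {
        "opcode": op - 128,
        "result": result,
        "result_text": RESULT_CODES.get(result, "unknown (%d)" % result),
        "epoch": epoch,
        "internal_port": iport,
        "external_port": eport,
        "lifetime": lifetime,
    }


def describe(fields):
    """One-line summary of a parsed response, the kind of thing a host-side log would record."""
    proto = "TCP" if fields["opcode"] == OP_MAP_TCP else "UDP"
    return "%s %d -> ext %d for %ds (%s)" % (
        proto, fields["internal_port"], fields["external_port"],
        fields["lifetime"], fields["result_text"])


# Constructed sample reply (not a capture): the gateway granted TCP 8080 -> external 40000
# for one hour, 12345 seconds after its mapping table was last reset.
SAMPLE_RESPONSE = struct.pack("!BBHIHHI", VERSION, OP_MAP_TCP + 128, 0, 12345, 8080, 40000, 3600)


if __name__ == "__main__":
    req = build_mapping_request(OP_MAP_TCP, 8080, 8080, 3600)
    print("request  :", req.hex())
    # In real use the 12 bytes go out as socket.sendto(req, (default_gateway, NAT_PMP_PORT)).
    print("response :", describe(parse_mapping_response(SAMPLE_RESPONSE)))
```

Read against the thread: the request is twelve bytes that any process with a UDP socket can emit, which is the sense in which hole punching is only a convenience for code already running inside the network; a host that wants to be safe on every interface it has cannot rely on the gateway declining to honour such a request, since the gateway has nothing to decline it on.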