Re: R41 in draft-ietf-v6ops-cpe-simple-security-07
On Wednesday 5 August 2009 20:01:33 Mark Baugher, you wrote:
> I expect to see more providers and vendors
> ship their wi-fi products with privacy turned on by default, and who
> therefore expect their customers to authenticate to a wi-fi/router as
> part of the process. So I think your statement above is shortsighted
> for at least this reason.
If the host operating system is authenticated to the CPE at layer-2, why the
heck should it re-authenticate at layer-3? To me the big problem
_specifically_ with UPnP is that any random application can use it and
do complete nonsense stuff with it like redirect any port to any IP and port.
As a counter-example, if I recall correctly, ALD can only redirect ports to
the host that requests it, and requires system privileges on the host (as it
runs on ICMPv6).
> There is innovation taking place in home network access controls - WPS
> is one attempt by vendors to provide usable security in an unmanaged
> environment. I know of a few other organizations that are designing
> security into their home networking services and not interpreting
> "unmanaged" as meaning "insecure". It would be shortsighted to design
> a firewall control protocol that does not at least have access control
> as an option.
I already said I am all for having authentication as an option. But
realistically, I doubt it can or should be enabled by *default* on
*unmanaged* networks.
--
Rémi Denis-Courmont
http://www.remlab.net/