On Wednesday 5 August 2009 20:01:33, Mark Baugher, you wrote:
> I expect to see more providers and vendors
> ship their wi-fi products with privacy turned on by default, and who
> therefore expect their customers to authenticate to a wi-fi/router as
> part of the process. So I think your statement above is shortsighted
> for at least this reason.
If the host operating system is authenticated to the CPE at layer 2, why the
heck should it re-authenticate at layer 3? To me the big problem
_specifically_ with UPnP is that any random application can use it and do
complete nonsense with it, like redirecting any port to any IP and port.

As a counter-example, if I recall correctly, ALD can only redirect ports to
the host that requests it, and requires system privileges on the host (as it
runs on ICMPv6).
> There is innovation taking place in home network access controls - WPS
> is one attempt by vendors to provide usable security in an unmanaged
> environment. I know of a few other organizations that are designing
> security into their home networking services and not interpreting
> "unmanaged" as meaning "insecure". It would be shortsighted to design
> a firewall control protocol that does not at least have access control
> as an option.
I already said I am all for having authentication as an option. But
realistically, I doubt it can or should be enabled by *default* on
*unmanaged* networks.
--
Rémi Denis-Courmont
http://www.remlab.net/
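Added example, not part of the thread above and not code from either participant: a gateway-side authorization check that makes the contrast in the message concrete. UPnP IGD's AddPortMapping lets any host on the LAN ask the gateway to forward any external port to any internal IP and port; the alternative the message describes only lets a host open ports for itself. The code builds a constructed AddPortMapping SOAP body, parses it the way a gateway would, and applies either policy. Assumptions that are mine rather than the thread's: the gateway knows the control point's source IP, the request is a standard WANIPConnection:1 AddPortMapping action, and the hardened rule is "NewInternalClient must equal the requester's address".

```python
"""Added example (not from the mailing-list thread): authorizing UPnP IGD
AddPortMapping requests on the gateway side.

Assumptions (mine, not the thread's): the gateway knows the control point's
source IP, the body is a WANIPConnection:1 AddPortMapping action, and the
hardened policy is "internal client must be the requesting host".
"""
import ipaddress
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Argument order as defined for AddPortMapping in WANIPConnection:1.
ARGS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
        "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
        "NewLeaseDuration")


def build_add_port_mapping(ext_port, proto, int_port, int_client,
                           description="example", lease=0):
    """Build the SOAP body a control point sends for AddPortMapping.
    Constructed here only to feed the parser below."""
    values = {
        "NewRemoteHost": "", "NewExternalPort": str(ext_port),
        "NewProtocol": proto, "NewInternalPort": str(int_port),
        "NewInternalClient": int_client, "NewEnabled": "1",
        "NewPortMappingDescription": escape(description),
        "NewLeaseDuration": str(lease),
    }
    args = "".join(f"<{k}>{values[k]}</{k}>" for k in ARGS)
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:AddPortMapping xmlns:u="{WANIP_NS}">{args}'
        '</u:AddPortMapping></s:Body></s:Envelope>'
    )


def parse_add_port_mapping(body):
    """Extract the AddPortMapping arguments from a SOAP body; ValueError if absent."""
    root = ET.fromstring(body)
    action = root.find(f"{{{SOAP_NS}}}Body/{{{WANIP_NS}}}AddPortMapping")
    if action is None:
        raise ValueError("not an AddPortMapping action")
    mapping = {}
    for name in ARGS:
        elem = action.find(name)  # UPnP arguments are unqualified children
        if elem is None:
            raise ValueError(f"missing argument {name}")
        mapping[name] = (elem.text or "").strip()
    return mapping


def authorize_mapping(requester_ip, mapping, bind_to_requester=True):
    """Decide whether the gateway should install the mapping.

    bind_to_requester=False reproduces plain UPnP behaviour: any
    syntactically valid request is accepted, including forwards to other
    LAN hosts.  With the default True, NewInternalClient must be the host
    that sent the request.  Returns (allowed, reason).
    """
    if mapping["NewProtocol"] not in ("TCP", "UDP"):
        return False, "unknown protocol"
    try:
        ext = int(mapping["NewExternalPort"])
        internal = int(mapping["NewInternalPort"])
        client = ipaddress.ip_address(mapping["NewInternalClient"])
    except ValueError:
        return False, "malformed port or address"
    if not (1 <= ext <= 65535 and 1 <= internal <= 65535):
        return False, "port out of range"
    if bind_to_requester and client != ipaddress.ip_address(requester_ip):
        return False, f"{requester_ip} may not forward traffic to {client}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a host at .20 asks to expose RDP on a different LAN host.
    body = build_add_port_mapping(3389, "TCP", 3389, "192.168.1.50")
    req = parse_add_port_mapping(body)
    print("plain UPnP:", authorize_mapping("192.168.1.20", req, bind_to_requester=False))
    print("bound to requester:", authorize_mapping("192.168.1.20", req))
```

The request-binding rule is deliberately the only policy difference between the two modes, so the example isolates the property the message attributes to ALD (a host can only open ports for itself) from everything else a real gateway would also check, such as who on the LAN is allowed to speak the protocol at all.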