Rate of growth on IPv6 not fast enough?

• Previous message (by thread): Rate of growth on IPv6 not fast enough?
• Next message (by thread): Rate of growth on IPv6 not fast enough?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 20 Apr 2010 18:03:09 EDT, Simon Perreault said:
> This is the latest proposal. The Security Considerations section needs
> some love...

I may be the only one that finds that unintentionally hilarious.

In any case, to a first-order approximation, it doesn't even matter all that
much security wise.  I mean - let's be *honest* guys.  After XP SP2 got any
significant market penetration, pretty much everybody had a host-based firewall
that defaulted to default-deny, so the NAT-firewall was merely belt and
suspenders.

Pretty much all the attacks we've seen in the last few years have been things
like web drive-bys, trojaned torrents, and other stuff that sails right in
through open ports through the firewall (both host and standalone). And any
malware that's able to turn around and punch open a port on the host firewall
is just as easily able to go and use uPNP to send a "Pants Down!" command to
the standalone firewall.

(Yes, defense in depth is a Good Thing.  But that external firewall isn't
doing squat for your security if it actually accepts uPNP from inside.)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20100420/aa57bb9e/attachment.sig>

• Previous message (by thread): Rate of growth on IPv6 not fast enough?
• Next message (by thread): Rate of growth on IPv6 not fast enough?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]