Consumer Grade - IPV6 Enabled Router Firewalls.

Owen DeLong owen at delong.com
Mon Dec 14 08:58:45 UTC 2009


>> UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway.
>>
>> You don't need UPnP if you're not doing NAT.
>
> wishful thinking.
>
> you're likely to still have a stateful firewall and in the consumer space
> someone is likely to want to punch holes in it.

Yes, SI will still be needed.  However, UPnP is, at its heart, a way to allow
arbitrary unauthenticated applications the power to amend your security
policy to their will.  Can you possibly explain any way in which such a
thing is at all superior to no firewall at all?

I would argue that a firewall that can be reconfigured by any applet a user
clicks on (whether they know it or not) is actually less useful than no
firewall because it creates the illusion in the user's mind that there is a
firewall protecting them.

Owen




