Consumer Grade - IPV6 Enabled Router Firewalls.

Mohacsi Janos mohacsi at niif.hu
Mon Dec 14 14:21:08 CST 2009



On Mon, 14 Dec 2009, Owen DeLong wrote:

>>> UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway.
>>> 
>>> You don't need UPnP if you're not doing NAT.
>> 
>> wishful thinking.
>> 
>> you're likely to still have a stateful firewall and in the consumer space
>> someone is likely to want to punch holes in it.
>
> Yes, SI will still be needed.  However, UPnP is, at its heart, a way to allow
> arbitrary unauthenticated applications the power to amend your security
> policy to their will.  Can you possibly explain any way in which such a
> thing is at all superior to no firewall at all?


Because of the least surprise principle: Users get used to having NAT ~> 
they expect a similar stateful firewall in IPv6. They get used to using UPnP 
in IPv4 ~> they expect something similar in IPv6.

I don't think this is good, but the bad engineering decisions of UPnP cannot 
be replaced with better ones overnight.

Best Regards,
 	Janos Mohacsi



