Consumer Grade - IPV6 Enabled Router Firewalls.

Joel Jaeggli joelja at bogus.com
Mon Dec 14 22:47:52 CST 2009


Owen DeLong wrote:
>>> UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway.
>>>
>>> You don't need UPnP if you'r not doing NAT.
>>
>> wishful thinking.
>>
>> you're likely to still have a staeful firewall and in the consumer space
>> someone is likely to want to punch holes in it.
> 
> Yes, SI will still be needed.  However, UPnP is, at it's heart a way to
> allow
> arbitrary unauthenticated applications the power to amend your security
> policy to their will.  Can you possibly explain any way in which such a
> thing is at all superior to no firewall at all?

I'm a consumer, I want to buy something, take it home, turn it on and
have it work. I don't have an IT department. How the manufacturers solve
that is their problem.

As a consumer my preferences for a security posture to the extent that I
have one are:

don't hose me

don't make my life any more complicated than necessary

> I would argue that a firewall that can be reconfigured by any applet a user
> clicks on (whether they know it or not) is actually less useful than no
> firewall because it creates the illusion in the users mind that there is a
> firewall protecting them.

Stable outgoing connections for p2p apps, messaging, gaming platforms
and foo website with java script based rpc mechanisms have similar
properties. I don't sleep soundly at night becasuse the $49 buffalo
router I bought off an endcap at frys uses iptables, I sleep soundly
because I don't care.

> Owen
> 




More information about the NANOG mailing list