nanog mailing list archives
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
From: Michael Loftis <mloftis () wgops com>
Date: Sun, 13 Dec 2009 13:48:18 -0700
--On Sunday, December 13, 2009 9:17 AM -0800 Joel Jaeggli <joelja () bogus com> wrote:
UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway. You don't need UPnP if you're not doing NAT.

Wishful thinking. You're likely to still have a stateful firewall, and in the consumer space someone is likely to want to punch holes in it.

Amen indeed. Consumers do not care if it's a good idea or not. And honestly in a home network, well, it's not as frightening. In a business of any kind (including home-based) it is bad. You should have a DMZ with carefully controlled open ports lists. But that's preaching to the choir here.
IPv6 doesn't magically negate the need for UPnP; UPnP is not tied to NAT. It's a way for applications to ask the firewall to selectively open ports up to them. Intelligent stateful firewalls can do that for limited applications, perhaps with some sort of policy control even. Though Joe/Jill Gamer (which is what UPnP is for) won't know anything about any of that. They define a gateway as functioning or not.
I really am honestly sick of people thinking IPv6 is a panacea. It isn't. UPnP is rather a bit of a hack for sure, protocols should be better designed, but in this modern age of Peer To Peer you need a way for applications to ask the firewall to selectively open incoming ports.