Re: Rate of growth on IPv6 not fast enough?

[Valdis.Kletnieks () vt edu]

On Tue, 20 Apr 2010 18:03:09 EDT, Simon Perreault said:
> This is the latest proposal. The Security Considerations section needs
> some love...

I may be the only one that finds that unintentionally hilarious.

In any case, to a first-order approximation, it doesn't even matter all that
much security wise.  I mean - let's be *honest* guys.  After XP SP2 got any
significant market penetration, pretty much everybody had a host-based firewall
that defaulted to default-deny, so the NAT-firewall was merely belt and
suspenders.

Pretty much all the attacks we've seen in the last few years have been things
like web drive-bys, trojaned torrents, and other stuff that sails right in
through open ports through the firewall (both host and standalone). And any
malware that's able to turn around and punch open a port on the host firewall
is just as easily able to go and use uPNP to send a "Pants Down!" command to
the standalone firewall.

(Yes, defense in depth is a Good Thing.  But that external firewall isn't
doing squat for your security if it actually accepts uPNP from inside.)

Attachment: _bin
Description: