nanog mailing list archives

Re: IPv6 woes - RFC


From: Christopher Morrow <morrowc.lists () gmail com>
Date: Wed, 29 Sep 2021 10:27:27 -0400

On Tue, Sep 28, 2021 at 4:18 PM Randy Bush <randy () psg com> wrote:

the ietf did not give guidance to cpe vendors to protect toys inside
your LAN
guidance aside... 'Time To Market' (or "Minimum Viable Product - MVP!") is
likely to impact all of our security 'requirements'. :(

that point was made in the paper i cited


"This is a preview of subscription content, log in
<https://link.springer.com/signup-login?previousUrl=https%3A%2F%2Flink.springer.com%2Fchapter%2F10.1007%252F978-3-030-72582-2_22>
to check access."
  <paywall complaint goes here>

I can see a weirdo looking image with 'port scan data', which roughly seems
to say:
  "Hey, turn on the firewall"
on all of their tested devices... and what look like 'cablelabs affiliates'
mostly did the right thing with that fw policy.


I also thought 'homenet' (https://datatracker.ietf.org/wg/homenet) was
supposed to have provided the guidance you seek here?

got a cite for the guidance?


sure, that's in the referenced architecture document from your link
(one of the other few things I can see is the references section):
  3. Chown, T., Arkko, J., Brandt, A., Troan, O., Weil, J.: IPv6 home networking
     architecture principles. RFC 7368, Internet Engineering Task Force (October 2014)

The points about NAT in v4 being 'helpful' are sort of right, but the
attacks just move up the stack[0] :( so I don't think it's particularly
germane to worry/not about nat for 'security' purposes.

-chris

0: https://us.norton.com/internetsecurity-malware-malvertising.html
    (NOTE: I'm not a fan of norton nor any AV really, but.. the article
    makes the 'up the stack' point)
