nanog mailing list archives
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
From: Joakim Aronius <joakim () aronius com>
Date: Wed, 16 Dec 2009 22:14:53 +0100
* Mark Newton (newton () internode com au) wrote:
> On 15/12/2009, at 11:19 PM, Joakim Aronius wrote:
>
>> So what you are saying is that ease of use and service availability is priority one. Then what exactly are the responsibilities of the ISP and CPE manufacturer when it comes to security? CPEs with WiFi usually come with the advice to change password etc. Is it ok to build an infrastructure relying on UPnP, write a disclaimer, and let the end user handle eventual problems? (I assume it is...)
>
> Hasn't essentially every ISP on the planet been doing that for years, only without the disclaimer? It's not like we're talking about creating UPnP from whole cloth. We're discussing a replacement of like-for-like, updating existing capabilities to support IPv6.
As was mentioned earlier, the end-user is mostly clueless and 'just wants things to work'(tm). They do not know/care enough to make wise decisions when it comes to security and they can't identify the absence of security features.

Personally I only have rudimentary knowledge of UPnP and the UPnP Forum, but there are real security issues with the protocol and no(?) effort to fix them; current security specs are from 2003 (and there is a varying degree of implementation in products of the security features that actually are in the standard).

In the last years the security problems in e.g. Microsoft products have gotten a lot of press and even Joe Sixpack has a hunch that he ought to get an anti-virus program. With the increasingly complex home network environment we will likely see more advanced attacks including UPnP. Then we have a situation with embedded devices with more and more functionality which are hard to patch, that run insecure protocols, and it will end up in a real mess.

I basically agree with you, adding IPv6 would be a like-for-like replacement. But one difference is that there is an increased attack vector with a higher degree of connectivity (no NAT) and more complex and less mature IP implementations in devices.

UPnP might still be the way to go as it is already there, 'it works' etc. But not working actively with the security issues in the standards is plain stupid. The standard and the functionality of the CPE is the responsibility of the CPE manufacturer. And I guess that the responsibility of the ISP is to provision its customers with as good and secure CPEs as the market provides (and if the s*** hits the fan, point at the CPE manufacturer).

Regards,
/Joakim