On 06/30/2011 02:26 AM, Keith Moore wrote:
Rather than having another of an endless series of discussions about
the merits of NAT or lack thereof, can we just agree that it should
not be pre-ordained that this WG should assume NAT as a solution?
I was originally arguing, at the very least, in favour of a stateful
firewall at the border.
Please correct me if I'm wrong, but this is what the IETF has already
proposed (output of v6ops) for v6.
I don't think you want your home network to be owned as a result of last
"patch Tuesday" set of vulnerabilities... or that you want a brittle
printer or fridge possibly impossible to patch) to be DoSed/owned just
because it was cool to have it available on the Internet. (nor should we
expect them to run a "host-based" firewall).
Many/most networks are there to provide a specific service to their
users (not for us to experiment with) -- whether we like it or not. As
long as they are able to provide that service, I don't find a compelling
reason for them to increase risk through unnecessary increased exposure.
(Yes, in those cases in which you *need* increased exposure, you open
your network -- i.e., "default deny")
Thanks,
--
Fernando Gont
e-mail: fernando(_at_)gont(_dot_)com(_dot_)ar || fgont(_at_)acm(_dot_)org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf