Hi,

On 12 October 2011 00:50, Russ White <ru...@riw.us> wrote:

>
> > We would like to get plenty of review and comment.
>
> Rather than dealing with individual edits, I'd rather start with a
> general philosophy question. I understand that the IETF thinks NATs are
> evil, but I also think there shouldn't be so much emphasis on "homenets
> are not NAT," in an architecture document. Can we sideline the entire
> discussion over NATs? They're going to be there no matter what.
>
> My second concern is that while I understand the "end-to-end principle,"
> I also know that it's not realistic in many situations --and the home is
> one place where it's probably not. I know, I know, this is all heresy,
> but hear me out for a second before you hit reply and tell me how stupid
> I am being.
>
> This one line illustrates the entire concept in a nutshell:
>
>
> > Security perimeters can of
> >       course restrict the end-to-end communications, but it is
> >       easier to block certain nodes from communicating than it is to re-
> >       enable nodes to communicate if they have been hidden behind
> >       address translation devices.
>

I think you are quoting from the "Transparent End-to-End Communications"
section on pages 14/15
which is to do with communications _within_ the home network.


> Is this really true? When I want to secure a physical space, I block off
> all access, then put in carefully thought out access control points. I
> don't pile all my goods in the middle of the street, and then actively
> monitor every person who walks by, hiring more people to do the
> monitoring as needed.
> ...


Generally speaking, I want open access within my home network,
but may add specific rules to stop e.g. guest wi-fi getting to certain
servers.

I don't want layers of NAT within my home network, which is what you can get
if you plug the WAN port of a IPv4 network device into the LAN port of
another device.

> So, IMHO:
>
> 1. Stop the screed against NAT.
>
> 2. Set out positive requirements, rather than negative ones.
>
> 3. Be realistic about security --the default should be _nothing_ reaches
> into my home, and I should have an easily manageable way to allow what I
> want to allow. The default should not be an open door to anyone from
> anyplace at any time, and then "we'll put in advanced monitoring to
> block activity."
>

See the "Security, Borders, and the elimination of NAT" section on page 5.
---
      [RFC6092] provides recommendations for an IPv6 firewall that
      applies "limitations on end-to-end transparency where security
      considerations are deemed important to promote local and Internet
      security."  The firewall operation is "simple" in that there is an
      assumption that traffic which is to be blocked by default is
      defined in the RFC and not expected to be updated by the user or
      otherwise.  The RFC also discusses an option for CPEs to have an
      option to be put into a "transparent mode" of operation.

      It is important to distinguish between addressability and
      reachability; i.e.  IPv6 through use of globally unique addressing
      in the home makes all devices potentially reachable from anywhere.
      Whether they are or not should depend on firewall or filtering
      behaviour, and not the presence or use of NAT. ...
---

Does this address your concerns?

    John
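As an added illustration of the addressability/reachability distinction the quoted section draws (this is my own toy model, not code from the homenet draft, RFC 6092, or anyone on this thread; the prefix, addresses, pinhole and guest-segment rules are all constructed), here is a small filter that behaves the way the draft describes: every home device is globally addressable, but unsolicited inbound connections are dropped unless a flow was opened from inside or an explicit rule allows it, and a "transparent mode" switch turns the default filtering off. It also shows the kind of internal rule I mentioned above (keeping a guest Wi-Fi segment away from a particular server) without any translation anywhere.

```python
"""Toy model of an RFC 6092-style IPv6 "simple security" home router.

Added illustration (not code from the homenet draft, RFC 6092 or this
thread).  Every home device gets a global address, so it is addressable;
whether an outside host can actually open a connection to it is decided
here by filtering state and explicit rules, never by address translation.
The prefix, addresses and rules are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network

# Constructed: the home's delegated prefix (documentation range).
HOME_PREFIX = IPv6Network("2001:db8:1234::/48")


@dataclass(frozen=True)
class Packet:
    src: IPv6Address
    dst: IPv6Address
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass
class HomeRouterFilter:
    # RFC 6092 "transparent mode": no default inbound filtering at all.
    transparent: bool = False
    # Explicit inbound allowances: (proto, home address, port).
    pinholes: set = field(default_factory=set)
    # Inside-the-home restrictions: (source network, blocked home address),
    # e.g. keep the guest Wi-Fi segment away from the NAS.
    internal_blocks: set = field(default_factory=set)
    # Flows the home initiated, keyed so that the reply direction matches.
    _flows: set = field(default_factory=set, init=False)

    @staticmethod
    def _inside(addr: IPv6Address) -> bool:
        return addr in HOME_PREFIX

    def decide(self, pkt: Packet) -> str:
        src_in, dst_in = self._inside(pkt.src), self._inside(pkt.dst)
        if src_in and dst_in:
            # Open access within the home unless a specific rule says otherwise.
            for net, blocked in self.internal_blocks:
                if pkt.src in net and pkt.dst == blocked:
                    return "drop"
            return "accept"
        if src_in:
            # Outbound: record the flow so its replies are recognised.
            self._flows.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "accept"
        if dst_in:
            if self.transparent:
                return "accept"
            # Reply to a connection a home device opened.
            if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self._flows:
                return "accept"
            # Explicitly opened service: the address never changed, so the
            # rule names the device directly.
            if (pkt.proto, pkt.dst, pkt.dport) in self.pinholes:
                return "accept"
            # Addressable but, by default, not reachable.
            return "drop"
        return "drop"  # neither end is in the home; not ours to forward


def demo() -> list:
    """Walk through the four cases the draft text implies (constructed addresses)."""
    nas = IPv6Address("2001:db8:1234:1::10")
    laptop = IPv6Address("2001:db8:1234:1::20")
    outside = IPv6Address("2001:db8:ffff::1")
    fw = HomeRouterFilter(pinholes={("tcp", nas, 22)})
    return [
        fw.decide(Packet(outside, nas, "tcp", 40000, 445)),    # unsolicited inbound
        fw.decide(Packet(laptop, outside, "tcp", 51000, 443)),  # laptop opens a flow
        fw.decide(Packet(outside, laptop, "tcp", 443, 51000)),  # reply to that flow
        fw.decide(Packet(outside, nas, "tcp", 40001, 22)),      # explicitly opened port
    ]


if __name__ == "__main__":
    print(demo())
```

The point of the model is that the "allow what I want to allow" step is just a rule naming the device's own address and port; nothing has to be re-enabled or mapped back through a translator, which is exactly the asymmetry the "easier to block than to re-enable" sentence is getting at.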
_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
