> > I think the vendor of one of these devices should have the freedom
> > to determine the device's "out of the box" configuration, based on
> > expected usage patterns.
>
> Here I strongly disagree. It's simply not reasonable in general for a
> vendor to make assumptions about the distribution of threats in a
> customer's network. For the very limited case of home networks, it
> might be reasonable, but I have strong doubts that either it's
> reasonable to define a 'home network' or to have 'home network
> devices' as a special class for which it's declared okay to be
> insecure out of the box.

Not surprisingly, this reminds me of our discussion of "Default Address Selection". :-)

Obviously, an application or device must have *some* "out of the box" configuration. Unfortunately there is a trade-off between security & usability. One can imagine several possible "out of the box" configurations.

The first would be no security: the app/device is accessible by all. From past history & human nature we know that far too many users will fail to configure the app/device. So this is not a good default configuration.

Another possibility is complete security - in other words, the app/device is not functional until it is configured. The problem here is that the annoyed user is most likely to "fix" the problem by disabling security.

Finally, an "out of box" configuration that relies on site-locals offers some security with reasonable utility - not perfect on either dimension but pretty good for most environments.

> I find this kind of thinking rather suspect. The question in my mind
> shouldn't be "why global", but "why not global". There seems to be an
> underlying assumption that site locals would give better security
> properties due to their global inaccessibility. I find that rather
> uncompelling and misguided as this is just carrying forth the broken
> assumption that barriers (firewalls, etc) can do an adequate job of
> protecting things. Anything which propagates that sort of thinking
> is, IMO (and almost certainly not in my employer's) bogus and needs
> to be checked. We need to keep beating the strong auth/authz drum
> here.

First, site-locals offer better security than a single firewall, because typically there will be multiple routers on the path between an attacker and a customer site, all filtering site-locals.

Second, I agree that strong security is great and we should work towards it. But "defense in depth" argues for having multiple security mechanisms, so even with strong security I think site-locals and firewalls have a place.
Rich

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------