> Not surprisingly, this reminds me of our discussion of "Default Address
> Selection". :-) Obviously, an application or device must have *some*
> "out of the box" configuration.
>
> Unfortunately there is a trade-off between security & usability. One can
> imagine several possible "out of the box" configurations. The first
> would be no security, the app/device is accessible by all. From past
> history & human nature we know that far too many users will fail to
> configure the app/device. So this is not a good default configuration.
> Another possibility is complete security - in other words, the
> app/device is not functional until it is configured. The problem here is
> that the annoyed user is most likely to "fix" the problem by disabling
> security.
I don't buy this argument, for several reasons. I don't buy that having the vendor guess what works for the user and the user's network will be more secure overall than asking the user what the security policy should be.

Perhaps more importantly, I don't buy the argument that *any* set of addresses should be considered trustworthy, by default or otherwise. Addresses are simply not sufficient as an authentication mechanism. This is not a practice that IETF standards should endorse or encourage.

The only exception that I can see is a device that has no keyboard or display, and which must be configured over the net. In those cases I think it makes sense to allow the device to be configured from another host on the same link - so the device would accept connections to its link-local or maybe site-local address until it was configured. But it should still require explicit configuration before allowing normal use if it has valuable resources to protect.

So if you are asking the question about which set of addresses should be trusted by default, I claim you are asking the wrong question.

> First, site-locals offer better security than a single firewall, because
> typically there will be multiple routers on the path between an attacker
> and a customer site, all filtering site-locals.

It doesn't follow, because you are only considering one kind of threat, and you aren't considering other arguably more important aspects of security - such as the ability to detect break-ins and attacks.

> Second, I agree that
> strong security is great and we should work towards it. But "defense in
> depth" argues for having multiple security mechanisms, so even with
> strong security I think site-locals and firewalls have a place.

Actually, site-locals seem to make defense in depth more difficult.
Keith

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------