Hi Joel,

On 28.09.2011 22:39, Joel M. Halpern wrote:
> Then use a good firewall to control what is and is not allowed to pass.
> What I am objecting to is requiring an ALG, and using addressing to try
> to create security.

Sure, ALGs are ugly, but usually you don't want
any kind of unwanted traffic on safety-critical internal
devices (think of flooding, sending exploit packets, etc.).
Furthermore, I'm very pessimistic about end-system security.
IMHO we will never see exploit-free implementations given the
ever-growing complexity of our systems. Allowing direct end-to-end
communication to internal devices IMHO increases attack possibilities.
An ALG has the advantage that you have more possibilities for policing
and that any communication not explicitly modeled cannot pass the ALG.

Regards,
 Roland
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
