Hello Benjamin,

On July 17, 2014 7:45:10 PM CEST, Benjamin Cama <ben...@dolka.fr> wrote:
> On Wednesday, 16 July 2014 at 21:12 +0200, Sebastian Moeller wrote:
>> What is so wonderful about IPv6? Malware surely will evolve quickly
>> to take advantage of a dropped layer of defense…
>
> “Layer of defense”? To most, it will just translate to a brick wall
> that will have to be worked around by some other means because nobody
> except advanced users can configure their firewall.
I argue that people unable to change the router settings are better off with all unsolicited inbound traffic disabled.

>> For experts like you and Benjamin the default does not really matter
>> that much; you can easily change it to your liking. But think about
>> non-experts.
>
> I totally do this for non-experts: non-experts won't ever touch their
> default configuration. So, basically, they will have no inbound
> connection possible, so manufacturers will find other means to do
> whatever they can to allow for that to happen (as they are doing today
> with IPv4). It will just be even less controllable by yourself (custom
> protocols, etc). Even if PCP comes: imagine then that devices configured
> with PCP will be accessible from outside, and… will they be magically
> immune to anything this way? They will have to be secured anyway.

Note that I argue for a per-device white list, especially since I do not think that an automatic port opening method has the security guarantees I hope for. But note that with your proposal ALL devices need expert configuration. There is no magic immunity from ports closed by default, just a reduced attack surface...

>> I for one would be quite startled if the switch to IPv6 would expose
>> parts of my device zoo that were never configured with that problem in
>> mind…
>
> Please, cite me any device today that can be dangerously exposed by an
> IPv6 connectivity.

While not from today: http://www.kb.cert.org/vuls/id/986425 looks pretty bad... Actually googling for IPv6 CVE does seem to find quite a lot. At least enough to make ports open by default look like a risky proposition. Now you could argue that all Linux CVEs will also affect the router... But assuming all IPv6 devices will stay safe and secure forever seems a bit too optimistic...

> A printer, for example, should be bound (to me) to a link-local address
> by default. I don't know any manufacturer who does so (well, they don't
> support IPv6 anyway…).
>
> --
> benjamin

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
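An added illustration (not from the thread and not a file shipped by the OpenWrt project) of what the per-device white list argued for above looks like as an OpenWrt `/etc/config/firewall` fragment: unsolicited inbound traffic from wan is rejected for IPv4 and IPv6 alike, and a single rule admits one port on one named host. The host address, rule name and port are constructed placeholders.

```uci
# /etc/config/firewall (fragment). Added illustration, not the thread's
# or the OpenWrt project's own file; addresses and names are constructed.

config defaults
    option syn_flood    1
    option input        ACCEPT
    option output       ACCEPT
    option forward      REJECT

config zone
    option name         lan
    list   network      'lan'
    option input        ACCEPT
    option output       ACCEPT
    option forward      ACCEPT

# Everything arriving unsolicited from the Internet is rejected. For IPv6
# the forward policy is the one that counts: LAN hosts have global
# addresses and are not hidden behind NAT, so this zone policy is the
# "closed by default" state the thread is about.
config zone
    option name         wan
    list   network      'wan'
    list   network      'wan6'
    option input        REJECT
    option output       ACCEPT
    option forward      REJECT
    option masq         1
    option mtu_fix      1

config forwarding
    option src          lan
    option dest         wan

# Per-device white list entry: one host, one service, IPv6 only.
# Every further device that must be reachable gets its own rule of this
# shape instead of a blanket ACCEPT forward from wan to lan.
# 2001:db8::/32 is the documentation prefix; the host below is constructed.
config rule
    option name         Allow-SSH-to-host-v6
    option src          wan
    option dest         lan
    option family       ipv6
    option proto        tcp
    option dest_ip      2001:db8:0:1::10
    option dest_port    22
    option target       ACCEPT
```

With this in place a LAN host is reachable from outside only on the ports its own rule lists; deleting the rule returns it to the closed-by-default state, which is the reduced attack surface the reply refers to.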