Re: [Full-disclosure] IPv6 security myths

>>>>> "Fernando" == Fernando Gont <fernando@xxxxxxxxxxx> writes:
    >> For instance, a reason to create a new network "zone" is because we
    >> don't provide printers with decent access control lists (authorization),
    >> instead, we make them wide open and then throw WPA on the wireless so
    >> that it's "secure", and then assume if you've authenticated, you are
    >> authorized to print. 
    >> IPv6 would make that a new subnet, no additional layer of NAT, and do
    >> the authorization by IP address.

    Fernando> Huh? Why would one authorize access to a printer on a per-address basis?
    Fernando> Why should every user on the same computer have the same access rights
    Fernando> to the printer? -- This is probably a hint that, even if deployable,
    Fernando> IPsec may not be what you need/want.

Right now, everyone who knows the WPA2 key for the network can print.
I agree that the printer needs finer grained access controls.

IPsec, the specification, btw, has them, but they are not widely
implemented, and there has been no interest in the community towards any
kind of standard API for applications to be able to communicate with the
IPsec service about that. 

-- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@xxxxxxxxxxxxxxxxxxxxxx http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
	               then sign the petition. 
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf