Re: HOMENET working group proposal

In message <201106300425.p5U4PUmx029187@xxxxxxxxxxxxxxxxxxx>, Martin Rex writes:
> Masataka Ohta wrote:
> > 
> > Fernando Gont wrote:
> > > 
> > > I personally consider this property of "end-to-end connectivity" as
> > > "gone".
> 
> It's gone for good.

It doesn't have to be.
 
> Didn't the internet start out as a Network of Networks?
> Then there was a time when it became popular to the general
> public, and everyone was happy when he had one single PC
> with a modem to connect to the internet.
> 
> Today we're back to where it started, the internet
> is a network of (local) networks, and it is important
> to keep the networks properly separated because of the
> unbounded growth of features and bugs/vulnerabilities
> in popular operating systems for the computer novice.

Very little of which a standalone firewall helps with.

> The average DSL home router does more than just NAT,
> it is a DHCP server for a private address space,
> a DNS server that fakes locally assigned/claimed hostnames
> into the DNS name resolution (and continues to work even
> if the internet link is down).  You really do not want
> devices of everyone's home network (e.g. the admin web interface
> of your DSL router, your NAS, your set-top-box, etc.)
> to become freely accessible from everywhere on the internet,
> because it is likely close to impossible to preconfigure
> new home&entertainment devices in a fashion that they're
> securely accessible only to their rightful average
> non-security-geek owners and nobody else, and it will
> be entirely impossible to convert any of the existing
> installed base of devices into such a fully-accessible-for-owner
> and 100%-inaccessible-for-everybody-else configuration.

Total utter garbage.  For IPv4 DHCP tells you what is local and
what isn't when the address is assigned.  For IPv6 you know from
the RAs what prefixes are local and what aren't.

About the only thing you want the external router/firewall to do
is to prevent spoofed traffic for internal addresses being delivered.
Everything else should be wide open by default and let the host
firewall deal with the rest.

Too many of us come from a time when machines didn't have firewalls
built into them and you needed an external firewall.  It has warped
our thinking about security.

> If IPv6 does not offer the same properties as the
> current IPv4 internet subscription for the average home user
> -- which implies NAT, private local network and smooth
> local operation when the internet is down -- then
> very few will want IPv6 to their homes (I certainly
> wouldn't want it), and IPv6 adoption will continue to
> drag along for several years.
> 
> > How do you think about P2P applications?
> 
> NAT-PMP or IGD over UPnP come to mind.
> 
> 
> -Martin
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/ietf
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@xxxxxxx
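The division of labour Mark Andrews argues for above, modelled as an added example (not code from the thread or from ISC): the edge router only drops WAN-ingress packets whose source address claims to be internal, while the host derives its on-link prefixes from its DHCPv4 lease and the RA prefix information and applies its own per-service policy. All addresses, prefixes, packets and the policy table are constructed sample data.

```python
# Added example, not from the original post. Models "the external router only
# blocks spoofed internal sources; the host firewall decides the rest."
# Addresses, prefixes and packets below are constructed sample data.
from ipaddress import ip_address, ip_interface, ip_network

def local_prefixes(dhcp_lease, ra_prefixes):
    """On-link prefixes a host knows about.
    dhcp_lease: 'addr/prefixlen' as learned from the DHCPv4 lease.
    ra_prefixes: prefixes carried in Router Advertisement prefix options."""
    nets = [ip_interface(dhcp_lease).network]
    nets += [ip_network(p) for p in ra_prefixes]
    return nets

def is_local(src, nets):
    """True if src falls inside any known on-link prefix (v4 or v6)."""
    addr = ip_address(src)
    return any(addr in n for n in nets)

def edge_filter(packet, nets):
    """Edge router rule: drop packets arriving from the WAN side that
    spoof an internal source address; forward everything else unchanged."""
    if packet["ingress"] == "wan" and is_local(packet["src"], nets):
        return "drop"
    return "forward"

def host_filter(packet, nets, policy):
    """Host firewall: policy maps destination port to 'local' (reachable
    only from on-link addresses) or 'any' (reachable from anywhere).
    Ports not in the policy are closed."""
    scope = policy.get(packet["dport"], "deny")
    if scope == "any":
        return "accept"
    if scope == "local" and is_local(packet["src"], nets):
        return "accept"
    return "drop"

if __name__ == "__main__":
    nets = local_prefixes("192.0.2.10/24", ["2001:db8:1::/64"])
    policy = {445: "local", 22: "any"}   # constructed sample policy
    print(edge_filter({"ingress": "wan", "src": "192.0.2.77"}, nets))
    print(host_filter({"src": "2001:db8:2::5", "dport": 445}, nets, policy))
```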