[OpenWrt-Devel] IPv6 firewall and Port Control Protocol (Was: Barrier Breaker 14.07-rc1)

David Lang david at lang.hm
Fri Jul 18 15:10:06 EDT 2014

On Fri, 18 Jul 2014, Benjamin Cama wrote:

> On Thursday 17 July 2014 at 17:03 -0700, David Lang wrote:
>> But the reality is that hackers and worms have shown that leaving systems
>> exposed to the Internet is just a Bad Idea.
> Do you mean, all the hackers and worms we see today despite all these
> systems being behind blocking firewalls and NATs?

Yep, how much worse would they be if more systems were exposed?

> […]
>> link-local addressing isn't a good idea, because the average home will have
>> three separate links (wired plus two bands of wireless), these can get bridged
>> together, but that causes problems as well.
> For this, you have ULA. It is available in OpenWRT and recommended by
> the RFCs cited earlier.

But these low-quality devices will not be using local addresses (unless the
router implements outbound NAT) because they will need to connect to "the cloud".

> […]
>> But do you really want to see the news stories about how anyone running openwrt
>> is vulnerable to $latest_windows_exploit but people running stock firmware
>> aren't?
> This is nonsense, this will never happen as nobody cares about OpenWRT.

So we should just all go home since nobody cares what we do.

>> Yes, it would be ideal if every host was locked down so that it was safe for
>> them to be exposed.
> They are exposed anyway, by other means.

There are degrees of exposure, and while I agree that perimeter security by
itself is not what we really want, throwing away perimeter security on the
theory that every device is going to be secure, or that they are exposed anyway,
is just begging for trouble.

David Lang