BBC News - 'Fresh proposals' planned over cyber-monitoring
fw at deneb.enyo.de
Tue May 14 20:38:31 BST 2013
* Ian Batten:
> On 13 May 2013, at 18:45, Florian Weimer <fw at deneb.enyo.de> wrote:
>> Similarly, I don't think we want our fridges to be reachable from the
>> public Internet at large, just because it happens to have an IPv4
>> address for our own (personal) use.
> I don't buy that argument. It's trivially easy for routers to have
> a default-block firewall rule with outbound state tracking, which
> mimics the security semantics of NAT.
And with such filtering, end-to-end reachability between arbitrary
devices who haven't got a previous relationship is just not possible.
>> pass out quick on ip.tun1 from any to any keep state
>> block in quick on ip.tun1 from any to any
> That does, however, permit those of us that do want access to our
> internal machines to do so as well.
True, but applications still have to work around filters. IPv6, when
eventually deployed, will not provide much simplification (except for
protocols which are actively hostile towards NAT, but upgrading them
to IPv6 will often be difficult, due to embedded addresses etc.).
More information about the ukcrypto