On Tue, Sep 28, 2021 at 4:18 PM Randy Bush <randy@psg.com> wrote:
>> the ietf did not give guidance to cpe vendors to protect toys inside
>> your LAN
> guidance aside... 'Time To Market' (or "Minimum Viable Product - MVP!) is
> likely to impact all of our security 'requirements'. :(

that point was made in the paper i cited

"This is a preview of subscription content, log in to check access."
  <paywall complaint goes here>

I can see a weirdo looking image with 'port scan data', which roughly seems to say:
  "Hey, turn on the firewall"
on all of their tested devices... and what look like 'cablelabs affiliates' mostly did
the right thing with that fw policy.
 
> I also thought 'homenet' (https://datatracker.ietf.org/wg/homenet) was
> supposed to have provided the guidance you seek here?

got a cite for the guidance?


sure, that's in the referenced architecture document from your link
(one of the other few things I can see is the references section):
  3. Chown, T., Arkko, J., Brandt, A., Troan, O., Weil, J.: IPv6 home networking
     architecture principles. RFC 7368, Internet Engineering Task Force (October 2014)
 
The points about NAT in v4 being 'helpful' are sort of right, but the attacks just
move up the stack[0] :( so I don't think it's particularly germane to worry/not about nat
for 'security' purposes.

-chris

0: https://us.norton.com/internetsecurity-malware-malvertising.html
    (NOTE: I'm not a fan of norton nor any AV really, but.. the article makes the
    'up the stack' point)