[arin-discuss] Trying to Understand IPV6

Chris Boyd cboyd at gizmopartners.com
Tue Sep 14 22:21:20 EDT 2010


On Sep 14, 2010, at 7:56 PM, Joe Maimon wrote:

> SPI costs product development and support. SPI causes state table exhaustion issues for p2p and similar multitude of connections traffic. Port scanning through an SPI isn't any fun, as an example. SPI default deny creates support issues and product perception issues when end users believe or are told that they need to manually tune or turn it off.
> 
> Is it not possible that "Turn off the firewall on your router" won't become part of the standard support script?

SPI Default Deny saves frazzled IT staff lots of time and hair follicles when the end user calls software vendor support themselves instead of calling IT, they have local admin, and the support person says "turn off the firewall on your machine."  Yes, "turn off your home firewall" _will_ become part of the standard support script for application support vendors (especially consumer apps) where the goal typically is to "fix the problem," not worrying about the other problems that it will create for other people down the line.  Some clever company will probably even write a little application that the customer can run that will go out and use UPnP or some similar method to do it for them.

NAT is ugly, but completely open access will be uglier for the rest of the Internet.  Worm writers will find ways to optimize scanning local and remote networks.  Phishers will entice people to click on the shiny thing and willingly infect their own box.  Default deny in can help mitigate the damage to those around them.

--Chris
