On Jun 30, 2011, at 12:14 PM, Martin Rex wrote:

> Keith Moore wrote:
>>
>> Perimeter security of some kind is probably appropriate.
>
> Not just appropriate, it is an indispensable prerequisite.

I could take some issue with the indispensable part, because I also think that PCs are dinosaurs. For a sufficiently small home network, there's a point where a firewall could provide very little marginal gain in exchange for the complexity and fragility that come with it.

I do think that some sort of perimeter security should be part of a home network architecture, but I'd strongly object to the idea that hosts and appliances don't need to be secure because they can expect a firewall to provide their security for them.

>> That doesn't mean that it has to look like firewalls do today.
>
> Not necessarily. But any sensible security requirements and
> primarily the requirement of the smallest possible attack surface
> amount to it.

The most common kinds of firewalls used today do anything but that.

>> For one thing, users shouldn't have to muck with the details of
>> which ports to allow.
>
> _Unless_ they want to make a service accessible to the internet
> with software produced by folks or companies which prioritize
> features and merchantability far over security, quality and robustness
> -- which is to say 99.999% of the available software.

a. Maybe part of what HOMENET should do is establish security expectations for appliances and applications intended to provide services from such an environment.

b. Get out of the habit of thinking that using IP addresses and port numbers as authentication tokens is in any way sane or secure.

>> And the idea that every application server on a home network needs
>> to negotiate access through some application-specific external server
>> (as is generally the case with NATs today) is also ridiculous.
>
> No, it is a simple technical problem that can be solved with a few
> lines of extra code for those few applications where it actually matters.

That's a completely incorrect and ridiculous statement.

> Home networks should ALWAYS be NATed to the internet, so that it is
> not possible to provide a simple policy switch to make everything on
> the home network fully accessible from the internet, because any
> such switch will inevitably be abused much more often by the bad,
> poor novices and ignorant than sensibly employed by the needy and
> security conscious.

Another completely ridiculous statement. You're trying to cripple home networks. More generally, you're arguing for the perpetuation of hacks that never did work very well, instead of leaving room for better mechanisms to be developed.

> Anything other than whitelisting is irresponsible security-wise.
> And dynamic whitelisting (the motivation behind NAT-PMP) is even better.

Whitelisting might be fine. Basing that whitelist on port numbers and IP addresses is insane. And users need better ways to manage the whitelist than typing in arcane information that they don't understand anyway for each service that they want to permit.

> Privacy is another issue. The current custom here in Germany is that
> the external IP-Address on your home gateway is dynamically assigned,
> it changes on every new assignment, i.e. when the DSL connection
> is reestablished after a carrier loss or cable disconnect,
> whenever you ask your DSL router for it, and at least once
> every 24 hours.
>
> While this does not provide perfect privacy protection, it is a
> good start. For many internet usage scenarios, the use of a
> longterm static IP-Address for home users would be completely
> irresponsible with respect to data privacy, and would likely make
> any logging of client IP-Addresses on servers unconditionally
> illegal in European countries.

Dynamically assigned addresses don't provide any privacy protection if there's some service (like Dynamic DNS) that always points to the current address. Again, you're trying to perpetuate brain damage.

> With respect to privacy, anything besides strictly voluntary,
> well-informed opt-in and anytime easy opt-out again, is a non-starter.

That much I agree with. We disagree about the mechanisms.

> No application, unless it absolutely, positively and unavoidably needs
> to, should use a fixed/static address without the affected folks
> having provided conscious and clear consent.

Ridiculous.

Keith

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf