Re: Time to move beyond the 32 bit Internet.

On Jul 1, 2014, at 9:55 AM, Fred Baker (fred) <fred@xxxxxxxxx> wrote:

> 
> On Jul 1, 2014, at 3:45 AM, Fernando Gont <fernando@xxxxxxxxxxx> wrote:
> 
>> IPv6 with a diode-firewall on the perimeter would essentially face the
>> same challenge/problem. I seem to recall folks noting that that's how
>> they deploy v6 to the home...
> 
> Well, sort of. A zone-based firewall (NAT or otherwise) primarily allows in responses to traffic it has sent out, and https://tools.ietf.org/html/rfc6092 is an example of that. However, just as NATs do, such firewalls usually allow for a firewall rule that will allow specified traffic to go to a specified address. That’s the purpose of PCP, for example. 
> 
> That is a place I have well and truly scratched my head regarding the firewall discussion in the IETF. There’s a set of people, including me, that think that firewalls have a certain level of utility and in any event are a business requirement. There’s another set of people who “don’t want no stinkin’ firewalls”, and argue their case on the basis of the end to end principle. No aspersions here; I understand their point, and my daughter’s surveillance service would be a case in point of the kind of service they want to enable.
> 
> Where my head tips is this. I see three kinds of traffic across that divide. One is sessions originated from the network - I sent something to Netflix, Facebook, or whoever, and it replied. The vast majority of residential traffic, I would guess, falls in that category, and apart from electric mail and traffic to business services to customers, I would guess that the vast majority of legitimate enterprise traffic does as well. A second is sessions originated from outside the network to services that the network intends to offer - web access to www.example.com, incoming SMTP, my daughter’s surveillance service (which is a web access), and so on. The third is “everything else” - traffic that wasn’t invited and has no application, and perhaps no host, to respond to it.
> 
> The first works in almost any case - a firewall that prevents you from running an application you want to run isn’t going to last very long. The second is trivially allowed for by a firewall rule or PCP/UPnP exchange, and if there is an application (set-top box or whatever) in the home that wants to allow for such a service, it can fire off the request. The third - what is the argument for letting that into my home or enterprise network? 
> 
> And I tend to think that the conversation breaks down at that point. Everyone agrees on the first and second. When someone says “I want to block the third”, the response is “but I want to allow the second” without acknowledging or commenting on the third. And I just find myself shaking my head in disbelief. Wouldn’t it be nice if both speakers in the conversation would address the same subject?

I should have included one more aspect in the third set. That is traffic disallowed by policy. Current top-of-mind in security circles includes NTP attacks - someone sends a message with a spoofed source address to an NTP server, which now sends something to that address every mumble time units. In a home, the counterpart might be a media server - something I have and intend to be used by people in my home. In such cases, while the application and server it runs on exist, it is not intended for use by folks “outside”. So once again, traffic to it “from outside” is uninvited and has no application, and perhaps no host, *intended* to respond to it.

And again I ask - sure, we all agree on category 1 and 2 - accesses to services from within and permitted access to services from without - but what’s the argument for allowing the third category into the network?
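A small model of the three-category policy discussed in this thread, added here as an illustration and not part of the original messages: connection state answers category 1, an explicit rule or PCP/UPnP-style mapping answers category 2, and whatever is left (including a spoofed query to an unpublished NTP server, or a probe at a home media server) is category 3. All addresses, ports and the published-service set are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True when the packet enters the network from outside

class ZoneFirewall:
    """State answers category 1, explicit rules answer category 2, and
    everything left is category 3, which the policy drops."""

    def __init__(self, published):
        # published: (proto, inside address, port) tuples opened by an admin
        # rule or a PCP/UPnP request from an inside host (constructed here)
        self.published = set(published)
        self.flows = set()  # sessions the network itself originated

    def classify(self, pkt):
        if not pkt.inbound:
            # Remember the outbound session so its replies count as category 1.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "outbound"
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return 1  # reply to a session we started
        if (pkt.proto, pkt.dst, pkt.dport) in self.published:
            return 2  # service the network intends to offer
        return 3  # uninvited: no application, or no *intended* responder

def run_sample():
    """Constructed traffic against a home with one published web server."""
    fw = ZoneFirewall(published={("tcp", "2001:db8:1::80", 443)})
    sample = [
        ("laptop fetches a page", Packet("tcp", "2001:db8:1::10", 50000, "2001:db8:ffff::1", 443, False)),
        ("the reply comes back", Packet("tcp", "2001:db8:ffff::1", 443, "2001:db8:1::10", 50000, True)),
        ("visitor hits published web server", Packet("tcp", "2001:db8:ffff::2", 40000, "2001:db8:1::80", 443, True)),
        ("spoofed query to unpublished NTP server", Packet("udp", "2001:db8:ffff::3", 123, "2001:db8:1::7", 123, True)),
        ("outsider probes the media server", Packet("tcp", "2001:db8:ffff::4", 41000, "2001:db8:1::20", 8200, True)),
    ]
    return [(label, fw.classify(pkt)) for label, pkt in sample]

if __name__ == "__main__":
    for label, cat in run_sample():
        print(f"{cat!s:>8}  {label}")
```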
