[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CPEs -- security

To: Christian Huitema <huitema@windows.microsoft.com>
Subject: Re: CPEs -- security
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Sun, 6 Jan 2008 00:27:55 +0100
Cc: IPv6 Operations <v6ops@ops.ietf.org>
In-reply-to: <AFE0AC8DCDE68842B94E8EC69D5F21D635EB120092@NA-EXMSG-W602.wingroup.windeploy.ntdev.microsoft.com>
References: <58BFC685-DA33-418A-A37A-9075509987D4@muada.com> <AFE0AC8DCDE68842B94E8EC69D5F21D635EB120092@NA-EXMSG-W602.wingroup.windeploy.ntdev.microsoft.com>

On 4 jan 2008, at 19:28, Christian Huitema wrote:

2a) The decision to empower applications rightly belong to the user.The user should make a conscious arbitration between the benefitsderived from the application, and the exposure created by runningthat application. Whether the application uses its own code toachieve that or whether it is built using system components isirrelevant.

I don't think it's always irrelevant. For instance, I suggested at onepoint that a host would indicate its desire to be unfirewalled throughan neighbor discovery option. There is no reasonable way forapplications to use such a mechanism.

Also, it could be considered undesirable to have individualapplications do things like this without oversight from "the system".

In any case, the IETF should not be concerned with the internalarchitecture of end systems, and should not engage in a debate onthe split of functions between application, OS, libraries, hostfirewalls and other common services.

Well, obviously someone has to do it, because otherwise there is nostandard way for applications to ask for these services.

2b) The solutions that do work well in practice, like STUN andTeredo, are those that do not require any explicit signaling betweenthe end system and the gateways or firewalls. Explicit signaling hasa mediocre record of working when the system is directly connectedto the gateway -- UPNP, for example, ends up working in maybe twothirds of such deployments. Explicit signaling just does not workwhen the router is several hops away. If the problem is "how tocross stateful filtering routers", the solution has to be "createstate", probably by sending sacrificial packets along the path inorder to "open the filters".

You're basically saying that the situation where there is no need fora protocol because systems can trigger the desired action unilaterallyis preferable over the situation where two systems need to cooperateso there must be a protocol between them to accomplish this. That is atruism.

However, it doesn't apply here. There is simply no reasonable way toget traffic past a stateful firewall without the cooperation from thefirewall. Also, unlike the IPv4 situation, we actually do get to thinkabout this before there are millions of boxes from dozens of vendorsout there.

One was to allow IPSEC through by default, with the reasoning that ahost implementing IPSEC also has its own internal firewall.

My thinking here was that IPsec is specifically designed to rejectunknown traffic and IKE/ISAKMP is specifically designed to operate ina hostile environment, so no additional firewalling is required.

References:
- CPEs
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- RE: CPEs -- security
  - From: Christian Huitema <huitema@windows.microsoft.com>

Prev by Date: Re: Discussion of the Home/SOHO environment
Next by Date: Re: Teredo server selection
Previous by thread: RE: CPEs -- security
Next by thread: Re: CPEs
Index(es):
- Date
- Thread