Re: simple security
On 24/03/10 6:12 AM, "Rémi Denis-Courmont" <remi@remlab.net> wrote:
>
> On Tue, 23 Mar 2010 11:14:00 -0700, Victor Kuarsingh
> <victor.kuarsingh@gmail.com> wrote:
>
>> I think that it's premature to assume the "home" network is ready for
>> unrestricted connectivity. The dynamics of the "home" networks are
>> changing so fast, that the risks of this environment are not known.
>
> I said we need a ***hole punching*** mechanism.
>
> Without hole punching application programmers will be stuck with UDP for
> peer-to-peer use cases. And that's not good (I'd expect the IETF Transport
> Area not to be very happy with that, but IANAAD). No connection semantics, no
> error correction, no flow/congestion control. If my memory is not failing
> too badly, James Woodyatt also had a companion draft for that purpose. But
> it's now a defunct document.
=> FYI We tried this in:
http://tools.ietf.org/id/draft-soliman-firewall-control-01.txt
There might be other proposals but I believe the strength of this proposal is
the effective plug n play security feature of CGAs.
Hesham
>
> Then there is the proven issue that battery powered devices cannot cope
> with stateful firewalling too well, unless the timeouts are long and
> _known_. Typically they are short (especially for UDP). And with stateful
> firewalling they aren't known. If the timeouts are not known, the
> application ends up making the most pessimistic assumption (i.e. less than
> 30 seconds). That's not sustainable with the current battery technology,
> and won't be for years to come if the experts of that domain are to be
> trusted.
>
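The keepalive argument in the quoted message, as an added example that is not part of the thread: a toy stateful firewall with an idle-timeout table and a client that refreshes its outbound pinhole, showing how an unadvertised timeout forces frequent wake-ups, an advertised long timeout cuts them, and a guessed interval longer than the real timeout drops inbound packets. All timeouts, intervals and addresses are constructed sample values; the 30 s pessimistic default follows the figure quoted above.

```python
from dataclasses import dataclass, field

@dataclass
class StatefulFirewall:
    """Idle-timeout state table: a flow is admitted inbound only while an
    outbound packet for it was seen less than idle_timeout seconds ago."""
    idle_timeout: float
    last_seen: dict = field(default_factory=dict)

    def outbound(self, flow, now):
        self.last_seen[flow] = now            # create or refresh the pinhole

    def inbound_allowed(self, flow, now):
        seen = self.last_seen.get(flow)
        return seen is not None and now - seen < self.idle_timeout

def keepalive_interval(known_timeout=None, pessimistic=30.0, margin=0.8):
    """Interval a client can safely use: a fraction of the advertised timeout,
    or of the pessimistic under-30-second guess when nothing is advertised."""
    base = pessimistic if known_timeout is None else known_timeout
    return base * margin

def simulate(fw_timeout, interval, duration=600.0, probe_every=7.0):
    """Client sends a keepalive every `interval` s; a peer sends an inbound
    packet every `probe_every` s. Returns (keepalives sent, probes passed,
    probes total). Keepalives are processed before probes at equal times."""
    fw = StatefulFirewall(fw_timeout)
    flow = ("2001:db8::10", 40000, "2001:db8::20", 40000, "udp")  # constructed
    events = [(k * interval, 0) for k in range(int(duration // interval) + 1)]
    events += [(p * probe_every, 1)
               for p in range(1, int(duration // probe_every) + 1)]
    sent = passed = total = 0
    for t, kind in sorted(events):
        if kind == 0:                         # client keepalive (outbound)
            fw.outbound(flow, t)
            sent += 1
        else:                                 # peer's inbound packet
            total += 1
            passed += fw.inbound_allowed(flow, t)
    return sent, passed, total

if __name__ == "__main__":
    # Unknown timeout, real timeout 30 s: reachable, but 26 wake-ups in 10 min.
    print(simulate(30.0, keepalive_interval()))
    # Advertised 120 s timeout: same reachability with 7 wake-ups.
    print(simulate(120.0, keepalive_interval(120.0)))
    # Unknown timeout, client guesses 60 s to save battery: inbound is dropped.
    print(simulate(30.0, 60.0))
```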