Re: [homenet] Firewall hole punching [was: About Ted's naming architecture...]

Lorenzo Colitti <lorenzo@google.com> Wed, 23 November 2016 02:54 UTC

In-Reply-To: <8C298ED7-DF92-4FB7-9D6A-C113E98CABE9@google.com>
References: <871syc54d1.wl-jch@pps.univ-paris-diderot.fr> <CAPt1N1=eXRBh6UqGGqUSK9cH_jY5MvPcE4MFZUPe2Z48LF7bkA@mail.gmail.com> <87lgwj504t.wl-jch@irif.fr> <CAPt1N1kDCMDBEpt7QYhHtPYjaMJAzw8G81=2y2f=y0ZProeCPA@mail.gmail.com> <13675.1479346312@dooku.sandelman.ca> <3B35AF68-4792-4B2A-8277-A7B49206581F@google.com> <74143607-B81E-4D4C-89D3-4754E0DA7DE1@jisc.ac.uk> <790beb67-a62e-b7dc-b64e-a3fcecfbdb12@mtcc.com> <87zikrihl7.wl-jch@irif.fr> <2EEB3CCD-3C25-4844-95B5-DDE31F982EA2@iki.fi> <87oa17i9eq.wl-jch@irif.fr> <2DAA6FEB-8C87-42DA-9465-E740669C563A@iki.fi> <8C298ED7-DF92-4FB7-9D6A-C113E98CABE9@google.com>
From: Lorenzo Colitti <lorenzo@google.com>
Date: Tue, 22 Nov 2016 18:54:05 -0800
Message-ID: <CAKD1Yr2uB6g6eOJgw10wARXedmLxT6NHXSknLUybUgK-J_eD6w@mail.gmail.com>
To: james woodyatt <jhw@google.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/4JLmocOTBmJQRdvfNG0r_DH74aU>
Cc: HOMENET <homenet@ietf.org>
Subject: Re: [homenet] Firewall hole punching [was: About Ted's naming architecture...]

On Tue, Nov 22, 2016 at 5:34 PM, james woodyatt <jhw@google.com> wrote:

> > The recent IoT DDoS publicity is a good example; the devices that are the
> > Mirai botnet are devices that had/have open ports facing the internet.
>
> Not quite, cf. <https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/>
>
> The vast majority of those devices were protected from receiving inbound
> flows over public Internet routes by the stateful filters of IPv4/NAT
> gateways.
>

... and this knowledge is not new. The Conficker paper
<https://seclab.cs.ucsb.edu/media/uploads/papers/torpig.pdf> from 2009
found that "144,236 (78.9%) of the infected machines were behind a NAT,
VPN, proxy, or firewall". We should know this by now: stateful firewalls do
not protect against malware.

> It’s not about reducing attack surfaces. It’s about making systems that are
> safe for deployment in close proximity to humans.
>

+1
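The toy model below is an added example, not code from anyone in this thread. It implements the default policy of a residential IPv4/NAT or RFC 6092-style IPv6 gateway (permit flows the LAN initiates, permit their replies, drop everything else) and runs a few constructed packets through it. The unsolicited telnet probe from the Internet is dropped, which is the protection the quoted message refers to; the drive-by download, the C2 beacon and the outbound attack traffic are all LAN-initiated or replies to LAN-initiated flows and pass, which is the point the reply makes. All addresses, ports and scenarios are constructed for illustration.

```python
# Added example (not from the thread): a minimal connection-tracking filter
# with the allow-outbound / deny-unsolicited-inbound policy of a home gateway.
# LAN prefix, hosts, ports and scenarios are constructed, not real traffic.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

LAN_PREFIX = "192.168.1."  # assumed home LAN (constructed)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


FlowKey = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)


class StatefulFilter:
    """Allow anything the LAN initiates, allow replies to it, drop the rest."""

    def __init__(self) -> None:
        self.conntrack: Set[FlowKey] = set()

    @staticmethod
    def _is_lan(ip: str) -> bool:
        return ip.startswith(LAN_PREFIX)

    def handle(self, pkt: Packet) -> str:
        key: FlowKey = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse: FlowKey = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self._is_lan(pkt.src) and not self._is_lan(pkt.dst):
            self.conntrack.add(key)  # outbound: permitted, and state is created
            return "ALLOW"
        if reverse in self.conntrack:
            return "ALLOW"  # inbound packet matching a LAN-initiated flow
        return "DROP"  # unsolicited inbound, e.g. an Internet-side port scan


def run_scenarios() -> Dict[str, List[str]]:
    """Run constructed packet sequences through one filter; return verdicts."""
    fw = StatefulFilter()
    camera, pc = "192.168.1.20", "192.168.1.30"  # constructed LAN hosts
    scanner, web = "203.0.113.9", "198.51.100.80"  # constructed Internet hosts
    c2, victim = "198.51.100.44", "192.0.2.1"
    scenarios = {
        # Internet-side scanner probes telnet on the camera: no state, dropped.
        "inbound_telnet_scan": [Packet("tcp", scanner, 51000, camera, 23)],
        # PC visits a compromised site; the payload arrives in the reply.
        "drive_by_download": [Packet("tcp", pc, 40000, web, 80),
                              Packet("tcp", web, 80, pc, 40000)],
        # Infected PC beacons out; C2 commands come back as the reply.
        "c2_beacon": [Packet("tcp", pc, 40001, c2, 443),
                      Packet("tcp", c2, 443, pc, 40001)],
        # Infected PC sends attack traffic outward: LAN-initiated, allowed.
        "outbound_attack": [Packet("udp", pc, 40002, victim, 53)],
    }
    return {name: [fw.handle(p) for p in pkts] for name, pkts in scenarios.items()}


def blocked_scenarios(results: Dict[str, List[str]]) -> List[str]:
    """Names of scenarios in which the filter dropped at least one packet."""
    return [name for name, verdicts in results.items() if "DROP" in verdicts]


if __name__ == "__main__":
    res = run_scenarios()
    for name, verdicts in res.items():
        print(f"{name:22s} {' '.join(verdicts)}")
    print("blocked:", blocked_scenarios(res))
```

Only the first scenario is stopped; the filter has no way to tell a legitimate HTTPS session from a beacon, since both are flows the LAN host opened. An inbound packet that matches no tracked flow (wrong source port, for instance) is still dropped, so the model is faithful to what the gateway does and does not see.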