Re: [homenet] naming drafts

Chris Box <chris.box.ietf@gmail.com> Tue, 22 June 2021 16:32 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/BXWpXJsB2afX1MF76SZQX_MKFss>

Daniel,

On Wed, 16 Jun 2021 at 01:27, Daniel Migault <mglt.ietf@gmail.com> wrote:

>
>> The HNA SHOULD drop any packets arriving on the WAN interface that are
>>> not issued from the DM.
>>>
>>>
>>> Depending how the communications between the HNA and the DM are
>>> secured, only packets associated to that protocol SHOULD be allowed.
>>>
>>>
>> The separation looks good, but I'd like to tweak the second paragraph. By
>> "only packets associated to that protocol" do you mean destination port
>> filtering?
>>
>
> To me IP and port filtering are implemented by the previous line. "only
> packets associated with that protocol" to me means that only TLS packets
> are allowed. The reason we are not mentioning TLS explicitly is that
> other protocols may be used.
>

Ah, I see, so this is about the payload of the packets. But surely
intelligent validation of the incoming packets is always going to happen?
This is a key property of any security protocol.
If the DM is listening on TCP 443, and the incoming packet is not a TLS
Client Hello that it is happy with, it'll get ignored.
If the DM is listening on UDP 500, and the incoming packet is not an
IKE_SA_INIT that it is happy with, it'll get ignored.

So I'm not disagreeing with you, I'm just questioning whether the sentence
is needed. I don't really mind if it stays.


>
>> I'm not concerned about the additional round trip. I was more concerned
>> that the DM could be implemented as a frontend/backend architecture. The
>> FQDN would resolve to the front end, and this is likely to be a small list
>> of addresses, or even a single address. But the backend servers would have
>> distinct, different addresses. Connections from the DM to the HNA might be
>> initiated from the backend. If the HNA only looked up the FQDN, it would
>> drop legitimate connections. This suggests we need a way to inform the HNA
>> of the set of legitimate source addresses.
>>
>>
What did you think of this last point?

Chris
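As an added illustration of the two rules discussed in this thread (example code, not from the draft or from anyone on the list), here is a minimal model of the HNA's WAN-side policy: a source check against a configurable set of DM addresses, which is where the backend address set Chris asks about would be fed in, followed by a per-port check that the first packet looks like a TLS ClientHello (TCP 443) or an IKE_SA_INIT (UDP 500), as in the "only packets associated with that protocol" reading. The address ranges, ports and packet bytes are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    src: str        # source IP address as text
    proto: str      # "tcp" or "udp"
    dport: int      # destination port on the HNA
    payload: bytes  # first bytes of the transport payload

def looks_like_tls_client_hello(p: bytes) -> bool:
    # TLS record header: type 0x16 (handshake), version 0x03 0x01..0x04,
    # 2-byte length, then the handshake type 0x01 (ClientHello).
    return (len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03
            and p[2] in (0x01, 0x02, 0x03, 0x04) and p[5] == 0x01)

def looks_like_ike_sa_init(p: bytes) -> bool:
    # IKEv2 header: 8-byte initiator SPI, 8-byte responder SPI (zero in
    # IKE_SA_INIT), next payload, version (major 2), exchange type 34.
    return (len(p) >= 28 and p[8:16] == b"\x00" * 8
            and p[17] >> 4 == 2 and p[18] == 34)

# Which protocol check applies to each (transport, port) the DM talks to.
CHECKS = {("tcp", 443): looks_like_tls_client_hello,
          ("udp", 500): looks_like_ike_sa_init}

# Constructed: the set of legitimate DM source prefixes (front end plus
# backend ranges), using RFC 5737 / RFC 3849 documentation addresses.
DM_SOURCES = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("198.51.100.0/24"),
              ipaddress.ip_network("2001:db8::/32")]

def wan_policy(pkt: Packet, dm_sources=DM_SOURCES) -> tuple:
    """Return ("accept"|"drop", reason) for a packet arriving on the WAN."""
    src = ipaddress.ip_address(pkt.src)
    if not any(src in net for net in dm_sources):
        return ("drop", "source is not a known DM address")
    check = CHECKS.get((pkt.proto, pkt.dport))
    if check is None:
        return ("drop", "no DM protocol is served on this port")
    if not check(pkt.payload):
        return ("drop", "payload is not the expected protocol message")
    return ("accept", "ok")

# Constructed sample payloads: a minimal TLS ClientHello record header and
# a 28-byte IKE_SA_INIT header (SPIi, zero SPIr, SA payload, v2.0, type 34).
TLS_CLIENT_HELLO_SAMPLE = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
IKE_SA_INIT_SAMPLE = (b"\x11\x22\x33\x44\x55\x66\x77\x88" + b"\x00" * 8
                      + b"\x21\x20\x22\x08" + b"\x00" * 4 + b"\x00\x00\x00\x1c")
```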