IETF Logo Mail Archive

Re: [homenet] Firewall hole punching [was: About Ted's naming architecture...]

Ca By <cb.list6@gmail.com> Wed, 23 November 2016 15:23 UTC

Return-Path: <cb.list6@gmail.com>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FACD129A1E for <homenet@ietfa.amsl.com>; Wed, 23 Nov 2016 07:23:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kNOFYP7E8YZ8 for <homenet@ietfa.amsl.com>; Wed, 23 Nov 2016 07:23:33 -0800 (PST)
Received: from mail-wj0-x235.google.com (mail-wj0-x235.google.com [IPv6:2a00:1450:400c:c01::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6EF75129528 for <homenet@ietf.org>; Wed, 23 Nov 2016 07:23:33 -0800 (PST)
Received: by mail-wj0-x235.google.com with SMTP id xy5so11481323wjc.0 for <homenet@ietf.org>; Wed, 23 Nov 2016 07:23:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=XDFYf3QHWVIjXzs9mAttlYhnJSxqOpEPpZRl91AY9Y0=; b=MZpqXO/slRKseOE0aPxYoRhPNd3bBss99ne2ISRn40IUjX3Sdmy9+ZdkoRs0wzyfW+ 6di3BCQv63ezuHOtIbl+ugYLOrUYD1VSIkA/G69QmiEYlctqAx9fRK9ggcskQzGD62hV hfbXkxU/rmzPdKIHGfEUe3g0Mt8Mdc2omBES382rcGHPaBGQjCtasFCxElFOvINCYbY5 mmStXyr9Ei/D/RdKvVz715s2C2dCwKE19X7s0DwrmZB2+4fH9wZa6fm9g8mJZCdTzHWg Ski2/O8jydNSOoG2hsAT8VI0at3ToXORwRAKZIDhpNbOQpBvmf5nD4CK91H8jC5QPqa9 RXdQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=XDFYf3QHWVIjXzs9mAttlYhnJSxqOpEPpZRl91AY9Y0=; b=SOwmnLsGaDRhgxp1s5l2AgBTdXBtn3I1msKCUjwKFQvBmI2i1QhUWMj1iDHNyAtpue BKhUIP//l2xG7VGFZDSOLN0nH6Vf275m4xL5+9RCJVWVThaPFTBD6VRaYooRHLEwoNUM H6llDU2BURwp2NaGCr7Xd7zyjnihFe0Q5MftgfH/i4Hq2JwVqJgYK59CMaewO5khpq3w mXmXYN7YXRdn5+UMeafhkmkQAnB/M9l9ueECKZi73lFOcNAg9u0OrBa8I2NcQ9T9hwps hlrxbGZhkpxFlw3xhsyQhltv2gVhhA3Y/q/YpKDVYVosxcRdFpxoujjenXH2ImCyCus9 EkwQ==
X-Gm-Message-State: AKaTC01IwHPZAVOvAxz227oRnAr4JyDfCPzlL1hBG/i549CryDcSKRRAts3+69FwxovC8ps5Vcp0wdX9p/R7Hw==
X-Received: by 10.194.22.41 with SMTP id a9mr4314807wjf.30.1479914611930; Wed, 23 Nov 2016 07:23:31 -0800 (PST)
MIME-Version: 1.0
Received: by 10.28.36.194 with HTTP; Wed, 23 Nov 2016 07:23:31 -0800 (PST)
In-Reply-To: <F351E6DB-4829-4EE3-BACE-25DA543B21C5@iki.fi>
References: <871syc54d1.wl-jch@pps.univ-paris-diderot.fr> <CAPt1N1=eXRBh6UqGGqUSK9cH_jY5MvPcE4MFZUPe2Z48LF7bkA@mail.gmail.com> <87lgwj504t.wl-jch@irif.fr> <CAPt1N1kDCMDBEpt7QYhHtPYjaMJAzw8G81=2y2f=y0ZProeCPA@mail.gmail.com> <13675.1479346312@dooku.sandelman.ca> <3B35AF68-4792-4B2A-8277-A7B49206581F@google.com> <74143607-B81E-4D4C-89D3-4754E0DA7DE1@jisc.ac.uk> <790beb67-a62e-b7dc-b64e-a3fcecfbdb12@mtcc.com> <87zikrihl7.wl-jch@irif.fr> <2EEB3CCD-3C25-4844-95B5-DDE31F982EA2@iki.fi> <87oa17i9eq.wl-jch@irif.fr> <2DAA6FEB-8C87-42DA-9465-E740669C563A@iki.fi> <8C298ED7-DF92-4FB7-9D6A-C113E98CABE9@google.com> <F351E6DB-4829-4EE3-BACE-25DA543B21C5@iki.fi>
From: Ca By <cb.list6@gmail.com>
Date: Wed, 23 Nov 2016 07:23:31 -0800
Message-ID: <CAD6AjGSh_-MiqeNWD_b+xZpcG7p+WEUyBPgwpMr88oojMRnmyQ@mail.gmail.com>
To: Markus Stenberg <markus.stenberg@iki.fi>
Content-Type: multipart/alternative; boundary="047d7b5d8695bdff830541f97898"
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/M0nvJwxYgaPpNYQ7GBL7DldMYtQ>
Cc: james woodyatt <jhw@google.com>, HOMENET <homenet@ietf.org>
Subject: Re: [homenet] Firewall hole punching [was: About Ted's naming architecture...]
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Nov 2016 15:23:36 -0000

On Tue, Nov 22, 2016 at 11:07 PM, Markus Stenberg <markus.stenberg@iki.fi>
wrote:

> > On 23 Nov 2016, at 3.34, james woodyatt <jhw@google.com> wrote:
> > On Nov 22, 2016, at 14:39, Markus Stenberg <markus.stenberg@iki.fi>
> wrote:
> >>
> >> The recent IoT DDoS publicity is a good example; the devices that are
> the Mirai botnet are devices that had/have open ports facing the internet.
> > Not quite, c.f. <https://krebsonsecurity.com/2016/10/who-makes-the-iot-
> things-under-attack/>
> >
> > The vast majority of those devices were protected from receiving inbound
> flows over public Internet routes by the stateful filters of IPv4/NAT
> gateways.
>
> Interesting. I read somewhere elsewhere that upnp igd was part of the
> problem but not the main one.
>
> > p1. Those ports would not have been open and facing the Internet except
> they were also configured to use UPnP IGD to punch a hole through their
> firewall to expose their unsecured services.
>
> So the default opt-out policy of hole punching is broken.
>
> > p2. More importantly, they were also open and facing other compromised
> hosts on the same network, which were vulnerable not because they had open
> ports facing the Internet but because they were exposed to malware by
> legitimate requests to web servers at public Internet destinations.
>
> I did not read that in that article at least. I can believe infested
> Windows hosts can contaminate anything near them.
>
> > The calls [in both cases p1 and p2] were coming from inside the house.
>
> Default drop inbound policy would have worked in the p1 case; p2 case on
> the other hand, the moment you have someone inside the network, you are
> lost, given the modern software quality.
>
> >> It is all about reducing the attack surface.
> > What attack surfaces were reduced? None of them were turned on at all.
> And why? Because, strangely, the industry in which we work engineers so
> many of the systems, which ordinary people are expected to use, in a way
> that makes them unusable unless all the security mechanisms that reduce the
> attack surfaces are disabled or bypassed by default.
>
> At least based on my reading elsewhere, there is quite a bit of IoT
> hardware that actually has direct IPv4 address as well. And median time to
> infestation is minutes in the current IPv4 land. I also seem to recall that
> the ‘unpatched Windows - time to infestation’ benchmark also was minutes
> already ten years ago. (current Windows has saner default policies though,
> so I am not sure if that is applicable any more.)
>
> > It’s not about reducing attack surfaces. It’s about making systems that
> are safe for deployment in close proximity to humans.
>
> Sounds like an impossible dream then, given how prevalent the default
> username+password has been since 90s. Or buffer overflows. Or SQL injection
> attacks. All of that has been with us 20+ years and seems to be just more
> common, not less common, as the time goes by.
>
> > ... and this knowledge is not new. The conficker paper from 2009 found
> that "144,236 (78.9%) of the infected machines were behind a NAT, VPN,
> proxy, or firewall". We should know this by now :stateful firewalls do not
> protect against malware.
>
> There are also two other potential readings to this;
>
> - the nodes could also move and be infected elsewhere, or
>
> - they can make requests to the outside world with bad actor somewhere in
> the loop. At least earlier, the main _computer_ infection vector were
> essentially humans, who clicked ‘funny picture.exe’ and ignored security
> warnings.
>
> IoT land, there is no human in the loop, so there is bit more hope, given
> software quality is sufficient, as people do not have access to run the
> ‘funny picture.exe’ as root on the devices.
>
>
Yeh, we took the human out of the loop, but with UPnP and PCP, we gave the
malware an API to open the gate.

That said, given HOMENET's charter to be the ideal network we always wanted
without the technical debt, i suggest HOMENET take a strong stance and
reject "crunchy core, soft middle" security approach.  Meaning, assuming
that some other device is going to do security for you and you can leave a
default password telnet open.... that idea needs to die.

We need to make sure that HOMENET does not have a diagram that says
"security done here" with an arrow pointed at the gateway.  HOMENET needs
to specifically mandate all nodes have sane security, and part of that is
ripping off the band-aid / security blanket of "stateful firewall"... the
popular notion that stateful firewall does anything meaningful is very
damaging to ecosystem... mostly because it makes security the
responsibility of some other node.... which is not ok.

CB



> Cheers,
>
> -Markus
>
> _______________________________________________
> homenet mailing list
> homenet@ietf.org
> https://www.ietf.org/mailman/listinfo/homenet
>

v2.23.0 | Report a Bug | By Email