Re: [homenet] Firewall hole punching [was: About Ted's naming architecture...]
Michael Thomas <mike@mtcc.com> Wed, 23 November 2016 15:31 UTC
To: homenet@ietf.org
References: <871syc54d1.wl-jch@pps.univ-paris-diderot.fr> <CAPt1N1=eXRBh6UqGGqUSK9cH_jY5MvPcE4MFZUPe2Z48LF7bkA@mail.gmail.com> <87lgwj504t.wl-jch@irif.fr> <CAPt1N1kDCMDBEpt7QYhHtPYjaMJAzw8G81=2y2f=y0ZProeCPA@mail.gmail.com> <13675.1479346312@dooku.sandelman.ca> <3B35AF68-4792-4B2A-8277-A7B49206581F@google.com> <74143607-B81E-4D4C-89D3-4754E0DA7DE1@jisc.ac.uk> <790beb67-a62e-b7dc-b64e-a3fcecfbdb12@mtcc.com> <87zikrihl7.wl-jch@irif.fr> <2EEB3CCD-3C25-4844-95B5-DDE31F982EA2@iki.fi> <87oa17i9eq.wl-jch@irif.fr> <2DAA6FEB-8C87-42DA-9465-E740669C563A@iki.fi> <8C298ED7-DF92-4FB7-9D6A-C113E98CABE9@google.com> <CAKD1Yr2uB6g6eOJgw10wARXedmLxT6NHXSknLUybUgK-J_eD6w@mail.gmail.com>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <be8a0cd7-7269-da32-4514-823b78ad17b4@mtcc.com>
Date: Wed, 23 Nov 2016 07:31:39 -0800
In-Reply-To: <CAKD1Yr2uB6g6eOJgw10wARXedmLxT6NHXSknLUybUgK-J_eD6w@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/MsHp0w-FuJxIFTI8ajoLyLUQZdg>
Subject: Re: [homenet] Firewall hole punching [was: About Ted's naming architecture...]
On 11/22/2016 06:54 PM, Lorenzo Colitti wrote:
> On Tue, Nov 22, 2016 at 5:34 PM, james woodyatt <jhw@google.com> wrote:
>
>> The recent IoT DDoS publicity is a good example; the devices that
>> are the Mirai botnet are devices that had/have open ports facing
>> the internet.
>
> Not quite, cf.
> <https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/>
>
> The vast majority of those devices were protected from receiving
> inbound flows over public Internet routes by the stateful filters
> of IPv4/NAT gateways.
>
> ... and this knowledge is not new. The conficker paper
> <https://seclab.cs.ucsb.edu/media/uploads/papers/torpig.pdf> from 2009
> found that "144,236 (78.9%) of the infected machines were behind a
> NAT, VPN, proxy, or firewall". We should know this by now: stateful
> firewalls do not protect against malware.
>
> It's not about reducing attack surfaces. It's about making systems
> that are safe for deployment in close proximity to humans.
>
> +1

I'm glad I'm not the only one who is somewhat dubious of the importance of the All Mighty Maginot^H^H^H^H^H^HFirewall in this day and age. Trivial mobility (eg, phones, etc), for one, really launches big old rocks at a firewall's assumption of We and They.

Is there some set of standards/BCPs that describe how, say, a light bulb controller can create a completely private network for the light bulbs that is specifically not routed to the Internet, where the light bulb controller acts as an ALG to those bulbs? That seems more of what I want than where each individual light bulb has to hope that some firewall protects it from the mean old internets.

Mike