Re: [homenet] Firewall hole punching [was: About Ted's naming architecture...]

james woodyatt <jhw@google.com> Mon, 28 November 2016 20:11 UTC

From: james woodyatt <jhw@google.com>
In-Reply-To: <d24d8feb-05a9-7c05-e8d6-eb9c31869d6f@bellis.me.uk>
Date: Mon, 28 Nov 2016 12:11:40 -0800
Message-Id: <0DCB18C1-709A-4C03-81DF-E029584CF23F@google.com>
References: <871syc54d1.wl-jch@pps.univ-paris-diderot.fr> <CAPt1N1=eXRBh6UqGGqUSK9cH_jY5MvPcE4MFZUPe2Z48LF7bkA@mail.gmail.com> <87lgwj504t.wl-jch@irif.fr> <CAPt1N1kDCMDBEpt7QYhHtPYjaMJAzw8G81=2y2f=y0ZProeCPA@mail.gmail.com> <13675.1479346312@dooku.sandelman.ca> <3B35AF68-4792-4B2A-8277-A7B49206581F@google.com> <74143607-B81E-4D4C-89D3-4754E0DA7DE1@jisc.ac.uk> <790beb67-a62e-b7dc-b64e-a3fcecfbdb12@mtcc.com> <87zikrihl7.wl-jch@irif.fr> <2EEB3CCD-3C25-4844-95B5-DDE31F982EA2@iki.fi> <87oa17i9eq.wl-jch@irif.fr> <2DAA6FEB-8C87-42DA-9465-E740669C563A@iki.fi> <8C298ED7-DF92-4FB7-9D6A-C113E98CABE9@google.com> <F351E6DB-4829-4EE3-BACE-25DA543B21C5@iki.fi> <CAD6AjGSh_-MiqeNWD_b+xZpcG7p+WEUyBPgwpMr88oojMRnmyQ@mail.gmail.com> <E42B5AB7-26CD-48CD-92E1-9D40E5405B0C@jisc.ac.uk> <d24d8feb-05a9-7c05-e8d6-eb9c31869d6f@bellis.me.uk>
To: Ray Bellis <ray@bellis.me.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/OTCr-pU2El2WshImMsZ4_6PbZH8>
Cc: homenet@ietf.org
Subject: Re: [homenet] Firewall hole punching [was: About Ted's naming architecture...]

On Nov 23, 2016, at 08:05, Ray Bellis <ray@bellis.me.uk> wrote:
> On 23/11/2016 15:49, Tim Chown wrote:
>> 
>> I have my doubts that any attempt to flesh that out further now would reach consensus,[…]

So do I, and these doubts were amplified by the recent discussion here following my objection to adopting I-D.lemon-homenet-naming-architecture on the grounds that we have no clear security architecture to provide for passive listeners on unmanaged networks receiving inbound flows from unauthenticated hosts over public Internet routes. [*] In fact, if we were to search for the consensus to write one, I suspect it would settle on strongly prohibiting all such communications. [**]

>>  Something for the chairs…?
> 
> The Chairs think it would be a fine idea.
> However we are short of volunteers to take on the work…

“Prepare to waste a lot of time accomplishing nothing,” says the little voice in my head. Maybe if my forecast for reaching consensus on the security architecture seemed less gloomy.

[*] To be pedantic, we *do* have a security architecture, but it’s far from clear and it's not recommended anywhere: RFC 6092 provides the distinguished inbound flow exception for IPsec and IKE. I doubt anyone believes that could be a feature of any security architecture that will be adopted by industrial policy, but if the chairs are interested in tilting at windmills, I might be able to find time to write a short draft to clarify how it would work.

[**] Before anyone asks, the answer is "No, I will not write a security architecture draft for HOMENET that prohibits passive listeners on unmanaged networks receiving inbound flows from unauthenticated hosts over public Internet routes. If that’s how it should unfold, then I’m confident the working group will find somebody with the necessary moral flexibility."

--james woodyatt <jhw@google.com>