Re: [homenet] About Ted's naming architecture presentation and document

Markus Stenberg <markus.stenberg@iki.fi> Tue, 22 November 2016 18:31 UTC

From: Markus Stenberg <markus.stenberg@iki.fi>
In-Reply-To: <87zikrihl7.wl-jch@irif.fr>
Date: Tue, 22 Nov 2016 20:31:25 +0200
Message-Id: <2EEB3CCD-3C25-4844-95B5-DDE31F982EA2@iki.fi>
To: Juliusz Chroboczek <jch@irif.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/TG7nu01G18JLHQhI_2aec_bv1dU>
Cc: homenet@ietf.org, Michael Thomas <mike@mtcc.com>

On 22 Nov 2016, at 18.51, Juliusz Chroboczek <jch@irif.fr> wrote:
>> I can put that controller into my own home and operate it
> Assuming that you can control the stateful firewall that's running on the
> edge routers.  Recall that the edge router is not necessarily on the local
> link, and that there can be multiple edge routers.
> 
> (I see that hnet-full in OpenWRT/LEDE installs a thing called
> "minimalist-pcproxy", but I have no idea what it does and whether it
> handles multiple edge routers correctly.)

It does. The downside with it is that it is based on essentially non-IETF stuff (my expired draft) for figuring out whom to forward the requests to. The PCP WG wasn’t that keen about it, and then they disbanded. Perhaps someone should adopt it here if firewall hole punching is still on the agenda (as the plain PCP proxy specified in the PCP WG is not up to the multiprefix part of the task, and is also overly complex).

> (In order to keep the discussion at the high intellectual level customary
> for this group, I suggest that all mentions of uPNP be banned.  PCP
> (formerly NAT-PMP) is the Standards Track protocol for punching holes in
> stateful firewalls and NAT boxes, and unlike uPNP it actually makes
> sense.)

Does it? Now that I have thought about it more, I do not control all devices in my home that well to start with (hello, embedded things that talk IP), and I am not that keen to allow them to punch holes in the firewall. Obviously, they can call home anyway (if they are not on a restricted-access subnet, at any rate), but it is one less vulnerable externally visible protocol implementation to worry about if they can only call outside and not have port scanners hit them.

As an anecdote, I upgraded my home infra during the last month (hello, Turris Omnia), and essentially thought about ‘do I want this piece or not’.

What made the cut from homenet/friends:

- ohybridproxy (the only really scalable and sensible IPv6 rDNS source that I am aware of, given that nodes talk mDNS)

- shsp (joke draft, but my home automation stuff still runs DNCP-based distributed computation using it)

What didn’t:

- the rest (I have few subnets, but they also have different policies in regard to each other and to the outside world => autoconfiguration is not on the cards).

Manual configuration = win for most things, if you are security conscious, and I try to be.

Cheers,

-Markus
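The thread above argues about letting home devices punch firewall holes with PCP and about keeping embedded devices on subnets that may only call out. The following is an added example, not code from the thread or from minimalist-pcproxy: it parses an RFC 6887 PCP request (header plus the MAP opcode body) and applies a hypothetical per-subnet policy, so that a router or audit tool can log and refuse mapping requests from untrusted subnets. The subnets, the sample request builder and the policy are assumptions constructed for the example.

```python
import ipaddress
import struct

PCP_PORT = 5351          # UDP port PCP listens on (RFC 6887)
PCP_VERSION = 2
OPCODE_NAMES = {0: "ANNOUNCE", 1: "MAP", 2: "PEER"}

# Hypothetical policy: only these (constructed) subnets may ask the router to
# open inbound ports; everything else, e.g. an IoT subnet, is outbound-only.
MAPPING_ALLOWED_FROM = [ipaddress.ip_network("2001:db8:1::/64"),
                        ipaddress.ip_network("10.0.1.0/24")]


def parse_pcp_request(data: bytes) -> dict:
    """Parse a PCP request header and, for MAP, its 36-byte opcode body."""
    if len(data) < 24:
        raise ValueError("PCP request shorter than 24-byte header")
    version, r_op, _reserved, lifetime = struct.unpack("!BBHI", data[:8])
    if version != PCP_VERSION:
        raise ValueError(f"unsupported PCP version {version}")
    if r_op & 0x80:                       # R bit set: a response, not a request
        raise ValueError("R bit set: this is a response")
    opcode = r_op & 0x7F
    raw_ip = ipaddress.IPv6Address(data[8:24])   # IPv4 clients use ::ffff:a.b.c.d
    req = {"opcode": OPCODE_NAMES.get(opcode, str(opcode)), "lifetime": lifetime,
           "client_ip": raw_ip.ipv4_mapped or raw_ip}
    if opcode == 1:                       # MAP: nonce, proto, ports, suggested ext. IP
        if len(data) < 60:
            raise ValueError("MAP request shorter than 60 bytes")
        proto, int_port, ext_port = struct.unpack("!B3xHH", data[36:44])
        req.update({"nonce": data[24:36], "protocol": proto, "internal_port": int_port,
                    "suggested_external_port": ext_port,
                    "suggested_external_ip": ipaddress.IPv6Address(data[44:60])})
    return req


def mapping_allowed(req: dict) -> bool:
    """Refuse MAP from any subnet not on the allow list; other opcodes open nothing."""
    if req["opcode"] != "MAP":
        return True
    return any(req["client_ip"] in net for net in MAPPING_ALLOWED_FROM)


def build_map_request(client_ip: str, internal_port: int, lifetime: int = 3600) -> bytes:
    """Constructed sample MAP request for TCP with no suggested external address."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:                   # encode as IPv4-mapped IPv6, as PCP requires
        ip = ipaddress.IPv6Address(f"::ffff:{ip}")
    hdr = struct.pack("!BBHI", PCP_VERSION, 1, 0, lifetime) + ip.packed
    return hdr + b"\x00" * 12 + struct.pack("!B3xHH", 6, internal_port, 0) + b"\x00" * 16
```

Run against a UDP capture on port 5351 from the router, every request that fails `mapping_allowed` is a device on an outbound-only subnet trying to open an inbound port, which is exactly the event worth logging.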