Re: [homenet] Firewall hole punching [was: About Ted's naming architecture...]

Markus Stenberg <markus.stenberg@iki.fi> Tue, 22 November 2016 22:39 UTC

From: Markus Stenberg <markus.stenberg@iki.fi>
In-Reply-To: <87oa17i9eq.wl-jch@irif.fr>
Date: Wed, 23 Nov 2016 00:39:50 +0200
Message-Id: <2DAA6FEB-8C87-42DA-9465-E740669C563A@iki.fi>
References: <871syc54d1.wl-jch@pps.univ-paris-diderot.fr> <CAPt1N1=eXRBh6UqGGqUSK9cH_jY5MvPcE4MFZUPe2Z48LF7bkA@mail.gmail.com> <87lgwj504t.wl-jch@irif.fr> <CAPt1N1kDCMDBEpt7QYhHtPYjaMJAzw8G81=2y2f=y0ZProeCPA@mail.gmail.com> <13675.1479346312@dooku.sandelman.ca> <3B35AF68-4792-4B2A-8277-A7B49206581F@google.com> <74143607-B81E-4D4C-89D3-4754E0DA7DE1@jisc.ac.uk> <790beb67-a62e-b7dc-b64e-a3fcecfbdb12@mtcc.com> <87zikrihl7.wl-jch@irif.fr> <2EEB3CCD-3C25-4844-95B5-DDE31F982EA2@iki.fi> <87oa17i9eq.wl-jch@irif.fr>
To: Juliusz Chroboczek <jch@irif.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/mQzVM3m25FqPxew0Ej-Oswa8o_k>
Cc: homenet@ietf.org
Subject: Re: [homenet] Firewall hole punching [was: About Ted's naming architecture...]

On 22 Nov 2016, at 21.47, Juliusz Chroboczek <jch@irif.fr> wrote:
>> Now that I have thought about it more, I do not control all devices in
>> my home that well to start with (hello, embedded things that talk IP),
>> and I am not that keen to allow them to punch holes in the
>> firewall. Obviously, they can do call-home anyway
> Uh-huh.  I don't see how punching holes in the firewall is worse than
> allowing access to the Global Internet.

The recent IoT DDoS publicity is a good example; the devices that make up the Mirai botnet are devices that had/have open ports facing the internet. They are not (as far as I know) contacting corrupted servers, nor is there an active DNS attack ongoing; instead the IPv4 address range is being scanned and then the bad software exploited. (Default username+password for the most part in this case, but it could equally well be a buffer overflow in the protocol implementation listening on that port, which would be port-scannable.)

It is all about reducing the attack surface.

(Obviously having no bad software would be even better.)

>> - ohybridproxy (only really scalable and sensible IPv6 rdns source that
>>  I am aware of, given nodes talk mdns)
> Noted, thanks for the opinion.  I still don't understand how it works (who
> gets port 53?  how are data from multiple links merged?), but I intend to
> do my homework.

I give dnsmasq port 53, and then have it forward queries for .home (chuckle) and my IPv4/IPv6 reverses in .arpa-land to 127.0.0.1:54, where ohp listens on my routers. (xns-ch called and wants its port, but I try to resist.)

Cheers,

-Markus
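The dnsmasq arrangement Markus describes (dnsmasq on port 53, forwarding the local forward domain and the reverse zones of the local prefixes to a second resolver on 127.0.0.1 port 54) can be written out as a handful of `server=/zone/host#port` lines. The script below is an added example, not Markus's configuration nor anything from the ohybridproxy project: it derives the `.arpa` zone names from the local prefixes (the nibble reversal for `ip6.arpa` is the part people most often get wrong by hand) and emits the matching dnsmasq lines. The forward domain `home`, the documentation prefixes `2001:db8:1::/48` and `192.168.1.0/24`, and the listener `127.0.0.1#54` are constructed values for illustration; only the 127.0.0.1:54 target comes from the message.

```python
import ipaddress

# Constructed example values (assumptions, not taken from the message except
# for the 127.0.0.1 port-54 target): the forward domain to hand off, the
# local prefixes whose reverse zones the second resolver should answer, and
# that resolver's address. dnsmasq spells a port as host#port, not host:port.
FORWARD_DOMAIN = "home"
OHP_LISTENER = "127.0.0.1#54"
LOCAL_PREFIXES = ["2001:db8:1::/48", "192.168.1.0/24"]


def reverse_zone(prefix: str) -> str:
    """Return the .arpa zone that exactly covers `prefix`.

    ip6.arpa zones are nibble-aligned and in-addr.arpa zones are
    octet-aligned, so a prefix length that is not a multiple of 4 (IPv6)
    or 8 (IPv4) has no single covering zone; refuse it instead of silently
    truncating to a larger zone than the operator owns.
    """
    net = ipaddress.ip_network(prefix, strict=False)  # host bits are masked off
    if net.version == 6:
        if net.prefixlen % 4:
            raise ValueError(f"{prefix}: ip6.arpa zones need a nibble-aligned prefix")
        hexdigits = net.network_address.exploded.replace(":", "")
        nibbles = hexdigits[: net.prefixlen // 4]
        return ".".join(reversed(nibbles)) + ".ip6.arpa"
    if net.prefixlen % 8:
        raise ValueError(f"{prefix}: in-addr.arpa zones need an octet-aligned prefix")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def dnsmasq_forwarding_config(forward_domain: str, prefixes, target: str) -> str:
    """Build the dnsmasq lines that send one forward domain plus the reverse
    zones of `prefixes` to `target`; everything else still goes upstream."""
    zones = [forward_domain] + [reverse_zone(p) for p in prefixes]
    lines = [f"server=/{zone}/{target}" for zone in zones]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Drop the output into a file under /etc/dnsmasq.d/ (dnsmasq listens on
    # port 53 by default, so no port= line is needed).
    print(dnsmasq_forwarding_config(FORWARD_DOMAIN, LOCAL_PREFIXES, OHP_LISTENER), end="")
```

The `server=/zone/host#port` form is dnsmasq's own syntax for per-zone forwarding; a hand-written entry that drops a nibble, or one that uses a /50 or /22 and a zone that is too large, quietly sends queries for addresses outside the local prefix to the local proxy, which is why the helper rejects unaligned prefixes.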