Re: [homenet] Firewall hole punching [was: About Ted's naming architecture...]

Tim Chown <Tim.Chown@jisc.ac.uk> Wed, 23 November 2016 15:49 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/nCNOXtrItMwSOTi8G2x7DN9CsQo>

On 23 Nov 2016, at 15:23, Ca By <cb.list6@gmail.com> wrote:

<snip>

That said, given HOMENET's charter to be the ideal network we always wanted without the technical debt, I suggest HOMENET take a strong stance and reject the "crunchy core, soft middle" security approach.  Meaning, assuming that some other device is going to do security for you and you can leave a default-password telnet open.... that idea needs to die.

We need to make sure that HOMENET does not have a diagram that says "security done here" with an arrow pointed at the gateway.  HOMENET needs to specifically mandate that all nodes have sane security, and part of that is ripping off the band-aid / security blanket of the "stateful firewall"... the popular notion that a stateful firewall does anything meaningful is very damaging to the ecosystem... mostly because it makes security the responsibility of some other node.... which is not ok.

Part of the “problem” is that the Homenet security architecture is not yet documented. It was somewhat punted during the discussions towards RFC 7368, with Section 3.6 mentioning RFC 6092 and RFC 4864, without being prescriptive - https://tools.ietf.org/html/rfc7368#section-3.6.

I have my doubts that any attempt to flesh that out further now would reach consensus, but given we’ve now moved on quite a way, e.g. knowing we have HNCP, Babel, etc, and having witnessed Mirai, it might be worth a try. Something for the chairs…?

Tim