Re: [homenet] Firewall hole punching [was: About Ted's naming architecture...]

james woodyatt <jhw@google.com> Wed, 23 November 2016 01:35 UTC

Message-Id: <8C298ED7-DF92-4FB7-9D6A-C113E98CABE9@google.com>
Date: Tue, 22 Nov 2016 17:34:57 -0800
References: <871syc54d1.wl-jch@pps.univ-paris-diderot.fr> <CAPt1N1=eXRBh6UqGGqUSK9cH_jY5MvPcE4MFZUPe2Z48LF7bkA@mail.gmail.com> <87lgwj504t.wl-jch@irif.fr> <CAPt1N1kDCMDBEpt7QYhHtPYjaMJAzw8G81=2y2f=y0ZProeCPA@mail.gmail.com> <13675.1479346312@dooku.sandelman.ca> <3B35AF68-4792-4B2A-8277-A7B49206581F@google.com> <74143607-B81E-4D4C-89D3-4754E0DA7DE1@jisc.ac.uk> <790beb67-a62e-b7dc-b64e-a3fcecfbdb12@mtcc.com> <87zikrihl7.wl-jch@irif.fr> <2EEB3CCD-3C25-4844-95B5-DDE31F982EA2@iki.fi> <87oa17i9eq.wl-jch@irif.fr> <2DAA6FEB-8C87-42DA-9465-E740669C563A@iki.fi>
To: HOMENET <homenet@ietf.org>
In-Reply-To: <2DAA6FEB-8C87-42DA-9465-E740669C563A@iki.fi>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/vgTlVnewUY9sGks0TxCth-obPb0>
Subject: Re: [homenet] Firewall hole punching [was: About Ted's naming architecture...]

On Nov 22, 2016, at 14:39, Markus Stenberg <markus.stenberg@iki.fi> wrote:
> 
> The recent IoT DDoS publicity is a good example; the devices that are the Mirai botnet are devices that had/have open ports facing the internet.

Not quite, cf. <https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/>

The vast majority of those devices were protected from receiving inbound flows over public Internet routes by the stateful filters of IPv4/NAT gateways.

p1. Those ports would not have been open and facing the Internet except they were also configured to use UPnP IGD to punch a hole through their firewall to expose their unsecured services.

p2. More importantly, they were also open and facing other compromised hosts on the same network, which were vulnerable not because they had open ports facing the Internet but because they were exposed to malware by legitimate requests to web servers at public Internet destinations.

The calls [in both cases p1 and p2] were coming from inside the house.

> It is all about reducing the attack surface.
What attack surfaces were reduced? None of them were turned on at all. And why? Because, strangely, the industry in which we work engineers so many of the systems, which ordinary people are expected to use, in a way that makes them unusable unless all the security mechanisms that reduce the attack surfaces are disabled or bypassed by default.

It’s not about reducing attack surfaces. It’s about making systems that are safe for deployment in close proximity to humans.
--james woodyatt <jhw@google.com>
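Added example, not part of this thread: a small Python helper that parses the GetGenericPortMappingEntry responses a UPnP IGD gateway returns (WANIPConnection:1) and lists the mappings that let any Internet source reach an internal host, which is the hole punching through the stateful filter that the message describes. The SOAP responses, addresses and descriptions are constructed for the example, and the function and class names are my own.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed GetGenericPortMappingEntry response; the argument elements are unqualified.
SAMPLE = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost>{remote}</NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>
   <NewProtocol>TCP</NewProtocol><NewInternalPort>{internal}</NewInternalPort>
   <NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>
   <NewPortMappingDescription>{desc}</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>
  </u:GetGenericPortMappingEntryResponse>
 </s:Body>
</s:Envelope>"""

SAMPLES = [  # three mappings a gateway might report, constructed for this example
    SAMPLE.format(remote="", ext=8080, internal=80, client="192.168.1.23", enabled=1, desc="camera web ui"),
    SAMPLE.format(remote="198.51.100.7", ext=5000, internal=5000, client="192.168.1.40", enabled=1, desc="peer sync"),
    SAMPLE.format(remote="", ext=9000, internal=9000, client="192.168.1.50", enabled=0, desc="stale entry"),
]

@dataclass
class PortMapping:
    remote_host: str       # "" means any source on the Internet may use the mapping
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    enabled: bool
    description: str
    lease_seconds: int     # 0 means the mapping never expires on its own

def parse_mapping(soap_xml: str) -> PortMapping:
    """Pull the New* argument fields out of one GetGenericPortMappingEntryResponse."""
    root = ET.fromstring(soap_xml)
    f = {el.tag: (el.text or "").strip() for el in root.iter() if el.tag.startswith("New")}
    return PortMapping(f["NewRemoteHost"], int(f["NewExternalPort"]), f["NewProtocol"].upper(),
                       int(f["NewInternalPort"]), f["NewInternalClient"], f["NewEnabled"] == "1",
                       f["NewPortMappingDescription"], int(f["NewLeaseDuration"]))

def exposed_mappings(mappings):
    """Mappings that currently let any Internet source reach the internal host:
    enabled and carrying no NewRemoteHost restriction."""
    return [m for m in mappings if m.enabled and m.remote_host == ""]

if __name__ == "__main__":
    for m in exposed_mappings(parse_mapping(s) for s in SAMPLES):
        print(f"{m.protocol}/{m.external_port} -> {m.internal_client}:{m.internal_port} ({m.description})")
```

Walking the mapping index until the gateway returns a SpecifiedArrayIndexInvalid error gives the full table; only the parsing and filtering are shown here.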