Re: Telnet and FTP to Historic

Christian Huitema <huitema@huitema.net> Thu, 03 December 2020 19:02 UTC

Subject: Re: Telnet and FTP to Historic
To: Joe Touch <touch@strayalpha.com>
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, IETF Discussion Mailing List <ietf@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>, "John C. Klensin" <john-ietf@jck.com>, Carsten Bormann <cabo@tzi.org>
References: <51d208a3-4cae-b69a-6ecc-d15f48c66b44@huitema.net> <06E7EB62-D6C2-4827-A241-8E276860C2B7@strayalpha.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <6842e463-6fce-42e5-402c-acacabd9905b@huitema.net>
Date: Thu, 03 Dec 2020 10:54:11 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/1hWboP9AP42LJBAf8lbmbI18Lr4>

On 12/3/2020 7:11 AM, Joe Touch wrote:
> N
>
>> On Dec 2, 2020, at 11:50 PM, Christian Huitema <huitema@huitema.net> wrote:
>>
>> 
>>> On 12/2/2020 11:22 PM, Joe Touch wrote:
>>>
>>>>> On Dec 2, 2020, at 10:47 PM, Christian Huitema <huitema@huitema.net> wrote:
>>>> Mark, you had me until "home network". Because most home networks are in fact *not* more secure than the open Internet
>>> Not that I like NATs, but they do afford protection beyond being on the open Internet simply by lacking incoming port mapping.
>> That's the firewall illusion. It is shattered if someone inside the wall falls for a phishing attack, or clicks on the wrong attachment, or downloads the wrong program. At which point all these unsafe programs that are used "only behind the firewall" become nice avenues for quickly spreading the attack much farther than the initial failure. See numerous examples of ransomware attacks against small businesses, schools, etc.
>>
>> -- Christian Huitema
> Sure, but you have to attack the machines behind a firewall some other way *first*.
>
> I didn’t say they were safe, just safe*er*.

I understand why you say that. Machines behind a NAT or a stateful 
firewall cannot be remotely probed for low-level vulnerabilities, so you
do get some reduction of the attack surface. My contention is that this 
reduction is far from being sufficient, because attackers have found 
many ways to project themselves through NATs or firewalls. If you allow 
for unsafe practices because the machines are behind a NAT or a 
firewall, these unsafe practices will result in catastrophic cascades of 
failures after a single breach happens.

-- Christian Huitema