Re: Fwd: What to improve? BCP-38/SAC-004 anyone?
dave taht <dave@taht.net> Mon, 04 January 2016 18:24 UTC
Return-Path: <dave@taht.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 885521A9078 for <ietf@ietfa.amsl.com>; Mon, 4 Jan 2016 10:24:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.012
X-Spam-Level:
X-Spam-Status: No, score=-0.012 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yerWkyKWD8yM for <ietf@ietfa.amsl.com>; Mon, 4 Jan 2016 10:24:07 -0800 (PST)
Received: from mail.taht.net (mail.taht.net [IPv6:2a01:7e00::f03c:91ff:feae:7028]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1E901A906C for <ietf@ietf.org>; Mon, 4 Jan 2016 10:23:56 -0800 (PST)
Received: from dair-871.lorna-side.hm.taht.net (c-73-252-201-217.hsd1.ca.comcast.net [73.252.201.217]) by mail.taht.net (Postfix) with ESMTPSA id B1DAA1F45B; Mon, 4 Jan 2016 18:23:53 +0000 (UTC)
Subject: Re: Fwd: What to improve? BCP-38/SAC-004 anyone?
References: <7664F94E-F7A6-4556-B1E6-2DE536A7B7FC@frobbit.se> <5684FCDB.7010009@mnt.se> <A074CA07-691E-41A7-B1D7-33F4ECBED5A9@puck.nether.net> <568579FB.6030702@gmail.com> <DE81772E-22BA-45CE-A1B8-9E1BB34C0460@puck.nether.net> <1DA0624A-E022-4DE8-A4B4-59213FAFC468@piuha.net> <CAGhGL2ByDY5wTHfpMAXWUwvtnzpPgwdU8EsHgF8MHCSsVj-gmQ@mail.gmail.com> <CAA93jw45n1c1984KTNcJfb+azSxAqLSnsaQ55YdMY3pwwiEW3A@mail.gmail.com>
To: Jari Arkko <jari.arkko@piuha.net>, Jari Arkko <jari.arkko@piuha.net>
From: dave taht <dave@taht.net>
Message-ID: <568AB955.1080008@taht.net>
Date: Mon, 04 Jan 2016 10:26:29 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:38.0) Gecko/20100101 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <CAA93jw45n1c1984KTNcJfb+azSxAqLSnsaQ55YdMY3pwwiEW3A@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/6QUtvm0_zSp3_-w6KFAamkoJgtY>
X-Mailman-Approved-At: Tue, 05 Jan 2016 08:18:14 -0800
Cc: Jared Mauch <jared@puck.nether.net>, Christian Huitema <huitema@huitema.net>, IETF discussion list <ietf@ietf.org>, Toke Høiland-Jørgensen <toke@toke.dk>, Patrik Fältström <paf@frobbit.se>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Jan 2016 18:24:10 -0000
I note that I am now off all ietf mailing lists - I am trying to focus on make-wifi-fast, and while I'd like help on that from any org willing, it leaves me with no time to spare on anything else for at least the next year. Please do feel free to cc me on items of interest, please note my new email address. I note also that I have also flipped all my email servers to encrypt via starttls *always*. Perhaps the ietf could consider that as a weak protest in the post-snowden, post CISA era. After 10+ years of "may" - It turned out that I had issues with email interchange with 3 out of 100 of my regular correspondents, which I emailed via a separate channel to notify them of the problem, and I am now down to 1 out of hundred that I cannot swap mail with - which is a small price to pay compared the total silence of the spams, thus far, AND getting a reliable message back when something fails to transfer (unlike silent dropping of messages which happens far too often these days) Anyway, moving on below. On Mon, Jan 4, 2016 at 10:37 AM, Jari Arkko <jari.arkko@piuha.net> wrote: >> >> Patrik wrote: >> >>> why not start with the single home customers. What about look at default configuration of CPEs and alike? What about...I just do not know. Something just must be done. > Certainly CeroWrt (Dave Taht's version of OpenWrt where much of the > bufferbloat work was done) implements BCP38. And a home router has to > know what address ranges it is responsible for routing; it makes sense > to delegate the home part of the problem to the home router. > > Dave may be able to comment as to whether BCP 38's requirements cause > any compute issues in a home router, given the processors/software on > those devices. It was implemented using the usual Linux packet > filtering mechanism. ... BCP38 on openwrt ... We implemented bcp38 with the powerful ipset mechanism built into linux. The package is now part of mainline openwrt, but it is not the default. Toke has had a writeup on how it worked that has long needed a venue to publish in (circleid? isoc? ). Technically, however, that package is an extension of bcp38 - not only does it prevent invalid real source addresses from being used from the router, it also stops rfc1918 addresses from escaping. Although the package contains a method to handle simple double-natted situations, (leveraging the dhcp supplied by upstream), we ran into enough places where it wouldn't work without manual intervention for it to not be the default for a customer supplied device. An ISP-supplied device could probably do it right. An example of this is that cable modems - even when presenting a real IP - have a fixed configuration IP address of 192 dot 168 dot X dot Y. (100.1? can't remember) which you can only get to if you allow that ip address through the router otherwise doing bcp38. (ipset is often used as a means to block bad actors also - for example, I am using it right now to block a botnet that insists on registering a mailman account of X+somenumber@gmail.com every few seconds. There are thus far 20+ different ips so flooding my mailman server alone, there must be hundreds or thousands more under attack - totally saturating the target accounts at gmail. I have no idea why this thing exists, I could be exceptionally paranoid and suspect that this is also a known plaintext attack along the starttls channel between me and gmail.) Dynamic and flexible responses to all sorts of attack vectors should get built into everything. ... Secondly, a lot of my involvement in the ietf was intended to push along those actors using other hardware and OSes besides Linux. There are plenty of commercial products out there that hopefully have similar methods, but I see a remarkable lack of public documentation on how to do it right: http://www.bcp38.info/index.php/HOWTO:Juniper for example. I miss the days when whois actually could get you a sysadmin responsible. Thirdly, I pushed source specific routing for ipv6 as a default so as to avoid the bcp38 problem in the future there - but of course, with attackers having 2^64 addresses to choose from or more, it's uglier there to start with, and I go back again, to automated, shared, distributed defenses. I would like to see far more 3 way handshakes in key protocols - like what rfc6013 promised for dns - in the future. > > The bigger headache is the previously unsolved problem: the very slow > uptake from upstream sources and brokenness of home router market. I > typically find a minimum of *four years* old firmware packages even on > *brand new *devices on the market, with little sign of security > software updates/fixes. > > Here, ISP's that provide home routers could have leverage; but only if > ISP's are willing to make it a hard requirement on purchasing > decisions they make, rather than the currently observed behavior of > buying from the lowest vendor the junk they typically buy today. The > technical side of the ISP's need to educate the business people that > they are encouraging a "race to the bottom" with possibly catastrophic > consequences; BCP 38 is the least of the problem. Other forms of DDOS attack exist, even with perfect bcp38 coverage, I doubt that linode's recent survival of a massive onslought over the holidays would have been made any easier. http://status.linode.com/ > I'll take ongoing > prompt security updates for the life of devices such as home routers > over BCP 38 any day, and if the devices continue insecure, BCP 38 is > moot, as an attacker will just take over the router first. Specifically on the CPE front, I agree with jim's position, that the edges have got to get hardened, and regularly updated, and bcp38 is the least of the problems there compared to the common wholesale takeovers possible. And even then, well, devices inside the firewall have rather major issues also: http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ To me, bcp38 is something that ISPs should be doing to contain their problems inside their own networks - from their interchange points, to containing the edge (bras/dslam/cmtses) to just their allocations. The ipset facility already mentioned scales to 10s of thousands of ips/subnets on really cheap hardware. > As an industry, this is the bigger challenge. In the recent savewifi campaign, and the mandates laid out therein, we tried to raise the bar for the industry to build better - and maintainable, regularly updated stuff. Many of the good actors already come close to our suggestions. http://fqcodel.bufferbloat.net/~d/fcc_saner_software_practices.pdf We didn't go into legal things - like revising liability law, or bringing insurers into the equation that would help enforce those mandates, in that piece, but I'm pretty sure at this point that only legal/financial threats - like what has hit vw for cheating emissions standards - will make for ongoing technical investments in user safety, security, and privacy from those companies "responsible". In context with this, bcp38 compliance could be made a legal or insurer's requirement for an ISP to function. > For more information on the dysfunctional embedded market, see my > Berkman Center talk: > https://cyber.law.harvard.edu/events/luncheon/2014/06/gettys > > Jim
- What to improve? BCP-38/SAC-004 anyone? Patrik Fältström
- Re: What to improve? BCP-38/SAC-004 anyone? Leif Johansson
- Re: What to improve? BCP-38/SAC-004 anyone? tom p.
- Re: What to improve? BCP-38/SAC-004 anyone? Patrik Fältström
- Re: What to improve? BCP-38/SAC-004 anyone? Kathleen Moriarty
- Re: What to improve? BCP-38/SAC-004 anyone? Jared Mauch
- Re: What to improve? BCP-38/SAC-004 anyone? Leif Johansson
- Re: What to improve? BCP-38/SAC-004 anyone? Jared Mauch
- Re: What to improve? BCP-38/SAC-004 anyone? joel jaeggli
- Re: What to improve? BCP-38/SAC-004 anyone? Steve Crocker
- Re: What to improve? BCP-38/SAC-004 anyone? Brian E Carpenter
- Re: What to improve? BCP-38/SAC-004 anyone? joel jaeggli
- Re: What to improve? BCP-38/SAC-004 anyone? Jared Mauch
- Re: What to improve? BCP-38/SAC-004 anyone? John Levine
- Re: What to improve? BCP-38/SAC-004 anyone? Jared Mauch
- Re: What to improve? BCP-38/SAC-004 anyone? Michael Richardson
- Re: What to improve? BCP-38/SAC-004 anyone? Michael Richardson
- Re: What to improve? BCP-38/SAC-004 anyone? Michael Richardson
- Re: What to improve? BCP-38/SAC-004 anyone? Jared Mauch
- Re: What to improve? BCP-38/SAC-004 anyone? Jared Mauch
- Re: What to improve? BCP-38/SAC-004 anyone? Patrik Fältström
- Re: What to improve? BCP-38/SAC-004 anyone? Randy Bush
- Re: What to improve? BCP-38/SAC-004 anyone? Patrik Fältström
- RE: What to improve? BCP-38/SAC-004 anyone? Christian Huitema
- Re: What to improve? BCP-38/SAC-004 anyone? John Levine
- Re: What to improve? BCP-38/SAC-004 anyone? Jari Arkko
- Re: What to improve? BCP-38/SAC-004 anyone? Donald Eastlake
- Re: What to improve? BCP-38/SAC-004 anyone? Jim Gettys
- Re: Fwd: What to improve? BCP-38/SAC-004 anyone? dave taht
- Re: What to improve? BCP-38/SAC-004 anyone? George, Wes