Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC

Marc Lampo <marc.lampo.ietf@gmail.com> Mon, 18 November 2013 10:44 UTC

Date: Mon, 18 Nov 2013 11:44:51 +0100
Message-ID: <CAB0C4xMiFCFTuaq-t1i3pt3KBiedibOYTeaukAusNXkRh8kwHw@mail.gmail.com>
From: Marc Lampo <marc.lampo.ietf@gmail.com>
To: "de Brün, Markus" <markus.debruen@bsi.bund.de>
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>

Do I understand this is an argument against the "mostly open policy" of the
draft?

(although the draft proposes to keep tcp port 80 closed and this particular
vulnerability seems to be against port 80)


On Mon, Nov 18, 2013 at 11:37 AM, de Brün, Markus <markus.debruen@bsi.bund.de> wrote:

> > >[...], but does this mean accessible from anywhere on the Internet ?
>
> > Actually, I think you're probably going to want your refrigerator to be
> > able to access the Internet, [...]
>
> "Access to the internet" and "accessible from the internet" are two
> separate things. Perhaps I want my fridge to access the internet but not
> the other way around.
>
> There was a vulnerability in some heating-systems a few months ago [1]. An
> attacker could remotely shut down the heating. This is the kind of thing
> one does not want to happen.
>
> Regards,
> Markus
>
> [1] http://www.heise.de/security/meldung/Vaillant-Heizungen-mit-Sicherheits-Leck-1840919.html
>
>
>
> __________ original message __________
>
> From:    Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
> Date:    Saturday, 16 November 2013, 07:30:13
> To:      Marc Lampo <marc.lampo.ietf@gmail.com>, Mikael Abrahamsson <swmike@swm.pp.se>
> Cc:      "v6ops@ietf.org WG" <v6ops@ietf.org>
> Subject: Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC
>
> > >________________________________
> > > From: Marc Lampo <marc.lampo.ietf@gmail.com>
> > >To: Mikael Abrahamsson <swmike@swm.pp.se>
> > >Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
> > >Sent: Thursday, 14 November 2013 9:50 PM
> > >Subject: Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC
> > >
> > > I realise now that "unsolicited" is a word allowing multiple
> > > interpretations (but also used in RFC 6092). But we seem to have got it
> > > right.
> > >
> > > Anyway, the fact that some service, on an internal device, is willing to
> > > accept connections on port XYZ does not, in my opinion, imply that those
> > > connections may also come from the outside Internet. Back to the example
> > > with the refrigerator: suppose it has a service (port XYZ) that allows it
> > > to be queried for its contents.
> > >
> > > Probably great when one is at home, but does this mean accessible from
> > > anywhere on the Internet?
> > >
> > > In my opinion: not before the owner has explicitly instructed his CPE to
> > > allow incoming connections (RFC 6092, REC-48).
> >
> > Actually, I think you're probably going to want your refrigerator to be
> > able to access the Internet, as well as your toaster, answering machine,
> > rice cooker, washing machine etc.
> >
> > I think appliances, if they aren't already, are going to become computers,
> > with as much done via software/firmware as possible, instead of hardware,
> > because hardware is much harder and more expensive to change, both during
> > development and after it is sold to the customer.
> >
> > However, software/firmware is still hard to change if the customer has to
> > either take it back to the manufacturer, or plug a PC or USB stick into it
> > to update the software/firmware. Having the device be able to update itself
> > over the Internet will be both much more user/customer friendly and much
> > cheaper for the manufacturer.
> >
> > So manufacturers have an incentive to make their appliances be able to
> > attach to the Internet, and their customers have an incentive to attach
> > them. As with tablets and smartphones, the manufacturer won't be able to
> > vouch for the existence of any upstream network "firewalls", nor will they
> > successfully be able to ask the customer of their existence, so the
> > manufacturer will have to assume the worst, and therefore harden the
> > appliance against publicly addressed unfettered Internet access.
> >
> > Regards,
> > Mark.
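As an added example (not code from the draft, RFC 6092, or any message in this thread), the following Python models the distinction Markus draws and the policy Marc asks about: the fridge may open connections outward and the replies are admitted by connection state, while an unsolicited inbound connection to "port XYZ" is decided by the CPE's default policy, with tcp/80 kept closed as the draft proposes and REC-48 style owner pinholes on top. The addresses, port numbers and the precedence of owner pinholes over the closed list are assumptions of this model.

```python
from dataclasses import dataclass, field
import ipaddress

HOME_NET = ipaddress.ip_network("2001:db8:1::/64")  # constructed: the LAN behind the CPE
FRIDGE = "2001:db8:1::f00d"                          # constructed: the fridge's address
OUTSIDE = "2001:db8:9::1"                            # constructed: a host on the Internet
XYZ = 7777                                           # stands in for the thread's "port XYZ"


@dataclass
class Cpe:
    mostly_open: bool                                         # draft policy vs. RFC 6092 default-deny
    always_closed: set = field(default_factory=lambda: {80})  # the draft keeps tcp/80 closed
    owner_allowed: set = field(default_factory=set)           # REC-48 style explicit pinholes
    flows: set = field(default_factory=set)                   # flows opened from inside

    def inbound_new(self, dport):
        """Verdict for an unsolicited inbound SYN; owner pinholes win (this model's assumption)."""
        if dport in self.owner_allowed:
            return "allow"
        if dport in self.always_closed:
            return "drop"
        return "allow" if self.mostly_open else "drop"

    def packet(self, src, sport, dst, dport, syn=False):
        """Return 'allow' or 'drop' for one TCP segment crossing the CPE."""
        if ipaddress.ip_address(src) in HOME_NET:
            self.flows.add((src, sport, dst, dport))      # outbound: remember the flow
            return "allow"
        if (dst, dport, src, sport) in self.flows:
            return "allow"                                # reply to a flow the inside host opened
        return self.inbound_new(dport) if syn else "drop"  # unsolicited, no matching state


def scenario(mostly_open, owner_allowed=()):
    """Run the thread's fridge example under one policy and return the verdicts."""
    cpe = Cpe(mostly_open, owner_allowed=set(owner_allowed))
    cpe.packet(FRIDGE, 50000, OUTSIDE, 443, syn=True)  # the fridge fetches a firmware update
    return {
        "update_reply": cpe.packet(OUTSIDE, 443, FRIDGE, 50000),            # stateful return traffic
        "query_fridge": cpe.packet(OUTSIDE, 40000, FRIDGE, XYZ, syn=True),  # unsolicited, port XYZ
        "port_80": cpe.packet(OUTSIDE, 40001, FRIDGE, 80, syn=True),        # unsolicited, tcp/80
    }


if __name__ == "__main__":
    print("RFC 6092 default-deny:", scenario(mostly_open=False))
    print("draft mostly open:    ", scenario(mostly_open=True))
    print("owner pinhole for XYZ:", scenario(False, owner_allowed={XYZ}))
```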