Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC

Mark ZZZ Smith <markzzzsmith@yahoo.com.au> Tue, 19 November 2013 19:09 UTC

References: <201311101900.rAAJ0AR6025350@irp-view13.cisco.com> <CAB0C4xM_eN7x-4G6YYku+t=X_w3c7LiEU6AR1EDvhT6Kea_hqw@mail.gmail.com> <1384583413.2103.YahooMailNeo@web142501.mail.bf1.yahoo.com> <201311181137.21672.markus.debruen@bsi.bund.de>
Message-ID: <1384888170.31515.YahooMailNeo@web142505.mail.bf1.yahoo.com>
Date: Tue, 19 Nov 2013 11:09:30 -0800
From: Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
To: "de Brün, Markus" <markus.debruen@bsi.bund.de>, "v6ops@ietf.org" <v6ops@ietf.org>
In-Reply-To: <201311181137.21672.markus.debruen@bsi.bund.de>
Subject: Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC




----- Original Message -----
> From: "de Brün, Markus" <markus.debruen@bsi.bund.de>
> To: v6ops@ietf.org; Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
> Cc: Marc Lampo <marc.lampo.ietf@gmail.com>; Mikael Abrahamsson <swmike@swm.pp.se>
> Sent: Monday, 18 November 2013 9:37 PM
> Subject: Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC
> 
>>  >[...], but does this mean accessible from anywhere on the Internet ?
> 
>>  Actually, I think you're probably going to want your refrigerator to be
>>  able to access the Internet, [...]
> 
> "Access to the internet" and "accessible from the internet" are two separate
> things. Perhaps I want my fridge to access the internet but not the other way
> around.
> 

It might depend on whether you want to find out what is in it when you're at the supermarket. It might be convenient to know if you need to buy milk when you're there.


> There was a vulnerability in some heating-systems a few months ago [1]. An 
> attacker could remotely shut down the heating. This is the kind of thing one 
> does not want to happen.
> 

True.

However, if you were the manufacturer of this heating system, how could you be sure your customers are not attaching the device directly to an unfettered Internet connection? You could try putting a warning on the box or in the manual saying "Don't plug into the Internet" or "There MUST be a firewall in front of this device." That might not confuse people like us, but I'm pretty sure it will confuse the majority of consumers.

The only way for a manufacturer to be sure of the security of the device is to assume the worst and have the device be totally self-reliant for its Internet protection. If the manufacturer does that, then there are no warnings in the manual or on the box that may be ignored, or phone calls from confused customers. That was my experience with my "smart" Internet-connected TV and Blu-ray player. I've 'nmap' scanned them, and they look as though they've been Internet hardened.

It is also worth keeping in mind that the CPE itself may not be perfectly secure, and may be a target itself. If it is compromised, then any protection it used to provide may now be gone. I'd forgotten about it; however, the ISP I worked for in 2009 had quite a number of customers whose CPE was infected by this malware:

http://en.wikipedia.org/wiki/Psyb0t


IIRC, impacted customers numbered in the 100s, I suspect because the CPE model was quite old at that point (it was already being sold in 2005 when I started there), so many customers had replaced it. It would have remained unnoticed by both us and the customers if it hadn't caused customers' Internet connections to fail.

The Carna Botnet also leveraged insecure CPE to conduct the "Internet Census 2012", which I think is further evidence that there shouldn't be absolute faith in the security of CPE. (http://lists.ausnog.net/pipermail/ausnog/2013-September/020338.html)

So I think device manufacturers would be wise to make a device/appliance protect itself, even if they believe there might commonly be an upstream networking device performing some sort of firewalling function.


Regards,
Mark.
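The "totally self-reliant" appliance the message argues for, as an added illustration that is not part of this thread or of the draft: an nftables ruleset assumed to run on the appliance itself, which lets the device reach the Internet (updates, the fridge querying a service) while dropping everything unsolicited that arrives from a global address. The control service on TCP port 8443 stands in for the thread's "port XYZ" and is an assumption; it is reachable only from link-local and ULA sources, i.e. from the home network.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): host firewall for an IPv6 appliance
# that only needs outbound Internet access, following the "assume no upstream
# firewall exists" posture argued for above.
flush ruleset

table inet appliance {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback, plus replies to connections the appliance itself opened
        # (software updates, the fridge talking to its vendor service).
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 the host needs to function on an IPv6 link (RFC 4890):
        # error messages, and Neighbor Discovery with hop limit 255 so that
        # ND packets cannot have been routed in from off-link.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        icmpv6 type { nd-router-advert, nd-neighbor-solicit,
                      nd-neighbor-advert, nd-redirect } ip6 hlim 255 accept
        # MLD queries come from the on-link router's link-local address.
        icmpv6 type mld-listener-query ip6 saddr fe80::/10 accept

        # Let the owner ping the device, but rate-limit it.
        icmpv6 type echo-request limit rate 5/second accept

        # Assumed local control service ("port XYZ" in the thread): only
        # from link-local or ULA sources, never from global addresses.
        tcp dport 8443 ip6 saddr { fe80::/10, fc00::/7 } accept

        # Everything else, including anything unsolicited from the global
        # Internet, is counted, logged for detection, and dropped.
        log prefix "appliance-drop: " counter drop
    }

    chain forward {
        # An appliance never forwards traffic.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Loaded with `nft -f`, this can be checked the way the message describes: an `nmap -6` scan of the device's global address from outside should report only filtered ports, while the control port still answers from a host on the home prefix.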
> Regards,
> Markus
> 
> [1] 
> http://www.heise.de/security/meldung/Vaillant-Heizungen-mit-Sicherheits-Leck-1840919.html
> 
> 
> 
> __________ original message __________
> 
> From:        Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
> Date:    Saturday, 16 November 2013, 07:30:13
> To:        Marc Lampo <marc.lampo.ietf@gmail.com>, Mikael Abrahamsson 
> <swmike@swm.pp.se>
> Cc:    "v6ops@ietf.org WG" <v6ops@ietf.org>
> Subject:    Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC
> 
>>  >________________________________
>>  > From: Marc Lampo <marc.lampo.ietf@gmail.com>
>>  >To: Mikael Abrahamsson <swmike@swm.pp.se>
>>  >Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
>>  >Sent: Thursday, 14 November 2013 9:50 PM
>>  >Subject: Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC
>>  >
>>  >
>>  >
>>  >I realise now that "unsolicited" is a word allowing multiple
>>  > interpretations (but also used in RFC 6092).  But we seem to have got it
>>  > right.
>>  >
>>  >Anyway, the fact that some service, on an internal device, is willing to
>>  > accept connections on port XYZ, does not, in my opinion, imply that those
>>  > connections may also come from the outside Internet. Back to the example
>>  > with the refrigerator :
>>  >suppose it has a service (port XYZ) that allows it to be queried for its
>>  > contents.
>>  >
>>  >Probably great when one is at home, but does this mean accessible from
>>  > anywhere on the Internet ?
>>  >
>>  >In my opinion : not before the owner has explicitly instructed his CPE to
>>  > allow incoming connections (RFC 6092, REC-48).
>> 
>>  Actually, I think you're probably going to want your refrigerator to be
>>  able to access the Internet, as well as your toaster, answering machine,
>>  rice cooker, washing machine etc.
>> 
>>  I think appliances, if they aren't already, are going to become computers,
>>  with as much done via software/firmware as possible, instead of hardware,
>>  because hardware is much harder and more expensive to change, both during
>>  development and after it is sold to the customer.
>> 
>>  However, software/firmware is still hard to change if the customer has to
>>  either take it back to the manufacturer, or plug a PC or USB stick into it
>>  to update the software/firmware. Having the device be able to update itself
>>  over the Internet will be both much more user/customer friendly and much
>>  cheaper for the manufacturer. 
>> 
>>  So manufacturers have an incentive to make their appliances be able to
>>  attach to the Internet, and their customers have an incentive to attach
>>  them. As with tablets and smartphones, the manufacturer won't be able to
>>  vouch for the existence of any upstream network "firewalls", nor will they
>>  successfully be able to ask the customer of their existence, so the
>>  manufacturer will have to assume the worst, and therefore harden the
>>  appliance against publicly addressed unfettered Internet access.
>> 
>>  Regards,
>>  Mark.
>> 