Re: [v6ops] Hmm. Interesting article...

Ca By <cb.list6@gmail.com> Tue, 02 February 2016 16:17 UTC

In-Reply-To: <CAD6AjGTp61hNf23vZT2CNXr9VOrsDckQ_dH7CvYnN_tRiaXrcA@mail.gmail.com>
References: <165F7549-2A4C-44C3-9FBA-3AF69DE50110@cisco.com> <CAHw9_iLDjyZ6CKUjcyqUBe3-_EJxDekG7a1cPVLpF_U9tVvUgQ@mail.gmail.com> <56AFD626.1000802@bogus.com> <FBABBC18-CFFA-46C9-A63C-B86FE2CFFC94@cisco.com> <6EB29183-FA9A-4B94-BD68-115DB190FE65@delong.com> <56B06129.7090301@si6networks.com> <657448B4-4F56-445A-8862-8E0EB8D1A8B2@delong.com> <56B0BE2B.5050408@si6networks.com> <D2D633A9.D612D%Lee.Howard@twcable.com> <56B0CC7E.1000005@si6networks.com> <CAD6AjGTp61hNf23vZT2CNXr9VOrsDckQ_dH7CvYnN_tRiaXrcA@mail.gmail.com>
Date: Tue, 02 Feb 2016 08:17:32 -0800
Message-ID: <CAD6AjGQrPiEhHCPHtbpxWsLF+Vppa7xNz6jXm4OVBWGvSPsQkA@mail.gmail.com>
From: Ca By <cb.list6@gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Content-Type: multipart/alternative; boundary="001a11444c24bc29cd052acbd681"
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/GjYzxgfxMrAf-TS_enao33b00Nw>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] Hmm. Interesting article...

On Tue, Feb 2, 2016 at 8:09 AM, Ca By <cb.list6@gmail.com> wrote:

>
>
> On Tue, Feb 2, 2016 at 7:34 AM, Fernando Gont <fgont@si6networks.com>
> wrote:
>
>> On 02/02/2016 12:24 PM, Howard, Lee wrote:
>> >
>> > On 2/2/16, 9:33 AM, "v6ops on behalf of Fernando Gont"
>> > <v6ops-bounces@ietf.org on behalf of fgont@si6networks.com> wrote:
>> >
>> >> On 02/02/2016 10:20 AM, Owen DeLong wrote:
>> >>>
>> >>>> On Feb 1, 2016, at 23:56, Fernando Gont <fgont@si6networks.com>
>> wrote:
>> >>>>
>> >>>> Maybe in that in IPv4 you typically have a NAT in front of your node,
>> >>>> where in IPv6 you don't necessarily have a fw?
>> >>>>
>> >>>
>> >>> If you're running a host without any sort of filter, that's really not
>> >>> a problem we should be solving at the network level. That's more of an
>> >>> educational problem.
>> >>
>> >> There's a reason for deploying network-based firewalls:
>> >> <https://tools.ietf.org/html/draft-gont-opsawg-firewalls-analysis-01>
>> >>
>> >
>> > There is an unaddressed tension here.
>> > I think one view is that IPv6 should be deployed without firewalls so
>> all
>> > hosts are reachable from arbitrary other hosts on the Internet.
>>
>> The folks busted by the recent ICMPv6-based FreeBSD exploit have a good
>> example regarding why you don't want to be reachable by everyone when
>> you don't really need that.
>>
>>
> Except for everyone with FreeBSD-based network-based firewalls.
>
> In my experience, firewalls are a single point of failure that are
> generally more prone to attacks (state exhaustion, ALG mishandling bugs and
> associated platform crashes, ...) than anything else.  A firewall is a
> host, so it has all those same host issues you speak of.
>
> The biggest source of network-based DDoS today, the one that is crushing
> the internet daily, is generally labeled a "home firewall"... these
> firewalls seem to expose UDP 1900, Chargen, NTP, and others.... The label
> says firewall.
>
> So, excuse me if I don't think firewalls do what you think they do in the
> real world.  In my experience, they are the vector of the worst attacks and
> concentrate the risk of a site going off-line into a single box that is
> more vulnerable (since it is running exotic ALGs, UPnP, PCP, ...) than any
> other box.
>
> CB
>

Oh, and they also create really nice backdoors into something you call the
"trusted area"

http://arstechnica.com/security/2016/01/et-tu-fortinet-hard-coded-password-raises-new-backdoor-eavesdropping-fears/

Fortinet, Juniper, Nearly every home router....

So...tell me... where do you come up with this idea that firewalls help?

There is a lot of evidence they make things worse.  Firewalls have the
following *fundamental* architectural failings:

0. Long history of being seriously owned, including recent backdoor issues.

1. They make users feel falsely secure, so they make bad assumptions about
the "secure network"

2. Commonly hit with state exhaustion attacks

3.  Architecturally they are generally deployed as a single door to the
network, so they are a single point of failure....even more hilarious is
when a vendor sells a high-availability pair and the state bug is reflected
from the HOT node to the standby node and they both crash

4.  They do advanced stateful packet fiddling, which is highly error prone
(UPnP, PCP, other ALGs)

I have been hit with every one of the above.

CB

>
>
>> "Need to know basis", "principle of least privilege"... i.e., you are
>> not allowed to do something that you're not really required to do...
>>
>>
>> > I think the other view is that all/most/many hosts should be protected
>> by
>> > a stateful firewall.
>> >
>> > I don't know that we can resolve this tension in v6ops, but I want to
>> make
>> > it explicit.
>>
>> Folks aiming at end to end connectivity have traditionally assumed that
>> the "host" is some sort of computer (laptop, tablet, etc.) whereas
>> "host" really becomes any crappy device that becomes IPv6-enabled...
>> possibly with sloppy code, unmanaged, and possibly not even possible to
>> upgrade. -- No.. you don't want that stuff reachable from anyone in the
>> Internet.
>>
>>
>> --
>> Fernando Gont
>> SI6 Networks
>> e-mail: fgont@si6networks.com
>> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>>
>>
>>
>>
>> _______________________________________________
>> v6ops mailing list
>> v6ops@ietf.org
>> https://www.ietf.org/mailman/listinfo/v6ops
>>
>
>
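As an added illustration of point 2 above (state exhaustion) from an editor, not from any of the posters or from any firewall product: a small Python model of a stateful firewall's connection table. It shows that a per-source cap on half-open flows blunts a flood from a few real addresses but does nothing against spoofed sources, whereas aging out half-open entries quickly frees the table either way. Table capacity, timeouts, address labels and the flood sizes are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class StateTable:
    """Connection table of a stateful firewall; `capacity` is the scarce resource."""
    capacity: int
    per_source_cap: int = 10**9    # max half-open flows allowed per source address
    half_open_ttl: float = 10**9   # seconds a flow may stay half-open before aging out
    entries: dict = field(default_factory=dict)  # flow 4-tuple -> (state, last_seen)

    def _expire(self, now):
        # Age out half-open entries: a handshake that never completes must not hold space.
        for flow in [f for f, (st, seen) in self.entries.items()
                     if st == "half_open" and now - seen > self.half_open_ttl]:
            del self.entries[flow]

    def syn(self, flow, now):
        """First packet of a new flow: returns True if state was created/refreshed."""
        self._expire(now)
        if flow in self.entries:
            return True
        src = flow[0]
        half_open = sum(1 for f, (st, _) in self.entries.items()
                        if f[0] == src and st == "half_open")
        if half_open >= self.per_source_cap or len(self.entries) >= self.capacity:
            return False           # table full: the firewall itself is now the outage
        self.entries[flow] = ("half_open", now)
        return True

    def established(self, flow, now):
        if flow in self.entries:
            self.entries[flow] = ("established", now)

def run_flood(table, attack_sources, syns_per_source, legit_clients):
    """Constructed SYN flood (handshakes never complete) from `attack_sources`
    addresses, then `legit_clients` connect 30 s later; returns how many got state."""
    t = 0.0
    for i in range(syns_per_source):
        for s in range(attack_sources):
            table.syn((f"attacker{s}", 40000 + i, "server", 443), t)
            t += 0.001
    t += 30.0
    admitted = 0
    for c in range(legit_clients):
        flow = (f"client{c}", 50000, "server", 443)
        if table.syn(flow, t):
            table.established(flow, t)
            admitted += 1
    return admitted
```

With a 1000-entry table and no mitigations, 2000 flood SYNs leave no room for the 50 legitimate clients; a per-source cap of 5 restores them when the flood comes from 100 addresses but not when it comes from 2000 spoofed ones, while a 5-second half-open TTL restores them in both cases.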