[v6ops] Re: Traffic control protocols (PCP and UPnP IGD)
Gert Doering <gert@space.net> Sun, 28 July 2024 10:04 UTC
Date: Sun, 28 Jul 2024 12:03:52 +0200
From: Gert Doering <gert@space.net>
To: Ted Lemon <mellon@fugue.com>
CC: Daryll Swer <contact=40daryllswer.com@dmarc.ietf.org>, "Kawashima Masanobu(川島 正伸)" <kawashimam=40nec.com@dmarc.ietf.org>, Ole Troan <otroan=40employees.org@dmarc.ietf.org>, "v6ops@ietf.org" <v6ops@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/deAhfKba6KLsHjXsdexh_htXqsQ>
Hi,
On Sat, Jul 27, 2024 at 04:56:44PM -0700, Ted Lemon wrote:
> Gert, this is /precisely/ what PCP is for: to tell the firewall which ports
> to allow through. My speaker doesn't tell PCP to allow anyone on the
> outside to play music to my speakers because that wouldn't make sense. My
> ssh server isn't very useful if I can't get to it from the outside. But
> only that one ssh server; there are other ssh servers on my network that
> would not make sense to expose.
>
> This is what PCP enables: fine-grained control over ingress.
I totally understand the *idea* behind it.

Implementors of, say, "speakers" might not get that their device is not
supposed to be accessible by, say, their nice cloud service and still do
add PCP to their speakers. Because someone thinks it's a good idea.

Which is exactly my point that you try to not see - PCP, as a protocol,
used for exactly those services that are a) intended to be reachable, and
b) securely so, is a nice tool. PCP as a default action for "everything
that opens a listening socket" contradicts having a firewall by default.
I expect implementors to do "PCP as a default action for everything",
because that's much easier than adding a config knob to let the informed
user do the right thing.

Also, of course, all software developers that add a listen socket will
assume that their software is the most important you run, will need to
be talked to, AND is totally secure.

Real life vs. protocol design.
Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard, Ingo Lalla,
Karin Schuler, Sebastian Cler
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
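A sketch of the "config knob" the message above argues for, added here as an illustration; it is not code from the thread, from any poster, or from any real PCP implementation. It is a deny-by-default admission check for PCP MAP requests (wire layout per RFC 6887 sections 7.1 and 11.1): the firewall honours a mapping only for (internal host, protocol, port) tuples the operator has listed, answers everything else with NOT_AUTHORIZED, and refuses requests whose header client address does not match the packet source. The function names, the POLICY set and the 2001:db8::/32 and 192.0.2.0/24 addresses are constructed for the example.

```python
"""Hypothetical deny-by-default admission check for PCP MAP requests.

Added example, not from the v6ops thread or any PCP implementation.
Field layout follows RFC 6887: 24-byte common request header
(section 7.1) followed by 36 bytes of MAP opcode data (section 11.1).
"""
import ipaddress
import struct

PCP_VERSION = 2
OPCODE_MAP = 1
PROTO_TCP, PROTO_UDP = 6, 17

# Result codes from RFC 6887 section 7.4 (subset used here).
SUCCESS, UNSUPP_VERSION, NOT_AUTHORIZED, MALFORMED_REQUEST = 0, 1, 2, 3
UNSUPP_OPCODE, ADDRESS_MISMATCH = 4, 12

# version | R+opcode | reserved | requested lifetime | PCP client IP (128 bits)
HEADER = struct.Struct("!BBHI16s")
# mapping nonce | protocol | reserved(24) | internal port | ext port | ext IP
MAP_DATA = struct.Struct("!12sB3sHH16s")


def _packed16(ip: str) -> bytes:
    """PCP carries every address as 128 bits; IPv4 goes IPv4-mapped (section 5)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        addr = ipaddress.IPv6Address(f"::ffff:{addr}")
    return addr.packed


def parse_map_request(data: bytes) -> dict:
    """Decode the common header plus MAP opcode data; ValueError on short input."""
    if len(data) < HEADER.size + MAP_DATA.size:
        raise ValueError("short PCP packet")
    version, r_opcode, _res, lifetime, client_ip = HEADER.unpack_from(data, 0)
    nonce, proto, _res3, int_port, ext_port, ext_ip = MAP_DATA.unpack_from(data, HEADER.size)
    return {
        "version": version,
        "is_response": bool(r_opcode & 0x80),  # R bit set means response
        "opcode": r_opcode & 0x7F,
        "lifetime": lifetime,
        "client_ip": ipaddress.ip_address(client_ip),
        "nonce": nonce,
        "proto": proto,
        "internal_port": int_port,
        "external_port": ext_port,
        "external_ip": ipaddress.ip_address(ext_ip),
    }


def admit(data: bytes, src_ip: str, allowlist: set) -> int:
    """Result code a deny-by-default PCP server would answer with.

    allowlist holds (internal IP, protocol, internal port) tuples chosen by
    the operator; nothing outside it is ever opened, no matter what a
    device asks for.
    """
    try:
        req = parse_map_request(data)
    except ValueError:
        return MALFORMED_REQUEST
    if req["version"] != PCP_VERSION:
        return UNSUPP_VERSION
    if req["is_response"] or req["opcode"] != OPCODE_MAP:
        return UNSUPP_OPCODE
    # The client IP in the header must equal the packet source, so one host
    # cannot request pinholes on behalf of a neighbour (RFC 6887 section 8.1).
    if req["client_ip"] != ipaddress.ip_address(_packed16(src_ip)):
        return ADDRESS_MISMATCH
    # Lifetime 0 asks to delete a mapping: it closes a hole rather than
    # opening one, so policy lets it through (nonce validation omitted here).
    if req["lifetime"] == 0:
        return SUCCESS
    permitted = {(ipaddress.ip_address(_packed16(ip)), p, port) for ip, p, port in allowlist}
    key = (req["client_ip"], req["proto"], req["internal_port"])
    return SUCCESS if key in permitted else NOT_AUTHORIZED


def build_map_request(client_ip: str, proto: int, int_port: int,
                      lifetime: int = 3600, nonce: bytes = b"\x11" * 12) -> bytes:
    """Constructed MAP request, as a PCP client on the LAN would send it."""
    head = HEADER.pack(PCP_VERSION, OPCODE_MAP, 0, lifetime, _packed16(client_ip))
    body = MAP_DATA.pack(nonce, proto, b"\0" * 3, int_port, 0, _packed16("::"))
    return head + body


# Constructed operator policy: only the one ssh host is reachable from outside.
POLICY = {("2001:db8::10", PROTO_TCP, 22)}

if __name__ == "__main__":
    ssh = build_map_request("2001:db8::10", PROTO_TCP, 22)
    speaker = build_map_request("2001:db8::20", PROTO_TCP, 8080)
    print("ssh host   ->", admit(ssh, "2001:db8::10", POLICY))       # 0, SUCCESS
    print("speaker    ->", admit(speaker, "2001:db8::20", POLICY))   # 2, NOT_AUTHORIZED
    print("spoofed IP ->", admit(ssh, "2001:db8::99", POLICY))       # 12, ADDRESS_MISMATCH
```

The point of the sketch is the last line of admit(): the device's own opinion of how important it is never enters the decision. A speaker that ships with "PCP for everything" still sends its MAP request, but the firewall answers NOT_AUTHORIZED unless the operator listed that host and port, so the default stays "closed" and the informed user opens exactly what they meant to.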