IETF Logo Mail Archive

Re: I-D.ietf-v6ops-cpe-simple-security-09

Mark Townsley <townsley@cisco.com> Sun, 21 March 2010 14:25 UTC

Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9E4CD3A67D4 for <ietfarch-v6ops-archive@core3.amsl.com>; Sun, 21 Mar 2010 07:25:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.525
X-Spam-Level:
X-Spam-Status: No, score=-6.525 tagged_above=-999 required=5 tests=[AWL=-1.760, BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_HI=-8, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J-QptELdhmHs for <ietfarch-v6ops-archive@core3.amsl.com>; Sun, 21 Mar 2010 07:25:08 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 654F83A6847 for <v6ops-archive@lists.ietf.org>; Sun, 21 Mar 2010 07:23:46 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.71 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1NtM2d-000750-TE for v6ops-data0@psg.com; Sun, 21 Mar 2010 14:22:11 +0000
Received: from [144.254.224.140] (helo=ams-iport-1.cisco.com) by psg.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.71 (FreeBSD)) (envelope-from <townsley@cisco.com>) id 1NtM2a-00072P-5i for v6ops@ops.ietf.org; Sun, 21 Mar 2010 14:22:08 +0000
Authentication-Results: ams-iport-1.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-AV: E=Sophos;i="4.51,283,1267401600"; d="scan'208";a="58343187"
Received: from ams-core-1.cisco.com ([144.254.224.150]) by ams-iport-1.cisco.com with ESMTP; 21 Mar 2010 14:22:06 +0000
Received: from iwan-view3.cisco.com (iwan-view3.cisco.com [171.70.65.13]) by ams-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id o2LEM54u028366; Sun, 21 Mar 2010 14:22:05 GMT
Received: from ams-townsley-8719.cisco.com (ams-townsley-8719.cisco.com [10.55.233.234]) by iwan-view3.cisco.com (8.11.2/CISCO.WS.1.2) with ESMTP id o2LEM2Y12220; Sun, 21 Mar 2010 07:22:02 -0700 (PDT)
Message-ID: <4BA62B89.6080604@cisco.com>
Date: Sun, 21 Mar 2010 15:22:01 +0100
From: Mark Townsley <townsley@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.8) Gecko/20100227 Thunderbird/3.0.3
MIME-Version: 1.0
To: Shane Amante <shane@castlepoint.net>
CC: Fred Baker <fred@cisco.com>, james woodyatt <jhw@apple.com>, IPv6 Operations <v6ops@ops.ietf.org>
Subject: Re: I-D.ietf-v6ops-cpe-simple-security-09
References: <D6F5ACD2-EB43-477E-9F48-AC3EDB3F7EB4@apple.com> <4BA3BBCF.2090903@cisco.com> <4BA3D1B3.4010501@gmail.com> <9EEBEB1D-8D88-45DB-9200-EBE2ED0D84CF@apple.com> <4BA524A8.9020201@cisco.com> <D6BE2A3C-57BD-486D-B9C6-382B42FA4A67@cisco.com> <4BA55147.601@cisco.com> <F0FDFF3D-F703-422A-9443-D6F723FB034C@cisco.com> <C9616B83-659D-4FA8-A4EF-361B5FD2DA9B@castlepoint.net>
In-Reply-To: <C9616B83-659D-4FA8-A4EF-361B5FD2DA9B@castlepoint.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>

On 3/21/10 12:59 AM, Shane Amante wrote:
> Mark, Fred,
>
> On Mar 20, 2010, at 16:55 MDT, Fred Baker wrote:
>    
>>>>> Rate-limiting unsolicited inbound connections rather than rejecting them provides greater end-to-end transparency while still providing protection against address and port scanning attacks as well as overloading of slow links or devices within the home.
>>>>>
>>>>>            
>>>> SIlly question. Why do you believe that? An address or port scanning attack is not intended to overload a network, it is intended to find an address port that can be used or attacked.
>>>>          
>>> The sentence is referencing two different things. One, the possibility that uninvited packets might overload some device or slow link (something I consider unlikely, but has been identified as a concern by some), the other is, indeed, designed to make blind port and address scanning less likely to succeed in a given amount of time.
>>>
>>> - Mark
>>>        
>>>> Making the scan take more time doesn't prevent it from reaching its target. In what way does rate limiting an address or port scan provide protection?
>>>>          
>> With all due respect, when I set up security for my home or office, and when Cisco InfoSec sets up security for its home offices (of which mine is one), they're not asking about making an attack take ten minutes vs five. They're asking about preventing an attack from succeeding. Now, we can discuss the logic of the notion that "the bad guys are out there and the good guys are in here", but given the assumption, we need to be rational about the threats we are trying to prevent from succeeding.
>>      
> Agreed.  This proposal seems like a poor half-measure.  IMHO, if a client/host wants real end-2-end transparency, then it should use something like NAT-PMP to explicitly signal to the upstream FW that the client is wise and mature enough to deploy it's own, onboard FW to protect itself.  Although some people may think that's a bad idea, because a malware-infected PC/device could signal an upstream FW to open up everything, I personally think that's a very poor argument.
>    
If you take most of these types of arguments to their logical end, I 
think you'll find that the only real defense here is keeping the 
end-devices secure. Particularly those that travel outside of the home 
and can be infected while away, etc. Given that there is little or no 
real data on whether IPv6 residential firewalls actually fend off 
hackers, we are responding to a lot of hypothetical analysis and 
conjecture. Much of it is to, in the end, make the user, ISP, or 
whomever is responsible "feel" more secure (insert analogies of airport 
security pat-downs here).

So, we're probably not going to get very far on technical arguments. 
What the rate-limiting does is ensure that "only a few per second" 
packets get on the inside. If you are a valid application trying to make 
a connection to a valid open port known in advance, then this is all you 
need. If you are a hacker without that information, you probably need to 
try a few more times.

This, importantly for whether someone "feels" safe, is to give a setting 
somewhere between "wide open" and "completely closed". I'd say a lot of 
users fall in that category.
> Namely, once a PC/device is infected, it's game-over, anyway.
And the attack vectors are often above L4 these days.
>    Specifically, remote attackers already have the ability to remotely control that PC and perform further reconnaissance and attacks both /inside/ and outside the LAN.  Second, if technically savvy people still don't like the idea of NAT-PMP operating on their FW, then they will be smart enough to disable it altogether on their (personal) FW's.
>    
I wish I could conjure up confidence that a single, interoperable, 
secure, ubiquitously available, FW control protocol will exist for IPv6. 
Given that we haven't been able to achieve that for IPv4, I find it hard 
to believe we will for IPv6. Assuming it will happen is little more than 
wishful thinking at this stage.

- Mark

> -shane
>

v2.23.0 | Report a Bug | By Email