Re: [v6ops] Hmm. Interesting article...

Ca By <cb.list6@gmail.com> Tue, 02 February 2016 16:09 UTC

In-Reply-To: <56B0CC7E.1000005@si6networks.com>
References: <165F7549-2A4C-44C3-9FBA-3AF69DE50110@cisco.com> <CAHw9_iLDjyZ6CKUjcyqUBe3-_EJxDekG7a1cPVLpF_U9tVvUgQ@mail.gmail.com> <56AFD626.1000802@bogus.com> <FBABBC18-CFFA-46C9-A63C-B86FE2CFFC94@cisco.com> <6EB29183-FA9A-4B94-BD68-115DB190FE65@delong.com> <56B06129.7090301@si6networks.com> <657448B4-4F56-445A-8862-8E0EB8D1A8B2@delong.com> <56B0BE2B.5050408@si6networks.com> <D2D633A9.D612D%Lee.Howard@twcable.com> <56B0CC7E.1000005@si6networks.com>
Date: Tue, 02 Feb 2016 08:09:08 -0800
Message-ID: <CAD6AjGTp61hNf23vZT2CNXr9VOrsDckQ_dH7CvYnN_tRiaXrcA@mail.gmail.com>
From: Ca By <cb.list6@gmail.com>
To: Fernando Gont <fgont@si6networks.com>
Content-Type: multipart/alternative; boundary="047d7bfceebcac3d1d052acbb854"
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/gsllYFoP6c_bDKGpza1h05gZ8FQ>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] Hmm. Interesting article...

On Tue, Feb 2, 2016 at 7:34 AM, Fernando Gont <fgont@si6networks.com> wrote:

> On 02/02/2016 12:24 PM, Howard, Lee wrote:
> >
> > On 2/2/16, 9:33 AM, "v6ops on behalf of Fernando Gont"
> > <v6ops-bounces@ietf.org on behalf of fgont@si6networks.com> wrote:
> >
> >> On 02/02/2016 10:20 AM, Owen DeLong wrote:
> >>>
> >>>> On Feb 1, 2016, at 23:56, Fernando Gont <fgont@si6networks.com>
> wrote:
> >>>>
> >>>> Maybe in that in IPv4 you typically have a NAT in front of your node,
> >>>> where in IPv6 you don't necessarily have a fw?
> >>>>
> >>>
> >>> If you're running a host without any sort of filter, that's really not
> >>> a problem we should be solving at the network level. That's more of an
> >>> educational problem.
> >>
> >> There's a reason for deploying network-based firewalls:
> >> <https://tools.ietf.org/html/draft-gont-opsawg-firewalls-analysis-01>
> >>
> >
> > There is an unaddressed tension here.
> > I think one view is that IPv6 should be deployed without firewalls so all
> > hosts are reachable from arbitrary other hosts on the Internet.
>
> The folk busted by the recent ICMPv6-based freebsd exploit has a good
> example regarding why you don't want to be reachable by everyone when
> you don't really need that.
>
>
Except for everyone with FreeBSD-based network firewalls.

In my experience, firewalls are a single point of failure that is
generally more prone to attacks (state exhaustion, ALG mishandling bugs and
associated platform crashes, ...) than anything else.  A firewall is a
host, so it has all those same host issues you speak of.

The biggest source of network-based DDoS today, the one that is crushing the
internet daily ... is generally labeled a "home firewall" ... these
firewalls seem to expose UDP 1900, Chargen, NTP, and others.... The label
says firewall.

So, excuse me if I don't think firewalls do what you think they do in the
real world.  In my experience, they are the vector of the worst attacks and
concentrate the risk of a site going off-line into a single box that is
more vulnerable (since it is running exotic ALGs, UPnP, PCP ...) than any
other box.

CB


> "Need to know basis", "principle of least privilege"... i.e., you are
> not allowed to do something that you're not really required to do...
>
>
> > I think the other view is that all/most/many hosts should be protected by
> > a stateful firewall.
> >
> > I don't know that we can resolve this tension in v6ops, but I want to
> > make it explicit.
>
> Folks aiming at end to end connectivity have traditionally assumed that
> the "host" is some sort of computer (laptop, tablet, etc.) whereas
> "host" really becomes any crappy device that becomes IPv6-enabled...
> possibly with sloppy code, unmanaged, and possibly not even possible to
> upgrade. -- No.. you don't want that stuff reachable from anyone in the
> Internet.
>
>
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
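The point made above about "home firewalls" that expose UDP 1900 (SSDP), Chargen and NTP is that such boxes act as reflectors: a small spoofed probe goes in, a much larger reply goes out toward the spoofed victim. The script below is an added example written for this archive page; it is not code from the thread or from any of its participants. It runs a simple amplification check over constructed flow records (the kind a firewall or NetFlow exporter would summarise) and flags local hosts that answer reflector-port probes from outside the site with far more bytes than they received. The port list, the sample flows, the 5x ratio and the 10 kB floor are all assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

# UDP services commonly abused for reflection: the three named in the thread
# plus DNS and SNMP. Assumed list; extend it to match your own exposure.
REFLECTOR_PORTS = {19: "Chargen", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes).
# 192.0.2.0/24 plays the "home" side; the other addresses are external.
SAMPLE_FLOWS = [
    # small SSDP M-SEARCH probes arriving from a (spoofed) victim address ...
    ("203.0.113.7", 40000, "192.0.2.1", 1900, "udp", 100, 9000),
    # ... answered with much larger SSDP replies sent to that victim
    ("192.0.2.1", 1900, "203.0.113.7", 40000, "udp", 400, 120000),
    # NTP: tiny query in, very large response out
    ("198.51.100.9", 5353, "192.0.2.1", 123, "udp", 10, 500),
    ("192.0.2.1", 123, "198.51.100.9", 5353, "udp", 1000, 480000),
    # ordinary outbound DNS lookup by the local host: not a reflection edge
    ("192.0.2.1", 5555, "198.51.100.53", 53, "udp", 2, 150),
    ("198.51.100.53", 53, "192.0.2.1", 5555, "udp", 2, 300),
    # TCP traffic is ignored entirely
    ("192.0.2.1", 443, "203.0.113.8", 51000, "tcp", 50, 60000),
]


def find_reflection(flows, local_net, ratio_threshold=5.0, min_out_bytes=10_000):
    """Return one finding per (local host, service, remote peer) where the local
    host sent >= min_out_bytes out of a reflector port and the out/in byte ratio
    is at least ratio_threshold. Only edges crossing the site boundary count."""
    net = ipaddress.ip_network(local_net)
    # (local_ip, service_port, remote_ip) -> [bytes_in, bytes_out]
    tally = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport, proto, _pkts, nbytes in flows:
        if proto != "udp":
            continue
        src_local = ipaddress.ip_address(src) in net
        dst_local = ipaddress.ip_address(dst) in net
        if src_local == dst_local:
            continue  # intra-site or purely external: not a boundary crossing
        if dst_local and dport in REFLECTOR_PORTS:
            tally[(dst, dport, src)][0] += nbytes   # probe into the service
        elif src_local and sport in REFLECTOR_PORTS:
            tally[(src, sport, dst)][1] += nbytes   # reply out of the service
    findings = []
    for (local_ip, port, remote_ip), (b_in, b_out) in tally.items():
        ratio = b_out / max(b_in, 1)   # avoid division by zero on reply-only flows
        if b_out >= min_out_bytes and ratio >= ratio_threshold:
            findings.append({
                "reflector": local_ip,
                "service": REFLECTOR_PORTS[port],
                "port": port,
                "victim": remote_ip,
                "bytes_in": b_in,
                "bytes_out": b_out,
                "amplification": round(ratio, 1),
            })
    findings.sort(key=lambda f: f["bytes_out"], reverse=True)
    return findings


def exposed_services(findings):
    """Distinct reflector services the findings show to be reachable from outside."""
    return sorted({f["service"] for f in findings})


if __name__ == "__main__":
    for f in find_reflection(SAMPLE_FLOWS, "192.0.2.0/24"):
        print(f"{f['reflector']} {f['service']}/udp {f['port']} -> {f['victim']}: "
              f"{f['bytes_out']} B out vs {f['bytes_in']} B in (x{f['amplification']})")
```

On the sample data the NTP and SSDP edges are reported and the local host's own DNS lookup is not, because the local side of that flow uses an ephemeral port rather than a service port. In practice the output is the list of services to close or restrict on the WAN side, and the inbound probe edge is the one an ACL in front of the device should drop.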