Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC
"de Brün, Markus" <markus.debruen@bsi.bund.de> Mon, 18 November 2013 10:37 UTC
From: "de Brün, Markus" <markus.debruen@bsi.bund.de>
Organization: BSI Bonn
To: v6ops@ietf.org, Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
Date: Mon, 18 Nov 2013 11:37:21 +0100

> > [...], but does this mean accessible from anywhere on the Internet ?
> Actually, I think you're probably going to want your refrigerator to be
> able to access the Internet, [...]

"Access to the internet" and "accessible from the internet" are two separate things. Perhaps I want my fridge to access the internet but not the other way around.
There was a vulnerability in some heating-systems a few months ago [1]. An attacker could remotely shut down the heating. This is the kind of thing one does not want to happen.

Regards,
Markus

[1] http://www.heise.de/security/meldung/Vaillant-Heizungen-mit-Sicherheits-Leck-1840919.html

__________ original message __________
From: Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
Date: Saturday, 16 November 2013, 07:30:13
To: Marc Lampo <marc.lampo.ietf@gmail.com>, Mikael Abrahamsson <swmike@swm.pp.se>
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC

> > From: Marc Lampo <marc.lampo.ietf@gmail.com>
> > To: Mikael Abrahamsson <swmike@swm.pp.se>
> > Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
> > Sent: Thursday, 14 November 2013 9:50 PM
> > Subject: Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC
> >
> > I realise now that "unsolicited" is a word allowing multiple
> > interpretations (but also used in RFC 6092). But we seem to have got it
> > right.
> >
> > Anyway, the fact that some service, on an internal device, is willing to
> > accept connections on port XYZ, does not, in my opinion, imply that those
> > connections may also come from the outside Internet. Back to the example
> > with the refrigerator :
> > suppose it has a service (port XYZ) that allows it to be queried for its
> > contents.
> >
> > Probably great when one is at home, but does this mean accessible from
> > anywhere on the Internet ?
> >
> > In my opinion : not before the owner has explicitly instructed his CPE to
> > allow incoming connections (RFC 6092, REC-48).
>
> Actually, I think you're probably going to want your refrigerator to be
> able to access the Internet, as well as your toaster, answering machine,
> rice cooker, washing machine etc.
>
> I think appliances, if they aren't already, are going to become computers,
> with as much done via software/firmware as possible, instead of hardware,
> because hardware is much harder and more expensive to change, both during
> development and after it is sold to the customer.
>
> However, software/firmware is still hard to change if the customer has to
> either take it back to the manufacturer, or plug a PC or USB stick into it
> to update the software/firmware. Having the device be able to update itself
> over the Internet will be both much more user/customer friendly and much
> cheaper for the manufacturer.
>
> So manufacturers have an incentive to make their appliances be able to
> attach to the Internet, and their customers have an incentive to attach
> them. As with tablets and smartphones, the manufacturer won't be able to
> vouch for the existence of any upstream network "firewalls", nor will they
> successfully be able to ask the customer of their existence, so the
> manufacturer will have to assume the worst, and therefore harden the
> appliance against publicly addressed unfettered Internet access.
>
> Regards,
> Mark.
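
The distinction drawn in the reply above, between a device that can access the Internet and one that is accessible from it, written as a stateful forwarding policy for a home CPE. This is an added example, not part of the original message or of the draft under discussion; the table name, the interface names `lan0` and `wan0`, the address `2001:db8:1::50` and port 8443 are assumptions chosen for illustration.

```nftables
# Added illustration. Assumed names: table cpe_forward, LAN interface lan0,
# WAN interface wan0, documentation-prefix host 2001:db8:1::50, port 8443.
table ip6 cpe_forward {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows a home device opened itself, plus the ICMPv6
        # errors that conntrack relates to those flows.
        ct state established,related accept
        ct state invalid drop

        # "Access to the Internet": LAN hosts may initiate outbound flows,
        # e.g. an appliance fetching its own firmware update.
        iifname "lan0" oifname "wan0" accept

        # "Accessible from the Internet": only what the owner has explicitly
        # enabled on the CPE. Example exception, left disabled:
        # iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1::50 tcp dport 8443 ct state new accept

        # Anything else arriving from the WAN side is unsolicited. It would
        # hit the drop policy anyway; the counter makes the drops visible.
        iifname "wan0" counter drop
    }
}
```

This covers forwarded traffic only; traffic addressed to the CPE itself is handled by a separate input chain that is not shown.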