[v6ops] Re: Traffic control protocols (PCP and UPnP IGD)

Ted Lemon <mellon@fugue.com> Sat, 27 July 2024 23:56 UTC

From: Ted Lemon <mellon@fugue.com>
Date: Sat, 27 Jul 2024 16:56:44 -0700
To: Gert Doering <gert@space.net>
CC: Daryll Swer <contact=40daryllswer.com@dmarc.ietf.org>, "Kawashima Masanobu(?????? ??????)" <kawashimam=40nec.com@dmarc.ietf.org>, Ole Troan <otroan=40employees.org@dmarc.ietf.org>, "v6ops@ietf.org" <v6ops@ietf.org>
List-Id: v6ops discussion list <v6ops.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/vbN52kbBu_X_RWYPfOS6xm1JVPg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops>

Gert, this is /precisely/ what PCP is for: to tell the firewall which ports
to allow through. My speaker doesn’t tell PCP to allow anyone on the
outside to play music to my speakers because that wouldn’t make sense. My
ssh server isn’t very useful if I can’t get to it from the outside. But
only that one ssh server—there are other ssh servers on my network that
would not make sense to expose.

This is what PCP enables: fine-grained control over ingress.

On Sat 27 Jul 2024 at 14:08 Gert Doering <gert@space.net> wrote:

> Hi,
>
> On Fri, Jul 26, 2024 at 01:41:30PM -0700, Ted Lemon wrote:
> > This makes perfect sense if your threat model is that services that aren't
> > intended to be reachable from the internet become automatically reachable
> > from the Internet. E.g., I don't want some rando in Liechtenstein suddenly
> > playing Scriábin on my Homepod stereo pair (well, unless it's really good,
> > I guess). But I do want to be able to ssh in to my desktop machine. I don't
> > want my ISP to be able to block that because there's a firewall in the
> > cable modem that can't be configured.
>
> So how do you tell your can't-be-configured firewall that the Homepod
> "play my song" port must not be talked to, while the SSH port is fine?
>
> The Homepod might not be configurable either, to tell it "DO NOT ASK!",
> and neither might be whatever you have on your machine that is not SSH but
> should not be talked to...
>
> Gert Doering
>         -- NetMaster
> --
> have you enabled IPv6 on something today...?
>
> SpaceNet AG                      Board: Sebastian v. Bomhard, Ingo Lalla,
>                                         Karin Schuler, Sebastian Cler
> Joseph-Dollinger-Bogen 14        Chairman of the Supervisory Board: A. Grundner-Culemann
> D-80807 Muenchen                 Commercial register: HRB 136055 (Munich district court)
> Tel: +49 (0)89/32356-444         VAT ID: DE813185279
>
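To make the "tell the firewall which ports to allow through" point concrete, here is an added example (not from this thread or any PCP implementation) that encodes an RFC 6887 PCP MAP request admitting inbound TCP to exactly one internal port, the ssh port, and decodes the server's MAP response. The client address 2001:db8::22, the external address 2001:db8:ffff::1 and the `fake_success_response` helper standing in for the CPE's reply are constructed for offline use; a real client would send the request over UDP to the default gateway on port 5351.

```python
import os
import struct
import ipaddress

PCP_VERSION = 2
OPCODE_MAP = 1        # RFC 6887 opcodes: ANNOUNCE=0, MAP=1, PEER=2
PROTO_TCP = 6
RESULT_SUCCESS = 0

def build_map_request(client_ip, internal_port, lifetime, nonce=None, protocol=PROTO_TCP):
    """Encode a MAP request for one internal port; returns (packet, nonce).
    Suggested external port 0 and external address :: mean 'server chooses'."""
    nonce = nonce or os.urandom(12)           # echoed back so replies can be matched
    client = ipaddress.ip_address(client_ip)
    if client.version == 4:                   # PCP carries IPv4 as IPv4-mapped IPv6
        client = ipaddress.IPv6Address("::ffff:" + str(client))
    # Common request header: version, R=0|opcode, reserved, lifetime, client IP
    header = struct.pack("!BBHI16s", PCP_VERSION, OPCODE_MAP, 0, lifetime, client.packed)
    # MAP body: nonce, protocol, 3 reserved bytes, internal port, ext port, ext IP
    body = struct.pack("!12sB3xHH16s", nonce, protocol, internal_port, 0, b"\x00" * 16)
    return header + body, nonce

def parse_map_response(packet, expected_nonce):
    """Decode a MAP response and return its fields; raise on anything unexpected."""
    if len(packet) < 60:
        raise ValueError("short PCP response")
    # Response header: version, R=1|opcode, reserved, result code, lifetime, epoch, 12 reserved
    version, r_opcode, _, result, lifetime, epoch = struct.unpack("!BBBBII", packet[:12])
    if version != PCP_VERSION or not r_opcode & 0x80 or (r_opcode & 0x7F) != OPCODE_MAP:
        raise ValueError("not a PCP MAP response")
    nonce, protocol, internal_port, ext_port, ext_ip = struct.unpack("!12sB3xHH16s", packet[24:60])
    if nonce != expected_nonce:               # reject replies that are not ours
        raise ValueError("nonce mismatch: response is not for our request")
    return {"result": result, "lifetime": lifetime, "epoch": epoch, "protocol": protocol,
            "internal_port": internal_port, "external_port": ext_port,
            "external_ip": str(ipaddress.IPv6Address(ext_ip))}

def fake_success_response(request, external_ip, external_port, lifetime, epoch=1000):
    """Constructed stand-in for the CPE's reply to `request` (offline testing only)."""
    nonce, protocol, internal_port = struct.unpack("!12sB3xH", request[24:42])
    hdr = struct.pack("!BBBBII12x", PCP_VERSION, 0x80 | OPCODE_MAP, 0, RESULT_SUCCESS, lifetime, epoch)
    body = struct.pack("!12sB3xHH16s", nonce, protocol, internal_port, external_port,
                       ipaddress.IPv6Address(external_ip).packed)
    return hdr + body
```

The request names one port and one protocol, so nothing else on the host becomes reachable; the Homepod in Gert's example simply never sends such a request, and a server that does not grant the mapping answers with a non-zero result code instead.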