On Wed, Mar 14, 2012 at 12:41 PM, Brian E Carpenter
<brian.e.carpen...@gmail.com> wrote:
> On 2012-03-14 18:11, Cameron Byrne wrote:
>> On Tue, Mar 13, 2012 at 8:29 PM, Ashok Narayanan <ash...@cisco.com> wrote:
>>> On Mar 13, 2012, at 3/13 9:16 PM, Cameron Byrne wrote:
>>>
>>>
>>>> That's reality, and much as I love the e2e principle I think the ordinary
>>>> citizen is better off behind default-deny.
>>>>
>>> I am not trying to be dense, but why?
>>>
>>> What is the negative scenario of not having a homenet firewall on? Using
>>> real examples from the last 5 years .... I would like to know how a cpe
>>> firewall protects against real threats to modern software.
>>>
>>> It seems hard to predict a priori what a "real threat" is going to be. And
>>> it seems unlikely that "modern software" is all that will be found in
>>> average homes. For example, will the Android version on the refrigerator
>>> display be updated?
>>>
>>
>> Agreed about a priori.  BUT! what else do we have to go on?  I am
>> asking for a baseline to justify why a CPE firewall is required.  In
>> fact, I have asked for it multiple times on this thread, and all I get
>> back is anecdotal hand waving, not technical reasons.
>>
>> Putting the E back in IETF, let's see some data about why this
>> function  of the system must exist.
>>
>> My cursory research says you are not going to be able to present a
>> convincing amount of data to support the fact that a stateful
>> inspection firewall should be applied in a contemporary home
>> environment.  I believe the spirit of Homenet is moving the internet
>> forward without being beholden to the Morris worm and X.25
>
> Fred and I provided factual but local evidence of background radiation
> of unwanted UDP packets. Actually there is a lot more systematic evidence
> of this too. For example, this week at the PAM conference in Vienna
> there's a paper "One-way traffic monitoring with iatmon" by Nevil Brownlee
> that gives a detailed analysis of observed unwanted traffic, both UDP and TCP 
> SYN.
> See http://www.caida.org/publications/papers/2012/one_way_traffic_iatmon/
>
> Can you assert that all low-end homenet devices will be internally
> protected against such traffic?
>

"If a tree falls in a forest and no one is around to hear it, does it
make a sound?"

I can assert that if the low-end homenet device is not listening on
TCP port 80, the TCP SYN to port 80 will cause no new harm, firewall
or not.

Now, if there is 80mb/s of TCP SYN coming in, maybe it is a DOS ....
and the link is saturated, firewall or not.

Alternatively, if there is 1 mb/s of TCP SYN coming in, and the
firewall is doing SPI, the firewall will likely choke on
session-per-second creation.... Thus the DOS is cheaper and easier to achieve.

In my operational experience, session overloading and misconfiguration
of firewalls has created more problems than hacks prevented by
firewalls.  If you are running a 10-year-old version of IIS, and you
are hosting an internet web page, and you have port 80 open, that CPE
firewall is not going to help at all.

If the low level device should not be communicating with the internet,
then a link-local or ULA address can be one layer of segmentation.

Fred made a good assessment that the firewall is just protecting the
LAN bandwidth from junk.  I can buy that. But assuming LAN > WAN in
capacity, and usually by an order of magnitude, it is still not
justified IMHO.

My main concern is stateful inspection of every session; it is a
terrible waste to import this legacy thinking into homenet. And, it
effectively makes IPv6 the same experience as NAT44... everything over
port 80.

CB
_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet