Re: [homenet] Security goals
On Mar 12, 2012, at 7:27 PM, Howard, Lee wrote:

> http://tools.ietf.org/html/draft-baker-opsawg-firewalls
> On Firewalls in Internet Security, Fred Baker, 20-Jan-12
>
> Any chance of having such a conversation in the Security Area WG? I mentioned the debate to Sean Turner (Security AD), and he thought it would be an excellent topic for security experts to discuss. However, since there had been no discussion on list, I did not get around to writing a draft, so I have nothing to submit for the agenda.

I'm willing enough to have the conversation there. I'd just like to have the conversation, as we seem to throw bats around regarding firewalls without ever really reaching a conclusion beyond "they are a market requirement regardless of what anyone thinks about them technically".

opsawg chairs, the issue is that homenet and opsawg conflict and I don't do a very good imitation of myself in a separate working group.

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
Re: [homenet] Name resolution in the homenet architecture document
On 11 Mar 2012, at 15:22, Fred Baker wrote:

> ICANN is now selling dotless names. A name without dots has a defined behavior in most DNS resolvers; they find a way to further qualify them. Do we want to humor ICANN, or solve this?

AIUI, the problem is more that on some operating systems a dotless name is first looked up in non-DNS based name spaces (e.g. NetBIOS). Only if those fail is it considered by DNS, with an optional search suffix.

Hence on any particular network one cannot guarantee that the dotless name won't already exist in some other name space that then masks the (very expensive) DNS-based version.

Ray
Re: [homenet] Name resolution in the homenet architecture document
On Mar 13, 2012, at 12:16 PM 3/13/12, Ray Bellis wrote:

> On 11 Mar 2012, at 15:22, Fred Baker wrote:
>
>> ICANN is now selling dotless names. A name without dots has a defined behavior in most DNS resolvers; they find a way to further qualify them. Do we want to humor ICANN, or solve this?
>
> AIUI, the problem is more that on some operating systems a dotless name is first looked up in non-DNS based name spaces (e.g. NetBIOS). Only if those fail is it considered by DNS, with an optional search suffix.

dotless name == pay-for-play TLDs ???

- Ralph

> Hence on any particular network one cannot guarantee that the dotless name won't already exist in some other name space that then masks the (very expensive) DNS-based version.
>
> Ray
Re: [homenet] Name resolution in the homenet architecture document
On Mar 13, 2012, at 12:23 PM, Ralph Droms wrote:

> On Mar 13, 2012, at 12:16 PM 3/13/12, Ray Bellis wrote:
>
>> On 11 Mar 2012, at 15:22, Fred Baker wrote:
>>
>>> ICANN is now selling dotless names. A name without dots has a defined behavior in most DNS resolvers; they find a way to further qualify them. Do we want to humor ICANN, or solve this?
>>
>> AIUI, the problem is more that on some operating systems a dotless name is first looked up in non-DNS based name spaces (e.g. NetBIOS). Only if those fail is it considered by DNS, with an optional search suffix.
>
> dotless name == pay-for-play TLDs ???

Just remember to dot your I(cann)s and cross your t(LD)s.

Sorry, couldn't resist...

- Ralph

>> Hence on any particular network one cannot guarantee that the dotless name won't already exist in some other name space that then masks the (very expensive) DNS-based version.
>>
>> Ray
Re: [homenet] Security goals
On Mar 12, 2012, at 2:44 AM, Roger Jørgensen wrote:

> About security for end-users, why should it be deny by default? It doesn't really raise the security level by much since viruses/trojans get in through user-initiated action, and out again just as easily in the background.

From my perspective, there is a question of what is being defended and of defense in depth, and a question of market requirement.

I agree that a firewall of any kind doesn't defend the host, since the vast majority of attacks come from behind the firewall. What a firewall defends is primarily the bandwidth within the defended domain - which would be best done if the firewall was at the ISP (before the typical bottleneck link). However, it does prevent certain kinds of messages from getting to a host that don't have a reason to get there. The net effect is to make the attack surface of the host smaller from the perspective of attacks from the outside - the attack has to thread two needles, not just one.

The general argument against default deny is that it prevents legitimate traffic from reaching the host. I'll argue that this is exactly the right model for traffic that the host has no application to process - traffic that looks legitimate but isn't because of the set of applications running on the host. Take, for example, a host that is prepared to operate as an http client but not a server; a packet directed to an http server on it is going to be refused by the host, and could be refused anywhere in the path. The problem with something that is literally default deny is that it needs a way to identify and apply rules like "sending smtp to smtp.example.com is reasonable". I'll argue that protocols like PCP are reasonable ways to do that; default deny plus PCP does *not* prevent legitimate traffic from getting to the host, but it does prevent unwanted traffic from arriving at the host.

You'll ask why I care. I care for two reasons.

First is a personal experience. At my home, I have a standing load of about 25 (plus or minus) packets per second that are discarded by the firewall. I don't know what they are, and I don't honestly care. They don't have my permission to be in my network, and I have to assume that if they were to get into it, the hosts in my network would have to deal with them.

Second and more importantly, this came up when James Woodyatt was building the Airport Express IPv6 capability for Apple, and is the reason that he wrote what is now RFC 6092. He released a product that provided an IPv6 CPE router, and his marketing department came back and told him that a firewall capability was a market requirement for such a product - if you don't build it, we can't sell it. Now, you can argue that it *shouldn't* be a market requirement; I'll let you tilt at that windmill if you like. Cisco is building IPv6 firewalls as well, and various other folks are. The reason is not that we want to run out and sell folks on the idea. It's that people tell us that they won't buy our networks without them.
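The "default deny plus PCP" policy argued for in the message above, as an added toy model (not code from the thread or from any CPE vendor). Addresses and flows are constructed; PCP is reduced to a MAP-style pinhole of (protocol, internal address, internal port) with no lifetime handling, and the smtp case is read as inbound mail to a host inside the home.

```python
"""Toy model of a default-deny CPE whose only way to admit unsolicited
inbound traffic is a PCP-style pinhole requested by the inside host."""
from dataclasses import dataclass, field
from typing import Set, Tuple

Pinhole = Tuple[str, str, int]            # proto, internal addr, internal port
Flow = Tuple[str, str, int, str, int]     # proto, src, sport, dst, dport


@dataclass
class DefaultDenyCpe:
    pinholes: Set[Pinhole] = field(default_factory=set)
    # Reverse 5-tuples learned from outbound traffic; an inbound packet that
    # matches one is a reply to something an inside host started.
    state: Set[Flow] = field(default_factory=set)

    def pcp_map(self, proto: str, internal_addr: str, internal_port: int) -> None:
        """Inside host asks (PCP MAP) to be reachable on this port."""
        self.pinholes.add((proto, internal_addr, internal_port))

    def outbound(self, proto, src, sport, dst, dport) -> str:
        """Inside-to-outside packets are forwarded and create reply state."""
        self.state.add((proto, dst, dport, src, sport))
        return "forward"

    def inbound(self, proto, src, sport, dst, dport) -> str:
        """Outside-to-inside: forward only if solicited, otherwise drop."""
        if (proto, src, sport, dst, dport) in self.state:
            return "forward"              # reply to an inside-initiated flow
        if (proto, dst, dport) in self.pinholes:
            return "forward"              # host explicitly opened this port
        return "drop"                     # default deny


def demo() -> dict:
    """Walk through the cases from the message with constructed addresses."""
    cpe = DefaultDenyCpe()
    client = "2001:db8:1::10"             # constructed inside host
    server = "2001:db8:ffff::80"          # constructed outside peer
    attacker = "2001:db8:bad::1"          # constructed unsolicited source
    results = {}
    # Host acts as an http client: its own request opens the return path.
    cpe.outbound("tcp", client, 50000, server, 80)
    results["http_reply"] = cpe.inbound("tcp", server, 80, client, 50000)
    # Same host is not an http server: an unsolicited SYN to port 80 is
    # dropped at the CPE instead of being refused by the host.
    results["unsolicited_http"] = cpe.inbound("tcp", attacker, 4444, client, 80)
    # "sending smtp ... is reasonable": the mail host says so itself via
    # PCP, and only after that does inbound smtp get through.
    results["smtp_before_pcp"] = cpe.inbound("tcp", server, 2525, client, 25)
    cpe.pcp_map("tcp", client, 25)
    results["smtp_after_pcp"] = cpe.inbound("tcp", server, 2525, client, 25)
    # The pinhole is per (proto, addr, port): udp/25 is still denied.
    results["udp_25"] = cpe.inbound("udp", server, 2525, client, 25)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18s} -> {verdict}")
```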
Re: [homenet] Security goals
On Mar 13, 2012 5:38 PM, Brian E Carpenter brian.e.carpen...@gmail.com wrote:

> On 2012-03-14 11:25, Fred Baker wrote:
> ...
>> First is a personal experience. At my home, I have a standing load of about 25 (plus or minus) packets per second that are discarded by the firewall. I don't know what they are, and I don't honestly care. They don't have my permission to be in my network, and I have to assume that if they were to get into it, the hosts in my network would have to deal with them.
>
> From time to time I look at TCPView to see what's going on. At this instant, to my knowledge, I'm doing nothing on my machine except typing this email. TCPView tells me I have 63 endpoints (sockets) open, with 18 established TCP connections, and 14 sockets listening. Admittedly some of these sockets are connected to the loopback address, but even so, it's scary. What are all those .exe files listening on a socket all day? Windows Firewall is dropping about 3 UDP packets per second, and that's behind our campus firewall.
>
> That's reality, and much as I love the e2e principle I think the ordinary citizen is better off behind default-deny.

I am not trying to be dense, but why?

What is the negative scenario of not having a homenet firewall on? Using real examples from the last 5 years I would like to know how a CPE firewall protects against real threats to modern software.

> Personally I haven't run without an on-board firewall since I got my first wireless card (late 1999?). But we can't assume that applies to every home device.

Most PC software has shipped with a firewall on for the last ~10 years.

Cb

> Brian
Re: [homenet] Security goals
On Mar 13, 2012, at 3/13 9:16 PM, Cameron Byrne wrote:

>> That's reality, and much as I love the e2e principle I think the ordinary citizen is better off behind default-deny.
>
> I am not trying to be dense, but why?
>
> What is the negative scenario of not having a homenet firewall on? Using real examples from the last 5 years I would like to know how a CPE firewall protects against real threats to modern software.

It seems hard to predict a priori what a real threat is going to be. And it seems unlikely that modern software is all that will be found in average homes. For example, will the Android version on the refrigerator display be updated?

>> Personally I haven't run without an on-board firewall since I got my first wireless card (late 1999?). But we can't assume that applies to every home device.
>
> Most PC software has shipped with a firewall on for the last ~10 years.

And these have to be then managed, and the triggers for "should this flow be allowed" will then transition to the PC as opposed to the CPE. Did the system become any simpler, really?

But the real issue to my mind is _non-PC_ software; the firmware on some power-line bridge written for the cheapest dollar by pulling together some version of Linux because the device had to sell for $25. Not only do all these devices now need firewalls (unlikely), they now need an easy way to manage these firewalls (next to impossible).

-Ashok

> Cb
>
>> Brian
Re: [homenet] Security goals
In message fa58a41b-5bf2-4ece-ae27-d58033957...@cisco.com, Ashok Narayanan writes:

> On Mar 13, 2012, at 3/13 9:16 PM, Cameron Byrne wrote:
>
>>> That's reality, and much as I love the e2e principle I think the ordinary citizen is better off behind default-deny.
>>
>> I am not trying to be dense, but why?
>>
>> What is the negative scenario of not having a homenet firewall on? Using real examples from the last 5 years I would like to know how a CPE firewall protects against real threats to modern software.
>
> It seems hard to predict a priori what a real threat is going to be. And it seems unlikely that modern software is all that will be found in average homes. For example, will the Android version on the refrigerator display be updated?
>
>>> Personally I haven't run without an on-board firewall since I got my first wireless card (late 1999?). But we can't assume that applies to every home device.
>>
>> Most PC software has shipped with a firewall on for the last ~10 years.
>
> And these have to be then managed, and the triggers for "should this flow be allowed" will then transition to the PC as opposed to the CPE. Did the system become any simpler, really?
>
> But the real issue to my mind is _non-PC_ software; the firmware on some power-line bridge written for the cheapest dollar by pulling together some version of Linux because the device had to sell for $25. Not only do all these devices now need firewalls (unlikely), they now need an easy way to manage these firewalls (next to impossible).

And for most of them "drop !RA-ANNOUNCED(source)" would be sufficient and achieves what a default drop at the CPE does.

What would be really good would be to add a site prefix length to the RA prefix option. There is room in the option to do this. Knowing this would be useful for source/destination address selection.

> -Ashok
>
>> Cb
>>
>>> Brian

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
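The host-side rule "drop !RA-ANNOUNCED(source)" from the message above, as an added example (not code from the thread or from ISC). It goes one step further than the message by also feeding a site prefix length into the same rule, so a host can tell "another link in my home" from "outside"; that field is modelled as a hypothetical extra value, not any existing RA option, and the prefixes and packet sources are constructed.

```python
"""Host filter: accept a packet only if its source lies in a prefix the
host learned from Router Advertisements on its link."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

RaPrefixOption = Tuple[str, int]    # (prefix, on-link prefix length) from an RA


def announced_prefixes(options: Iterable[RaPrefixOption],
                       site_prefix_len: Optional[int] = None
                       ) -> List[ipaddress.IPv6Network]:
    """Prefixes the host treats as announced. Without a site prefix length a
    host only knows its own /64s; with one (assumed here to ride in the RA
    prefix option) each /64 is widened to the whole site prefix."""
    nets = []
    for prefix, plen in options:
        if site_prefix_len is not None and site_prefix_len < plen:
            plen = site_prefix_len
        nets.append(ipaddress.ip_network(f"{prefix}/{plen}", strict=False))
    return nets


def host_filter(src: str, announced: List[ipaddress.IPv6Network]) -> str:
    """Return 'accept' or 'drop' for a packet whose source address is src."""
    addr = ipaddress.ip_address(src)
    # Assumption of this example: link-local sources stay accepted so that
    # ND and the RAs themselves keep working.
    if addr.is_link_local:
        return "accept"
    return "accept" if any(addr in net for net in announced) else "drop"


# Constructed: one RA on the host's link announcing a single /64 out of a
# 2001:db8::/56 home delegation.
RA_OPTIONS = [("2001:db8:0:1::", 64)]
SAMPLE_SOURCES = [
    "2001:db8:0:1::10",    # neighbour on the same link
    "2001:db8:0:2::10",    # another link in the same home (different /64)
    "2001:db8:ffff::1",    # outside the home's delegation entirely
    "fe80::1",             # link-local router
]


def evaluate(site_prefix_len: Optional[int] = None) -> dict:
    """Apply the rule to the sample sources, with or without site knowledge."""
    nets = announced_prefixes(RA_OPTIONS, site_prefix_len)
    return {src: host_filter(src, nets) for src in SAMPLE_SOURCES}


if __name__ == "__main__":
    for label, plen in (("on-link /64 only", None), ("site /56 known", 56)):
        print(label)
        for src, verdict in evaluate(plen).items():
            print(f"  {src:20s} {verdict}")
```

Without the site prefix length the second source (a different /64 in the same home) is dropped alongside the outside one; with it, only the outside source is dropped.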
Re: [homenet] Security goals
On Tue, Mar 13, 2012 at 8:29 PM, Ashok Narayanan ash...@cisco.com wrote:

> On Mar 13, 2012, at 3/13 9:16 PM, Cameron Byrne wrote:
>
>>> That's reality, and much as I love the e2e principle I think the ordinary citizen is better off behind default-deny.
>>
>> I am not trying to be dense, but why?
>>
>> What is the negative scenario of not having a homenet firewall on? Using real examples from the last 5 years I would like to know how a CPE firewall protects against real threats to modern software.
>
> It seems hard to predict a priori what a real threat is going to be. And it seems unlikely that modern software is all that will be found in average homes. For example, will the Android version on the refrigerator display be updated?

Agreed about a priori. BUT! What else do we have to go on? I am asking for a baseline to justify why a CPE firewall is required. In fact, I have asked for it multiple times on this thread, and all I get back is anecdotal hand waving, not technical reasons. Putting the E back in IETF, let's see some data about why this function of the system must exist.

My cursory research says you are not going to be able to present a convincing amount of data to support the fact that a stateful inspection firewall should be applied in a contemporary home environment. I believe the spirit of Homenet is moving the internet forward without being beholden to the Morris worm and X.25.

You mention Android running on the refrigerator, as if I am supposed to be concerned about that? Can you cite an example of an Android security flaw that a CPE firewall would have ever prevented? My guess is no: Android does not listen on any ports (default non-root)... thus no inbound connections... thus... a stateful firewall does not have a technical justification for obstructing e2e flows. If you want to talk about rooted devices running BIND 4.0, well... that person who is wise enough to manually do that is likely wise enough to allow the relevant firewall rules or PCP interactions to allow the bad guys in as well.

>>> Personally I haven't run without an on-board firewall since I got my first wireless card (late 1999?). But we can't assume that applies to every home device.
>>
>> Most PC software has shipped with a firewall on for the last ~10 years.
>
> And these have to be then managed, and the triggers for "should this flow be allowed" will then transition to the PC as opposed to the CPE. Did the system become any simpler, really?

I think there is some 3rd party off the shelf software that does these pop-ups, but the PCs I run with native firewalls have never popped up to me like that. But, I agree... pop-ups are not helpful. As an end user, I can proudly say I have a host based firewall, but I have not once ever administered one (except sometimes I turn off the FW so I can ping my PC).

> But the real issue to my mind is _non-PC_ software; the firmware on some power-line bridge written for the cheapest dollar by pulling together some version of Linux because the device had to sell for $25. Not only do all these devices now need firewalls (unlikely), they now need an easy way to manage these firewalls (next to impossible).

Power-line bridge? Once again, please paint for me a realistic scenario of how a CPE firewall will protect this device?

My first statement is that this device should not have a globally routable address, and therefore is not exposed to the internet, and does not need the CPE to filter for it. This is a good case for ULA in IPv6.

Second, crappy software should not be tolerated or compensated for in Homenet. Setting the precedent that flawed software is acceptable is a slippery slope to somewhere bad. If it takes making application and host security requirements for endpoints, so be it. Passing the buck to the CPE/Firewall to give the illusion of security is not the right path. Tolerating broken software is also not the right path.

Homenet is a unique opportunity to restore end to end... or as some would say... the internet model: smart end points, dumb network. If we need a smart network, then let's make a real solid fact-based exploration of threats and then we can select the appropriate compensating security controls.

CB

> -Ashok
>
>> Cb
>>
>>> Brian
Re: [homenet] Security goals
You can have real e2e even with a middlebox performing some type of security, so e2e and CPE-firewall are not mutually exclusive. The CPE firewall (we really need to decide the functionality of what we're calling a firewall here) would be a way to centralize some amount of security policy for the home network. Having every device on the home network support a complete security solution is not realistic. Seems like the CPE will be involved for some aspects of security that are common to the home network, and then there would be devices on the home network that are also secured, possibly depending upon the application or functionality of the device. Consumers are not going to want to manage security policy in 20 different ways on the home network for 20 different devices. I think at a minimum, the ISP (or NSP) may want to offer a managed security service for the CPE to take over the burden of the average consumer having to know the details of security policy.

Randy

On Mar 13, 2012, at 10:11 PM, Cameron Byrne wrote:

> On Tue, Mar 13, 2012 at 8:29 PM, Ashok Narayanan ash...@cisco.com wrote:
>
>> On Mar 13, 2012, at 3/13 9:16 PM, Cameron Byrne wrote:
>>
>>>> That's reality, and much as I love the e2e principle I think the ordinary citizen is better off behind default-deny.
>>>
>>> I am not trying to be dense, but why?
>>>
>>> What is the negative scenario of not having a homenet firewall on? Using real examples from the last 5 years I would like to know how a CPE firewall protects against real threats to modern software.
>>
>> It seems hard to predict a priori what a real threat is going to be. And it seems unlikely that modern software is all that will be found in average homes. For example, will the Android version on the refrigerator display be updated?
>
> Agreed about a priori. BUT! What else do we have to go on? I am asking for a baseline to justify why a CPE firewall is required. In fact, I have asked for it multiple times on this thread, and all I get back is anecdotal hand waving, not technical reasons. Putting the E back in IETF, let's see some data about why this function of the system must exist.
>
> My cursory research says you are not going to be able to present a convincing amount of data to support the fact that a stateful inspection firewall should be applied in a contemporary home environment. I believe the spirit of Homenet is moving the internet forward without being beholden to the Morris worm and X.25.
>
> You mention Android running on the refrigerator, as if I am supposed to be concerned about that? Can you cite an example of an Android security flaw that a CPE firewall would have ever prevented? My guess is no: Android does not listen on any ports (default non-root)... thus no inbound connections... thus... a stateful firewall does not have a technical justification for obstructing e2e flows. If you want to talk about rooted devices running BIND 4.0, well... that person who is wise enough to manually do that is likely wise enough to allow the relevant firewall rules or PCP interactions to allow the bad guys in as well.
>
>>>> Personally I haven't run without an on-board firewall since I got my first wireless card (late 1999?). But we can't assume that applies to every home device.
>>>
>>> Most PC software has shipped with a firewall on for the last ~10 years.
>>
>> And these have to be then managed, and the triggers for "should this flow be allowed" will then transition to the PC as opposed to the CPE. Did the system become any simpler, really?
>
> I think there is some 3rd party off the shelf software that does these pop-ups, but the PCs I run with native firewalls have never popped up to me like that. But, I agree... pop-ups are not helpful. As an end user, I can proudly say I have a host based firewall, but I have not once ever administered one (except sometimes I turn off the FW so I can ping my PC).
>
>> But the real issue to my mind is _non-PC_ software; the firmware on some power-line bridge written for the cheapest dollar by pulling together some version of Linux because the device had to sell for $25. Not only do all these devices now need firewalls (unlikely), they now need an easy way to manage these firewalls (next to impossible).
>
> Power-line bridge? Once again, please paint for me a realistic scenario of how a CPE firewall will protect this device?
>
> My first statement is that this device should not have a globally routable address, and therefore is not exposed to the internet, and does not need the CPE to filter for it. This is a good case for ULA in IPv6.
>
> Second, crappy software should not be tolerated or compensated for in Homenet. Setting the precedent that flawed software is acceptable is a slippery slope to somewhere bad. If it takes making application and host security requirements for endpoints, so be it. Passing the buck to the CPE/Firewall to give the illusion of security is not the right