
Re: HOMENET working group proposal

2011-06-30 11:35:21
On Jun 30, 2011, at 12:14 PM, Martin Rex wrote:

> Keith Moore wrote:

>> Perimeter security of some kind is probably appropriate.

> Not just appropriate, it is an indispensable prerequisite.

I could take some issue with the indispensable part, because I also think that 
PCs are dinosaurs.  For a sufficiently small home network, there's a point 
where a firewall could provide very little marginal gain in exchange for the 
complexity and fragility that come with it.  

I do think that some sort of perimeter security should be part of a home 
network architecture, but I'd strongly object to the idea that hosts and 
appliances don't need to be secure because they can expect a firewall to 
provide their security for them.

>> That doesn't mean that it has to look like firewalls do today.

> Not necessarily.  But any sensible security requirements and
> primarily the requirement of the smallest possible attack surface
> amount to it.

The most common kinds of firewalls used today do anything but that.

>> For one thing, users shouldn't have to muck with the details of
>> which ports to allow.

> _Unless_ they want to make a service accessible to the internet
> with software produced by folks or companies which prioritize
> features and merchantability far over security, quality and robustness
> -- which is to say 99.999% of the available software.

a.  Maybe part of what HOMENET should do is establish security expectations for 
appliances and applications intended to provide services from such an 
environment.
b.  Get out of the habit of thinking that using IP addresses and port numbers 
as authentication tokens is in any way sane or secure.

>> And the idea that every application server on a home network needs
>> to negotiate access through some application-specific external server
>> (as is generally the case with NATs today) is also ridiculous.

> No, it is a simple technical problem that can be solved with a few
> lines of extra code for those few applications where it actually matters.

That's a completely incorrect and ridiculous statement.

> Home networks should ALWAYS be NATed to the internet, so that it is
> not possible to provide a simple policy switch to make everything on
> the home network fully accessible from the internet, because any
> such switch will inevitably be abused much more often by the bad,
> poor novices and ignorant than sensibly employed by the needy and
> security conscious.

Another completely ridiculous statement.  You're trying to cripple home 
networks.  More generally, you're arguing for the perpetuation of hacks that 
never did work very well, instead of leaving room for better mechanisms to be 
developed.

> Anything else than whitelisting is irresponsible security-wise.
> And dynamic whitelisting (the motivation behind NAT-PMP) is even better.

Whitelisting might be fine.  Basing that whitelist on port numbers and IP 
addresses is insane.  And users need better ways to manage the whitelist than 
typing in arcane information that they don't understand anyway for each service 
that they want to permit.

> Privacy is another issue.  The current custom here in Germany is that
> the external IP-Address on your home gateway is dynamically assigned,
> it changes on every new assignment, i.e. when the DSL connection
> is reestablished after a carrier loss or cable disconnect,
> whenever you ask your DSL router for it, and at least once
> every 24 hours.

> While this does not provide perfect privacy protection, it is a
> good start.  For many internet usage scenarios, the use of a
> longterm static IP-Address for home users would be completely
> irresponsible with respect to data privacy, and would likely make
> any logging of client IP-Addresses on servers unconditionally
> illegal in European countries.

Dynamically assigned addresses don't provide any privacy protection if there's 
some service (like Dynamic DNS) that always points to the current address.  
Again, you're trying to perpetuate brain damage.

> With respect to privacy, anything besides strictly voluntary,
> well-informed opt-in and anytime easy opt-out again, is a non-starter.

That much I agree with.  We disagree about the mechanisms.

> No application, unless it absolutely, positively and unavoidably needs
> to should use a fixed/static address without the affected folks
> having provided conscious and clear consent.

Ridiculous.

Keith
