By the way, link-local addresses are not going to be used for these devices, because they will all have some 'cloud' feature that will require they have a way to phone home.

David Lang

On Fri, 18 Jul 2014, David Lang wrote:


Every IPv4 home router I have seen defaults to 'block all incoming, unless something on the inside opens it'

If IPv6 routers end up being wide open, then we are going to start seeing people getting compromised and the analysis being that it was through IPv6, and it will get an (undeserved) reputation of being less secure than IPv4 just because stupid vendors are going to have their stuff exposed.

We've seen worms specifically targeting printers in the past; what makes you think we aren't going to see things like that exploiting NAS devices, DLNA servers, thermostats, etc.?

You would be horrified to see what passes for security in the Internet of Things. A lot of that software makes me think of stuff from the '70s and early '80s. I've seen devices manufactured in 2012 that used 4 bits for the year (with the epoch being Jan 1 2010)!!

The horror stories that you have heard about how insecure SCADA and other industrial devices are are not exaggerations; if anything, they understate the problems.

Think about the early Internet protocols (SNMP and TFTP), and think about systems that make them look sane and perfectly reasonable.

Exposing these systems to inbound connections from anywhere on the Internet is irresponsible.

Now, if these devices make a connection out to phone home, allowing that home to reach back is reasonable, and supporting things like UPnP to allow devices to specifically open up inbound connections is reasonable. I'm not saying that it needs to be as hard to configure as getting in through IPv4 NAT, but it should NOT be the 'open end-to-end Internet the way $DEITY intended'.

Look at how easy it is to 'root' phones, where the company involved is at least reasonably competent in writing software. For a lot of the IoT devices, the Internet is a rushed, tacked-on addition (they already needed a processor to manage something, so spend a few cents more and now they can advertise this mobile device app). Try using some of these apps and devices and see how horrific the software is.

David Lang
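The default-closed policy described above, with return traffic admitted by connection tracking and one inbound pinhole opened explicitly instead of exposing everything, written out as an OpenWrt /etc/config/firewall fragment. This is an added example, not OpenWrt's shipped configuration or anything posted in the thread; the rule names and the destination address (from the IPv6 documentation prefix) are placeholders.

```uci
# The wan zone covers both the IPv4 and the IPv6 upstream interface.
# REJECT on input/forward drops anything that does not belong to a
# connection already opened from inside; conntrack admits the replies.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Inside hosts may open connections outward; this is what creates the
# state that lets their replies back in.
config forwarding
	option src 'lan'
	option dest 'wan'

# Default-closed must still pass the ICMPv6 types IPv6 cannot work
# without (path MTU discovery, unreachable signalling), rate limited.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# The only unsolicited inbound IPv6 traffic admitted: TCP/22 to one
# host. Address is a placeholder (documentation prefix), as is the name.
config rule
	option name 'Allow-IPv6-SSH-to-NAS'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option dest_port '22'
	option dest_ip '2001:db8::1234'
	option family 'ipv6'
	option target 'ACCEPT'
```

A device that needs a pinhole of its own would request one through the UPnP/PCP daemon rather than through a hand-written rule; the explicit rule here shows what such a request amounts to.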


cheers!


Yes, it would be ideal if every host was locked down so that it was safe for them to be exposed.

But that's not the world we live in.

David Lang

On Wed, 16 Jul 2014, Lyme Marionette wrote:

----- Original Message -----
On Wednesday, July 16, 2014 2:10:53 PM "Gui Iribarren" <g...@altermundi.net> wrote:
Benjamin is giving some great examples of real-world scenarios where a default-open firewall simplifies administration, and where a default-closed firewall would be not only unnecessary (provides no benefits), but would indeed complicate setting up things.

There have been many good arguments posted on this subject and, to throw my opinion in, it is a question of effort and expectations.

I think everyone can agree that:
- It takes equal effort to turn a firewall on as it does to turn one off.
- It takes equal effort to create a specific block list as it does to create a specific allow list.
- UPnP is not included by default for either the IPv4 or IPv6 stacks.

I would also go further to suggest that:
- Consistency is good, even if it is consistent for superficial reasons.

We know that, for NAT reasons, the IPv4 stack by default blocks incoming connections:
- Because it doesn't know by default where to route them.
- IPv4 end-points have been traditionally insecure.

The two ways to get around this (for gaming, etc.):
- Through setting firewall rules to route the traffic to an end-point.
- Through the use of UPnP (which is used by most games to host, and gaming consoles).

With the adoption of IPv6 there is the opportunity to change this behaviour such that, instead of incoming traffic being restricted for technical reasons, incoming traffic is routed to the correct end-point.
However, that begs the questions:
A) Is that consistent with what people would expect?
B) Are IPv6 end-points secure by design?

In regards to A, from the mindset of a non-technical user, I would wager that the answer is 'no'. Even though there is a change in technology with IPv6, the IPv6 technology fulfills the same role as IPv4 and this could be seen as an opposing direction between the two. This would likely catch many end-users by surprise unless they read the small print regarding this.

As for B, given my view of software development, applications, networks, etc. (I've been in the IT business for over 25 years now), I would wager that 80% of applications are secure, and that the other 20% make the potential change in policy very risky.

IMO, which others may disagree with, the solution would be to include UPnP by default, which would/should resolve most of the hosting issues.

Thanks.
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
