Re: [homenet] [homegate] HOMENET working group proposal

2011-08-08 Thread james woodyatt
On Aug 7, 2011, at 5:15 PM, Mark Andrews wrote:
 
 One thing I haven't seen mentioned w.r.t. firewalls is protecting the rest of 
 the world from compromised home machines.  While ISPs should be doing BCP 38 
 filtering, CPE devices should also be filtering outgoing traffic that is not 
 from a valid prefix. [...]

Then I would direct your attention to Recommendation #5 in RFC 6092, which 
informs the implementers of residential firewalls thusly:

   REC-5: Outbound packets MUST NOT be forwarded if the source address
   in their outer IPv6 header does not have a unicast prefix configured
   for use by globally reachable nodes on the interior network.

Does that about cover it?


--
james woodyatt j...@apple.com
member of technical staff, core os networking



___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
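The REC-5 check quoted above is a small piece of decision logic, so here is an added example of it in Python. This is not code from the thread, from RFC 6092, or from any CPE vendor; the function names (`rec5_outbound_verdict`, `filter_outbound`) and the delegated prefix value are assumptions chosen for illustration, and the prefix sits in the 2001:db8::/32 documentation range so that nothing here refers to a real network.

```python
"""Model of RFC 6092 REC-5 egress filtering on a residential IPv6 gateway.

Added example, not from the homenet thread or RFC 6092: forward an outbound
packet only if its source address lies in a unicast prefix configured for
globally reachable nodes on the interior network. Everything else (other
prefixes, link-local, ULA, multicast, unspecified, loopback) is dropped, which
is the CPE-side complement to the ISP's BCP 38 ingress filtering.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: the global unicast prefix the ISP delegated to the home.
# A real gateway would populate this from DHCPv6 prefix delegation or RA
# configuration; the value here is in the documentation range (assumption).
INTERIOR_PREFIXES = [ipaddress.IPv6Network("2001:db8:1234::/48")]

# Unique Local Addresses (RFC 4193) are not globally reachable, so a packet
# sourced from one must never leave the home even if ULA is in use inside.
ULA = ipaddress.IPv6Network("fc00::/7")


@dataclass(frozen=True)
class Verdict:
    forward: bool
    reason: str


def rec5_outbound_verdict(src: str, prefixes=INTERIOR_PREFIXES) -> Verdict:
    """Apply REC-5 to the source address of one outbound packet."""
    try:
        addr = ipaddress.IPv6Address(src)
    except ValueError:
        # IPv4 or garbage in an IPv6 forwarding path: never forward.
        return Verdict(False, "source is not an IPv6 address")

    # Addresses that are never valid as a globally reachable unicast source.
    if addr.is_unspecified:
        return Verdict(False, "unspecified source (::)")
    if addr.is_loopback:
        return Verdict(False, "loopback source")
    if addr.is_multicast:
        return Verdict(False, "multicast source")
    if addr.is_link_local:
        return Verdict(False, "link-local source")
    if addr in ULA:
        return Verdict(False, "ULA source is not globally reachable")

    # The REC-5 test proper: the source must belong to a configured prefix.
    for prefix in prefixes:
        if addr in prefix:
            return Verdict(True, f"source within configured prefix {prefix}")
    return Verdict(False, "source outside every configured interior prefix")


def filter_outbound(packets, prefixes=INTERIOR_PREFIXES):
    """Split (src, dst) pairs into forwarded packets and dropped packets.

    Dropped packets are returned with the reason so the gateway can log them;
    a burst of drops from one interior host is exactly the signal that a
    compromised machine is trying to spoof its way out.
    """
    forwarded, dropped = [], []
    for src, dst in packets:
        verdict = rec5_outbound_verdict(src, prefixes)
        if verdict.forward:
            forwarded.append((src, dst))
        else:
            dropped.append((src, dst, verdict.reason))
    return forwarded, dropped


# Constructed sample traffic leaving the home (all documentation addresses).
SAMPLE_PACKETS = [
    ("2001:db8:1234:1::10", "2001:db8:ffff::53"),   # legitimate interior host
    ("2001:db8:9999::1", "2001:db8:ffff::53"),      # spoofed: not our prefix
    ("fd12:3456:789a::1", "2001:db8:ffff::53"),     # ULA leaking outward
    ("fe80::1", "2001:db8:ffff::53"),               # link-local source
    ("ff02::1", "2001:db8:ffff::53"),               # multicast source
    ("192.0.2.7", "2001:db8:ffff::53"),             # not IPv6 at all
]

if __name__ == "__main__":
    ok, bad = filter_outbound(SAMPLE_PACKETS)
    for src, dst in ok:
        print(f"FORWARD {src} -> {dst}")
    for src, dst, why in bad:
        print(f"DROP    {src} -> {dst}: {why}")
```

Run as a script, the block forwards the one packet sourced from the delegated prefix and drops the other five with a reason each. The ordering of the checks matters only for the reason string; every non-global source fails the final prefix membership test anyway, so a gateway that prefers a single rule can keep just that loop.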


Re: [homenet] [homegate] HOMENET working group proposal

2011-08-07 Thread Sander Steffann
 In the context of the HOMENET working group, one imagines that restoring 
 general end-to-end reachability is arguably a worthy goal.
 
 +1


+1

Sander



Re: [homenet] [homegate] HOMENET working group proposal

2011-08-07 Thread Pascal Thubert (pthubert)
Looks obvious, but is it?

On one hand, we want the capability to reach anywhere we're allowed to from 
home. OTOH, if anything in my home is reachable from anywhere, we are back to 
the firewall paradigm. 

There is an alternate model based on L3 overlays that was presented in various 
places under names such as route projection, community of interest or 
on-demand VPNs.

That model forms dynamic overlays that act as L3 VLANs. Prefixes are no more 
injected in the main infrastructure but only projected within the overlay. This 
allows the model to scale with good mobility properties since an overlay 
separates the locator and the identifier, which BTW can be of different Address 
Families.

I wanted to ask for a BOF in Taipei to discuss that model. Would anyone be 
interested?

Pascal


 -Original Message-
 From: homenet-boun...@ietf.org [mailto:homenet-boun...@ietf.org] On
 Behalf Of Roger Jørgensen
 Sent: Sunday, August 07, 2011 2:58 PM
 To: james woodyatt
 Cc: homenet@ietf.org; Fernando Gont
 Subject: Re: [homenet] [homegate] HOMENET working group proposal
 
 On Sun, Aug 7, 2011 at 3:18 AM, james woodyatt j...@apple.com wrote:
 snip
  In the context of the HOMENET working group, one imagines that restoring
 general end-to-end reachability is arguably a worthy goal.  snip
 
 +1 :-)
 
 
 
 --
 
 Roger Jorgensen           |
 rog...@gmail.com          | - IPv6 is The Key!
 http://www.jorgensen.no   | ro...@jorgensen.no


Re: [homenet] [homegate] HOMENET working group proposal

2011-08-07 Thread David R Oran

On Aug 7, 2011, at 9:16 AM, Pascal Thubert (pthubert) wrote:

 Looks obvious, but is it?
 
Yes.

 On one hand, we want the capability to reach anywhere we're allowed to from 
 home. OTOH, if anything in my home is reachable from anywhere, we are back to 
 the firewall paradigm. 
 
Why? You are still back to all the security disadvantages of firewalls - soft 
chewy inside, etc. Reachability does not convey access authorization. Devices 
must either protect themselves directly or delegate that protection to a proxy 
of some sort (*not* necessarily a firewall). 

 There is an alternate model based on L3 overlays that was presented in 
 various places under names such as route projection, community of interest 
 or on-demand VPNs.
 
 That model forms dynamic overlays that act as L3 VLANs. Prefixes are no more 
 injected in the main infrastructure but only projected within the overlay. 
 This allows the model to scale with good mobility properties since an overlay 
 separates the locator and the identifier, which BTW can be of different 
 Address Families.
 
Sounds pretty complicated - if it requires manual configuration it may be a 
non-starter.

 I wanted to ask for a BOF in Taipei to discuss that model. Would anyone be 
 interested?
 
Not enough data here to judge.

 Pascal
 
 
 -Original Message-
 From: homenet-boun...@ietf.org [mailto:homenet-boun...@ietf.org] On
 Behalf Of Roger Jørgensen
 Sent: Sunday, August 07, 2011 2:58 PM
 To: james woodyatt
 Cc: homenet@ietf.org; Fernando Gont
 Subject: Re: [homenet] [homegate] HOMENET working group proposal
 
 On Sun, Aug 7, 2011 at 3:18 AM, james woodyatt j...@apple.com wrote:
 snip
 In the context of the HOMENET working group, one imagines that restoring
 general end-to-end reachability is arguably a worthy goal.  snip
 
 +1 :-)
 
 
 
 --
 
 Roger Jorgensen   |
 rog...@gmail.com  | - IPv6 is The Key!
 http://www.jorgensen.no   | ro...@jorgensen.no


Re: [homenet] [homegate] HOMENET working group proposal

2011-08-07 Thread Russ White

 On one hand, we want the capability to reach anywhere we're allowed to from 
 home. OTOH, if anything in my home is reachable from anywhere, we are back 
 to the firewall paradigm. 

 Why? You are still back to all the security disadvantages of firewalls - soft 
 chewy inside, etc. Reachability does not convey access authorization. Devices 
 must either protect themselves directly or delegate that protection to a 
 proxy of some sort (*not* necessarily a firewall). 

It seems like to me we're making things very complex (?)... In any given
network, there needs to be some amount of policy. Some of that policy is
best centralized, some of it is best distributed. And more than one
layer of defense is always better than only one layer of defense (though
you can go overboard in the other direction).

Take a house for instance... You have locked doors, and yet you still
have passwords. You have passwords and safes, yet you still have locked
doors... It's always a question of where the most efficient spot is to
implement any bit of policy/security, not whether or not that
policy/security is needed.

Whether the policy that's needed is on something called a firewall, or
a bridge between multiple control planes, or... It doesn't matter.
Policy is policy.

Or maybe I don't understand the question... :-)

Russ
