On Sun, 24 Aug 2008 10:50:03 +0200 Dirk Meyer <[EMAIL PROTECTED]> wrote:
> Pedro Melo wrote:
> > Hi,
> >
> > On Aug 23, 2008, at 5:21 PM, Dirk Meyer wrote:
> >> UPnP is a working choice, but bad. Just google for it. Since it is
> >> based on HTTP attackers found a way to open ports on your
> >> router.
> >
> > Having an open TCP port is not necessarily a security risk. It only
> > becomes a security risk if the server that listens to that port has
> > security problems.
> >
> > Don't blame open TCP ports for mistakes of server programmers.
>
> The point is that app x can forward ports to app y. In my normal use
> this is no problem and I'm fine with it. I only have ssh open. But my
> parents use Windows and it has a lot of ports open with security
> bugs. I can not blame TCP for it, but I am very happy that a bug in
> Flash or something else can not open a forward on the router. So I
> like the fact that a NAT is some sort of firewall for my parents.

Of course it can open a connection; what's the difference in security between an explicit *portforward* and an implicit *tracked connection*? Sure, it couldn't open ports for other apps (and this is a security bug in the router imho, possibly based on flawed specs), but it doesn't matter. It can forward the traffic itself if needed, with no need to do portforwards.

> >> Besides that, I do not like the idea that every app can open
> >> ports.
> >
> > Well, how are they supposed to accept connections? And please don't
> > mention rfc2549 :).
>
> What is wrong with that? I live in the city, we have enough pidgins :)
>
> You are right, I would love to see it working that an app can open a
> port for services. No NAT problem. That would be very user-friendly.
> But to trust such a thing for my parents I need a way to make Windows
> secure. I guess that is my main problem.

If this is the main problem, then it's not so bad ;).

> > Really, I think you should get used to it. With IPv6 (and yes, I'm a
> > believer :) ) you will (or at least I hope you will) lose that NAT
> > security barrier that we have all grown so fond of, and the
> > responsibility of server software implementations will be much much
> > greater.
>
> I'm also a believer. I have a /64 network at home with public
> addresses. Very nice to have. But back to my parents: if they get IPv6
> I would install a firewall on the router to block most incoming
> connections.

Sure you would. But aren't the techniques to go through stateful firewalls you cannot configure similar to those for NAT? And any "local admin" can allow specific ports with suitable documentation. So if the c2c connections use a specific port (as configured in the client; we already did it for file transfer), you can just enable it. A good router UI might possibly provide simple checkboxes like "Allow Direct XMPP" and similar.

> > Personally, I think we will get user-level firewall APIs: you
> > negotiate a Jingle session with your peer and then open the
> > necessary ports with a source filter.
>
> Maybe use NAT-PMP and not UPnP. It only covers the forwarding and
> already works on some routers. UPnP IGD may be supported by more routers,
> but IMHO NAT-PMP is the future.
>
> http://files.dns-sd.org/draft-cheshire-nat-pmp.txt

Thanks a lot.

> > But getting back to our topic: you get to authenticate and check
> > certificates on those open TCP connections. If you don't trust that,
> > our protocol is flawed.
>
> Agreed.
>
>
> Dirk

-- 
Web: http://www.pavlix.net/ Jabber & Mail: pavlix(at)pavlix.net OpenID: pavlix.net
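A worked example added here, not code from the thread or from any router firmware: a parser for NAT-PMP port-mapping requests and the gateway-side policy check that the "Allow Direct XMPP" checkbox idea above would need. The packet layout follows the NAT-PMP draft linked in the message; the allowlist, the lifetime cap, the uptime value and the sample requests are constructed assumptions.

```python
import struct

NATPMP_VERSION = 0
OP_MAP_UDP, OP_MAP_TCP = 1, 2
RESULT_SUCCESS, RESULT_REFUSED = 0, 2
MAX_LIFETIME = 7200  # constructed policy cap on a granted mapping, in seconds
# Constructed policy standing in for the "Allow Direct XMPP" checkbox idea:
# (opcode, internal port) pairs the local admin has explicitly enabled.
ALLOWED_MAPPINGS = {(OP_MAP_TCP, 5222)}


def parse_map_request(data: bytes) -> dict:
    """Decode a 12-byte NAT-PMP mapping request: version, opcode, reserved,
    internal port, suggested external port, requested lifetime (seconds)."""
    if len(data) < 12:
        raise ValueError("short NAT-PMP request")
    version, opcode, _res, internal, external, lifetime = struct.unpack("!BBHHHI", data[:12])
    if version != NATPMP_VERSION:
        raise ValueError("unsupported NAT-PMP version %d" % version)
    if opcode not in (OP_MAP_UDP, OP_MAP_TCP):
        raise ValueError("not a mapping request: opcode %d" % opcode)
    return {"opcode": opcode, "internal_port": internal,
            "external_port": external, "lifetime": lifetime}


def decide_mapping(req: dict, uptime: int) -> tuple:
    """Apply the allowlist and build the 16-byte response: version, opcode+128,
    result code, seconds since boot, internal port, mapped external port, lifetime.
    Returns (result_code, response_bytes)."""
    if req["lifetime"] == 0:
        # lifetime 0 is a deletion request; dropping a mapping only reduces
        # exposure, so it is accepted regardless of the allowlist
        result, external, lifetime = RESULT_SUCCESS, 0, 0
    elif (req["opcode"], req["internal_port"]) in ALLOWED_MAPPINGS:
        # grant the mapping (suggested port 0 means "gateway chooses"; we use
        # the internal port), but never for longer than the policy cap
        result, external = RESULT_SUCCESS, req["external_port"] or req["internal_port"]
        lifetime = min(req["lifetime"], MAX_LIFETIME)
    else:
        # refused: the reply echoes the internal port and zeroes the rest
        result, external, lifetime = RESULT_REFUSED, 0, 0
    resp = struct.pack("!BBHIHHI", NATPMP_VERSION, req["opcode"] | 0x80, result,
                       uptime, req["internal_port"], external, lifetime)
    return result, resp


# Constructed samples: map TCP 5222 for 3600 s (enabled by the admin) and
# TCP 8080 for 3600 s (not enabled); both would arrive on the gateway's UDP port 5351.
XMPP_REQUEST = struct.pack("!BBHHHI", 0, OP_MAP_TCP, 0, 5222, 5222, 3600)
OTHER_REQUEST = struct.pack("!BBHHHI", 0, OP_MAP_TCP, 0, 8080, 8080, 3600)
```

Running `decide_mapping(parse_map_request(XMPP_REQUEST), 1000)` grants the mapping, while the same call with `OTHER_REQUEST` returns result code 2 (refused) with a zeroed external port and lifetime.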
