Jun-ichiro itojun Hagino wrote:
> on CPE equipments and stateful filters. [..]
> i do not disagree with "we need stateful filter implementations".
> but i suggest that we need to be REAL careful about the default
> settings. otherwise your cellphone that has roamed into your home
> network, and/or TiVo device, cannot be used from the outside.
> (i dislike UPnP, yeah)

I am actually starting to believe that we really need a secure protocol à la UPnP for requesting 'privileges' for sending packets over a network border, i.e. current NAT boxes/gateways.

Let's say I am sitting behind my laptop, and I want to go to www.wikipedia.org (HTTP over TCP, port 80). Then my host should 'ask' a $device on the network if I am allowed to make a TCP connection to port 80 of www.wikipedia.org. $device in the network then gives me a tag saying 'here you go' and also distributes this tag to the firewalls that are in the network, to allow traffic tagged with this through. All outbound packets will be tagged with this special tag. Then when packets come back from Wikipedia, it can also add the same tag; the firewall then at least knows that this is related traffic: it can look up the tag in its tables, sees that indeed my host was talking to Wikipedia and that it is likely return traffic, and passes it through.

One can also request a tag for 'generic HTTP traffic (port 80/tcp)', etc. Depending on how strictly one would set these filters, the tags could be more specific or not.

Similarly, e.g. for FTP, my host asks $device for port 21 access to ftp.heanet.ie, gets a tag, then inside the protocol the remote host needs to connect to me, thus my host asks for this access from $device.

One really nice side effect of 'tagging' all the traffic, which is a bit of overhead, but hey, we still have a flow label, is that we have in $device a list of what the traffic is actually for.

When requesting the tag, the protocol that handles this can actually have information added to it like username, content, requesting program/pid/exe-location and a lot more. For network administrators, and especially people who are careful about viruses, it will be very nice, as the logs will then give a bit more information detailing where traffic comes from. The flowlabel/tag can be src/dst specific, as such we have a src+dst+flowlabel combo. Even IPsec'd traffic can then also be accounted for, which will make accounting people really happy.

Only the end hosts then need to know how the protocols actually work; the $device only needs to apply policy, which for a home network might be as simple as "allow everything", to a corporate "only port 80 to wikipedia" and only when the request is fully authenticated with Kerberos.

Having layers, thus different administrative realms, might get a bit tricky with this though. One would then have to forward the requests on to the other realms and possibly change the tag depending on in which realm the packet is at that moment.

Greets,
 Jeroen
Attachment:
signature.asc
Description: OpenPGP digital signature
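The tag-request scheme described in the mail, as an added toy model (not code from the thread or from any real implementation): a host asks a $device for a tag for a given src/dst/port, the $device applies a policy, logs who asked, and pushes the tag to the firewalls, which only match tags and the endpoints they are bound to. The policy functions, the `Packet` fields and the requester metadata (user, exe, pid) are assumptions chosen to mirror the examples in the text.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    tag: Optional[str] = None  # per-flow tag, e.g. carried in the IPv6 flow label

class Firewall:
    """Border filter: knows nothing about protocols, only about tags it was given."""
    def __init__(self):
        self.table = {}  # tag -> (src, dst, dport): a tag is bound to a src+dst combo

    def install(self, tag, src, dst, dport):
        self.table[tag] = (src, dst, dport)

    def allow(self, pkt, direction):
        entry = self.table.get(pkt.tag)
        if entry is None:  # untagged or unknown tag: drop
            return False
        src, dst, dport = entry
        if direction == "out":  # outbound must match the bound src/dst/port exactly
            return (pkt.src, pkt.dst, pkt.dport) == (src, dst, dport)
        # "in": return traffic has the endpoints swapped
        return (pkt.src, pkt.sport, pkt.dst) == (dst, dport, src)

class PolicyDevice:
    """The $device: applies policy, hands out tags, pushes them to the firewalls."""
    def __init__(self, policy, firewalls):
        self.policy, self.firewalls, self.log = policy, firewalls, []

    def request_tag(self, src, dst, dport, requester):
        granted = self.policy(dst, dport, requester)
        # the log records who/what asked, not just the 5-tuple
        self.log.append({"src": src, "dst": dst, "dport": dport, "granted": granted, **requester})
        if not granted:
            return None
        tag = secrets.token_hex(8)  # unguessable, so a host cannot forge a valid tag
        for fw in self.firewalls:
            fw.install(tag, src, dst, dport)
        return tag

def corporate_policy(dst, dport, requester):
    """'only port 80 to wikipedia', and only when authenticated with Kerberos (assumed)."""
    return requester.get("auth") == "kerberos" and dst == "www.wikipedia.org" and dport == 80

def home_policy(dst, dport, requester):
    return True  # "allow everything"
```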