Jun-ichiro itojun Hagino wrote:
>> Jun-ichiro itojun Hagino wrote:
>>> on CPE equipment and stateful filters.
>> [..]
>>
>>> i do not disagree with "we need stateful filter implementations".
>>> but i suggest that we need to be REAL careful about the default
>>> settings. otherwise your cellphone that has roamed into your home
>>> network, and/or TiVo device, cannot be used from the outside.
>>> (i dislike UPnP, yeah)
>> I am actually starting to believe that we really need a secure protocol
>> a la uPnP for requesting 'privileges' for sending packets over a network
>> border, i.e. current NAT boxes/gateways.
> (snip)
>
> again, it is better to be raised in IAB plenary i guess.

It is indeed a much more structural change of how "The Internet" would behave, but in combination with the changed usage of IP over the years, future assumptions, current ID/LOC proposals, the requirements for tracking things etc. etc., I guess something like that will one day be the way it will have to go, before it turns into a complete and total mess that we can't control at all anymore and rampant things like "blocking port 25" become extremely commonplace.

> that is "signalling for everything" model, i.e. telco model....
> how can you identify which router between you and www.wikipedia.org
> you need to contact for a permission to connect?

Same way that e.g. uPnP does. One can always use mDNS or DNS+DNSSEC to figure it out, get it through DHCP, or a lot of other methods. In a big corporate network one also already has to figure out what the authentication service is at the moment; one can use that too, as one has to authenticate it anyway.

It indeed becomes quite tough when you have multiple layers of administration (read: different firewall admins) between $src and $dst. One concept there would be forwarding the requests on to the next layer (obligatory Shrek reference: onions have layers), thus in a home network:

  $user     -> "jeroen wants to go to wikipedia" -> $homegate
  $homegate -> "customer X wants to go to ..."   -> $isp

which can lead into a police state and most likely again a lot of protocols simply running over port 80 encapsulated in HTTP when certain things you expect to work are blocked. At least in the above scenario $homegate would get back a "no, you are not allowed to use port 25" message from the ISP, most likely with a URL to the helpdesk page that explains it etc. etc.

Greets,
 Jeroen
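The layered request flow sketched above ($user -> $homegate -> $isp, with a denial carrying a helpdesk URL), as an added toy model. This is example code written for this page, not Jeroen's design nor any existing protocol: the HMAC-based authentication between layers, the per-gateway denied-port policy, the gateway names and the helpdesk URLs are all my assumptions, chosen to show the two things the thread cares about (each border authenticates who is asking, and a "no" comes back from the layer that decided it).

```python
"""Added example (not from the thread): a toy model of the layered
permission-request flow ($user -> $homegate -> $isp).

Assumptions (mine, not the thread's): every border gateway authenticates
the requester with an HMAC over the canonical request, checks a local
denied-port policy, and either answers itself or re-signs the request
with its own identity and forwards it to the next layer.  A denial
carries a reason and a helpdesk URL.  Gateway names, keys and URLs are
placeholders.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Request:
    requester: str          # who is asking at this layer, e.g. "jeroen"
    dst: str                # destination host
    dport: int              # destination port
    proto: str = "tcp"

    def canonical(self) -> bytes:
        # Stable serialisation so both sides MAC the same bytes.
        return json.dumps({"requester": self.requester, "dst": self.dst,
                           "dport": self.dport, "proto": self.proto},
                          sort_keys=True).encode()


def sign(req: Request, key: bytes) -> str:
    return hmac.new(key, req.canonical(), hashlib.sha256).hexdigest()


@dataclass
class Decision:
    allowed: bool
    decided_by: str                 # gateway that produced the answer
    reason: str = ""
    helpdesk_url: Optional[str] = None
    path: List[str] = field(default_factory=list)   # gateways that approved


@dataclass
class Gateway:
    name: str
    shared_keys: Dict[str, bytes]   # sender identity -> HMAC key
    denied_ports: Dict[int, tuple]  # dport -> (reason, helpdesk URL)
    upstream: Optional["Gateway"] = None
    upstream_key: bytes = b""       # key this gateway uses towards upstream
    helpdesk: str = ""

    def handle(self, req: Request, mac: str, sender: str) -> Decision:
        # 1. Authenticate the layer below before looking at policy at all.
        key = self.shared_keys.get(sender)
        if key is None or not hmac.compare_digest(sign(req, key), mac):
            return Decision(False, self.name, "unauthenticated request",
                            self.helpdesk)
        # 2. Local policy: this layer may say no on its own.
        if req.dport in self.denied_ports:
            reason, url = self.denied_ports[req.dport]
            return Decision(False, self.name, reason, url)
        # 3. Outermost layer: nobody further to ask, so allow.
        if self.upstream is None:
            return Decision(True, self.name, path=[self.name])
        # 4. Onion layer: re-sign as ourselves and pass it up.
        up = self.upstream.handle(req, sign(req, self.upstream_key), self.name)
        if up.allowed:
            up.path.insert(0, self.name)
        return up


def build_network() -> Gateway:
    """Two layers: a home gateway whose only upstream is the ISP border."""
    isp = Gateway("isp.example",
                  shared_keys={"homegate": b"customer-X-key"},
                  denied_ports={25: ("outbound SMTP is blocked for residential customers",
                                     "https://isp.example/helpdesk/port25")},
                  helpdesk="https://isp.example/helpdesk")
    return Gateway("homegate",
                   shared_keys={"jeroen": b"jeroen-key"},
                   denied_ports={},
                   upstream=isp, upstream_key=b"customer-X-key",
                   helpdesk="http://homegate.local/help")


def ask(home: Gateway, requester: str, key: bytes, dst: str, dport: int) -> Decision:
    req = Request(requester, dst, dport)
    return home.handle(req, sign(req, key), requester)


if __name__ == "__main__":
    home = build_network()
    for dst, port in (("www.wikipedia.org", 80), ("mail.example", 25)):
        d = ask(home, "jeroen", b"jeroen-key", dst, port)
        print(f"{dst}:{port} -> allowed={d.allowed} by {d.decided_by} "
              f"path={d.path} reason={d.reason!r} help={d.helpdesk_url}")
    print(ask(home, "jeroen", b"wrong-key", "www.wikipedia.org", 80))
```

Two points the model makes concrete: the home gateway never sees the ISP's policy, it only relays the answer, so the helpdesk URL in the port-25 denial originates from the ISP layer; and a request that fails the HMAC check at the first border is refused there and never forwarded, which is the "one has to authenticate it anyway" part.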