Re: CPE equipments and stateful filters
>On Jul 24, 2007, at 10:46 AM, Jun-ichiro itojun Hagino wrote:
>> as far as i understand, UPnP has no authentication whatsoever (if
>> there is, you would face a bootstrap problem for secret sharing).
>> so, once your UPnP-client box gets hijacked, bad guys can open up
>> any TCP/UDP ports in your network. i'd rather have no UPnP on my
>> router. UPnP adds more complexity onto the complexity of NAT/
>> firewall, so what would you expect? :-)
>
>To be honest, I don't know much about UPnP. What you say is
>consistent with what I have heard, and not consistent with what I
>said a few moments ago.
>
>That doesn't make the AAA issue wrong.

let us hear from jhw, who should have done a lot of homework on UPnP
matter.

>> what i've been repeatedly trying to deliver is that, (it is more of
>> IAB stuff) access controls at organization borders and/or based on
>> address has to stop now. if you wish to be sure you are
>> communicating with murai-san you have to check his identity using
>> crypto signature.
>
>I understand that point. I am saying that I disagree with it. For one
>thing, the same key sharing issue applies. Basing identity on address
>is, as you say, whacked; it has to be based on something much more
>relevant. But IMHO, that is about identification and authentication.
>I am saying that authorization, which is something different, is not
>a given and should not be a given. Authorization is something I grant
>to a subset of those I encounter, and only to those that I can
>identify with some appropriate level of strength.

i noticed you have PGP signature to ensure your identity :-)

here i'm mixing up authentication, authorization and identification a
little bit. but in essence, they are all the same in the way that they
are tied with key exchange problems.

key distribution is a tough problem. many people are trying hard,
such as:
- to make authentication optimistic when you try for the first time
  (ssh)
- to make keys available worldwide via DNS (opportunistic IPsec)
- make a hierarchy of "trust" and install root key in applications
  (https/X509, DNSSEC)
- use ssh/scp as a bootstrap and copy X509 keys, then exchange session
  keys (IKE)

some of them are deployable, some may not.

itojun
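
An added example, not part of the original message: a sketch of the "optimistic on first contact" model from the list above, combined with the separate authorization step argued for in the quoted text, applied to a port-opening request. The class, the peer name, the `open-port` action and the sample keys are all hypothetical, and presenting a public key stands in for a real proof of possession of the private key.

```python
import hashlib
import hmac


class KeyChanged(Exception):
    """The peer presented a key that differs from the one pinned earlier."""


def fingerprint(public_key: bytes) -> str:
    return hashlib.sha256(public_key).hexdigest()


class TofuGate:
    """Trust-on-first-use identification plus an explicit authorization list."""

    def __init__(self):
        self.pins = {}    # peer name -> fingerprint pinned at first contact
        self.grants = {}  # fingerprint -> actions the owner has granted

    def identify(self, peer: str, public_key: bytes) -> str:
        # Assumption: a real protocol would also verify a signature here.
        fp = fingerprint(public_key)
        pinned = self.pins.get(peer)
        if pinned is None:
            # First contact: nothing to compare with, so the key is taken on faith.
            self.pins[peer] = fp
        elif not hmac.compare_digest(pinned, fp):
            # Later contact with a different key: refuse instead of re-pinning.
            raise KeyChanged(f"key for {peer!r} changed")
        return fp

    def grant(self, peer: str, action: str) -> None:
        # Owner decision made out of band, bound to the pinned key.
        self.grants.setdefault(self.pins[peer], set()).add(action)

    def allowed(self, peer: str, public_key: bytes, action: str) -> bool:
        fp = self.identify(peer, public_key)
        return action in self.grants.get(fp, set())


def demo():
    gate = TofuGate()
    key_a, key_b = b"constructed-key-A", b"constructed-key-B"  # constructed sample keys
    results = [gate.allowed("laptop", key_a, "open-port")]  # identified, not authorized
    gate.grant("laptop", "open-port")
    results.append(gate.allowed("laptop", key_a, "open-port"))  # authorized after grant
    try:
        gate.allowed("laptop", key_b, "open-port")
        results.append("accepted")
    except KeyChanged:
        results.append("rejected")
    return results
```
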