
Re: CPE equipments and stateful filters



On Jul 24, 2007, at 11:31, Rémi Denis-Courmont wrote:
> To be fair, I was told UPnP does support authentication. Only
> nobody uses it, very much like almost nobody uses authenticated DHCP.
I have not heard that before, but it doesn't surprise me. I do know
that UPnP IGD is typically used without any authentication and that
Apple's support for it in mDNSResponder assumes that the
unauthenticated mode of operation is all that's necessary.
> I am sure James could add some kind of authentication mechanism for ALD,
> but I doubt it would see much real-life use. Unless people feel it should
> be usable from the outside, much like you can open your house outside door
> with the appropriate key.
In fact, the security considerations section in my current draft
offers the opinion that IPsec and IKE are the appropriate ways to
secure the ALD exchange between listeners and firewalls. I don't
feel confident that I have adequately explored the issue, but my
hunch is that network layer security mechanisms ought to be used for
securing network layer control messaging. It's possible that ALD
needs specific signaling in Firewall Advertisements to indicate that
listeners must have an IPsec SA established if they expect
their notifications to be processed. However, I wouldn't expect this
feature to be necessary in most residential / small-office CPE
deployments.
> In any case, I think people advocating stateful firewalls on CPEs should
> really get familiar with the work done in the BEHAVE wg. I am very sorry
> that the use and abuse of stateful firewalls in the IPv4 world has led to
> the unusability of just about any IETF transport protocol but UDP
> (Christian already hinted at this). If we are to require stateful
> firewalls for unmanaged networks, we REALLY REALLY REALLY need to clearly
> explain how TCP, SCTP, DCCP and any other connection-oriented protocol is
> expected to operate home-to-home. Not doing that would be equivalent to
> stating that the only valid model for unmanaged IPv6 is client at home
> and server in the server farm.
At this point, I'm beginning to believe that we are seeing the
outlines of a very serious philosophical debate between two factions,
most recently represented on this list by Itojun and Fred
respectively, who have foundationally different views about the
ethics of network security methodologies. As a Rorty-ian
neo-Pragmatist myself, I'm sensitive to the possibility that these two
philosophical systems may not, in fact, have any objective principles
in common, and that the best we might hope to do is try to get as
much intersubjective agreement about our principles as we can muster,
and proceed accordingly. I believe there may be more overlap than
most participants think.

I'm thinking about how to gather together the points where I think
there might be some philosophical agreement. I may have to write a
draft. Before I do that, I may have to spew random thoughts onto the
mailing list and see what sticks. Sorry about that.

Is there a tradition in IETF of writing philosophy essays as Internet
drafts?
> By the way, to amend James's slideset, only UDP really works with ICE (or
> any form of hole punching), while TCP works to a very much lesser extent,
> and everything else does not: DCCP, SCTP, IPsec...
I think I was careful to use "ICE-like" as the construction in my
slides. I was trying to hint at the various techniques in currency
within the BEHAVE working group products for traversing the stateful
filters in IPv4/NAT, e.g. TCP simultaneous open, relay services, etc.

--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering