[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [BEHAVE] Re: CPE equipments and stateful filters

To: IPv6 Operations <v6ops@ops.ietf.org>, Behave WG <behave@ietf.org>
Subject: Re: [BEHAVE] Re: CPE equipments and stateful filters
From: james woodyatt <jhw@apple.com>
Date: Tue, 31 Jul 2007 20:01:49 -0700
In-reply-to: <70C6EFCDFC8AAD418EF7063CD132D0640547EE7A@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com>
References: <85404457-04A1-4EBB-99F1-38F7965C2DD3@apple.com> <07cc01c7d39a$c084c720$c5f0200a@amer.cisco.com> <70C6EFCDFC8AAD418EF7063CD132D0640547EE7A@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com>

On Jul 31, 2007, at 18:01, Christian Huitema wrote:

It makes a ton of sense to just leave the IKE port (UDP 500) open.

I agree. I think <draft-ietf-v6ops-cpe-simple-security> says to dothis. If it doesn't, then the next revision (coming soon) will say it.

The argument against doing this, which I've heard at least one WGChairman offer me, is that leaving any port or protocol open to allinbound traffic exposes the interior network to denial of bandwidthattacks (along with potentially draining the batteries of portablesin power-save mode).

The more I've thought about that problem, the more I've come tobelieve that using stateful filtering middleboxes to counter thethreat is like responding to the possibility of your house eventuallybeing attacked by a swarm of mosquitos by always keeping your livingroom filled with carbon monoxide. Yes, you've prevented themosquitos, but you've also denied yourself access to your living room.

The traditional way you control mosquito populations is with taxpayer-funded pest control services going through the neighborhood, sprayinginsecticide into all the standing water collectors to keep them frombreeding. Something similar to that, I think, is the proper way toengineer an Internet pest control program.

If I ruled the world with an iron fist, operating a zombie-- evenunknowingly-- would get your IP dial-tone terminated at yourdemarcation point, and you'd have to submit to an audit to get itturned back on again. Carriers who didn't do this would see theirpeering jeopardized, then degraded, and finally dumped, with theircontracts thrown into liquidated damages. Failure to police yourpeering points would be grounds for operators in the DFZ to applyfilters, limiters and/or delays on your prefixes in the globalrouting tables. Operators who didn't like this could complain totheir governments, which would then decide whether and how to go tothe World Trade Organization.

When the zombie apocalypse hits, I want all the walking dead to benuked from space. It's the only way to be sure. Alas, I don't rulethe world. We'll probably be stuck with a solution much morejackbooted and less effective. Like stateful filtering middleboxesthat have to be told to open pinholes for the IKE port.


--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering

References:
- Re: [BEHAVE] Re: CPE equipments and stateful filters
  - From: james woodyatt <jhw@apple.com>
- RE: [BEHAVE] Re: CPE equipments and stateful filters
  - From: "Dan Wing" <dwing@cisco.com>
- RE: [BEHAVE] Re: CPE equipments and stateful filters
  - From: Christian Huitema <huitema@windows.microsoft.com>

Prev by Date: RE: [BEHAVE] Re: CPE equipments and stateful filters
Next by Date: RE: [BEHAVE] Re: CPE equipments and stateful filters
Previous by thread: RE: [BEHAVE] Re: CPE equipments and stateful filters
Next by thread: RE: [BEHAVE] Re: CPE equipments and stateful filters
Index(es):
- Date
- Thread