
Re: R41 in draft-ietf-v6ops-cpe-simple-security-07



hi Yaron

On 4/08/2009, at 3:03 PM, Yaron Sheffer wrote:

Hi Mark,

My security reflexes tell me that authenticated is better than un-, and I agree that the protocol MUST support such a mode. But in practice, this protocol will be used by applications, which most likely will store the auth credentials somewhere.

Right. And the application can be running on a platform that has no malware problem, a small potential for malware problems, or very big malware problems.

Malware can subvert the applications and/or get directly at the credentials. At which point I'm not sure this is so secure any more.

On a platform that has very big malware problems, like we have today, the use of access controls raises the bar: for the malware to manipulate the firewall, it must get installed on a device that has a credential, and it must be a device from which it can obtain the credential and use it. In other words, just getting installed on a device is not enough; the malware needs to get installed on a device authorized to do firewall control.

Furthermore, I would not rule out advances in the state of the art, such as devices that are not prone to malware or new authentication techniques that defeat malware. CAPTCHA is one such technique that is widely reputed to be broken. But I would not rule out novel uses of old methods like CAPTCHA, which might be harder to defeat when run from the network gateway device.

Mark



Thanks,
	Yaron

-----Original Message-----
From: Mark Baugher [mailto:mbaugher@cisco.com]
Sent: Wednesday, August 05, 2009 0:55
To: Yaron Sheffer
Cc: Mark Smith; Rémi Denis-Courmont; Brian E Carpenter; james woodyatt;
IPv6 Operations
Subject: Re: R41 in draft-ietf-v6ops-cpe-simple-security-07



On Aug 4, 2009, at 2:39 PM, Yaron Sheffer wrote:

And I'll second Remi's opinion, a firewall that can be manipulated by
malware is better than no firewall at all.

If we're going to design firewall control for IPv6, whether it be something new like ALD or an obvious extension to what's done for IPv4, I think it should default to authenticated firewall control. In other words, I would not start with standardizing an unauthenticated firewall control mechanism and assume that others will figure out how to add access controls. Letting malware use UPnP NAT traversal or NAT-PMP as done today is a pretty low standard for a CPE interface that IMHO we should not accept going forward. We'd like the CPE to refuse commands from malware.

Mark
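The access-control argument made in both of Mark's messages above (a credential alone is not enough; the requesting device must also be one authorized for firewall control), modelled as a toy CPE pinhole handler. This is an added illustration, not code from the thread or from any v6ops draft; the device names, keys and HMAC message format are constructed assumptions.

```python
import hmac
import hashlib

# Constructed sample data: per-device credentials provisioned on the CPE,
# and the smaller set of devices permitted to issue firewall-control commands.
DEVICE_KEYS = {
    "laptop": b"constructed-laptop-key",
    "tv": b"constructed-tv-key",
}
FIREWALL_CONTROL_ALLOWED = {"laptop"}


def authenticator(device, key, action, port):
    """HMAC over the request fields; this is what the requesting host sends."""
    msg = f"{device}|{action}|{port}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def unauthenticated_control(action, port, pinholes):
    """UPnP / NAT-PMP style: any host on the LAN can open or close a pinhole."""
    if action == "open":
        pinholes.add(port)
        return "opened"
    pinholes.discard(port)
    return "closed"


def authenticated_control(device, action, port, tag, pinholes):
    """Credential check first, then the firewall-control authorization check."""
    key = DEVICE_KEYS.get(device)
    if key is None:
        return "refused: unknown device"
    if not hmac.compare_digest(authenticator(device, key, action, port), tag):
        return "refused: bad authenticator"
    if device not in FIREWALL_CONTROL_ALLOWED:
        return "refused: device not authorized for firewall control"
    return unauthenticated_control(action, port, pinholes)


def demo():
    pinholes, results = set(), {}
    # Malware on the TV holds the TV's credential, but the TV may not control the firewall.
    tv_tag = authenticator("tv", DEVICE_KEYS["tv"], "open", 6881)
    results["tv"] = authenticated_control("tv", "open", 6881, tv_tag, pinholes)
    # Malware on a host the CPE has no credential for: refused before any HMAC check.
    results["guest"] = authenticated_control("guest", "open", 6881, "00" * 32, pinholes)
    # Malware on the authorized laptop succeeds: the bar is raised, not removed.
    laptop_tag = authenticator("laptop", DEVICE_KEYS["laptop"], "open", 6881)
    results["laptop"] = authenticated_control("laptop", "open", 6881, laptop_tag, pinholes)
    results["pinholes"] = sorted(pinholes)
    return results
```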

