Re: Netflix banning HE tunnels

[Mark Andrews <marka () isc org>]

In message <28657BED-E262-452D-B218-7B39B17F36FE () delong com>, Owen DeLong writes:
> > On Jun 20, 2016, at 13:45 , Mark Andrews <marka () isc org> wrote:
> >
> >
> > In message <E67D028D-2A66-453C-9D8B-0AC8FEA88131 () delong com>, Owen DeLong writes:
> > > > On Jun 17, 2016, at 10:10 , Mark Milhollan <mlm () pixelgate net> wrote:
> > > >
> > > > On Tue, 14 Jun 2016, Owen DeLong wrote:
> > > > > On Jun 14, 2016, at 11:57 , Ricky Beam <jfbeam () gmail com> wrote:
> > > >
> > > > > > I've seen many "IPv6 Capable" CPEs that apply ZERO security to IPv6
> > > traffic.
> > > > > Those are by definition poorly designed CPE.
> > > >
> > > > This (open by default vs closed) has been discussed before, with
> > > > plenty of people on either side.
> > > >
> > > >
> > > > /mark
> > >
> > > I’m unaware of anyone advocating open inbound by default residential
> > > CPE.
> > >
> > > I’m not saying they don’t exist, but I can’t imagine how anyone could
> > > possibly defend that position rationally.
> > >
> > > I’m pretty much in favor of open by default in most things, but for
> > > inbound traffic to residential CPE? Even I find that hard to
> > > rationalize.
> > >
> > > Owen
> >
> > For a lot of homes it actually makes sense.  You laptops are safe
> > as they are designed to be connected directly to the Internet.  We
> > do this all the time.  Similarly phone and tablets are designed to
> > be directly connected to the Internet.  I know that lots of us do
> > this all the time.  Think about what happens at conferences.  There
> > is no firewall there to save you but we all regularly connect our
> > devices to the conference networks.
> >
> > Lots of other stuff is also designed to be directly connected to
> > the Internet.
> >
> > Finding ways to successfully attack a machine from outside is
> > actually hard and has been for many years now.
> >
> > There is lots of FUD being thrown around about IoT.  Some machines
> > will be compromised but as a class of devices there is no reason
> > to assume that manufactures haven't learn from what happened to
> > other Internet connected products.
>
> I dare you to purchase a Yamaha amplifier with an ethernet interface,
> connect it to a good set of speakers within range to make it loud in
> your bedroom and provide me with your timezone and the IP address
> of the Yamaha in its default configuration.

I don't want a Yamaha amplifier.  If you have one and if it is not
FIT FOR PURPOSE sent it back and demand your money back.  You should
be able to connect any equipement to a network and not have it be
owned.

> You can call it FUD all you want, but the average ethernet-connected
> printer is quite vulnerable. So are many of the smart media devices
> floating around out there.

The internet printers I have contain access controls.  They don't need
a CPE firewall.

> Same with many of the network-connected thermostats I have experimented
> with.

Well send them back and demand your money back saying why you are sending
the back. 

> For anyone who knows enough to understand the risk they are or are not
> taking by opening things up, it’s trivial to program in the desired
> exceptions or turn off the default deny.
>
> For everyone else, we should protect the internet from letting them
> shoot themselves in the head in such a way that we get hit with the
> back splatter.

And that comes with a significant future cost.  Every piece of
software that wants to accept connections from outside now needs
to be able to not only update the devices configuration but also
the firewalls configuration.

> > The thing you need from all manufactures is a commitment to release
> > fixes (no necessarially feature upgrades) for the devices they ship
> > for the real life the product and for users to upgrade the products.
>
> Certainly that helps, but it’s a fantasy in too many cases to act like
> it is a foregone conclusion or fait accompli.

Actually if we ship CPE devices with firewalls off, IoT manufactures
will tighten the security of their devices.  It will lead to better
products overall.

> > Software doesn't wear out.  Bugs just get found and design flaws
> > discovered.  The existing warranty policies are designed around
> > products that physically wear out.
>
> Sure, but until that is actually changed, a default permit policy on a
> home gateway remains one of the worst ideas I can imagine.

Actually it is one of the best things we can do.  Yes, there will
be a short term cost but it comes with benefits of a less complicated
network where everything works.

Firewalls should be filtering out spoofed traffic (both ways) and
that is about all they should be doing.

> Owen

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org