
Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 18:49 UTC (Mon) by janfrode (subscriber, #244)
In reply to: Schaller: The long journey towards good free video conferencing by jpnp
Parent article: Schaller: The long journey towards good free video conferencing

Your TV, fridge, printer, picture viewer, etc.. will be hiding on one of your residential 2^(128-56) = 4722366482869645213696 ipv6 addresses, so they won't be that easy to find for an attacker..

> I think border firewalls on home routers are here to stay regardless of IPv6.

I hope not..


Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 19:00 UTC (Mon) by drag (subscriber, #31333)

> Your TV, fridge, printer, picture viewer, etc.. will be hiding on one of your residential 2^(128-56) = 4722366482869645213696 ipv6 addresses, so they won't be that easy to find for an attacker..

They will be announcing themselves over discovery protocols. Otherwise it makes it impossible to find them and thus defeats the purpose of having them connected in the first place.

> I hope not..

It won't.

This is why we have things like uPNP and why things like uPNP won't go away.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 19:59 UTC (Mon) by janfrode (subscriber, #244)

> They will be announcing themselves over discovery protocols. Otherwise it makes it impossible to find them and thus defeats the purpose of having them connected in the first place.

Yes, they will be announcing on the local network. Not to the outside world. But yes, maybe we need to keep critical infrastructure (fridge) on separate subnets that are firewalled off, and real computers on open subnets.

BTW, nice perspective quote from rfc4864:

"At full-rate full-duplex 40 Gbps (400 times the typical 100
Mbps LAN, and 13,000 times the typical DSL/cable access link), it
takes over 5,000 years to scan the entirety of a single 64-bit
subnet."

As far as I've heard, the current IPv6 providers are divided on this issue. Some give their customers a stateful firewall by default, others offer one but don't enable it by default. RFC 6092 suggests that it's OK to have the CPE firewall default off/transparent.
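As an added example (my code, not anything from the thread or from RFC 6092 itself), here is a minimal model of the "simple security" behaviour RFC 6092 describes for a residential gateway with the firewall on: outbound flows create state, unsolicited inbound packets are dropped, and administrator-configured pinholes are the only exception; `transparent=True` models the "firewall off" mode the same RFC also permits and that some ISPs ship as the default. The delegated prefix 2001:db8:1::/56, the host addresses and the packets are all constructed for the demo.

```python
# Added example, not code from the thread or from RFC 6092: a minimal model of
# "simple security" on a residential CPE. Outbound flows create state, unsolicited
# inbound packets are dropped, explicit pinholes are the only exception, and
# transparent=True models the "firewall off" default some ISPs ship.
# The delegated prefix, hosts and packets below are constructed for the demo.
import ipaddress
from collections import namedtuple

# direction is "out" (LAN -> WAN) or "in" (WAN -> LAN), as seen by the CPE
Packet = namedtuple("Packet", "src dst sport dport proto direction")

HOME_PREFIX = ipaddress.ip_network("2001:db8:1::/56")   # constructed delegation


class SimpleSecurityCPE:
    def __init__(self, transparent=False):
        self.transparent = transparent
        self.flows = set()      # (inside, inside_port, outside, outside_port, proto)
        self.pinholes = set()   # (inside, port, proto)

    def allow_inbound_to(self, host, port, proto="tcp"):
        """Administrator whitelist: like a 'server IP' setting, but per host and port."""
        host = ipaddress.ip_address(host)
        if host not in HOME_PREFIX:
            raise ValueError("pinhole must target a host inside the home prefix")
        self.pinholes.add((host, port, proto))

    def filter(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if self.transparent:
            return "accept"                   # the "off" mode: everything passes
        if pkt.direction == "out":
            if src not in HOME_PREFIX:
                return "drop"                 # do not let spoofed sources leave
            self.flows.add((src, pkt.sport, dst, pkt.dport, pkt.proto))
            return "accept"
        if dst not in HOME_PREFIX:
            return "drop"
        if (dst, pkt.dport, src, pkt.sport, pkt.proto) in self.flows:
            return "accept"                   # reply to a flow the inside opened
        if (dst, pkt.dport, pkt.proto) in self.pinholes:
            return "accept"
        return "drop"                         # unsolicited inbound: the default


def demo():
    """Walk a few constructed packets through the policy; returns the verdicts."""
    cpe = SimpleSecurityCPE()
    fridge, laptop = "2001:db8:1:2::fe", "2001:db8:1:1::10"
    ntp, attacker = "2001:db8:ffff::123", "2001:db8:bad::1"
    verdicts = [
        cpe.filter(Packet(fridge, ntp, 50000, 123, "udp", "out")),     # fridge asks for the time
        cpe.filter(Packet(ntp, fridge, 123, 50000, "udp", "in")),      # the answer is let back in
        cpe.filter(Packet(attacker, fridge, 40000, 80, "tcp", "in")),  # probe of the fridge UI
    ]
    cpe.allow_inbound_to(laptop, 22)
    verdicts.append(cpe.filter(Packet(attacker, laptop, 40001, 22, "tcp", "in")))  # pinholed ssh
    verdicts.append(SimpleSecurityCPE(transparent=True)
                    .filter(Packet(attacker, fridge, 40000, 80, "tcp", "in")))      # firewall off
    return verdicts
```

The last verdict is the practical difference between the two defaults: with the firewall transparent, the unsolicited probe of the fridge's web interface reaches the fridge, and nothing but the fridge's own hardening stands in the way.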

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 20:48 UTC (Mon) by raven667 (subscriber, #5198)

>> They will be announcing themselves over discovery protocols. Otherwise it makes it impossible to find them and thus defeats the purpose of having them connected in the first place.
>Yes, they will be announcing on the local network. Not to the outside world. But yes, maybe we need to keep critical infrastructure (fridge) on separate subnets that are firewalled off, and real computers on open subnets.

In fact they could operate with fe80::/16 addresses only if it truly was a local-only service.

Home firewall/routers could also make it easy to whitelist particular hosts, similar to the "Server IP" feature in most contemporary devices, except valid for more than one device, while leaving a default policy of outbound flows only.

> "...5,000 years to scan the entirety of a single 64-bit
> subnet."

There are probably ways to optimize this greatly by choosing which ranges to scan in what order based on likely MAC addresses, or by stealing web server logs or other data to find lists of in-use addresses.
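The RFC 4864 figure quoted above assumes that all 2^64 interface identifiers in the subnet are equally likely. As an added example (my code, not from the thread or from either RFC), the block below shows the optimisation raven667 hints at: with SLAAC and modified EUI-64 identifiers (RFC 4291, Appendix A) the low 64 bits are derived from the MAC address, so an attacker who guesses the NIC vendor's OUI has 2^24 candidates per OUI to probe instead of 2^64. The prefix 2001:db8:1:2::/64, the OUI 00:1b:21 and the 10^8 probes-per-second rate are constructed placeholders.

```python
# Added example (not part of the LWN thread): the RFC 4864 figure assumes every one
# of the 2^64 interface identifiers is equally likely. With SLAAC and EUI-64
# (RFC 4291 Appendix A) the identifier is derived from the MAC, so an attacker
# who guesses the vendor OUI only has 2^24 candidates per OUI to try.
# The prefix 2001:db8:1:2::/64, OUI 00:1b:21 and probe rate are constructed.
import ipaddress

SECONDS_PER_YEAR = 365.25 * 86400


def eui64_iid(mac):
    """Modified EUI-64 interface identifier from a 48-bit MAC: flip the
    universal/local bit of the first octet and insert ff:fe in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix, mac):
    """Address a host would autoconfigure in `prefix` with EUI-64 identifiers."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_iid(mac))


def candidates_for_oui(prefix, oui, limit):
    """Yield SLAAC addresses for one vendor OUI, in the order an attacker would probe."""
    base = int(oui.replace(":", ""), 16) << 24
    for n in range(limit):
        mac_hex = "%012x" % (base | n)
        yield slaac_address(prefix, ":".join(mac_hex[i:i + 2] for i in range(0, 12, 2)))


def search_space(oui_count):
    """Number of EUI-64 addresses to try for a guessed set of vendor OUIs."""
    return oui_count * 2 ** 24


def scan_years(address_count, probes_per_second):
    """Wall-clock time to probe every address once at a fixed rate."""
    return address_count / probes_per_second / SECONDS_PER_YEAR


def compare(probes_per_second=1e8):
    """Full /64 versus one guessed OUI at the same (constructed) probe rate."""
    return {
        "full_64_years": scan_years(2 ** 64, probes_per_second),
        "one_oui_seconds": search_space(1) / probes_per_second,
    }
```

At 10^8 probes per second the whole /64 takes on the order of 5,800 years, in line with the RFC's point, while the 2^24 addresses behind a single guessed OUI take a fraction of a second. Privacy extensions (RFC 4941) and randomised identifiers are the usual answer to this; the figure only holds for hosts that do not use them.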

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 20:57 UTC (Mon) by dlang (subscriber, #313)

except that none of these systems are really local-only services.

If nothing else, I'll bet that every single one of them is going to want to do NTP lookups to set their clock. That will require hitting the Internet.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 21:49 UTC (Mon) by martinfick (subscriber, #4455)

True! It would be nice if all these nifty, too powerful, bufferbloat-producing home gateway routers could serve NTP by default to internal networks. And if only there were a default protocol (perhaps DHCP?) that would point these devices to our internal NTP gateway, and if only our new devices would do this by default for us if the gateway advertises it, instead of always relying on an outbound connection! Any device vendors working on standardising this one yet?

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 21:57 UTC (Mon) by dlang (subscriber, #313)

If you use DHCP to allocate IPv6 addresses, this is possible, but the link-local addresses are defined as being created independently of any DHCP server.

and once you get an IP address from the DHCP server, you now have a real IPv6 address that is accessible from anywhere on the Internet (unless you have a firewall or NAT device in place)

Schaller: The long journey towards good free video conferencing

Posted Oct 16, 2012 2:35 UTC (Tue) by elanthis (guest, #6227)

Link local addresses can still use service discovery on the local network to find things like an NTP server. Link local addresses basically depend on service discovery to even be useful.

Also, a DHCP server does not guarantee a binary option between public Internet connectivity or the use of a firewall/NAT. There's nothing in the world that says a DHCP server can't assign local addresses (fc00::/7) that don't route over the 'Net. You'd need a truly bad ISP for attackers to even be able to send you packets to those addresses, or receive packets from those addresses.

Schaller: The long journey towards good free video conferencing

Posted Oct 16, 2012 2:36 UTC (Tue) by kevinm (guest, #69913)

There is already a DHCP option defined for specifying NTP server addresses, and NTP also supports broadcasting a query on the local subnet. It would make sense for home routers to listen on the local subnet for NTP broadcast requests and reply to them.
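The DHCPv6 side of what kevinm describes is RFC 5908's OPTION_NTP_SERVER (option code 56): its body is a list of sub-options carrying a unicast server address (sub-option 1), a multicast address (2) or a server FQDN in DNS wire format (3); for IPv4 the equivalent is DHCP option 42. The block below is an added example (my code, not from the thread or from any DHCP implementation) that encodes and decodes that option with the length checks a gadget's DHCP client needs, since the option arrives unauthenticated off the LAN. The server address and name are constructed.

```python
# Added example, not from the thread or from any DHCP implementation: encoder and
# decoder for the DHCPv6 NTP server option of RFC 5908 (option code 56). The option
# body is a list of sub-options: 1 = unicast server address, 2 = multicast address,
# 3 = server FQDN in DNS wire format. For IPv4 the equivalent is DHCP option 42.
# Server addresses and names below are constructed.
import ipaddress
import struct

OPTION_NTP_SERVER = 56
NTP_SUBOPTION_SRV_ADDR = 1
NTP_SUBOPTION_MC_ADDR = 2
NTP_SUBOPTION_SRV_FQDN = 3


def _fqdn_wire(name):
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad DNS label")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def _fqdn_text(wire):
    labels, i = [], 0
    while True:
        if i >= len(wire):
            raise ValueError("unterminated name")
        n = wire[i]
        i += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not allowed in this option")
        if i + n > len(wire):
            raise ValueError("label runs past the sub-option")
        labels.append(wire[i:i + n].decode("ascii"))
        i += n
    if i != len(wire):
        raise ValueError("trailing bytes after name")
    return ".".join(labels)


def encode_ntp_option(entries):
    """entries: list of (sub-option code, value) -> full option bytes (code, len, body)."""
    body = b""
    for code, value in entries:
        if code in (NTP_SUBOPTION_SRV_ADDR, NTP_SUBOPTION_MC_ADDR):
            data = ipaddress.IPv6Address(value).packed
        elif code == NTP_SUBOPTION_SRV_FQDN:
            data = _fqdn_wire(value)
        else:
            raise ValueError("unknown sub-option %d" % code)
        body += struct.pack("!HH", code, len(data)) + data
    return struct.pack("!HH", OPTION_NTP_SERVER, len(body)) + body


def decode_ntp_option(buf):
    """Parse one option as a gadget's DHCPv6 client would; every length is checked
    before it is trusted, because this data comes unauthenticated off the LAN."""
    if len(buf) < 4:
        raise ValueError("short option")
    code, length = struct.unpack_from("!HH", buf, 0)
    if code != OPTION_NTP_SERVER:
        raise ValueError("not OPTION_NTP_SERVER")
    if length != len(buf) - 4:
        raise ValueError("option length does not match buffer")
    out, i = [], 4
    while i < len(buf):
        if i + 4 > len(buf):
            raise ValueError("truncated sub-option header")
        sub, sublen = struct.unpack_from("!HH", buf, i)
        i += 4
        data = buf[i:i + sublen]
        if len(data) != sublen:
            raise ValueError("truncated sub-option body")
        i += sublen
        if sub in (NTP_SUBOPTION_SRV_ADDR, NTP_SUBOPTION_MC_ADDR):
            if sublen != 16:
                raise ValueError("address sub-option must be 16 bytes")
            out.append((sub, str(ipaddress.IPv6Address(data))))
        elif sub == NTP_SUBOPTION_SRV_FQDN:
            out.append((sub, _fqdn_text(data)))
        # unrecognised sub-options are skipped rather than rejected
    return out
```

One caveat for the "just point devices at the gateway" plan: DHCPv6 carries no authentication, so anyone on the link can hand the fridge a different NTP server; that only matters if the device then trusts the time for something security-relevant (certificate validity, for example), which is an argument for authenticated NTP rather than against the option.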

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 22:01 UTC (Mon) by raven667 (subscriber, #5198)

I understand that there is a reason these devices are being connected to the Internet so a truly local-only device is probably rare. One added point though is that the device could use its public address for client connections (NTP, download updates, DNS, etc.) and advertise its fe80:: address for management and local-only services using multicast-DNS as is standard nowadays. That's very simple to implement and greatly reduces the attack surface for services that shouldn't be remotely accessible.
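As an added example (my code, not from the thread), here is the split raven667 describes applied to a device's own address list: management listeners are only ever bound to a link-local address (fe80::/10, which needs the interface index as the scope_id in the AF_INET6 sockaddr), outbound client traffic picks a routable source, and the mDNS advertisement carries the link-local address. It also covers elanthis's point above: on a network where DHCP hands out only unique local addresses (fc00::/7), the client source is a ULA and Internet peers are simply unreachable. The addresses and interface indexes are constructed; 2001:db8::/32 is the documentation prefix standing in for a real global address.

```python
# Added example (not from the thread): management services only on link-local,
# client traffic from a routable address, mDNS advertising the link-local one.
# Addresses and interface indexes below are constructed for the demo.
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ULA = ipaddress.IPv6Network("fc00::/7")     # unique local, not routed on the Internet


def classify(addr):
    a = ipaddress.IPv6Address(addr)
    if a.is_loopback:
        return "loopback"
    if a.is_multicast:
        return "multicast"
    if a in LINK_LOCAL:
        return "link-local"
    if a in ULA:
        return "ula"
    return "global"


def management_sockaddrs(addresses, port):
    """(addr, ifindex) pairs -> sockaddr tuples for an AF_INET6 bind(); refuses
    to fall back to anything routable if no link-local address exists."""
    out = []
    for addr, ifindex in addresses:
        if classify(addr) == "link-local":
            # (host, port, flowinfo, scope_id): a link-local bind without the
            # interface index is ambiguous, so the index is mandatory here
            out.append((addr, port, 0, ifindex))
    if not out:
        raise RuntimeError("no link-local address; not exposing management on a routable one")
    return out


def client_source(addresses):
    """Source address for outbound NTP/DNS/update traffic: global if present, else ULA.
    On a ULA-only network this returns a ULA and Internet peers are unreachable."""
    by_scope = {}
    for addr, _ in addresses:
        by_scope.setdefault(classify(addr), addr)
    for scope in ("global", "ula"):
        if scope in by_scope:
            return by_scope[scope]
    raise RuntimeError("no routable address; outbound client traffic cannot be sent")


def mdns_advertisement(hostname, addresses, port):
    """What the device should publish for its management service: the link-local
    address, never the global one."""
    mgmt = management_sockaddrs(addresses, port)[0]
    return {"name": hostname + ".local", "addr": mgmt[0], "port": mgmt[1]}
```

The refusal in `management_sockaddrs` is the important line: a device that quietly binds its management port to the global address when no link-local one is found is exactly the device the thread is worried about.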

Schaller: The long journey towards good free video conferencing

Posted Oct 16, 2012 11:40 UTC (Tue) by nim-nim (subscriber, #34454)

The perimeter defence will honour things like uPNP as long as no device does something stupid with it. Given how consumer gadgets are cobbled together that probably means never (I'd like to be proven wrong, but I think I have a pretty good idea of the measures taken by gadget producers to make sure the local intern does not take shortcuts while customizing the local android clone for their fridge)

If there were a way to make sure random third-party developers do not demand over-broad access just because they can (it avoids work and no one's looking), Android apps would install automatically without any 'do you really want to let the app do that' phase.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 19:06 UTC (Mon) by dlang (subscriber, #313)

having things only show up on link-local addresses doesn't work.

What if you have a wired and wireless network that are separate? If you only get link-local addresses, you can't see the device from the other network.

If you do get an address other than the link-local address, you will be exposed to the entire Internet unless you have a border router blocking you.

The days of unrestricted end-to-end traffic are gone, and won't be back.

The most that we can hope for is that end-to-end traffic is an option controlled by the local router/firewall administrator, rather than the current situation where many/most ISPs block the access.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 19:09 UTC (Mon) by dlang (subscriber, #313)

Oh yes, another reason those devices won't be limited to the link-local addresses is that they will want to talk to the Internet.

for some strange reason, people think that a smart fridge needs to show you the local weather report, so it 'needs' to talk to the Internet.

your TV has an actual need to be able to find out what programs are airing and when they get rescheduled, so it will be talking to the Internet.

So these devices are not going to be limited to the local network.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 22:41 UTC (Mon) by tpo (subscriber, #25713)

> for some strange reason, people think that a smart fridge needs to
> show you the local weather report, so it 'needs' to talk to the Internet.

Once we'll get serious about saving energy, the fridge will possibly want to know whether it needs to fill up its coldness reservoir in advance, because tomorrow will be a warm day and it won't be able to rely on cold outside air to help it cool its contents :-)
*t

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 21:36 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)

Days of restricted end-to-end _might_ soon get back.

I absolutely loathe the model of "soft center, hard perimeter" - it's broken beyond belief right now, so in lots of cases right now the relation "being accessible" equals "being authorized to use".

We should probably evolve towards "no perimeter, everything is hardened" model. For example, by using IPSec to create authenticated overlays over the IPv6 network.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 21:44 UTC (Mon) by dlang (subscriber, #313)

you may loathe the 'soft center, hard perimeter' model, but as long as it works, there's really no incentive for it to change.

defining how to setup IPv6 IPSec on your TV, DVR, Washing Machine, Fridge, etc is not trivial (for that matter, setting it up securely on your full blown computers is not trivial, even for experienced admins)

As long as devices can be shipped and 'just work' without some complicated setup, manufacturers will continue to have that as the default.

Any completely automated IPSec setup process is not going to be any more secure, as the rogue equipment will be able to automate joining the network just like any legitimate equipment.

Now that you have a 'soft center', the only remaining question is if you opt to expose this out to the Internet, or if you try to get some protection by putting a 'hard shell' around it.

and arguments for ubiquitous IPSec or SSL can actually reduce the overall security if they make it impossible for the devices at the edge of the network to protect devices inside the network.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 21:57 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)

Right now "soft center" doesn't work, it only pretends to do it. Admins of large companies are already feeling the heat with all those CEOs' iPhones that just MUST be connected to the internal network.

>Any completely automated IPSec setup process is not going to be any more secure, as the rogue equipment will be able to automate joining the network just like any legitimate equipment.

Right now IPSec is impossible to use, but that's because nobody has yet started to "humanize" it.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 22:05 UTC (Mon) by raven667 (subscriber, #5198)

> Right now IPSec is impossible to use, but that's because nobody has yet started to "humanize" it.

True and unfortunate. There should be no need for SSL because IPSec should cover that use case but Opportunistic Encryption just didn't work well enough in the real world and ESP doesn't work well with NAT. IPSec represents the bad kind of multi-vendor consensus design that tries to be everything and ends up being nothing.

Schaller: The long journey towards good free video conferencing

Posted Oct 15, 2012 22:29 UTC (Mon) by dlang (subscriber, #313)

> Right now "soft center" doesn't work, it only pretends to do it.

right now nothing 'works' (for some definition of 'works')

Every large organization that has tried to get rid of the hard shell and harden everything has been broken into. But at the same time, every large organization that has tried to have a 'hard shell' and a free-for all inside has also been broken into.

'hard shell' by itself only works if you can control the communication out of the network

'harden everything' only works if you actually control every device on your network and have a sane way of administering the result.

The 'current' model of allowing everyone to have their own personally owned equipment that the company has no control over, and letting them connect it to the network (either directly, or via USB to the company computers) is a situation that gives you no control over your external communication, and no control over anything running inside.

Schaller: The long journey towards good free video conferencing

Posted Oct 16, 2012 22:31 UTC (Tue) by sorpigal (subscriber, #36106)

> 'harden everything' only works if you actually control every device on your network and have a sane way of administering the result.
I'll go one further: Harden everything only works if it's 99.99% automatic. Once you increase the number of devices, hardening becomes so insanely time consuming that it just won't be done. The only sane way for one man to secure just 1000 devices is for him not to have to; in the IPv6 future 1000 will be a number that's easy for an individual to hit.

My prediction is that security through "the thieves haven't broken in to my house YET" will be the rule of the day. We're almost there now, but it will just get worse. Those users who notice that their toasters have been rooted, are stealing credit card numbers and forwarding them overseas will simply throw the toasters out and buy new ones, not attempt to secure them.

Schaller: The long journey towards good free video conferencing

Posted Oct 16, 2012 23:38 UTC (Tue) by Cyberax (✭ supporter ✭, #52523)

Hardening doesn't need to be complicated. Just imagine that you touch your phone to your refrigerator and it is automatically authorized to connect to your logical home network (by enrolling it into IPSec overlay).

Schaller: The long journey towards good free video conferencing

Posted Oct 16, 2012 23:51 UTC (Tue) by dlang (subscriber, #313)

sure, then you have a party and a guest bumps up against the fridge with a phone in their pocket (or backpack) and now your fridge is connected to their network.

even assuming that someone takes the time to engineer your solution, and all the different manufacturers manage to agree on a common spec for how it would work, and going even further, manage to implement it in a compatible way.

Schaller: The long journey towards good free video conferencing

Posted Oct 17, 2012 0:20 UTC (Wed) by Cyberax (✭ supporter ✭, #52523)

You'll need to add some interaction, like a simple "Confirm" button on the fridge's touchscreen.

And most of the components are already here. NFC is available on most phones and NFC readers are dirt-cheap.

Schaller: The long journey towards good free video conferencing

Posted Oct 17, 2012 0:22 UTC (Wed) by dlang (subscriber, #313)

> NFC is available on most phones

with the notable exception of Apple devices. how many companies are going to make a fridge that cannot be configured by any Apple customers?

Schaller: The long journey towards good free video conferencing

Posted Oct 17, 2012 0:28 UTC (Wed) by Cyberax (✭ supporter ✭, #52523)

You assume that it's a permanent situation. iPhones will probably get NFC as soon as Apple feels like inventing it.

Schaller: The long journey towards good free video conferencing

Posted Oct 17, 2012 15:33 UTC (Wed) by sorpigal (subscriber, #36106)

If you could achieve this I think it's fair to say that this is approaching 99% automatic.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds