Re: UPnP/IPv6 support in home routers?
Stop with these emails. If they continue, you will be reported.
> On December 12, 2017 at 10:24 AM Gert Doering <gert@space.net> wrote:
>
>
> Hi,
>
> On Tue, Dec 12, 2017 at 03:45:17PM +0100, Jan Pedro Tumusok wrote:
> > What about all the people that are not able to setup their own filters and
> > other security mechanisms? Most people got this computer stuff for usage
> > and not to tinker with or spend hours figuring out the best type of
> > configuration.
> > How do we give them a bit more security than wide open devices?
>
> Besides the IoT crap, most devices nowadays have not been "wide open"
> in a long time.
>
> So either you assume the devices are vulnerable to network attacks - and
> in that case, they should not share a network with IoT and other crap.
>
> Or you assume the devices are indeed hardened properly (otherwise, I
> would not connect a laptop to a public wifi either...) - in which case a
> firewall mostly gets in the way of getting work done.
>
> Now, the IoT crap should just be moved to the garbage bin, and *that*
> would help.
>
> Gert Doering
> -- NetMaster
> --
> have you enabled IPv6 on something today...?
>
> SpaceNet AG Vorstand: Sebastian v. Bomhard
> Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen HRB: 136055 (AG Muenchen)
> Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
Re: UPnP/IPv6 support in home routers?
On 11/12/17 15:03, Gert Doering wrote:
> But that's the whole idea of UPnP or IGD. Whether you open one port or
> all of them, on request of a possibly-compromised host, is of no relevance.

I would disagree, on the purely theoretical basis of how it would be
presented to the user:

Situation 1: 'good' host has opened recognisable TCP port
Situation 2: 'bad' host has opened unrecognisable TCP port
Situation 3: 'good' host has opened all TCP/UDP ports to its addresses
Situation 4: 'bad' host has opened all TCP/UDP ports to its addresses

It is relatively trivial to identify or query malicious behaviour when
the possible situations in front of you are #1 and #2. When they are #3
and #4 it isn't as simple because you simply have less information about
what's going on.

If the standards were to theoretically permit the legitimate
'DFZ-enabling' in any such protocol, software creators will eventually
use it for legitimate (albeit probably stupid) reasons, and it'll become
common enough that even a relatively clued-up user would not be able to
recognise if a host is placing itself in a DFZ for legitimate or
illegitimate reasons.

I personally disable UPnP everywhere, but as we're stuck with it in the
wild, we should always be considering how changes could make the
situation even worse than the current situation, as opposed to saying
"this is all rubbish anyway". :)

--
Tom
Re: UPnP/IPv6 support in home routers?
Hi,

On Mon, Dec 18, 2017 at 10:12:42PM +0000, Tom Hill wrote:
> On 11/12/17 15:03, Gert Doering wrote:
> > But that's the whole idea of UPnP or IGD. Whether you open one port or
> > all of them, on request of a possibly-compromised host, is of no relevance.
>
> I would disagree, on the purely theoretical basis of how it would be
> presented to the user:
>
> Situation 1: 'good' host has opened recognisable TCP port
> Situation 2: 'bad' host has opened unrecognisable TCP port
> Situation 3: 'good' host has opened all TCP/UDP ports to its addresses
> Situation 4: 'bad' host has opened all TCP/UDP ports to its addresses
>
> It is relatively trivial to identify or query malicious behaviour when
> the possible situations in front of you are #1 and #2. When they are #3
> and #4 it isn't as simple because you simply have less information about
> what's going on.

This is assuming that the host #2 won't just open a standard TCP port
to do its thing. Why shouldn't it? It's bad, so lying about its purpose
is straightforward... (and then, everything is HTTP anyway today).

> If the standards were to theoretically permit the legitimate
> 'DFZ-enabling' in any such protocol, software creators will eventually
> use it for legitimate (albeit probably stupid) reasons, and it'll become
> common enough that even a relatively clued-up user would not be able to
> recognise if a host is placing itself in a DFZ for legitimate or
> illegitimate reasons.

See?

> I personally disable UPnP everywhere, but as we're stuck with it in the
> wild, we should always be considering how changes could make the
> situation even worse than the current situation, as opposed to saying
> "this is all rubbish anyway". :)

"bad hosts can open back doors at their whim" is as bad as it can get,
there is no "more of that".

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
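An added example, not part of the thread and not code from either poster: it audits a constructed UPnP IGD port-mapping table in the way Tom's four situations suggest (recognised port, unrecognised port, all ports) and then applies the only check that survives Gert's objection, an explicit administrator allow-list, since a bad host can pick a well-known port and write any description it likes. The field names follow the WANIPConnection `GetGenericPortMappingEntry` arguments, but every value is constructed; modelling the "all ports" entry as external port 0, the `RECOGNISED_PORTS` table and the `APPROVED` set are this example's own assumptions, not anything the thread or the protocol specifies.

```python
"""Audit a UPnP IGD port-mapping table (constructed sample data, not output
from any real router), sort each entry into the situations from the thread,
and then apply an explicit allow-list, which is the only check that does not
depend on trusting the port number or the self-reported description."""

from dataclasses import dataclass


# Field names mirror the WANIPConnection GetGenericPortMappingEntry arguments
# (NewExternalPort, NewProtocol, NewInternalPort, NewInternalClient,
# NewPortMappingDescription). All values below are constructed for the example.
@dataclass(frozen=True)
class PortMapping:
    external_port: int
    protocol: str            # "TCP" or "UDP"
    internal_port: int
    internal_client: str     # LAN address of the host that requested the mapping
    description: str         # self-reported by the requesting host; untrusted


# Ports a user would recognise at a glance (assumed table for this example).
RECOGNISED_PORTS = {22: "ssh", 80: "http", 443: "https", 3389: "rdp", 5060: "sip"}

# This example's own convention: an external port of 0 stands for the
# "all ports to this host" entry the thread calls a DFZ. It is an assumption
# of the example, not a rule of the IGD protocol.
WILDCARD_PORT = 0


def classify(mapping: PortMapping) -> str:
    """Return 'all_ports', 'recognised' or 'unrecognised'.

    Situations 3 and 4 both land in 'all_ports': the entry itself carries no
    information about whether the requesting host was good or bad.
    Situations 1 and 2 are separable only as far as the port number is
    informative, which is exactly the weak point Gert raises."""
    if mapping.external_port == WILDCARD_PORT:
        return "all_ports"
    if mapping.external_port in RECOGNISED_PORTS:
        return "recognised"
    return "unrecognised"


def audit(mappings, allow_list):
    """Return a list of (mapping, class, verdict) tuples.

    allow_list holds (internal_client, protocol, external_port) triples the
    administrator explicitly approved. Anything else gets 'review', however
    familiar the port or plausible the description looks."""
    report = []
    for m in mappings:
        cls = classify(m)
        approved = (m.internal_client, m.protocol, m.external_port) in allow_list
        verdict = "approved" if approved else "review"
        report.append((m, cls, verdict))
    return report


# Constructed sample table: one entry per situation in the thread, plus a
# host that chose a recognised port and a plausible description (Gert's case).
SAMPLE_MAPPINGS = [
    PortMapping(443, "TCP", 443, "192.168.1.10", "nas-web"),        # situation 1
    PortMapping(51413, "TCP", 51413, "192.168.1.23", "svc"),        # situation 2
    PortMapping(0, "TCP", 0, "192.168.1.40", "game-console"),       # situation 3
    PortMapping(0, "UDP", 0, "192.168.1.77", "updater"),            # situation 4
    PortMapping(80, "TCP", 8080, "192.168.1.77", "http"),           # looks like 1
]

# Only the NAS web interface was knowingly approved by the administrator.
APPROVED = {("192.168.1.10", "TCP", 443)}


def review_candidates(mappings=SAMPLE_MAPPINGS, allow_list=APPROVED):
    """Entries that need a human decision: everything not explicitly approved."""
    return [(m.internal_client, m.protocol, m.external_port, cls)
            for m, cls, verdict in audit(mappings, allow_list)
            if verdict == "review"]


if __name__ == "__main__":
    for m, cls, verdict in audit(SAMPLE_MAPPINGS, APPROVED):
        print(f"{m.internal_client:14} {m.protocol} {m.external_port:>5} "
              f"{cls:12} {verdict:9} {m.description!r}")
```

Run as a script it prints one line per mapping; the point of the output is that the entry on port 80 from 192.168.1.77 classifies as "recognised" yet still lands in the review list, because the allow-list, not the port or the description, decides.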
