quietly....

Matthew Palmer mpalmer at hezmatt.org
Thu Feb 3 05:53:30 UTC 2011


On Thu, Feb 03, 2011 at 12:23:54AM -0500, Jay Ashworth wrote:
> ----- Original Message -----
> > From: "Matthew Palmer" <mpalmer at hezmatt.org>
> > Now, if you decide that none of those applications are important to you,
> > sure, you can firewall them off as appropriate. But the pervasive
> > deployment of NAT means that the set of problems that can be solved is
> > constrained, and of the problems that *can* be solved, the solutions
> > tend to be more complicated, harder to implement, understand, and so on,
> > which has a cost to the community (higher prices, fewer solved problems,
> > whatever your desired metric may be). I think that's what Blake is
> > getting at with his TotC.
> 
> Perhaps.  I'm not sure that the collective importance of that difficulty
> outweighs the collective danger of making all nodes of the Internet *as it
> presently exists* publicly routable.

Well, technically, nodes aren't routable, addresses are... and I don't even
see any danger in the mere existence of a valid route to a host.  The danger
exists when that host is not sufficiently secured (be it via firewall,
sensible configuration, whatever).

> I don't know whether it's occurred to people that if you make every node
> on the present day Internet routable, then *you've made every node on the
> present day Internet routable*; the number of machines subject to 
> more or less direct attack goes up (by a jackleg estimate I've just now
> made up) by between 3 and 5 orders of magnitude.
> 
> I make jackleg estimates all the time; I don't believe I've ever had to 
> say "5 orders of magnitude".

I'm willing to bet you're being deeply optimistic (pessimistic?) with that
estimate; if your estimate were accurate, it would mean that for every
publicly addressed device there are between 1,000 and 100,000 privately
addressed nodes.  I *really* don't think that's plausible.

At any rate, I think the days of severely broken IP stacks and
"spectacularly insecure by default" OS installations are largely behind us;
the security battle for the "client endpoint" has moved to client-initiated
attacks, which are unhindered by NAT, firewalling, or any other
"layer-respecting" network security device.

> > Of course, I'm a tiny bit of a skeptic, as I really can't see how a
> > stateful firewall can know which other connections / packets are related
> > without a lot of the same dodgy shenanigans that goes on now, but at
> > least if you've gotten rid of the 1-to-N address mangling a fundamental
> > stumbling block is removed and people can get on and solve the remaining
> > (tractable) problems.
> 
> That is problematic as well, isn't it?

It is, but at least it's a problem that has a hope of being solved.

> It speaks directly to the attack-surface comment I just made in another reply.

I can't see how.

- Matt

-- 
"For once, Microsoft wasn't exaggerating when they named it the 'Jet Engine'
-- your data's the seagull."
		-- Chris Adams
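The "related connections" problem Matt raises above (a stateful filter on a globally addressed host has to work out which inbound flows belong to an existing session, with or without NAT) can be shown with a small simulation. This is an added example, not code from the thread or from any firewall product: a toy stateful packet filter that default-denies unsolicited inbound traffic, permits replies to outbound-initiated flows, and only lets an inbound FTP active-mode data connection through when a helper has parsed the client's EPRT command on the control channel. All addresses are constructed from the RFC 3849 documentation prefix, and the packet model, helper and address check are the example's own assumptions.

```python
"""Toy stateful packet filter illustrating the 'related connection' problem.

Added example, not from the NANOG thread.  Addresses use the 2001:db8::/32
documentation prefix (RFC 3849); the Packet model and helper are assumptions
made for the illustration.
"""
from dataclasses import dataclass
import re

INSIDE_PREFIX = "2001:db8:1::"          # our globally routed subnet (constructed)
INSIDE = "2001:db8:1::10"               # client behind the filter (constructed)
SERVER = "2001:db8:2::21"               # FTP server elsewhere (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    payload: bytes = b""


class StatefulFilter:
    """Default-deny inbound; allow outbound-initiated flows and their replies.

    'helpers' are callables that inspect accepted packets and may register an
    expected inbound flow (dst_host, dst_port), the way an ALG / conntrack
    helper does for protocols that negotiate secondary connections in-band.
    """

    def __init__(self, helpers=()):
        self.established = set()   # frozenset({(addr, port), (addr, port)})
        self.expected = set()      # (addr, port) tuples permitted inbound once
        self.helpers = list(helpers)

    @staticmethod
    def _key(p: Packet):
        # Direction-agnostic flow key so replies match the original entry.
        return frozenset([(p.src, p.sport), (p.dst, p.dport)])

    @staticmethod
    def _is_inside(addr: str) -> bool:
        return addr.startswith(INSIDE_PREFIX)

    def filter(self, p: Packet) -> str:
        key = self._key(p)
        if key in self.established:
            for h in self.helpers:
                h(self, p)
            return "ACCEPT"
        if self._is_inside(p.src) and not self._is_inside(p.dst):
            # New outbound flow: create state so the replies get through.
            self.established.add(key)
            for h in self.helpers:
                h(self, p)
            return "ACCEPT"
        if (p.dst, p.dport) in self.expected:
            # Inbound flow a helper told us to expect (e.g. FTP data channel).
            self.expected.discard((p.dst, p.dport))
            self.established.add(key)
            return "ACCEPT"
        return "DROP"              # unsolicited inbound to a routable host


# RFC 2428 EPRT: "EPRT |2|<ipv6>|<port>|"  (2 = AF_INET6)
EPRT_RE = re.compile(rb"EPRT \|2\|([0-9a-fA-F:]+)\|(\d+)\|")


def ftp_eprt_helper(fw: StatefulFilter, p: Packet) -> None:
    """Parse the client's EPRT on the control channel and expect the data flow.

    Only the outbound control channel (dst port 21) is inspected, and the
    address in the command must equal the packet's own source; otherwise an
    inside host could punch holes in the filter for third parties.
    """
    if p.proto != "tcp" or p.dport != 21:
        return
    m = EPRT_RE.search(p.payload)
    if m and m.group(1).decode() == p.src:
        fw.expected.add((p.src, int(m.group(2))))


def run_scenario(with_helper: bool) -> dict:
    """Replay a constructed FTP active-mode session through the filter."""
    fw = StatefulFilter(helpers=[ftp_eprt_helper] if with_helper else [])
    control_out = Packet(INSIDE, 40001, SERVER, 21)
    control_reply = Packet(SERVER, 21, INSIDE, 40001)
    unsolicited = Packet(SERVER, 12345, INSIDE, 22)
    eprt = Packet(INSIDE, 40001, SERVER, 21,
                  payload=b"EPRT |2|2001:db8:1::10|5001|\r\n")
    data_in = Packet(SERVER, 20, INSIDE, 5001)   # server connects back to us
    return {
        "control_out": fw.filter(control_out),
        "control_reply": fw.filter(control_reply),
        "unsolicited_ssh": fw.filter(unsolicited),
        "eprt": fw.filter(eprt),
        "data_in": fw.filter(data_in),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("helper" if flag else "no helper", run_scenario(flag))
```

Without the helper, the inbound data connection is dropped even though every host involved has a globally routable address and the filter is purely stateful; with it, the filter accepts exactly one inbound flow to the negotiated port. Note the address-equality check in the helper: parsing in-band commands is where the "dodgy shenanigans" live, and a helper that trusts the address in the command rather than the packet source turns the inside client into a hole-punching oracle.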
