Netflix banning HE tunnels

Owen DeLong owen at delong.com
Tue Jun 21 05:01:06 UTC 2016


>> 
>> I dare you to purchase a Yamaha amplifier with an ethernet interface,
>> connect it to a good set of speakers within range to make it loud in
>> your bedroom and provide me with your timezone and the IP address
>> of the Yamaha in its default configuration.
> 
> I don't want a Yamaha amplifier.  If you have one and if it is not
> FIT FOR PURPOSE, send it back and demand your money back.  You should
> be able to connect any equipment to a network and not have it be
> owned.

It’s quite FIT FOR PURPOSE. It has some things I don’t like (such as the
inability to leave it unattended on the internet without something protecting
it in front).

It doesn’t get owned so much as it can be controlled by anyone with access.

It won’t take a firmware update or something like that from a remote person,
but it has no authentication on its web control interface because it was
built with the stupid assumption that all the world is NAT.

Unfortunately, it is just one example of a vast number of appliances which are
built that way and are present in a variety of homes with less sophisticated
users than you or I.

Do you _REALLY_ think that the average consumer asks the 1d10t at the local
Best Buy “So, I know it sounds good and all, but what kind of firewall
configuration capabilities does this amplifier have?”

If you want to build routers for your idyllic fantasy world, that’s fine.
I’m talking about equipment that gets deployed in the real world as it
exists today and likely will exist for several years hence.

Do I agree with you about how things should be? Of course I do, but it’s
nearly the definition of insanity to act as if that is how things are to
the point that you allow actual harm to occur simply because so little
reality matches your fantasy.

> 
>> You can call it FUD all you want, but the average ethernet-connected
>> printer is quite vulnerable. So are many of the smart media devices
>> floating around out there.
> 
> The internet printers I have contain access controls.  They don't need
> a CPE firewall.

Good for you. You bought the correct 1.5% of the products that are out there
and you paid way more than most people do for a printer in their homes.

>> Same with many of the network-connected thermostats I have experimented
>> with.
> 
> Well send them back and demand your money back saying why you are sending
> them back. 

In some cases, I did. In other cases, it wasn’t worth the effort. However,
what I do has nothing to do with what happens in thousands or millions of
other homes where the user wouldn’t even know how to check whether or not
their thermostat has that capability and frankly doesn’t likely even know
enough to know that they should check it.

Step back from your fantasy of how the world should be (which I agree would
be a fine world if we can get there) and face the fact that some of us have
to deal with the world as it is, not as you would like it to be.

>> For anyone who knows enough to understand the risk they are or are not
>> taking by opening things up, it’s trivial to program in the desired
>> exceptions or turn off the default deny.
>> 
>> For everyone else, we should protect the internet from letting them
>> shoot themselves in the head in such a way that we get hit with the
>> back splatter.
> 
> And that comes with a significant future cost.  Every piece of
> software that wants to accept connections from outside now needs
> to be able to not only update the device's configuration but also
> the firewall's configuration.

Nope… Every user who wants to permit those accesses needs to know how
to update the device's configuration at least once. If you know enough to
care, you should know enough to turn off the protections. I’m just saying
they should be on by default.

I find it very hard to justify that the equivalent of flipping a light switch
once is truly a “significant future cost”.

> 
>>> The thing you need from all manufacturers is a commitment to release
>>> fixes (not necessarily feature upgrades) for the devices they ship
>>> for the real life of the product and for users to upgrade the products.
>> 
>> Certainly that helps, but it’s a fantasy in too many cases to act like
>> it is a foregone conclusion or fait accompli.
> 
> Actually if we ship CPE devices with firewalls off, IoT manufacturers
> will tighten the security of their devices.  It will lead to better
> products overall.

Right… Because that strategy has clearly worked so well thus far.

Please return to earth and re-evaluate your theory.

>>> Software doesn't wear out.  Bugs just get found and design flaws
>>> discovered.  The existing warranty policies are designed around
>>> products that physically wear out.
>> 
>> Sure, but until that is actually changed, a default permit policy on a
>> home gateway remains one of the worst ideas I can imagine.
> 
> Actually it is one of the best things we can do.  Yes, there will
> be a short term cost but it comes with benefits of a less complicated
> network where everything works.

No, it doesn’t. Your vision of how people should behave bears no resemblance
whatsoever to how they will behave. Your vision of what device manufacturers
will do in this environment is likewise delusional.

> Firewalls should be filtering out spoofed traffic (both ways) and
> that is about all they should be doing.

In the words of Randy Bush (who I can’t believe I’m quoting here),
I encourage you to try that on any network where you are responsible
for the network security, but cannot control the choice of devices
that users place on said network.

Owen
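For readers who want to see what the "default deny, flip one switch to open an exception" policy argued above looks like on a home gateway, here is an added nftables ruleset (not from the thread or from any CPE vendor) in the spirit of RFC 6092's recommended default. Interface names, the delegated prefix (the 2001:db8::/32 documentation range) and the pinhole address are assumptions.

```nftables
# Added example: default-deny IPv6 forwarding policy for a home CPE,
# with anti-spoofing in both directions and a single user-chosen pinhole.
# Interface names and addresses below are assumed, not taken from any product.
define wan = eth0
define lan = br0
define lan_prefix = 2001:db8:abcd::/64   # stands in for the ISP-delegated prefix

table inet cpe {
    chain forward {
        # "policy accept" here is the default-permit gateway argued for upthread;
        # it would expose every unauthenticated control interface on the LAN.
        type filter hook forward priority filter; policy drop;

        # Anti-spoofing both ways (the part both sides of the thread agree on):
        # the LAN may only source the delegated prefix, and nothing arriving
        # from the Internet may claim to be from inside.
        iifname $lan ip6 saddr != $lan_prefix drop
        iifname $wan ip6 saddr $lan_prefix drop

        # Return traffic for connections the LAN opened; junk state is dropped.
        ct state established,related accept
        ct state invalid drop

        # Anything the LAN initiates toward the Internet is allowed (stateful).
        iifname $lan oifname $wan accept

        # ICMPv6 that IPv6 needs to function at all (RFC 4890 guidance):
        # PMTUD, error reporting, and plain echo.
        iifname $wan icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request } accept

        # The one "light switch": a pinhole the user opens once for a device
        # that is known to authenticate its own control interface.
        iifname $wan ip6 daddr 2001:db8:abcd::50 tcp dport 443 accept

        # Everything else inbound falls through to the chain policy: drop.
    }
}
```

Load with `nft -f <file>`; an appliance that relies on "all the world is NAT" is then reachable from the LAN only, unless its owner deliberately adds a pinhole line like the one shown.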




More information about the NANOG mailing list