Netflix banning HE tunnels

Jason Baugher jason at thebaughers.com
Tue Jun 21 00:35:19 UTC 2016


Wait, is this April Fools? The way to make device manufacturers tighten up
their security holes is to stick them on the public Internet? That's a hoot.
On Jun 20, 2016 6:57 PM, "Mark Andrews" <marka at isc.org> wrote:

>
> In message <28657BED-E262-452D-B218-7B39B17F36FE at delong.com>, Owen DeLong
> writes:
> >
> > > On Jun 20, 2016, at 13:45 , Mark Andrews <marka at isc.org> wrote:
> > >
> > >
> > > In message <E67D028D-2A66-453C-9D8B-0AC8FEA88131 at delong.com>, Owen DeLong writes:
> > >>
> > >>> On Jun 17, 2016, at 10:10 , Mark Milhollan <mlm at pixelgate.net> wrote:
> > >>>
> > >>> On Tue, 14 Jun 2016, Owen DeLong wrote:
> > >>>> On Jun 14, 2016, at 11:57 , Ricky Beam <jfbeam at gmail.com> wrote:
> > >>>
> > >>>>> I've seen many "IPv6 Capable" CPEs that apply ZERO security to IPv6 traffic.
> > >>>>
> > >>>> Those are by definition poorly designed CPE.
> > >>>
> > >>> This (open by default vs closed) has been discussed before, with
> > >>> plenty of people on either side.
> > >>>
> > >>>
> > >>> /mark
> > >>
> > >> I’m unaware of anyone advocating open inbound by default residential
> > >> CPE.
> > >>
> > >> I’m not saying they don’t exist, but I can’t imagine how anyone could
> > >> possibly defend that position rationally.
> > >>
> > >> I’m pretty much in favor of open by default in most things, but for
> > >> inbound traffic to residential CPE? Even I find that hard to
> > >> rationalize.
> > >>
> > >> Owen
> > >>
> > >
> > > For a lot of homes it actually makes sense.  Your laptops are safe
> > > as they are designed to be connected directly to the Internet.  We
> > > do this all the time.  Similarly phone and tablets are designed to
> > > be directly connected to the Internet.  I know that lots of us do
> > > this all the time.  Think about what happens at conferences.  There
> > > is no firewall there to save you but we all regularly connect our
> > > devices to the conference networks.
> > >
> > > Lots of other stuff is also designed to be directly connected to
> > > the Internet.
> > >
> > > Finding ways to successfully attack a machine from outside is
> > > actually hard and has been for many years now.
> > >
> > > There is lots of FUD being thrown around about IoT.  Some machines
> > > will be compromised but as a class of devices there is no reason
> > > to assume that manufacturers haven't learned from what happened to
> > > other Internet connected products.
> >
> > I dare you to purchase a Yamaha amplifier with an ethernet interface,
> > connect it to a good set of speakers within range to make it loud in
> > your bedroom and provide me with your timezone and the IP address
> > of the Yamaha in its default configuration.
>
> I don't want a Yamaha amplifier.  If you have one and if it is not
> FIT FOR PURPOSE send it back and demand your money back.  You should
> be able to connect any equipment to a network and not have it be
> owned.
>
> > You can call it FUD all you want, but the average ethernet-connected
> > printer is quite vulnerable. So are many of the smart media devices
> > floating around out there.
>
> The internet printers I have contain access controls.  They don't need
> a CPE firewall.
>
> > Same with many of the network-connected thermostats I have experimented
> > with.
>
> Well, send them back and demand your money back, saying why you are sending
> them back.
>
> > For anyone who knows enough to understand the risk they are or are not
> > taking by opening things up, it’s trivial to program in the desired
> > exceptions or turn off the default deny.
> >
> > For everyone else, we should protect the internet from letting them
> > shoot themselves in the head in such a way that we get hit with the
> > back splatter.
>
> And that comes with a significant future cost.  Every piece of
> software that wants to accept connections from outside now needs
> to be able to not only update the devices configuration but also
> the firewalls configuration.
>
> > > The thing you need from all manufacturers is a commitment to release
> > > fixes (not necessarily feature upgrades) for the devices they ship
> > > for the real life of the product and for users to upgrade the products.
> >
> > Certainly that helps, but it’s a fantasy in too many cases to act like
> > it is a foregone conclusion or fait accompli.
>
> Actually if we ship CPE devices with firewalls off, IoT manufacturers
> will tighten the security of their devices.  It will lead to better
> products overall.
>
> > > Software doesn't wear out.  Bugs just get found and design flaws
> > > discovered.  The existing warranty policies are designed around
> > > products that physically wear out.
> >
> > Sure, but until that is actually changed, a default permit policy on a
> > home gateway remains one of the worst ideas I can imagine.
>
> Actually it is one of the best things we can do.  Yes, there will
> be a short term cost but it comes with benefits of a less complicated
> network where everything works.
>
> Firewalls should be filtering out spoofed traffic (both ways) and
> that is about all they should be doing.
>
> > Owen
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>
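The two positions argued above (default-deny inbound on the home gateway versus a CPE that only filters spoofed traffic in both directions) can be written down as concrete IPv6 forwarding policies. The following nftables ruleset is an added illustration, not code from any poster in this thread or from ISC; the interface names lan0 and wan0 and the delegated prefix 2001:db8:1234::/48 are assumed placeholders.

```nft
# Two IPv6 forwarding policies for a residential CPE, as nftables tables.
# ASSUMPTIONS (not from the thread): LAN interface lan0, WAN interface wan0,
# delegated prefix 2001:db8:1234::/48 (documentation range).
# Load ONE of the two tables with: nft -f <file>

# Policy A: default-deny inbound.
# Only flows initiated from the LAN, and the ICMPv6 that IPv6 needs in order
# to work, are forwarded in from the WAN; everything else hits the drop policy.
table ip6 cpe_default_deny {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that a LAN host opened
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 required for path MTU discovery and basic reachability;
        # dropping packet-too-big silently breaks IPv6 connectivity
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem,
                      echo-request, echo-reply } accept

        # Anything originated on the LAN may go out
        iifname "lan0" oifname "wan0" accept

        # Unsolicited inbound traffic falls through to the chain policy: drop
    }
}

# Policy B: anti-spoofing only.
# Inbound connections are permitted; the CPE refuses to forward only packets
# whose source address cannot legitimately appear on the interface it came in on.
table ip6 cpe_antispoof_only {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Egress (BCP 38): LAN hosts may only send from the delegated prefix
        iifname "lan0" ip6 saddr != 2001:db8:1234::/48 drop

        # Ingress: nothing arriving from the WAN may claim our own prefix
        iifname "wan0" ip6 saddr 2001:db8:1234::/48 drop

        # Ingress: sources that are never valid on the public Internet
        iifname "wan0" ip6 saddr { ::/128, ::1/128, fc00::/7, fe80::/10 } drop

        # Everything else is forwarded in both directions (chain policy: accept)
    }
}
```

Policy A is the model RFC 6092 describes for residential IPv6 CPE; note that it still has to admit the ICMPv6 types listed, or the "nothing works" failure mode the thread worries about shows up as broken path MTU discovery rather than as a blocked port. Policy B is the "filter spoofed traffic both ways and nothing more" stance: it protects the rest of the Internet from the home network's spoofed packets and the home network from packets impersonating it, but it gives an exposed printer, thermostat or amplifier no cover at all, which is exactly the trade the two posters disagree on.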
