Redploying most of 127/8 as unicast public

Måns Nilsson mansaxel at besserwisser.org
Sat Nov 20 21:37:39 UTC 2021


Subject: Re: Redploying most of 127/8 as unicast public
Date: Sat, Nov 20, 2021 at 09:15:24PM +0000
Quoting Matthew Walster (matthew at walster.org):

> > Why should we burden ourselves with this cumbersome and painful, useless
> > layer of abstraction that is "port forwarding", when the choice of
> > universal reachability is around the corner?
> 
> Because it's a REALLY bad idea to have unmanaged devices reachable from the
> open internet. Dial-out, not dial-in. You need a firewall. You need a way
> of punching holes in that firewall for services you explicitly allow, be
> that manually through an interface, or temporarily via an automated system
> like upnp/nat-pmp.
 
It's like you did not read the next part. 
 
> > If people can set a port forward up, they can click "allow" in a
> > routing-based firewall interface. Only it is better, because one can
> > have several parallel services using well-known ports. Sometimes (most
> > of the time) the protocol spec has no option to change port either,
> > making port forwarding futile anyway. (the let's have a TXT record bunch
> > at it again, purposefully ignoring SRV since its inception.)
> >
> 
> It's not always people. Lots of games, lots of telephony things, services
> like Syncthing... They all open firewall holes (yes, NAT is a firewall) to
> allow inbound connections for specific conditions, like "this protocol and
> port combination".
 
You obviously read it. Now I'm confused. 
 
> You are not. I'm glad my internet connected light bulbs are controlled by
> the Australian firm that manufactures them and the American firm that has a
> surveillance device in my kitchen listening for the immortal words "turn on
> the living room lights", rather than Billy* from Doncaster who's looking
> for something funny to do after losing at CS:GO again and happens to have
> found a list of IP addresses of known vulnerable devices accessible from
> the internet.

( I'd rather not have my lighting in the cloud. But I'm strange like that. )

Routing and allowing traffic are choices. Only that people with unusable
non-unique addresses don't get to make those choices.  One can probably
find quantitative research stating that letting people handle their
IT security makes for less secure systems, and from that standpoint
argue that they don't deserve the choice.  To me, that is elitist and
condescending (And I oughta know condescending, I'm quite good at it.) and
I think we could do better.

-- 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE           SA0XLR            +46 705 989668
I want another RE-WRITE on my CEASAR SALAD!!
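The two positions above (a default-deny firewall with explicit holes, versus a routing-based "allow" for a globally reachable host) can be made concrete in a ruleset. The following nftables fragment is an added illustration, not code from anyone in the thread: it shows a stateful, default-deny inbound policy on a host or router with globally routable addresses, where exactly one inbound service is allowed by a plain filter rule, and beside it the NAT port-forward (DNAT) form that binds one public port to one internal host. Interface names, addresses (2001:db8::/32 and 192.168.0.0/16) and ports are constructed for the example.

```nftables
# Added example (not from the original thread). Addresses, ports and
# interface names below are constructed placeholders.

# Case 1: no NAT. Every host has a routable address; the firewall is
# still default-deny inbound ("dial-out, not dial-in"), and reachability
# for a service is a single explicit allow rule on the real address.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        # Return traffic for connections this host opened (the dial-out case).
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 are required for PMTUD and IPv6 neighbour discovery.
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # The explicit "allow": SSH on this host's own global address only.
        ip6 daddr 2001:db8::10 tcp dport 22 ct state new accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Router variant of the same choice: one internal host with its own
        # routable address, one service, nothing else reachable. Two hosts
        # can both run a service on the same well-known port because the
        # rule keys on the destination address, not on a shared public port.
        ip6 daddr 2001:db8:1::20 tcp dport 443 ct state new accept
        ip6 daddr 2001:db8:1::21 tcp dport 443 ct state new accept

        # Filter side of Case 2 (below): the DNATed flow must also be accepted.
        ip daddr 192.168.0.20 tcp dport 443 ct state new accept
    }
}

# Case 2: NAT port forward. The public address is shared, so a public
# port can be mapped to only one internal host; a second host wanting
# port 443 needs a different public port, which the client must know.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        iif "wan0" tcp dport 443 dnat to 192.168.0.20:443
        # A second internal HTTPS host can only be exposed on another port:
        iif "wan0" tcp dport 8443 dnat to 192.168.0.21:443
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        oif "wan0" masquerade
    }
}
```

Load it with `nft -f` on a test box and inspect with `nft list ruleset`; in both cases the default policy is drop, so the difference is not whether a firewall exists but whether the "allow" is a filter rule on a real address or a port-to-host mapping on a shared one.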