From: Dave Taht
To: dpreed@reed.com
Cc: Justin Madru, cerowrt-devel@lists.bufferbloat.net
Date: Fri, 18 Jan 2013 14:01:03 -0500
Subject: Re: [Cerowrt-devel] DLNA with wired and wireless devices
In-Reply-To: <1358534753.401125130@apps.rackspace.com>
List-Id: Development issues regarding the cerowrt test router project
On Fri, Jan 18, 2013 at 1:45 PM, <dpreed@reed.com> wrote:

> A non-obvious gateway application that some people like is a "DMZ". In
> other words, a portion of the home network (one computer), that handles
> traffic from the outside that one never wants to reach internal resources
> that are not in the DMZ.

I had explicitly left open an ip range in cerowrt for a DMZ if needed. (33-65)

> Home routers often talk about how to set up a DMZ, so there ought to be a
> way to do so in a routed network.
>
> Please don't react to this by assuming that I personally like the DMZ
> concept. I would rather do something more subtle - provide a "honeypot"
> feature that attracts would-be scanners/attackers to a place where they can
> do no harm, and where information about them can be collected. (the latter
> could be a great benefit to consumers who opt-in to it, whereas the DMZ
> "feature" is often misused by people to get around the problem of NAT
> getting in the way - sort of an anti-DMZ)

I like the honeypot idea a lot. I'd like very much to be participating in
detecting and thwarting a variety of attacks. I note that a huge number of
attacks now come from within the firewall as well.

My limited preliminary attempt at this was to protect cero slightly by
installing sensors on the telnet and ftp ports on the router, using xinetd,
which disable several other services when probed (notably ssh - except the
one that I most want to disable, the web configuration server, which can't
run out of xinetd at present. Sigh).

Since doing that, discussed on this list have been several higher end and
more comprehensive tools, but I haven't had time to pursue them (I'll gladly
take packages and patches).

I'd love to have something that tracked dns amplification attempts (and
thwarted/reported them). rbl support, too...

Similarly a rate flooding detector more robust than what openwrt currently
does (and cerowrt doesn't) would be nice (openwrt artificially rate limits
icmp to 1000/sec, which is kind of large in the case of a home gateway and
rather small in the case of an ethernet)

and since this is a topic that the NSF was rather interested in, I thought
about applying for grants to try to address it (I have a draft of a proposal
if anyone wants to pursue it) in their recent solicitation round...

.... but me, I'd rather fix bufferbloat (and ipv6).

I DID build the thc ipv6 attack toolkit starting a few releases ago. The
situation there if you try that stuff out is pretty terrifying.

> -----Original Message-----
> From: "Dave Taht" <dave.taht@gmail.com>
> Sent: Friday, January 18, 2013 11:32am
> To: "Justin Madru" <justin.jdm64@gmail.com>
> Cc: cerowrt-devel@lists.bufferbloat.net
> Subject: Re: [Cerowrt-devel] DLNA with wired and wireless devices
>
> On Fri, Jan 18, 2013 at 12:36 AM, Justin Madru <justin.jdm64@gmail.com> wrote:
>
>> Awesome! It seems to be working now. Thanks!
>
> OK, so to me this means that routing in the home, rather than bridging,
> can work even with upnp and dlna. Which makes me happy as I hope to one day
> be able to explore the effect of bridging gigE and wireless in larger scale
> networks. I have plenty of raw data showing how bad an idea it is, but
> nothing comprehensive as yet.
>
> A core question for me then becomes, how does upnp deal with multiple
> routers in the home, if they aren't natted?
>
> Another item is that upnp has the ability to advertise the available
> bandwidth to clients, and I was thinking of storing the rate limiting for
> ceroshaper in that rather than in a dedicated file. Does anything actually
> use that information? What do common bittorrent clients do with upnp
> nowadays? How about skype?
>
> Are there any other common gateway applications that are going to break in
> a routed environment?
>
> --
> Dave Täht
>
> Fixing bufferbloat with cerowrt:
> http://www.teklibre.com/cerowrt/subscribe.html

--
Dave Täht

Fixing bufferbloat with cerowrt:
http://www.teklibre.com/cerowrt/subscribe.html
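One way to build the kind of xinetd port sensor the message describes (a listener on the unused telnet and ftp ports that locks a probing host out of every other xinetd-managed service), as an added example that is not Dave's actual cerowrt configuration: it relies on the SENSOR flag and the deny_time attribute documented in xinetd.conf(5). The 60-minute deny window, the logging attributes, and the /bin/false server path are my choices; the server line is assumed to satisfy the config parser, since xinetd never executes a server for a SENSOR service.

```conf
# Added example, not the cerowrt project's own configuration.
# A host that connects to either sensor port is added to xinetd's global
# no_access list for deny_time minutes, so its later connections to every
# other service xinetd manages on this box (an ssh run under xinetd, for
# instance) are refused and logged. A sensor only sees completed TCP
# connections; it does not detect stealth (half-open) scans.

defaults
{
        log_type        = SYSLOG daemon info
        log_on_failure  = HOST
        log_on_success  = PID HOST DURATION
}

# deny_time is in minutes; FOREVER and NEVER are also accepted values.
service telnet
{
        disable         = no
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        flags           = SENSOR
        deny_time       = 60
        server          = /bin/false
}

service ftp
{
        disable         = no
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        flags           = SENSOR
        deny_time       = 60
        server          = /bin/false
}
```

Because the sensor replaces the service on that port, the real telnetd and ftpd must not be enabled on the same ports. The lockout only covers services that xinetd itself accepts connections for, which matches the limitation in the message: a web configuration server that runs as its own daemon is unaffected by the no_access list.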
