Re: draft-ietf-ipv6-deprecate-rh0-01-candidate-01
Pekka Savola <pekkas@netcore.fi> Fri, 15 June 2007 05:16 UTC
Date: Fri, 15 Jun 2007 08:16:11 +0300
From: Pekka Savola <pekkas@netcore.fi>
To: Joe Abley <jabley@ca.afilias.info>
Cc: Thomas Narten <narten@us.ibm.com>, IETF IPv6 Mailing List <ipv6@ietf.org>, bob.hinden@nokia.com

On Thu, 14 Jun 2007, Joe Abley wrote:
>> > I think you are missing my point.
>>
>> I don't think so (though I may have been overly sarcastic in my
>> response). I understand that the default security policy/config is
>> "just say no".
>
> OK, good then. Sorry for mischaracterising your reply.
>
> I think there is a difference between firewalls which:
...

I'm not sure if the document needs to say much at all about firewalls.
draft-ietf-v6ops-security-overview-06.txt has already said a lot about
this (now in RFC-ed queue) and there was significant IESG debate.
RFC 4890 may also be an interesting precedent here. Both are
Informational documents.

But if this document said something, perhaps the best would be to
recommend operators don't try to filter RH0 in any ACLs or firewalls.
(a) class of networks already de-facto filter it (all RH) so nothing
is changed. The rest shouldn't bother because 1) hosts will get
updated, and 2) ingress filtering will block most of the abuse.

IMHO, it's pointless to try to block RH0 in any firewalls except in
very well-managed networks. The more configuration we recommend
vendors to build in or operators to deploy, the more likely it is that
it breaks something, especially given that most firewall/ACL
implementations have restrictions on which RHs they can see.

-- 
Pekka Savola
Netcore Oy
Systems. Networks. Security.

"You each name yourselves king, yet the kingdom bleeds."
-- George R.R. Martin: A Clash of Kings
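
Added example, not part of the original message: a sketch of one reading of the remark above that firewall/ACL implementations are restricted in which RHs they can see. It compares a filter that inspects only the header named by the fixed IPv6 header with one that walks the extension header chain, and shows that matching on Routing Type keeps type 2 (used by Mobile IPv6) distinct from RH0. The packets, addresses and function names are constructed for illustration.

```python
import struct

HOP_BY_HOP, ROUTING, DEST_OPTS, NO_NEXT = 0, 43, 60, 59
# Headers with the generic (Next Header, Hdr Ext Len) layout; Fragment, AH
# and ESP are left out to keep the example to one case.
CHAINABLE = {HOP_BY_HOP, ROUTING, DEST_OPTS}

def ext(next_hdr, body):
    """One extension header; Hdr Ext Len counts 8-octet units beyond the first."""
    assert (len(body) + 2) % 8 == 0
    return bytes([next_hdr, (len(body) + 2) // 8 - 1]) + body

def ipv6(first_next_hdr, rest):
    """Fixed 40-byte IPv6 header with all-zero placeholder addresses."""
    return struct.pack("!IHBB", 6 << 28, len(rest), first_next_hdr, 64) + bytes(32) + rest

def rh_body(rtype, segments_left=1):
    """Routing header body: type, segments left, 4 reserved bytes, one address."""
    return bytes([rtype, segments_left]) + bytes(4) + bytes(16)

def routing_headers(pkt):
    """Walk the whole chain and return [(routing_type, segments_left), ...]."""
    found, nh, off = [], pkt[6], 40
    while nh in CHAINABLE and off + 8 <= len(pkt):
        if nh == ROUTING:
            found.append((pkt[off + 2], pkt[off + 3]))
        nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return found

def first_header_only_sees_rh0(pkt):
    """Limited filter: looks only at the header right after the fixed header."""
    return pkt[6] == ROUTING and len(pkt) >= 44 and pkt[42] == 0

def chain_walk_sees_rh0(pkt):
    """Full filter: finds a type 0 Routing header anywhere in the chain."""
    return any(rtype == 0 for rtype, _ in routing_headers(pkt))

PADN = bytes([1, 4, 0, 0, 0, 0])  # PadN option filling the header to 8 octets
SAMPLES = {  # constructed packets, not captured traffic
    "rh0_first": ipv6(ROUTING, ext(NO_NEXT, rh_body(0))),
    "rh0_behind_dstopts": ipv6(DEST_OPTS, ext(ROUTING, PADN) + ext(NO_NEXT, rh_body(0))),
    "rh2_mobile_ipv6": ipv6(ROUTING, ext(NO_NEXT, rh_body(2))),
}

def compare():
    """Map sample name -> (first-header-only verdict, chain-walk verdict)."""
    return {n: (first_header_only_sees_rh0(p), chain_walk_sees_rh0(p)) for n, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```
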