Re: [secdir] secdir review of draft-ietf-v6ops-ipv6-cpe-router

[Ole Troan <ot@cisco.com>]

Scott,

thank you very much for a thorough review!
some further comments inline.

> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.
> 
> As the title implies, this document discusses basic requirements for IPv6 customer edge routers. The comments given here are limited to security only.
> 
> The security considerations section begins with a paragraph stating that basic stateless egress and ingress filters should be supported (lowercase "should"), and goes on to say that the CE router should offer mechanisms to filter traffic entering the customer network, but that how these are implemented is out of scope (lowercase "should").

we tried to limit RFC2119 language to only the numbered requirements. the initial paragraph is only to set the stage for the more detailed requirements below. basically just saying that the CPE should support a packet filtering capability. but from a security point of view I'm not sure if we can state this in very much more concrete terms?

> Then, it has the following statements:
> 
>   Security requirements:
> 
>   S-1:  The IPv6 CE router SHOULD support
>         [I-D.ietf-v6ops-cpe-simple-security].
> 
>   S-2:  The IPv6 CE router MUST support ingress filtering in accordance
>         with [RFC2827] (BCP 38)
> 
> When I first read this, I thought the statements in the first paragraph were somewhat weak and imprecise, as they don't use RFC2119 language. When I read draft-ietf-v6ops-cpe-simple-security-12.txt, I thought that document gives a relatively thorough treatment of security considerations, but I'm not sure what it means to say "The IPv6 CE router SHOULD support" it. 

the intention was to state the the CPE router should have the capability of doing the functions described in the simple security draft. but we did not want to make any recommendation what the default should be. I believe recommending that simple security is enabled by default in a CPE routers would violate the Internet architecture principles. would it help if we changed the text to:

S-1: The IPv6 CE router SHOULD support the [I-D.ietf-v6ops-cpe-simple-security]. This functionality MUST be user configurable and this
        specification makes no recommendation what the default setting should be.


> 
> What does this mean? Since the referenced ID only makes recommendations (and explicitly states the RFC2119 language is not binding) what does it mean to "support" it? Must a device implement all recommendations? Must it implement only certain ones? 
> 
> I think it makes sense to reference the simple security document rather than re-writing significant sections of it here, but I also think that this statement of security requirements should be considerably more precise.

while on the topic of security. we should perhaps have said something more about device security. as in requirements for access to the device itself. today many of these routers allow telnet and http access, more often than not with default password. where they also make a distinction between 'inside' and 'outside', which some recent attacks have taken advantage of.

does the security directorate have any other (and more detailed) recommendations they would have liked to see in this document?

cheers,
Ole