IETF Logo Mail Archive

Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 25 August 2008 22:01 UTC

Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B418E3A69B1 for <ietfarch-v6ops-archive@core3.amsl.com>; Mon, 25 Aug 2008 15:01:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.147
X-Spam-Level:
X-Spam-Status: No, score=0.147 tagged_above=-999 required=5 tests=[AWL=0.642, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 66VEoFVba6X0 for <ietfarch-v6ops-archive@core3.amsl.com>; Mon, 25 Aug 2008 15:01:26 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id C79BB3A6944 for <v6ops-archive@lists.ietf.org>; Mon, 25 Aug 2008 15:01:25 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1KXk6Y-000OLb-T7 for v6ops-data@psg.com; Mon, 25 Aug 2008 22:00:06 +0000
Received: from [74.125.44.29] (helo=yx-out-2324.google.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <brian.e.carpenter@gmail.com>) id 1KXk6U-000OKo-9O for v6ops@ops.ietf.org; Mon, 25 Aug 2008 22:00:04 +0000
Received: by yx-out-2324.google.com with SMTP id 8so1008172yxb.71 for <v6ops@ops.ietf.org>; Mon, 25 Aug 2008 15:00:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :organization:user-agent:mime-version:to:cc:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=SdgHSqjBubcVTO9s21CME78B8z8jeBDmFD86p3Q6cKI=; b=baapLhC5Obe3tl9TPPf6SLRXri8Ja3WBjhPs/KGA9EkJAY5rUhJz62uV8Ykohg8TGD MP3x99IzlTkI5JiYvV/ULIWfAEYw0hpC1cttgYyomwA4xgBGIpRgl17Ugbl5HWcIvqBT 1UkAnrPB2QUwAussJurKPwh7rXDKKDVvu7v/w=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; b=jx86isxpkWEZp2lo/KisWtlSvQ6QmqzBTGFx1Xbmb0YY9tKHhNo8lvrBcfrMixH94l 3zN0Wy6Ud1nqzTEFG95LcwkKtAIzEAW/wfE2B1v9oJV7VhezjvjzHPIWuygfDEXVR2Lx DGAuzrBhglwp9KhLYoIdTV44fyd+jZyTiwIWI=
Received: by 10.114.57.15 with SMTP id f15mr3997805waa.116.1219701600888; Mon, 25 Aug 2008 15:00:00 -0700 (PDT)
Received: from ?130.216.38.124? ( [130.216.38.124]) by mx.google.com with ESMTPS id m30sm7013107wag.0.2008.08.25.14.59.57 (version=SSLv3 cipher=RC4-MD5); Mon, 25 Aug 2008 15:00:00 -0700 (PDT)
Message-ID: <48B32B43.5010103@gmail.com>
Date: Tue, 26 Aug 2008 09:59:31 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Dan Wing <dwing@cisco.com>
CC: 'Mark Smith' <ipng@69706e6720323030352d30312d31340a.nosense.org>, jhw@apple.com, 'IPv6 Operations' <v6ops@ops.ietf.org>
Subject: Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03
References: <20080824204553.08131c65.ipng@69706e6720323030352d30312d31340a.nosense.org> <48B1CCE8.1070305@gmail.com> <01af01c9065b$b4602440$c2f0200a@cisco.com> <48B23391.1090503@gmail.com> <01cd01c90672$a57c8790$c2f0200a@cisco.com> <48B31DA3.6080001@gmail.com> <07d201c906f7$50a85e30$c2f0200a@cisco.com>
In-Reply-To: <07d201c906f7$50a85e30$c2f0200a@cisco.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>

On 2008-08-26 09:12, Dan Wing wrote:
>> On 2008-08-25 17:23, Dan Wing wrote:
>>>>> You're saying that the Simple CPE Security document is 
>> not intended
>>>>> to provide security, but rather intended to provide a way 
>> to receive
>>>>> unsolicited IPv6 traffic through non-IPv6-capable SPs?
>>>> If a host behind the CPE chooses to set up an IPv6 tunnel to
>>>> an IPv6-supporting ISP, I don't see that the tunnel is anybody's
>>>> business but the host's. So yes, in that case I think the CPE
>>>> should step back, because the host *is* soliciting incoming
>>>> packets.
>>> But in that case, the host behind the CPE initiated the 
>>> communication to the tunnel.  For that to work, I do not
>>> believe it requires the CPE to allow unsolicited *incoming* 
>>> traffic from the Internet (as currently written in 
>>> draft-ietf-v6ops-cpe-simple-security-03.txt R19, R20, and R21).
>> How does it know that a Protocol 41 packet is unsolicited?
> 
> The same way it knows a non-protocol 41 packet is solicited: the
> host sends a packet first -- the host being protected by the CPE 
> doing Simple Security.

How does that work if Host A (behind the CPE) has informed Host X
(outside) of the tunneled address of Host B (also behind the CPE)?
In other words A has solicited X to send a packet to B.

   Brian
> 
> -d
> 
>> An IPv4 router takes no part in IPv6 tunnel setup. Either it
>> allows Protocol 41 or it doesn't, as far as I can see.
>>
>> Note, I'm not talking about *-in-IPv6 tunnels.
>>
>>     Brian
> 
>

v2.23.0 | Report a Bug | By Email