IETF Logo Mail Archive

Re: WGLC: draft-ietf-v6ops-cpe-simple-security-10.txt

Fred Baker <fred@cisco.com> Tue, 20 April 2010 17:08 UTC

Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B132828C105 for <ietfarch-v6ops-archive@core3.amsl.com>; Tue, 20 Apr 2010 10:08:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -108.495
X-Spam-Level:
X-Spam-Status: No, score=-108.495 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_HI=-8, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dIU-eKMU60Ba for <ietfarch-v6ops-archive@core3.amsl.com>; Tue, 20 Apr 2010 10:08:28 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 6AE8B3A6A61 for <v6ops-archive@lists.ietf.org>; Tue, 20 Apr 2010 10:08:25 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.71 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1O4Gts-000Lu4-F0 for v6ops-data0@psg.com; Tue, 20 Apr 2010 17:06:16 +0000
Received: from [171.68.10.86] (helo=sj-iport-4.cisco.com) by psg.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.71 (FreeBSD)) (envelope-from <fred@cisco.com>) id 1O4Gtp-000Ltd-Vn for v6ops@ops.ietf.org; Tue, 20 Apr 2010 17:06:14 +0000
Authentication-Results: sj-iport-4.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAGp7zUurR7H+/2dsb2JhbACcAHGjBppHhQ8EgzQ
X-IronPort-AV: E=Sophos;i="4.52,243,1270425600"; d="scan'208";a="118000855"
Received: from sj-core-2.cisco.com ([171.71.177.254]) by sj-iport-4.cisco.com with ESMTP; 20 Apr 2010 17:06:13 +0000
Received: from dhcp-128-107-109-191.cisco.com (dhcp-128-107-109-191.cisco.com [128.107.109.191]) by sj-core-2.cisco.com (8.13.8/8.14.3) with ESMTP id o3KH6DCQ001009; Tue, 20 Apr 2010 17:06:13 GMT
Subject: Re: WGLC: draft-ietf-v6ops-cpe-simple-security-10.txt
Mime-Version: 1.0 (Apple Message framework v1078)
Content-Type: text/plain; charset="us-ascii"
From: Fred Baker <fred@cisco.com>
In-Reply-To: <BF345F63074F8040B58C00A186FCA57F1EFEFD6EBB@NALASEXMB04.na.qualcomm.com>
Date: Tue, 20 Apr 2010 10:06:11 -0700
Cc: IPv6 v6ops <v6ops@ops.ietf.org>, "draft-ietf-v6ops-cpe-simple-security@tools.ietf.org" <draft-ietf-v6ops-cpe-simple-security@tools.ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <9D778C51-17F1-4C9A-9A5B-0E957212E80E@cisco.com>
References: <118FE8EC-41DF-4907-AE1C-2B7185477D64@cisco.com> <BF345F63074F8040B58C00A186FCA57F1EFEFD6EBB@NALASEXMB04.na.qualcomm.com>
To: "Laganier, Julien" <julienl@qualcomm.com>
X-Mailer: Apple Mail (2.1078)
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>

Thanks. On your first point, we tossed around the idea of merging it into draft-ietf-cpe-router and chose not to. This document describes an additional feature that vendors MAY build into a CPE Router.

On Apr 20, 2010, at 9:17 AM, Laganier, Julien wrote:

>> Fred Baker wrote: 
>> 
>> As agreed at the last IETF meeting, I am opening a two week WGLC of 
>> draft-ietf-v6ops-cpe-simple-security-10.txt. Please read the document, 
>> comment to this list on matters of substance, and send nits (spelling/
>> grammar, word choice, sentence structure comments) to the authors.
> 
> I realize I am late with this but I have reviewed the document and have the following comment:
> 
> The document does not explicitly mention how should IPv6 be treated by a CPE. 
> 
> Mobile IPv6 involves the use of IP-in-IP tunneling and of IPsec and IKE, all of which seems to be covered in Section 2.2. in an adequate manner:
> 
> 2.2.  Internet Layer Protocols
> 
>   As virtual private networking tunnels are regarded as an unacceptably
>   wide attack surface, this document recommends the DEFAULT operating
>   mode for residential IPv6 simple security is to treat IP-in-IP and
>   GRE tunneling protocols as opaque transport layers, i.e. inbound
>   tunnel initiations are denied and outbound tunnel initiations are
>   accepted.  IPsec transport and tunnel modes are explicitly secured by
>   definition, so this document recommends the DEFAULT operating mode
>   permit IPsec and Internet Key Exchange (IKE) flows to pass without
>   filtering.
> 
> Mobile IPv6 also involves the use of the Mobility Header, which seems to be appropriately covered by the recommendation of Section 3.2.2.:
> 
> 3.2.2.  Upper-layer Transport Protocols
> 
>   Residential IPv6 gateways are not expected to prohibit the use of
>   applications to be developed using future upper-layer transport
>   protocols.  In particular, transport protocols not otherwise
>   discussed in subsequent sections of this document are expected to be
>   treated consistently, i.e. as having connection-free semantics and no
>   special requirements to inspect the transport headers.
> 
>   In general, upper-layer transport filter state records are expected
>   to be created when an interior endpoint sends a packet to an exterior
>   address.  The filter allocates (or reuses) a record for the duration
>   of communications, with an idle timer to delete the state record when
>   no further communications are detected.
> 
>   REC-10: Filter state records for generic upper-layer transport
>   protocols MUST BE indexable by a 3-tuple comprising the interior node
>   address, the exterior node address and the upper-layer transport
>   protocol identifier.
> 
>   REC-11: Filter state records for generic upper-layer transport
>   protocols MUST NOT be deleted or recycled until an idle timer not
>   less than two minutes has expired without having forwarded a packet
>   matching the state in some configurable amount of time.  By DEFAULT,
>   the idle timer for such state records is five minutes.
> 
> However MIPv6 also relies on the use of a degenerated tunneling mechanism between a Mobile Node and its corresponds nodes. This tunneling involves the use of the Routing Header Type 2 and of the Home Address destination option, which are not covered in the document. 
> 
> In practice I believe this type of tunnel should be treated as IP-in-IP tunnels, but this is currently not the case. The issues is as follows:
> 
> Outbound packets sent in the tunnel are sent from the Mobile Node Care-of Address and with a Home Address destination option -- so it seems that there is no problem for those, although we might want to be explicit.
> 
> However inbound packets corresponding to an outbound initiated tunnel should be accepted as well (as for IP-in-IP), but these packets will be destined to the Home Address and carrying the Care-of Address in the Routing Header Type 2, so they will not be handled properly absent an explicit recommendation that the CPE tracks MIPv6 HoA/RH2 degenerated tunnels.
> 
> I believe we should cover MIPv6 adequately in this specification by adding explicit tracking of outbound initiated MIPv6 HoA/RH2 degenerated tunnels. 
> 
> [ The MEXT WG has two documents specifying firewall behavior for MIPv6 that could be used as a starting point for text to be included in this spec -- see http://tools.ietf.org/html/draft-ietf-mext-firewall-vendor-02 and http://tools.ietf.org/html/draft-ietf-mext-firewall-admin-02 ]
> 
> What do people think?
> 
> --julien
> 
> 
> 

http://www.ipinc.net/IPv4.GIF

v2.23.0 | Report a Bug | By Email