Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 25 August 2008 22:39 UTC

Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 10F3B28C0FB for <ietfarch-v6ops-archive@core3.amsl.com>; Mon, 25 Aug 2008 15:39:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.948
X-Spam-Level:
X-Spam-Status: No, score=0.948 tagged_above=-999 required=5 tests=[AWL=-0.416, BAYES_20=-0.74, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pS5r7twkN-KT for <ietfarch-v6ops-archive@core3.amsl.com>; Mon, 25 Aug 2008 15:39:15 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 3A4173A681C for <v6ops-archive@lists.ietf.org>; Mon, 25 Aug 2008 15:39:15 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1KXkhQ-0004cQ-JG for v6ops-data@psg.com; Mon, 25 Aug 2008 22:38:12 +0000
Received: from [209.85.198.225] (helo=rv-out-0506.google.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <brian.e.carpenter@gmail.com>) id 1KXkhM-0004by-6g for v6ops@ops.ietf.org; Mon, 25 Aug 2008 22:38:09 +0000
Received: by rv-out-0506.google.com with SMTP id b25so1860420rvf.41 for <v6ops@ops.ietf.org>; Mon, 25 Aug 2008 15:38:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :organization:user-agent:mime-version:to:cc:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=RGYy8fWt4iaPg3uGYVVn0BGqBT0NChl2odJgsvVXim4=; b=Zan1O+g8luV/rpBgakkk4QJWj/N1V2mmjSRAPn+LsH4oJYAyTiY02NIy23oPfoEr6z yDWrnZK9AnClcAvHzlgscfOjPYu5TTcFbbe0dKDeClE/p9th/sx0IatPX2J3ksL/mWrP +OCuinpk3fr7fpqZ/RD3peCiF1J0nXJLf93ws=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; b=j/joB8YTugujTIpy5gcCR+nxufFrccdl3GcbJ+pjebEbGfEL2kHSZjH/QVlgYgSKUh F4pawvyM1Nql4Jk3XlWlj15D9hYY3GVze3bdPHO6XmxpYJAijDxxbIibFzeVZ3DpekYf EHphBnwktP5qMvbbAdQKLad4CrHKwhcDG3I5M=
Received: by 10.140.134.15 with SMTP id h15mr2434937rvd.65.1219703887405; Mon, 25 Aug 2008 15:38:07 -0700 (PDT)
Received: from ?130.216.38.124? ( [130.216.38.124]) by mx.google.com with ESMTPS id k2sm8306873rvb.1.2008.08.25.15.38.05 (version=SSLv3 cipher=RC4-MD5); Mon, 25 Aug 2008 15:38:06 -0700 (PDT)
Message-ID: <48B33430.40704@gmail.com>
Date: Tue, 26 Aug 2008 10:37:36 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Dan Wing <dwing@cisco.com>
CC: 'Mark Smith' <ipng@69706e6720323030352d30312d31340a.nosense.org>, jhw@apple.com, 'IPv6 Operations' <v6ops@ops.ietf.org>
Subject: Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03
References: <20080824204553.08131c65.ipng@69706e6720323030352d30312d31340a.nosense.org> <48B1CCE8.1070305@gmail.com> <01af01c9065b$b4602440$c2f0200a@cisco.com> <48B23391.1090503@gmail.com> <01cd01c90672$a57c8790$c2f0200a@cisco.com> <48B31DA3.6080001@gmail.com> <07d201c906f7$50a85e30$c2f0200a@cisco.com> <48B32B43.5010103@gmail.com> <084c01c906fe$f9bf1840$c2f0200a@cisco.com>
In-Reply-To: <084c01c906fe$f9bf1840$c2f0200a@cisco.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>

On 2008-08-26 10:07, Dan Wing wrote:
>>>> How does it know that a Protocol 41 packet is unsolicited?
>>> The same way it knows a non-protocol 41 packet is solicited: the
>>> host sends a packet first -- the host being protected by the CPE 
>>> doing Simple Security.
>> How does that work if Host A (behind the CPE) has informed Host X
>> (outside) of the tunneled address of Host B (also behind the CPE)?
>> In other words A has solicited X to send a packet to B.
> 
> The network diagram would look like this, I believe:
> 
>               +-----+
>     Host A ---+     |
>               + CPE +--------- Internet ------  Host X
>     Host B ---+     |
>               +-----+
>  
> 
> If the CPE is providing security -- as this draft is titled -- the
> traffic from X to B would be blocked.  
> 
> To permit such traffic, B would need a way to tell the CPE to allow 
> such traffic from X (or to allow arbitrary traffic from any host 
> on the Internet).  This is described in Section 3.4 of 
> draft-ietf-v6ops-cpe-simple-security-03 (where James mentions 
> Apple's ALD") but, to my knowledge, has not received much 
> attention and I do not know if it has working group consensus.

The thing is that it can't meet any reasonable definition of
'simple'...

But blocking tunnels by default, although it's simple, also
blocks innovation. That worries me.

    Brian
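The quoted exchange above hinges on one mechanism: a CPE doing "simple security" admits an inbound packet only if an inside host sent to that peer first, or if the inside host explicitly asked the CPE to open a pinhole (the Section 3.4 idea). The following toy model, an added example that is not part of the original message, the draft, or any vendor's code, walks through the A/B/X diagram for protocol 41 and for a ported protocol. The addresses, host names, the `SimpleSecurityCPE` class and its `open_pinhole()` method are constructed for illustration.

```python
"""Toy model of the 'simple security' behaviour discussed in the thread.

Constructed example: addresses, host names and the pinhole API are
assumptions, not anything from draft-ietf-v6ops-cpe-simple-security-03.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Optional

PROTO_UDP = 17
PROTO_41 = 41  # the tunnel protocol number from the thread (no ports)


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for protocols without ports, e.g. 41
    dport: Optional[int] = None


class SimpleSecurityCPE:
    """Stateful filter: inbound is allowed only if an inside host sent to that
    peer first, or if an inside host explicitly opened a pinhole."""

    def __init__(self, inside_prefix: str):
        self.inside = IPv6Network(inside_prefix)
        self.flows = set()     # (proto, inside, outside, inside_port, outside_port)
        self.pinholes = set()  # (proto, inside_host, outside_host or None=anyone)

    def _is_inside(self, addr: str) -> bool:
        return IPv6Address(addr) in self.inside

    def forward(self, pkt: Packet) -> bool:
        """Return True if the CPE forwards the packet, False if it drops it."""
        if self._is_inside(pkt.src) and not self._is_inside(pkt.dst):
            # Outbound: forwarded, and it creates the state that later admits
            # the reply ("the host sends a packet first").
            self.flows.add((pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport))
            return True
        if not self._is_inside(pkt.src) and self._is_inside(pkt.dst):
            # Inbound: solicited only if the mirror image of an outbound flow
            # exists for this exact inside host and ports.
            if (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.flows:
                return True
            # Otherwise an explicit pinhole is required (Section 3.4 idea):
            # either for this specific outside peer, or for anyone.
            return ((pkt.proto, pkt.dst, pkt.src) in self.pinholes
                    or (pkt.proto, pkt.dst, None) in self.pinholes)
        return False  # inside-to-inside or transit traffic is not modelled

    def open_pinhole(self, proto: int, inside_host: str,
                     outside_host: Optional[str] = None) -> None:
        """Inside host asks the CPE to admit unsolicited traffic of `proto`
        from one peer (outside_host) or from any host (None)."""
        self.pinholes.add((proto, inside_host, outside_host))


def thread_scenario() -> dict:
    """Replay the A/B/X case from the thread and return each verdict."""
    cpe = SimpleSecurityCPE("2001:db8:1::/64")           # constructed prefix
    A, B = "2001:db8:1::a", "2001:db8:1::b"              # behind the CPE
    X, Y = "2001:db8:ffff::1", "2001:db8:ffff::2"        # on the Internet
    r = {}
    r["a_to_x"] = cpe.forward(Packet(PROTO_41, A, X))    # A solicits X
    r["x_to_a"] = cpe.forward(Packet(PROTO_41, X, A))    # reply to A: allowed
    # A told X about B, but the CPE never saw B talk to X: unsolicited.
    r["x_to_b_before_pinhole"] = cpe.forward(Packet(PROTO_41, X, B))
    cpe.open_pinhole(PROTO_41, B, X)                     # B asks for X only
    r["x_to_b_after_pinhole"] = cpe.forward(Packet(PROTO_41, X, B))
    r["y_to_b"] = cpe.forward(Packet(PROTO_41, Y, B))    # Y was not named
    # Ported protocol: state is keyed on ports too, so a reply from the same
    # peer to a different local port is still unsolicited.
    cpe.forward(Packet(PROTO_UDP, A, X, 40000, 53))
    r["udp_reply_matching_port"] = cpe.forward(Packet(PROTO_UDP, X, A, 53, 40000))
    r["udp_reply_other_port"] = cpe.forward(Packet(PROTO_UDP, X, A, 53, 40001))
    return r


if __name__ == "__main__":
    for name, verdict in thread_scenario().items():
        print(f"{name:28s} {'forwarded' if verdict else 'dropped'}")
```

The `x_to_b_before_pinhole` verdict is the crux of the quoted disagreement: the CPE has no way to learn from A's outbound traffic that X should be allowed to reach B, so without a signalling mechanism such as the one Section 3.4 describes, that traffic is dropped. Lifetimes, state timeouts and hairpinning are left out of the model on purpose.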