RE: WGLC: draft-ietf-v6ops-cpe-simple-security-10.txt
"Laganier, Julien" <julienl@qualcomm.com> Tue, 20 April 2010 16:21 UTC
Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4B6FE3A6965 for <ietfarch-v6ops-archive@core3.amsl.com>; Tue, 20 Apr 2010 09:21:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.335
X-Spam-Level:
X-Spam-Status: No, score=-105.335 tagged_above=-999 required=5 tests=[AWL=-0.840, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4YB1N+CL35iS for <ietfarch-v6ops-archive@core3.amsl.com>; Tue, 20 Apr 2010 09:21:17 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 1176A3A68BC for <v6ops-archive@lists.ietf.org>; Tue, 20 Apr 2010 09:21:12 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.71 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1O4G8Y-000BCX-CS for v6ops-data0@psg.com; Tue, 20 Apr 2010 16:17:22 +0000
Received: from [199.106.114.254] (helo=wolverine01.qualcomm.com) by psg.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.71 (FreeBSD)) (envelope-from <julienl@qualcomm.com>) id 1O4G8S-000B9H-JQ for v6ops@ops.ietf.org; Tue, 20 Apr 2010 16:17:17 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=qualcomm.com; i=julienl@qualcomm.com; q=dns/txt; s=qcdkim; t=1271780236; x=1303316236; h=from:to:cc:date:subject:thread-topic:thread-index: message-id:references:in-reply-to:accept-language: content-language:x-ms-has-attach:x-ms-tnef-correlator: acceptlanguage:content-type:content-transfer-encoding: mime-version; z=From:=20"Laganier,=20Julien"=20<julienl@qualcomm.com> |To:=20Fred=20Baker=20<fred@cisco.com>,=20IPv6=20v6ops=20 <v6ops@ops.ietf.org>|CC:=20"draft-ietf-v6ops-cpe-simple-s ecurity@tools.ietf.org"=0D=0A=09<draft-ietf-v6ops-cpe-sim ple-security@tools.ietf.org>|Date:=20Tue,=2020=20Apr=2020 10=2009:17:11=20-0700|Subject:=20RE:=20WGLC:=20draft-ietf -v6ops-cpe-simple-security-10.txt=20|Thread-Topic:=20WGLC :=20draft-ietf-v6ops-cpe-simple-security-10.txt=20 |Thread-Index:=20AcrZtH+f5T9DiGN8THKKvs+UoWPU9gG57o/g |Message-ID:=20<BF345F63074F8040B58C00A186FCA57F1EFEFD6EB B@NALASEXMB04.na.qualcomm.com>|References:=20<118FE8EC-41 DF-4907-AE1C-2B7185477D64@cisco.com>|In-Reply-To:=20<118F E8EC-41DF-4907-AE1C-2B7185477D64@cisco.com> |Accept-Language:=20en-US|Content-Language:=20en-US |X-MS-Has-Attach:|X-MS-TNEF-Correlator:|acceptlanguage: =20en-US|Content-Type:=20text/plain=3B=20charset=3D"us-as cii"|Content-Transfer-Encoding:=20quoted-printable |MIME-Version:=201.0; bh=lzEAzbkwULpt1PfCvO9i4BeSpD6uSZGQjW3QDj38Wk8=; b=THh99vXtua/1ruBv71G8FBex2Smrz1VF8DR6+lT+P06ciid5BK93HcAM DOQJ82x1gA8NN7OdlmsWiB4NpcIe6WQCb9fdayUOVxYQVnqee0tu3/xiL O27RgTDAEcWBA6QvRWjChl70l8fpI8onWMIXiEUhAXEfvP4n/UKCnqkqq s=;
X-IronPort-AV: E=McAfee;i="5400,1158,5957"; a="39265639"
Received: from ironmsg01-r.qualcomm.com ([172.30.46.15]) by wolverine01.qualcomm.com with ESMTP; 20 Apr 2010 09:17:13 -0700
X-IronPort-AV: E=Sophos;i="4.52,241,1270450800"; d="scan'208";a="18790820"
Received: from nasanexhub02.na.qualcomm.com ([10.46.143.120]) by ironmsg01-r.qualcomm.com with ESMTP/TLS/RC4-MD5; 20 Apr 2010 09:17:13 -0700
Received: from nalasexhub01.na.qualcomm.com (10.47.130.49) by nasanexhub02.na.qualcomm.com (10.46.143.120) with Microsoft SMTP Server (TLS) id 8.2.234.1; Tue, 20 Apr 2010 09:17:13 -0700
Received: from NALASEXMB04.na.qualcomm.com ([10.47.7.118]) by nalasexhub01.na.qualcomm.com ([10.47.130.49]) with mapi; Tue, 20 Apr 2010 09:17:13 -0700
From: "Laganier, Julien" <julienl@qualcomm.com>
To: Fred Baker <fred@cisco.com>, IPv6 v6ops <v6ops@ops.ietf.org>
CC: "draft-ietf-v6ops-cpe-simple-security@tools.ietf.org" <draft-ietf-v6ops-cpe-simple-security@tools.ietf.org>
Date: Tue, 20 Apr 2010 09:17:11 -0700
Subject: RE: WGLC: draft-ietf-v6ops-cpe-simple-security-10.txt
Thread-Topic: WGLC: draft-ietf-v6ops-cpe-simple-security-10.txt
Thread-Index: AcrZtH+f5T9DiGN8THKKvs+UoWPU9gG57o/g
Message-ID: <BF345F63074F8040B58C00A186FCA57F1EFEFD6EBB@NALASEXMB04.na.qualcomm.com>
References: <118FE8EC-41DF-4907-AE1C-2B7185477D64@cisco.com>
In-Reply-To: <118FE8EC-41DF-4907-AE1C-2B7185477D64@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>
> Fred Baker wrote: > > As agreed at the last IETF meeting, I am opening a two week WGLC of > draft-ietf-v6ops-cpe-simple-security-10.txt. Please read the document, > comment to this list on matters of substance, and send nits (spelling/ > grammar, word choice, sentence structure comments) to the authors. I realize I am late with this but I have reviewed the document and have the following comment: The document does not explicitly mention how should IPv6 be treated by a CPE. Mobile IPv6 involves the use of IP-in-IP tunneling and of IPsec and IKE, all of which seems to be covered in Section 2.2. in an adequate manner: 2.2. Internet Layer Protocols As virtual private networking tunnels are regarded as an unacceptably wide attack surface, this document recommends the DEFAULT operating mode for residential IPv6 simple security is to treat IP-in-IP and GRE tunneling protocols as opaque transport layers, i.e. inbound tunnel initiations are denied and outbound tunnel initiations are accepted. IPsec transport and tunnel modes are explicitly secured by definition, so this document recommends the DEFAULT operating mode permit IPsec and Internet Key Exchange (IKE) flows to pass without filtering. Mobile IPv6 also involves the use of the Mobility Header, which seems to be appropriately covered by the recommendation of Section 3.2.2.: 3.2.2. Upper-layer Transport Protocols Residential IPv6 gateways are not expected to prohibit the use of applications to be developed using future upper-layer transport protocols. In particular, transport protocols not otherwise discussed in subsequent sections of this document are expected to be treated consistently, i.e. as having connection-free semantics and no special requirements to inspect the transport headers. In general, upper-layer transport filter state records are expected to be created when an interior endpoint sends a packet to an exterior address. The filter allocates (or reuses) a record for the duration of communications, with an idle timer to delete the state record when no further communications are detected. REC-10: Filter state records for generic upper-layer transport protocols MUST BE indexable by a 3-tuple comprising the interior node address, the exterior node address and the upper-layer transport protocol identifier. REC-11: Filter state records for generic upper-layer transport protocols MUST NOT be deleted or recycled until an idle timer not less than two minutes has expired without having forwarded a packet matching the state in some configurable amount of time. By DEFAULT, the idle timer for such state records is five minutes. However MIPv6 also relies on the use of a degenerated tunneling mechanism between a Mobile Node and its corresponds nodes. This tunneling involves the use of the Routing Header Type 2 and of the Home Address destination option, which are not covered in the document. In practice I believe this type of tunnel should be treated as IP-in-IP tunnels, but this is currently not the case. The issues is as follows: Outbound packets sent in the tunnel are sent from the Mobile Node Care-of Address and with a Home Address destination option -- so it seems that there is no problem for those, although we might want to be explicit. However inbound packets corresponding to an outbound initiated tunnel should be accepted as well (as for IP-in-IP), but these packets will be destined to the Home Address and carrying the Care-of Address in the Routing Header Type 2, so they will not be handled properly absent an explicit recommendation that the CPE tracks MIPv6 HoA/RH2 degenerated tunnels. I believe we should cover MIPv6 adequately in this specification by adding explicit tracking of outbound initiated MIPv6 HoA/RH2 degenerated tunnels. [ The MEXT WG has two documents specifying firewall behavior for MIPv6 that could be used as a starting point for text to be included in this spec -- see http://tools.ietf.org/html/draft-ietf-mext-firewall-vendor-02 and http://tools.ietf.org/html/draft-ietf-mext-firewall-admin-02 ] What do people think? --julien
- WGLC: draft-ietf-v6ops-cpe-simple-security-10.txt Fred Baker
- Re: WGLC: draft-ietf-v6ops-cpe-simple-security-10… Brian E Carpenter
- Re: WGLC: draft-ietf-v6ops-cpe-simple-security-10… Rémi Després
- Re: WGLC: draft-ietf-v6ops-cpe-simple-security-10… Rémi Després
- RE: WGLC: draft-ietf-v6ops-cpe-simple-security-10… Laganier, Julien
- Re: WGLC: draft-ietf-v6ops-cpe-simple-security-10… Fred Baker
- Re: WGLC: draft-ietf-v6ops-cpe-simple-security-10… james woodyatt
- RE: WGLC: draft-ietf-v6ops-cpe-simple-security-10… Mohacsi Janos
- RE: WGLC: draft-ietf-v6ops-cpe-simple-security-10… Laganier, Julien
- Re: WGLC: draft-ietf-v6ops-cpe-simple-security-10… Mohacsi Janos
- Re: WGLC: draft-ietf-v6ops-cpe-simple-security-10… Rémi Després
- Re: WGLC: draft-ietf-v6ops-cpe-simple-security-10… Timothy Baldwin
- Re: WGLC: draft-ietf-v6ops-cpe-simple-security-10… james woodyatt
- Re: WGLC: draft-ietf-v6ops-cpe-simple-security-10… Cullen Jennings