IETF Logo Mail Archive

Re: [v6ops] Hmm. Interesting article...

"Fred Baker (fred)" <fred@cisco.com> Tue, 02 February 2016 18:45 UTC

Return-Path: <fred@cisco.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C73861B2EF9 for <v6ops@ietfa.amsl.com>; Tue, 2 Feb 2016 10:45:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -114.502
X-Spam-Level:
X-Spam-Status: No, score=-114.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tQFPuDjqgVal for <v6ops@ietfa.amsl.com>; Tue, 2 Feb 2016 10:45:22 -0800 (PST)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E72AA1B2F20 for <v6ops@ietf.org>; Tue, 2 Feb 2016 10:45:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2994; q=dns/txt; s=iport; t=1454438721; x=1455648321; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=tyxpC+HPez2Kwx15QvGMOvlEvUaX8WtRbbpwdiojDZA=; b=DOh4V4BZeCpOv+dLAmHiOpZmWEP77RLlRPKqp5MBnbi7qLAIQbrfS8+e nkQK9ZZzgiq/s7CcXGv3t/y3/HNppjB2pusHK/j7X6TPH685ihSkioOrN 9pbvHKzthd+qTJuKx656TN0CEYH8YJy7dDjTCe+s12rtxJxCW5ri1RFvt A=;
X-Files: signature.asc : 833
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DKAgB4+LBW/4UNJK1eDoMsgT8GiFOxbQ6BZIYNAoFJOBQBAQEBAQEBgQqEQQEBAQMBI0IUBQsCAQgOCioCAjIlAgQOBQ6IBQiwRo54AQEBAQEBAQEBAQEBAQEBAQEBAQEOCId8gkqEAYMxK4EPBZZxAYJ5gWOIbo5xjj4BHgFDgyk7aohvfAEBAQ
X-IronPort-AV: E=Sophos;i="5.22,385,1449532800"; d="asc'?scan'208";a="232332584"
Received: from alln-core-11.cisco.com ([173.36.13.133]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 02 Feb 2016 18:45:21 +0000
Received: from XCH-ALN-011.cisco.com (xch-aln-011.cisco.com [173.36.7.21]) by alln-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id u12IjLtj017553 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 2 Feb 2016 18:45:21 GMT
Received: from xch-rcd-013.cisco.com (173.37.102.23) by XCH-ALN-011.cisco.com (173.36.7.21) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Tue, 2 Feb 2016 12:45:20 -0600
Received: from xch-rcd-013.cisco.com ([173.37.102.23]) by XCH-RCD-013.cisco.com ([173.37.102.23]) with mapi id 15.00.1104.009; Tue, 2 Feb 2016 12:45:20 -0600
From: "Fred Baker (fred)" <fred@cisco.com>
To: Tim Chown <tjc@ecs.soton.ac.uk>
Thread-Topic: [v6ops] Hmm. Interesting article...
Thread-Index: AQHRXTXPq0lOHFaM0UKosnY0g5wI7g==
Date: Tue, 02 Feb 2016 18:45:20 +0000
Message-ID: <1FE3E9E6-57B8-40E8-AE4D-5CA181F07F88@cisco.com>
References: <165F7549-2A4C-44C3-9FBA-3AF69DE50110@cisco.com> <CAHw9_iLDjyZ6CKUjcyqUBe3-_EJxDekG7a1cPVLpF_U9tVvUgQ@mail.gmail.com> <56AFD626.1000802@bogus.com> <FBABBC18-CFFA-46C9-A63C-B86FE2CFFC94@cisco.com> <6EB29183-FA9A-4B94-BD68-115DB190FE65@delong.com> <56B06129.7090301@si6networks.com> <657448B4-4F56-445A-8862-8E0EB8D1A8B2@delong.com> <56B0BE2B.5050408@si6networks.com> <D2D633A9.D612D%Lee.Howard@twcable.com> <7A88E510-8A39-4765-A762-E855B9ACBDFF@ecs.soton.ac.uk> <EMEW3|48c0728de4c77e844da42a157e2bc520s11IVo03tjc|ecs.soton.ac.uk|7A88E510-8A39-4765-A762-E855B9ACBDFF@ecs.soton.ac.uk>
In-Reply-To: <EMEW3|48c0728de4c77e844da42a157e2bc520s11IVo03tjc|ecs.soton.ac.uk|7A88E510-8A39-4765-A762-E855B9ACBDFF@ecs.soton.ac.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3112)
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.24.51.158]
Content-Type: multipart/signed; boundary="Apple-Mail=_2EFFAA14-29DD-41A5-98A7-8F68F1E979DF"; protocol="application/pgp-signature"; micalg="pgp-sha1"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/3-8Nd-aAjiqCtzcxytt67AMIdBs>
Cc: Fernando Gont <fgont@si6networks.com>, "v6ops@ietf.org" <v6ops@ietf.org>
Subject: Re: [v6ops] Hmm. Interesting article...
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Feb 2016 18:45:27 -0000

> On Feb 2, 2016, at 10:31 AM, Tim Chown <tjc@ecs.soton.ac.uk> wrote:
> 
>> There is an unaddressed tension here.
>> I think one view is that IPv6 should be deployed without firewalls so all
>> hosts are reachable from arbitrary other hosts on the Internet.
>> I think the other view is that all/most/many hosts should be protected by
>> a stateful firewall.
>> 
>> I don¹t know that we can resolve this tension in v6ops, but I want to make
>> it explicit.
> 
> Well, we’ve seen a few firewall models put forward in v6ops. RFC 6092 seems
> to have been generally well received. It may well be the only one that made it
> to RFC status? e.g. draft-ietf-v6ops-balanced-ipv6-security-01 stopped at that
> version.

That is explicitly why Fernando and I are trying to have a firewall discussion in opsawg (draft-gont-opsawg-firewalls-analysis). RFC 6092 is certainly a common firewall model (modeling a NAT's behavior), but I would say that the consensus supporting it was "rough". The other firewall models proposed (draft-ietf-v6ops-balanced-ipv6-security, draft-vyncke-advanced-ipv6-security) basically pushed towards firewall-as-a-service, and as such gutted the filter function.

I'll refer us to that discussion if we want to go general on firewall functionality.

My question here was essentially about finding a simple rule *on*the*host* that might obviate a lot of attacks and probing. The conclusion that I draw is that I can do anything I want as long as I don't change anything, and yes, my suggestion is a change. I actually do think there may be value in it, however.

v2.23.0 | Report a Bug | By Email