IETF Logo Mail Archive

Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows

james woodyatt <jhw@apple.com> Sat, 22 August 2009 19:09 UTC

Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 831703A68F6 for <ietfarch-v6ops-archive@core3.amsl.com>; Sat, 22 Aug 2009 12:09:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.63
X-Spam-Level:
X-Spam-Status: No, score=-104.63 tagged_above=-999 required=5 tests=[AWL=-0.135, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ku-NpLJHf7RM for <ietfarch-v6ops-archive@core3.amsl.com>; Sat, 22 Aug 2009 12:09:24 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 0DB763A6834 for <v6ops-archive@lists.ietf.org>; Sat, 22 Aug 2009 12:09:15 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1MevsL-000FD7-DS for v6ops-data0@psg.com; Sat, 22 Aug 2009 19:03:41 +0000
Received: from [17.254.13.22] (helo=mail-out3.apple.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <jhw@apple.com>) id 1MevsH-000FCR-9j for v6ops@ops.ietf.org; Sat, 22 Aug 2009 19:03:38 +0000
Received: from relay11.apple.com (relay11.apple.com [17.128.113.48]) by mail-out3.apple.com (Postfix) with ESMTP id 07F9C6F0460C for <v6ops@ops.ietf.org>; Sat, 22 Aug 2009 12:03:37 -0700 (PDT)
X-AuditID: 11807130-b7bdfae000004bc9-92-4a904108fe25
Received: from [17.151.80.241] (Unknown_Domain [17.151.80.241]) (using TLS with cipher AES128-SHA (AES128-SHA/128 bits)) (Client did not present a certificate) by relay11.apple.com (Apple SCV relay) with SMTP id EE.8F.19401.801409A4; Sat, 22 Aug 2009 12:03:36 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"; format="flowed"; delsp="yes"
Mime-Version: 1.0 (Apple Message framework v1075.2)
Subject: Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
From: james woodyatt <jhw@apple.com>
In-Reply-To: <7F9A6D26EB51614FBF9F81C0DA4CFEC80158E120B3E6@il-ex01.ad.checkpoint.com>
Date: Sat, 22 Aug 2009 12:03:36 -0700
Content-Transfer-Encoding: 7bit
Message-Id: <47CF65DB-E3E1-4666-B1E9-51A49B372AD5@apple.com>
References: <805241AA-DC9A-4498-9D54-8D491DD62A0D@apple.com> <2D21500B-207B-43FB-9728-8A7BCEC82CB1@apple.com> <7F9A6D26EB51614FBF9F81C0DA4CFEC80158E120B3E6@il-ex01.ad.checkpoint.com>
To: IPv6 Operations <v6ops@ops.ietf.org>
X-Mailer: Apple Mail (2.1075.2)
X-Brightmail-Tracker: AAAAAQAAAZE=
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>

On Aug 22, 2009, at 04:01, Yaron Sheffer wrote:
>
> In other words, the CPE is only required to verify that the *outer*  
> packet
> is protected; if it is not protected, the standard internal- 
> initiator policy
> applies, plus the gateway should drop suspicious GRE and IP-IP  
> tunnels.

Ah, I think I see where the confusion is arising.  The recommendation  
to allow IPsec AH and ESP transport mode in both directions suffice to  
police the outer packet header chain.

  R20  In their DEFAULT operating mode, IPv6 gateways MUST NOT prohibit
       the forwarding of packets, to and from legitimate node addresses,
       with destination extension headers of type "Authenticated Header
       (AH)" [RFC4302] in their outer IP extension header chain.

  R21  In their DEFAULT operating mode, IPv6 gateways MUST NOT prohibit
       the forwarding of packets, to and from legitimate node addresses,
       with an upper layer protocol of type "Encapsulating Security
       Payload (ESP)" [RFC4303] in their outer IP extension header  
chain.

What you would prefer to see is that section 3.2.7 be deleted in its  
entirety, which is precisely what I proposed at IETF 75 in Stockholm,  
and which failed to achieve consensus.  Perhaps, after further  
discussion, this option will seem sensible to a larger fraction of  
participants?

However, I should note that allowing outbound tunnel initiations still  
doesn't address the concern I described in my previous message.

[My proposed text for section 3.2.7 to address this concern.]
>>

>> While residential IPv6 gateways are not expected to prohibit  
>> virtual private networks from operating with tunnel endpoints  
>> located at interior nodes, it is important to protect interior  
>> networks from being reachable through routes created remotely by  
>> exploiting vulnerable interior hosts.  Therefore, residential IPv6  
>> gateways are expected to require tunnel encapsulations to be  
>> protected by a cryptographic protocol.

If the perception is that flows encapsulated in tunnels must be  
subject to a stateful filtering regime to protect the interior network  
against exploits against vulnerable tunnel endpoint hosts, and if  
requiring such encapsulated flows to be encrypted with IPsec-in-IPv6- 
in-IPv6 is regarded as an acceptable way to meet the perceived need to  
protect all encapsulated flows with a cryptographic protocol, then  
simply treating outbound tunnel initiations as any other unrecognized  
protocol would be insufficient to address the objections in the  
working group to taking this draft to Last Call.

How should we proceed?


--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering

v2.23.0 | Report a Bug | By Email