Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
james woodyatt <jhw@apple.com> Sat, 22 August 2009 19:09 UTC
Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 831703A68F6 for <ietfarch-v6ops-archive@core3.amsl.com>; Sat, 22 Aug 2009 12:09:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.63
X-Spam-Level:
X-Spam-Status: No, score=-104.63 tagged_above=-999 required=5 tests=[AWL=-0.135, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ku-NpLJHf7RM for <ietfarch-v6ops-archive@core3.amsl.com>; Sat, 22 Aug 2009 12:09:24 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 0DB763A6834 for <v6ops-archive@lists.ietf.org>; Sat, 22 Aug 2009 12:09:15 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1MevsL-000FD7-DS for v6ops-data0@psg.com; Sat, 22 Aug 2009 19:03:41 +0000
Received: from [17.254.13.22] (helo=mail-out3.apple.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <jhw@apple.com>) id 1MevsH-000FCR-9j for v6ops@ops.ietf.org; Sat, 22 Aug 2009 19:03:38 +0000
Received: from relay11.apple.com (relay11.apple.com [17.128.113.48]) by mail-out3.apple.com (Postfix) with ESMTP id 07F9C6F0460C for <v6ops@ops.ietf.org>; Sat, 22 Aug 2009 12:03:37 -0700 (PDT)
X-AuditID: 11807130-b7bdfae000004bc9-92-4a904108fe25
Received: from [17.151.80.241] (Unknown_Domain [17.151.80.241]) (using TLS with cipher AES128-SHA (AES128-SHA/128 bits)) (Client did not present a certificate) by relay11.apple.com (Apple SCV relay) with SMTP id EE.8F.19401.801409A4; Sat, 22 Aug 2009 12:03:36 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"; format="flowed"; delsp="yes"
Mime-Version: 1.0 (Apple Message framework v1075.2)
Subject: Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
From: james woodyatt <jhw@apple.com>
In-Reply-To: <7F9A6D26EB51614FBF9F81C0DA4CFEC80158E120B3E6@il-ex01.ad.checkpoint.com>
Date: Sat, 22 Aug 2009 12:03:36 -0700
Content-Transfer-Encoding: 7bit
Message-Id: <47CF65DB-E3E1-4666-B1E9-51A49B372AD5@apple.com>
References: <805241AA-DC9A-4498-9D54-8D491DD62A0D@apple.com> <2D21500B-207B-43FB-9728-8A7BCEC82CB1@apple.com> <7F9A6D26EB51614FBF9F81C0DA4CFEC80158E120B3E6@il-ex01.ad.checkpoint.com>
To: IPv6 Operations <v6ops@ops.ietf.org>
X-Mailer: Apple Mail (2.1075.2)
X-Brightmail-Tracker: AAAAAQAAAZE=
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>
On Aug 22, 2009, at 04:01, Yaron Sheffer wrote: > > In other words, the CPE is only required to verify that the *outer* > packet > is protected; if it is not protected, the standard internal- > initiator policy > applies, plus the gateway should drop suspicious GRE and IP-IP > tunnels. Ah, I think I see where the confusion is arising. The recommendation to allow IPsec AH and ESP transport mode in both directions suffice to police the outer packet header chain. R20 In their DEFAULT operating mode, IPv6 gateways MUST NOT prohibit the forwarding of packets, to and from legitimate node addresses, with destination extension headers of type "Authenticated Header (AH)" [RFC4302] in their outer IP extension header chain. R21 In their DEFAULT operating mode, IPv6 gateways MUST NOT prohibit the forwarding of packets, to and from legitimate node addresses, with an upper layer protocol of type "Encapsulating Security Payload (ESP)" [RFC4303] in their outer IP extension header chain. What you would prefer to see is that section 3.2.7 be deleted in its entirety, which is precisely what I proposed at IETF 75 in Stockholm, and which failed to achieve consensus. Perhaps, after further discussion, this option will seem sensible to a larger fraction of participants? However, I should note that allowing outbound tunnel initiations still doesn't address the concern I described in my previous message. [My proposed text for section 3.2.7 to address this concern.] >> >> While residential IPv6 gateways are not expected to prohibit >> virtual private networks from operating with tunnel endpoints >> located at interior nodes, it is important to protect interior >> networks from being reachable through routes created remotely by >> exploiting vulnerable interior hosts. Therefore, residential IPv6 >> gateways are expected to require tunnel encapsulations to be >> protected by a cryptographic protocol. If the perception is that flows encapsulated in tunnels must be subject to a stateful filtering regime to protect the interior network against exploits against vulnerable tunnel endpoint hosts, and if requiring such encapsulated flows to be encrypted with IPsec-in-IPv6- in-IPv6 is regarded as an acceptable way to meet the perceived need to protect all encapsulated flows with a cryptographic protocol, then simply treating outbound tunnel initiations as any other unrecognized protocol would be insufficient to address the objections in the working group to taking this draft to Last Call. How should we proceed? -- james woodyatt <jhw@apple.com> member of technical staff, communications engineering
- draft-ietf-v6ops-cpe-simple-security: filtering e… james woodyatt
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… james woodyatt
- RE: draft-ietf-v6ops-cpe-simple-security: filteri… Yaron Sheffer
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… james woodyatt
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… Truman Boyes
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… james woodyatt
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… Mark Smith
- RE: draft-ietf-v6ops-cpe-simple-security: filteri… Yaron Sheffer
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… Brian E Carpenter
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… Mark Baugher
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… james woodyatt
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… Mark Smith