Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC
Marc Lampo <marc.lampo.ietf@gmail.com> Wed, 13 November 2013 19:47 UTC
Return-Path: <marc.lampo.ietf@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D46BA21E8162 for <v6ops@ietfa.amsl.com>; Wed, 13 Nov 2013 11:47:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.825
X-Spam-Level:
X-Spam-Status: No, score=-0.825 tagged_above=-999 required=5 tests=[AWL=-0.492, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_13=0.6, NO_RELAYS=-0.001, SARE_HTML_USL_OBFU=1.666]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2v1ILp4GkmUq for <v6ops@ietfa.amsl.com>; Wed, 13 Nov 2013 11:47:08 -0800 (PST)
Received: from mail-ve0-x232.google.com (mail-ve0-x232.google.com [IPv6:2607:f8b0:400c:c01::232]) by ietfa.amsl.com (Postfix) with ESMTP id 05BF811E81BC for <v6ops@ietf.org>; Wed, 13 Nov 2013 11:47:05 -0800 (PST)
Received: by mail-ve0-f178.google.com with SMTP id jy13so708924veb.37 for <v6ops@ietf.org>; Wed, 13 Nov 2013 11:47:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=mjFOATOFkWh4LBospUbnOocT0a04mbum5L5CF7ctsC8=; b=Ly7eUEAIQ5H+k6398Qux6IEba03SSKD9y0ewVVM+34oRAPAmS62df4GhjyI3r7WQ1P tkVIwE9mwKFQHZVR5bhN5jp28iZkxlJi9y+a8g5PQNN8yjoY6ROpISpI6LGaO23b9FeA zMFVyDzK0OYJGtbmfzqIKfOHNmjcmGhDcjblCwl+UmwY4peA+MmqiNRNckvdThjcWPYn QKos4SDFu8jwmYUGUy5suNFeSoFIQCDWAeKtYpnHouxQbl+lc5PpkLKFhHstKiCNMAII wLxSHUTbXG1xlUwAXP+CN6Fd5/4aHsUq6fv61nsDrjy7C/2guO9uJhxqOLHbrpMXXI1A QGsQ==
MIME-Version: 1.0
X-Received: by 10.52.117.129 with SMTP id ke1mr72792vdb.83.1384372025221; Wed, 13 Nov 2013 11:47:05 -0800 (PST)
Received: by 10.58.227.66 with HTTP; Wed, 13 Nov 2013 11:47:05 -0800 (PST)
In-Reply-To: <alpine.DEB.2.02.1311130329180.26054@uplift.swm.pp.se>
References: <201311101900.rAAJ0AR6025350@irp-view13.cisco.com> <CAB0C4xOfz_JAjEEJZ-Zz7MBEyZhVzrAE+8Ghf1ggC3+9pyHmNg@mail.gmail.com> <989B8ED6-273E-45D4-BFD8-66A1793A1C9F@cisco.com> <alpine.DEB.2.02.1311130329180.26054@uplift.swm.pp.se>
Date: Wed, 13 Nov 2013 20:47:05 +0100
Message-ID: <CAB0C4xOd-ryBXe4O3XoLTLDw-XuOV==X0nkRg5y3aPXCtf+Gow@mail.gmail.com>
From: Marc Lampo <marc.lampo.ietf@gmail.com>
To: Mikael Abrahamsson <swmike@swm.pp.se>
Content-Type: multipart/alternative; boundary="bcaec5485846cceb7004eb143a14"
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Nov 2013 19:47:14 -0000
I as well would prefer that unsolicited traffic from the Internet is stopped at the border of the network - like RFC 6092 recommends (though I don't see a recommendation for incoming UDP traffic ?) If a device in the network desires to communicate with the outside world, it is probably/hopefully after an act of configuration (of its owner) on that device. That outgoing traffic could be the trigger to allow the rest of the communication. If, in some years, fridges have IPv6 connectivity, perhaps they might send an inventory or shopping list to your mobile device (outgoing traffic) But probably/hopefully that will only happen after it was configured with some destination and authentication data so that the info arrives on your mobile and does indeed come from your fridge. But the fact that the fridge does have connectivity does not imply I would allow my favorite shop to come and look, or some marketing firm, or the fridge of a neighbor in search for eggs (s)he forgot ... So, by default allow the first packet towards ports "considered harmless" ? As Fred already pointed out, the listener on TCP port 80 might not be a webserver; and why would any port (lower or higher than 1024) be harmless ? After all, malware could chose any free port. The number 1024 is only there because, on UNIX, it requires super user privileges to bind to low ports. Hence, in my opinion, the security (and privacy) of IPv6 users is best served by keeping unsolicited traffic out. Kind regards, On Wed, Nov 13, 2013 at 3:34 AM, Mikael Abrahamsson <swmike@swm.pp.se>wrote: > On Tue, 12 Nov 2013, Fred Baker (fred) wrote: > > From my perspective, I think I would prefer that the firewall - if >> implemented - blocked everything, and applications within the network >> advised the firewall(s) of traffic that they are willing to receive. If a >> potential session has no willing counterpart within my network, I don't see >> the argument for letting the first packet in. >> > > My biggest problem with this resoning, is that I am not aware of any > firewall poking mechanism actively being in use for IPv6. This means that > if we have a firewall with default-deny for incoming connections, then > either hosts need an Internet based machine to coordinate a STUN type of > behaviour to get the firewall to accept packets for sessions, or they need > to implement a firewall poking mechanism that as far as I know, neither > todays firewalls/CPEs nor hosts actually has. > > So today, implementing default-deny would mean a lot of the benefit of > IPv6 wouldn't be seen immediately but would takes many years to realise. > Right? > > Or am I mistaken and uPNP for IPv6 actually functional today? PCP I have > never seen in home devices. > > -- > Mikael Abrahamsson email: swmike@swm.pp.se > > _______________________________________________ > v6ops mailing list > v6ops@ietf.org > https://www.ietf.org/mailman/listinfo/v6ops >
- [v6ops] draft-ietf-v6ops-balanced-ipv6-security W… Fred Baker
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Guillaume Leclanche
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Guillaume Leclanche
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… cb.list6
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ted Lemon
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… cb.list6
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tore Anderson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ted Lemon
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ted Lemon
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark Andrews
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Brian E Carpenter
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Sander Steffann
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… joel jaeggli
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… joel jaeggli
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tassos Chatzithomaoglou
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… cb.list6
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tassos Chatzithomaoglou
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
- [v6ops] draft-ietf-v6ops-balanced-ipv6-security W… Fred Baker
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Joe Touch
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… de =?iso-8859-1?q?Br=FCn?=, Markus
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
- [v6ops] RFC 6092 [was draft-ietf-v6ops-balanced-i… Brian E Carpenter
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
- Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… Marc Lampo
- Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… Lorenzo Colitti
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
- Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… Brian E Carpenter
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
- Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… cb.list6
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Brian E Carpenter