Re: I-D.ietf-v6ops-cpe-simple-security-09
Mark Townsley <townsley@cisco.com> Fri, 19 March 2010 18:02 UTC
Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9C4DE3A6917 for <ietfarch-v6ops-archive@core3.amsl.com>; Fri, 19 Mar 2010 11:02:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.561
X-Spam-Level:
X-Spam-Status: No, score=-8.561 tagged_above=-999 required=5 tests=[AWL=-1.196, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_HI=-8, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F62uTpbOo7kR for <ietfarch-v6ops-archive@core3.amsl.com>; Fri, 19 Mar 2010 11:02:54 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 9D9613A691C for <v6ops-archive@lists.ietf.org>; Fri, 19 Mar 2010 11:02:54 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.71 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1NsgVS-0003QO-QV for v6ops-data0@psg.com; Fri, 19 Mar 2010 18:01:10 +0000
Received: from [171.68.10.86] (helo=sj-iport-4.cisco.com) by psg.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.71 (FreeBSD)) (envelope-from <townsley@cisco.com>) id 1NsgVP-0003Pz-2t for v6ops@ops.ietf.org; Fri, 19 Mar 2010 18:01:07 +0000
Authentication-Results: sj-iport-4.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-AV: E=Sophos;i="4.51,275,1267401600"; d="scan'208";a="103004339"
Received: from sj-core-5.cisco.com ([171.71.177.238]) by sj-iport-4.cisco.com with ESMTP; 19 Mar 2010 18:01:06 +0000
Received: from iwan-view3.cisco.com (iwan-view3.cisco.com [171.70.65.13]) by sj-core-5.cisco.com (8.13.8/8.14.3) with ESMTP id o2JI16ia007289; Fri, 19 Mar 2010 18:01:06 GMT
Received: from ams-townsley-8715.cisco.com (ams-townsley-8715.cisco.com [10.55.233.230]) by iwan-view3.cisco.com (8.11.2/CISCO.WS.1.2) with ESMTP id o2JI0rY11114; Fri, 19 Mar 2010 11:00:54 -0700 (PDT)
Message-ID: <4BA3BBCF.2090903@cisco.com>
Date: Fri, 19 Mar 2010 19:00:47 +0100
From: Mark Townsley <townsley@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.8) Gecko/20100227 Thunderbird/3.0.3
MIME-Version: 1.0
To: IPv6 Operations <v6ops@ops.ietf.org>
CC: james woodyatt <jhw@apple.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>
Subject: Re: I-D.ietf-v6ops-cpe-simple-security-09
References: <D6F5ACD2-EB43-477E-9F48-AC3EDB3F7EB4@apple.com>
In-Reply-To: <D6F5ACD2-EB43-477E-9F48-AC3EDB3F7EB4@apple.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>
I would like to propose some form of "ParanoidOpeness" (Rule #7) from draft-vyncke-advanced-ipv6-security-01 to be brought into the simple-security draft. The basic idea is that rather than blocking otherwise unauthorized inbound connections outright, the CPE rate-limits them according to a variable setting. When that setting is 0, all incoming packets are dropped. When set to its maximum, all packets are permitted (as if the firewall function is configured off). In-between, the CPE rate-limits incoming packets to reduce probing of the home network, but to allow just enough packets through that, if a host inside responds, a pinhole is opened for the communication to occur. Of course, the hard part is what the default setting should be, but I'd like to get a sense first of whether we can bring this function in. James, I think I remember you being warm to the idea in some (jabber?) comments during the meeting in Hiroshima when I presented this first. Thanks, - Mark On 3/4/10 12:06 AM, james woodyatt wrote: > everyone-- > > Once again, I'd like to ask for some discussion and feedback on this draft. Is there any reason this revision of the draft should not proceed to Working Group Last Call at this time? > > > -- > james woodyatt<jhw@apple.com> > member of technical staff, communications engineering > > > > >
- I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Baugher
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Fred Baker
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Fred Baker
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Baugher
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Baugher
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Baugher
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Ole Troan
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Baugher
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Baugher
- RE: I-D.ietf-v6ops-cpe-simple-security-09 STARK, BARBARA H (ATTLABS)
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Fwd: I-D.ietf-v6ops-cpe-simple-security-09 - ICMP… Rémi Després
- Re: I-D.ietf-v6ops-cpe-simple-security-09 - ICMP … james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 - ICMP … Rémi Després
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Brian E Carpenter
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Smith
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Brian E Carpenter
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Brian E Carpenter
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Fred Baker
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Fred Baker
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Fred Baker
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Shane Amante
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Smith
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Cameron Byrne
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Smith
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Gert Doering
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Brian E Carpenter
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Smith
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Brian E Carpenter
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Status of RFC 4864 (was Re: I-D.ietf-v6ops-cpe-si… Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Smith
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Ole Troan
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Brian E Carpenter