Re: [v6ops] I-D Action: draft-ietf-v6ops-balanced-ipv6-security-00.txt

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Tue, 22 October 2013 05:35 UTC

From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: "v6ops@ietf.org" <v6ops@ietf.org>
Thread-Topic: [v6ops] I-D Action: draft-ietf-v6ops-balanced-ipv6-security-00.txt
Date: Tue, 22 Oct 2013 05:35:44 +0000
Message-ID: <97EB7536A2B2C549846804BBF3FD47E123795E0B@xmb-aln-x02.cisco.com>
References: <20131021134852.29396.64222.idtracker@ietfa.amsl.com>
In-Reply-To: <20131021134852.29396.64222.idtracker@ietfa.amsl.com>

Here are the main changes based on the Berlin meeting discussion:

In order to avoid this document appearing as an IETF 'blessing' of a specific ACL (or layer-4 ports), a lot of verbiage has been added to show the list as an EXAMPLE, and we have removed all 'proposals' and 'recommend' in favor of the word 'example'.

We kept the list of ports as an example but clearly mentioned that this list was based on known vulnerabilities in protocols (e.g. Telnet is in the clear) or implementations (there are still some worms active on 445 for old Windows implementations). Again, examples.

Another generic rule was added to allow for remote management (in the case of managed CPE).

A mention is also added that whether to do stateless or stateful filtering is not that relevant for this I-D, as its only objective is to give an example of what an SP did.


As a side note, Ragnar (a co-author) has presented this approach at the RIPE meeting => several positive discussions.

> -----Original Message-----
> From: v6ops-bounces@ietf.org [mailto:v6ops-bounces@ietf.org] On Behalf Of
> internet-drafts@ietf.org
> Sent: Monday 21 October 2013 19:19
> To: i-d-announce@ietf.org
> Cc: v6ops@ietf.org
> Subject: [v6ops] I-D Action: draft-ietf-v6ops-balanced-ipv6-security-
> 00.txt
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>  This draft is a work item of the IPv6 Operations Working Group of the
> IETF.
> 
> 	Title           : Balanced Security for IPv6 Residential CPE
> 	Author(s)       : Martin Gysi
>                           Guillaume Leclanche
>                           Eric Vyncke
>                           Ragnar Anfinsen
> 	Filename        : draft-ietf-v6ops-balanced-ipv6-security-00.txt
> 	Pages           : 7
> 	Date            : 2013-10-21
> 
> Abstract:
>    This document describes how an IPv6 residential Customer Premise
>    Equipment (CPE) can have a balanced security policy that allows for a
>    mostly end-to-end connectivity while keeping the major threats
>    outside of the home.  It is based on an actual IPv6 deployment by
>    Swisscom and allows all packets inbound/outbound EXCEPT for some
>    layer-4 ports where attacks and vulnerabilities (such as weak
>    passwords) are well-known.  The blocked inbound ports are expected to
>    be updated as threats come and go.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-v6ops-balanced-ipv6-security
> 
> There's also a htmlized version available at:
> http://tools.ietf.org/html/draft-ietf-v6ops-balanced-ipv6-security-00
> 
> 
> Please note that it may take a couple of minutes from the time of
> submission until the htmlized version and diff are available at
> tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
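The policy the announcement and the reply describe (allow everything end-to-end, drop inbound traffic to an example list of ports with known weaknesses, keep a rule that lets the SP manage the CPE, and do it without connection state) can be modelled as an ordered rule set. The following is an added illustration, not code from the draft or from the Swisscom deployment; the management prefix, CPE address, management port and the two blocked ports are constructed values chosen to match the examples named in the message (Telnet and 445).

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    src: str       # source IPv6 address
    dst: str       # destination IPv6 address
    proto: str     # "tcp" or "udp"
    dport: int     # destination layer-4 port
    inbound: bool  # True when the packet arrived on the WAN interface


@dataclass
class BalancedPolicy:
    # Constructed example deny list: Telnet (cleartext) and 445 (old Windows
    # worms), the two cases the message names. Meant to change over time.
    blocked_inbound_tcp: set = field(default_factory=lambda: {23, 445})
    # Hypothetical values: the SP management prefix, the CPE's own WAN address
    # and the TCP port its management service listens on.
    mgmt_prefix: str = "2001:db8:ffff::/48"
    cpe_wan_addr: str = "2001:db8:1::1"
    mgmt_tcp_port: int = 22

    def block(self, port: int) -> None:
        """Add a port to the inbound deny list as new threats appear."""
        self.blocked_inbound_tcp.add(port)

    def decide(self, flow: Flow) -> str:
        src = ipaddress.ip_address(flow.src)
        dst = ipaddress.ip_address(flow.dst)
        # Rule 1: remote management of the CPE itself from the SP's management
        # prefix. Evaluated before the deny list so that a later update to the
        # list cannot lock the operator out of a managed CPE.
        if (flow.inbound and flow.proto == "tcp" and flow.dport == self.mgmt_tcp_port
                and dst == ipaddress.ip_address(self.cpe_wan_addr)
                and src in ipaddress.ip_network(self.mgmt_prefix)):
            return "accept"
        # Rule 2: inbound TCP to a port on the example deny list is dropped.
        # Outbound traffic is never matched here, so LAN clients keep full reach.
        if flow.inbound and flow.proto == "tcp" and flow.dport in self.blocked_inbound_tcp:
            return "drop"
        # Rule 3: everything else, inbound or outbound, passes end-to-end.
        # No connection table is consulted, so the policy is stateless.
        return "accept"
```

The ordering of rule 1 before rule 2 is the part worth checking on a real CPE: a deny-list update that happens to include the management port must not cut off the SP.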