Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
Truman Boyes <truman@suspicious.org> Sun, 23 August 2009 05:04 UTC
Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BD7E13A6A66 for <ietfarch-v6ops-archive@core3.amsl.com>; Sat, 22 Aug 2009 22:04:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GqCNV1S7FD36 for <ietfarch-v6ops-archive@core3.amsl.com>; Sat, 22 Aug 2009 22:04:30 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 2FD683A67D1 for <v6ops-archive@lists.ietf.org>; Sat, 22 Aug 2009 22:04:30 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1Mf5AI-000FqV-U6 for v6ops-data0@psg.com; Sun, 23 Aug 2009 04:58:50 +0000
Received: from [2001:470:8859:cafe:20c:29ff:fec5:e30a] (helo=research.suspicious.org) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <truman@suspicious.org>) id 1Mf5AD-000FpZ-9W for v6ops@ops.ietf.org; Sun, 23 Aug 2009 04:58:48 +0000
Received: from [IPv6:2001::53aa:64c:0:e0bf:9f0d:6265] (unknown [IPv6:2001:0:53aa:64c:0:e0bf:9f0d:6265]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by research.suspicious.org (Postfix) with ESMTPSA id D46DA7FE0; Sun, 23 Aug 2009 00:58:42 -0400 (EDT)
Cc: IPv6 Operations <v6ops@ops.ietf.org>
Message-Id: <390865C6-3343-4C31-9767-6E0FCA4481DD@suspicious.org>
From: Truman Boyes <truman@suspicious.org>
To: james woodyatt <jhw@apple.com>
In-Reply-To: <47CF65DB-E3E1-4666-B1E9-51A49B372AD5@apple.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-17--34100891"
Mime-Version: 1.0 (Apple Message framework v935.3)
Subject: Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
Date: Sun, 23 Aug 2009 00:58:42 -0400
References: <805241AA-DC9A-4498-9D54-8D491DD62A0D@apple.com> <2D21500B-207B-43FB-9728-8A7BCEC82CB1@apple.com> <7F9A6D26EB51614FBF9F81C0DA4CFEC80158E120B3E6@il-ex01.ad.checkpoint.com> <47CF65DB-E3E1-4666-B1E9-51A49B372AD5@apple.com>
X-Mailer: Apple Mail (2.935.3)
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>
Greetings, This is quite confusing from an implementation perspective; security is not explicitly increased by prohibiting non-encrypted tunnels but allowing encrypted (ESP or AH) traffic flows. Wouldn't this simply serve as a driver to make all tunnel encapsulations use ESP/AH? Kind regards, Truman Boyes On 22/08/2009, at 3:03 PM, james woodyatt wrote: > On Aug 22, 2009, at 04:01, Yaron Sheffer wrote: >> >> In other words, the CPE is only required to verify that the *outer* >> packet >> is protected; if it is not protected, the standard internal- >> initiator policy >> applies, plus the gateway should drop suspicious GRE and IP-IP >> tunnels. > > Ah, I think I see where the confusion is arising. The > recommendation to allow IPsec AH and ESP transport mode in both > directions suffice to police the outer packet header chain. > > R20 In their DEFAULT operating mode, IPv6 gateways MUST NOT prohibit > the forwarding of packets, to and from legitimate node addresses, > with destination extension headers of type "Authenticated Header > (AH)" [RFC4302] in their outer IP extension header chain. > > R21 In their DEFAULT operating mode, IPv6 gateways MUST NOT prohibit > the forwarding of packets, to and from legitimate node addresses, > with an upper layer protocol of type "Encapsulating Security > Payload (ESP)" [RFC4303] in their outer IP extension header > chain. > > What you would prefer to see is that section 3.2.7 be deleted in its > entirety, which is precisely what I proposed at IETF 75 in > Stockholm, and which failed to achieve consensus. Perhaps, after > further discussion, this option will seem sensible to a larger > fraction of participants? > > However, I should note that allowing outbound tunnel initiations > still doesn't address the concern I described in my previous message. > > [My proposed text for section 3.2.7 to address this concern.] >>> > >>> While residential IPv6 gateways are not expected to prohibit >>> virtual private networks from operating with tunnel endpoints >>> located at interior nodes, it is important to protect interior >>> networks from being reachable through routes created remotely by >>> exploiting vulnerable interior hosts. Therefore, residential IPv6 >>> gateways are expected to require tunnel encapsulations to be >>> protected by a cryptographic protocol. > > If the perception is that flows encapsulated in tunnels must be > subject to a stateful filtering regime to protect the interior > network against exploits against vulnerable tunnel endpoint hosts, > and if requiring such encapsulated flows to be encrypted with IPsec- > in-IPv6-in-IPv6 is regarded as an acceptable way to meet the > perceived need to protect all encapsulated flows with a > cryptographic protocol, then simply treating outbound tunnel > initiations as any other unrecognized protocol would be insufficient > to address the objections in the working group to taking this draft > to Last Call. > > How should we proceed? > > > -- > james woodyatt <jhw@apple.com> > member of technical staff, communications engineering > > >
- draft-ietf-v6ops-cpe-simple-security: filtering e… james woodyatt
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… james woodyatt
- RE: draft-ietf-v6ops-cpe-simple-security: filteri… Yaron Sheffer
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… james woodyatt
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… Truman Boyes
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… james woodyatt
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… Mark Smith
- RE: draft-ietf-v6ops-cpe-simple-security: filteri… Yaron Sheffer
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… Brian E Carpenter
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… Mark Baugher
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… james woodyatt
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… Mark Smith