IETF Logo Mail Archive

RE: But are we talking IPv6 only? That's how I read the draft. (Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03)

"Dan Wing" <dwing@cisco.com> Thu, 28 August 2008 01:27 UTC

Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 086EF3A6C04 for <ietfarch-v6ops-archive@core3.amsl.com>; Wed, 27 Aug 2008 18:27:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.387
X-Spam-Level:
X-Spam-Status: No, score=-4.387 tagged_above=-999 required=5 tests=[AWL=0.108, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4nTNKRb2EIjr for <ietfarch-v6ops-archive@core3.amsl.com>; Wed, 27 Aug 2008 18:27:51 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 9FC1D3A679F for <v6ops-archive@lists.ietf.org>; Wed, 27 Aug 2008 18:27:50 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1KYWB4-000067-S5 for v6ops-data@psg.com; Thu, 28 Aug 2008 01:19:58 +0000
Received: from [171.71.176.72] (helo=sj-iport-3.cisco.com) by psg.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.69 (FreeBSD)) (envelope-from <dwing@cisco.com>) id 1KYWAz-000058-C5 for v6ops@ops.ietf.org; Thu, 28 Aug 2008 01:19:56 +0000
X-IronPort-AV: E=Sophos;i="4.32,283,1217808000"; d="scan'208";a="97744343"
Received: from sj-dkim-2.cisco.com ([171.71.179.186]) by sj-iport-3.cisco.com with ESMTP; 28 Aug 2008 01:19:51 +0000
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id m7S1JpAY027851; Wed, 27 Aug 2008 18:19:51 -0700
Received: from dwingwxp01 ([10.32.240.194]) by sj-core-5.cisco.com (8.13.8/8.13.8) with ESMTP id m7S1JpDO025929; Thu, 28 Aug 2008 01:19:51 GMT
From: Dan Wing <dwing@cisco.com>
To: 'james woodyatt' <jhw@apple.com>, 'IPv6 Operations' <v6ops@ops.ietf.org>
References: <20080824204553.08131c65.ipng@69706e6720323030352d30312d31340a.nosense.org> <48B1CCE8.1070305@gmail.com> <01af01c9065b$b4602440$c2f0200a@cisco.com> <48B23391.1090503@gmail.com> <01cd01c90672$a57c8790$c2f0200a@cisco.com> <48B31DA3.6080001@gmail.com> <07d201c906f7$50a85e30$c2f0200a@cisco.com> <48B32B43.5010103@gmail.com> <084c01c906fe$f9bf1840$c2f0200a@cisco.com> <48B33430.40704@gmail.com> <A31EB889-2BD9-4283-A408-AB6DCC1D568A@suspicious.org> <08be01c90712$d876cd40$c2f0200a@cisco.com> <20080827194713.23271bd1.ipng@69706e6720323030352d30312d31340a.nosense.org> <CD947C45-58F7-47F1-807F-A276490B1E39@apple.com> <0e6001c908a2$b8fcf700$c2f0200a@cisco.com> <F0E4B018-AA5E-4344-A40B-3F6D974B7EA1@apple.com>
Subject: RE: But are we talking IPv6 only? That's how I read the draft. (Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03)
Date: Wed, 27 Aug 2008 18:19:51 -0700
Message-ID: <001b01c908ac$2b7d5140$c2f0200a@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
Thread-Index: AckIqJVZkxMn88XYT3yfZ5L+fRrrJwAAxBwg
In-Reply-To: <F0E4B018-AA5E-4344-A40B-3F6D974B7EA1@apple.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=2604; t=1219886391; x=1220750391; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20<dwing@cisco.com> |Subject:=20RE=3A=20But=20are=20we=20talking=20IPv6=20only? =20That's=20how=20I=20read=20the=20draft.=20(Re=3A=20Some=20 suggestions=20for=20draft-ietf-v6ops-cpe-simple-security-03) |Sender:=20; bh=LPCWiGUGalGxu9+0+ze4cPMQb1qccAb5rTjfUFYUOmw=; b=v3F6ynluKQ+Ltk5tkBfvdSIS6TsWMoVfDaqva5Kx5EaQZFEyp9+Ghfd0u6 ImZcQ/59pKeRwzvGuZGEK7bnI1y71FlfpVQf6EmGAMvmQxzwXMm6qzHyRq2B 0i6idcwQzm;
Authentication-Results: sj-dkim-2; header.From=dwing@cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>

 

> -----Original Message-----
> From: james woodyatt [mailto:jhw@apple.com] 
> Sent: Wednesday, August 27, 2008 5:54 PM
> To: IPv6 Operations
> Cc: Dan Wing
> Subject: Re: But are we talking IPv6 only? That's how I read 
> the draft. (Re: Some suggestions for 
> draft-ietf-v6ops-cpe-simple-security-03)
> 
> On Aug 27, 2008, at 17:12, Dan Wing wrote:
> > [I wrote:]
> >> On Aug 27, 2008, at 03:17, Mark Smith wrote:
> >>> * Native IPv6 CPE security, plus IPv4 security/functionality
> >>> requirements to support IPv6 transition via IPv4 tunnelling
> >>
> >> It was my understanding that this is the proper scope, not the
> >> alternatives you mentioned.
> >
> > If the scope includes IPv6-over-IPv4 tunnels, then there are two
> > network topologies:
> >
> >  1.  CPE gets a single IPv4 address and is an IPv4 NAPT, or
> >  2.  the residential user gets one IPv4 address for each
> >      device in their home that wants to do a IPv6-over-IPv4
> >      tunnel.
> >
> > If (1), I don't see how unsolicited incoming packets can be
> > directed to the correct host behind the IPv4 NAPT.
> >
> > If (2), we are outside the realm of simple residential networks --  
> > they only
> > have one IPv4 address.  We can't plan for more to become common as  
> > we approach
> > IPv4 exhaustion.
> >
> > Is there another network topology that I am missing?
> 
> Ah.   I see the confusion.  In the scope of the whole draft, we are  
> talking about CPE that can include dual-stack transition 
> mechanisms.   
> In the specific scope of R23, the words "upper layer protocol" are  
> intended to imply only IPv6 as the outer layer (which may itself be  
> tunneled in an IPv4 transition mechanism, but the filtering  
> recommendations in this draft are intended for use in 
> applying filters  
> inside the tunnel, not to the outside).
> 
> We are not trying to make recommendations about IPv4 simple security  
> in this draft.  This could be made more clear.

I was not expecting the draft to discuss IPv4 simple security.

My confusion -- which persists even after reading your email -- is
what this home network (with a dual-stack CPE) looks like:  which 
device(s) terminate IPv6-over-IPv4 tunnels (the CPE itself?  Or a 
host behind the CPE?), which devices get IPv4 addresses (only the 
CPE itself, or also devices behind the CPE?), and so on.

Network diagrams would go a long ways towards my understanding.
If you could whiteboard such a network diagram and send me a JPG
of the whiteboard, I would be happy to build some ASCII art.

-d

v2.23.0 | Report a Bug | By Email