IETF Logo Mail Archive

Re: I-D.ietf-v6ops-cpe-simple-security-09

james woodyatt <jhw@apple.com> Mon, 22 March 2010 05:27 UTC

Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9E9123A6A02 for <ietfarch-v6ops-archive@core3.amsl.com>; Sun, 21 Mar 2010 22:27:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.58
X-Spam-Level:
X-Spam-Status: No, score=-101.58 tagged_above=-999 required=5 tests=[AWL=-1.415, BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yYwoCBXcLXPM for <ietfarch-v6ops-archive@core3.amsl.com>; Sun, 21 Mar 2010 22:27:38 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 2B9903A6954 for <v6ops-archive@lists.ietf.org>; Sun, 21 Mar 2010 22:26:01 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.71 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1Nta2w-000BSq-Ai for v6ops-data0@psg.com; Mon, 22 Mar 2010 05:19:27 +0000
Received: from [17.254.13.22] (helo=mail-out3.apple.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.71 (FreeBSD)) (envelope-from <jhw@apple.com>) id 1Nta2s-000BSP-RB for v6ops@ops.ietf.org; Mon, 22 Mar 2010 05:19:23 +0000
Received: from relay11.apple.com (relay11.apple.com [17.128.113.48]) by mail-out3.apple.com (Postfix) with ESMTP id 4938E8A76303 for <v6ops@ops.ietf.org>; Sun, 21 Mar 2010 22:19:22 -0700 (PDT)
X-AuditID: 11807130-b7bdcae000007b51-3e-4ba6fdd97638
Received: from [17.151.98.32] (Unknown_Domain [17.151.98.32]) (using TLS with cipher AES128-SHA (AES128-SHA/128 bits)) (Client did not present a certificate) by relay11.apple.com (Apple SCV relay) with SMTP id 2B.0D.31569.ADDF6AB4; Sun, 21 Mar 2010 22:19:22 -0700 (PDT)
Content-Type: text/plain; charset="iso-8859-1"
Mime-Version: 1.0 (Apple Message framework v1078)
Subject: Re: I-D.ietf-v6ops-cpe-simple-security-09
From: james woodyatt <jhw@apple.com>
In-Reply-To: <4BA69A3D.7@gmail.com>
Date: Sun, 21 Mar 2010 22:19:21 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <FF6C57C8-664B-40F1-B071-CF794ED2A8FE@apple.com>
References: <D6F5ACD2-EB43-477E-9F48-AC3EDB3F7EB4@apple.com> <4BA3BBCF.2090903@cisco.com> <4BA3D1B3.4010501@gmail.com> <4BA3DAAA.10000@cisco.com> <4BA40DD1.7080306@gmail.com> <6C168711-6A34-4487-9911-92766513183C@apple.com> <4BA522E8.7050504@cisco.com> <4BA56626.20606@gmail.com> <20100321133831.GL69383@Space.Net> <4BA6575D.7070300@gmail.com> <4BA670ED.1020302@cisco.com> <D69F1DE6-D24D-45AA-95D0-99B63E62A1EE@apple.com> <4BA68F61.7020005@cisco.com> <4BA69A3D.7@gmail.com>
To: IPv6 Operations <v6ops@ops.ietf.org>
X-Mailer: Apple Mail (2.1078)
X-Brightmail-Tracker: AAAAAQAAAZE=
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>

On Mar 21, 2010, at 15:14, Brian E Carpenter wrote:
> On 2010-03-22 10:28, Mark Townsley wrote:
>> 
>> Why not, if that is the current consensus? We've reversed the text of
>> IETF standards track documents before, much less Informational documents
>> that are not a standard of any kind.

The design team was directed by the chair to write a draft that detailed the recommendation in Section 4.2 of RFC 4864 for a stateful filter in residential IPv6 CPE routers, and we were not instructed that revisiting the recommendation with an eye toward reversing it was explicitly within our ambit.

> As a co-author of 4864, let me agree violently. It's not a BCP.
> Even if it was, consensus could reverse it.
> 
> What 4864 says is: NATs weren't designed as security devices but they
> provide simple security by blocking everything incoming by default.
> To implement simple security for v6 you should do it with a stateful
> firewall.

I would have expected an author of RFC 4864 to quote the following excerpt from Section 4.2 instead:

   To implement simple security for IPv6 in, for example, a DSL or cable
   modem-connected home network, the broadband gateway/router should be
   equipped with stateful firewall capabilities.  These should provide a
   default configuration where incoming traffic is limited to return
   traffic resulting from outgoing packets (sometimes known as
   reflective session state).  There should also be an easy interface
   that allows users to create inbound 'pinholes' for specific purposes
   such as online gaming.

That paragraph is the whole reason that I-D.ietf-v6ops-cpe-simple-security exists today.  Note the use of the word "should" in the verb phrase of the second sentence.  It sure looks to me like it makes a value judgment that IPv6 Simple Security in unmanaged home routers is considered helpful.

When I first read Section 4.2 of the Internet Draft that would become RFC 4864, just a little over three years ago, I sent <http://ops.ietf.org/lists/v6ops/v6ops.2007/msg00055.html> to the V6OPS list to surface what I thought, at the time, was an oversight.  Note that I was objecting to the use of the word "should" in that paragraph.  I thought RFC 4864 should not be making such a recommendation, and I believed that the authors must have been mistaken to include it in an Informational category document.

Alas, I later learned that this recommendation was quite deliberate and *NOT* open for discussion anymore.  I withdrew my objection soon thereafter, after one of the authors expressed "violent" disagreement with me, because I came to believe my personal misgivings about this recommendation weren't shared by the majority of IETF participants.  I still think only a small minority of participants agrees with me.

> It doesn't say that CPEs MUST do this. It leaves that choice open, as an informational document.

No, it doesn't say that CPE routers MUST do this, but it does go out of its way to say that CPE routers "should" do this.

More importantly, other specifications which reference RFC 4864 as if it's morally equivalent to a proposed standard *do* say that CPE routers MUST do this.  While categorized as Informational, the language in I-D.ietf-v6ops-cpe-simple-security is deliberately crafted to be easily cited by other SDO's in requirement specifications, which are expecting to describe not just the CPE routers MUST do this, but HOW they will do this.  I am aware of at least two other SDO's that are preparing exactly that.

So, while it's true that neither RFC 4864 nor I-D.ietf-v6ops-cpe-simple-security say that CPE routers MUST implement a "default deny" stateful filtering regime, the common law is congealing around this as a requirement as we speak.  So, despite the fact that this draft is Informational and not BCP or Proposed Standard, what we say in this document should it be published in the RFC series is very likely to become the Law of the Internet pretty much overnight, and I think that pretending otherwise would be awfully naïve.


--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering

v2.23.0 | Report a Bug | By Email