IETF Logo Mail Archive

Re: SECDIR review: draft-ietf-v6ops-tunnel-concerns-00

Suresh Krishnan <suresh.krishnan@ericsson.com> Fri, 17 October 2008 20:05 UTC

Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A1ED93A67F8 for <ietfarch-v6ops-archive@core3.amsl.com>; Fri, 17 Oct 2008 13:05:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.425
X-Spam-Level:
X-Spam-Status: No, score=-5.425 tagged_above=-999 required=5 tests=[AWL=-0.930, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PMkl0lX15aqG for <ietfarch-v6ops-archive@core3.amsl.com>; Fri, 17 Oct 2008 13:05:07 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 940AC3A67E9 for <v6ops-archive@lists.ietf.org>; Fri, 17 Oct 2008 13:05:07 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1KqvVI-000ITb-Gg for v6ops-data@psg.com; Fri, 17 Oct 2008 20:00:56 +0000
Received: from [198.24.6.9] (helo=imr1.ericy.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <suresh.krishnan@ericsson.com>) id 1KqvVB-000ISr-Q5 for v6ops@ops.ietf.org; Fri, 17 Oct 2008 20:00:53 +0000
Received: from eusrcmw750.eamcs.ericsson.se (eusrcmw750.exu.ericsson.se [138.85.77.50]) by imr1.ericy.com (8.13.1/8.13.1) with ESMTP id m9HK1mUp025058; Fri, 17 Oct 2008 15:01:48 -0500
Received: from eusrcmw750.eamcs.ericsson.se ([138.85.77.53]) by eusrcmw750.eamcs.ericsson.se with Microsoft SMTPSVC(6.0.3790.1830); Fri, 17 Oct 2008 14:59:37 -0500
Received: from [142.133.10.113] ([142.133.10.113]) by eusrcmw750.eamcs.ericsson.se with Microsoft SMTPSVC(6.0.3790.1830); Fri, 17 Oct 2008 14:59:37 -0500
Message-ID: <48F8EE0D.4060307@ericsson.com>
Date: Fri, 17 Oct 2008 15:57:01 -0400
From: Suresh Krishnan <suresh.krishnan@ericsson.com>
User-Agent: Thunderbird 2.0.0.17 (X11/20080925)
MIME-Version: 1.0
To: Nathan Ward <v6ops@daork.net>
CC: Kurt Zeilenga <Kurt.Zeilenga@Isode.com>, Pasi Eronen <Pasi.Eronen@nokia.com>, Tim Polk <tim.polk@nist.gov>, secdir@mit.edu, Jim_Hoagland@symantec.com, dthaler@microsoft.com, v6ops@ops.ietf.org
Subject: Re: SECDIR review: draft-ietf-v6ops-tunnel-concerns-00
References: <8B128AB2-BBD9-49B9-A837-F00DD80BF5D3@Isode.com> <48F2C29B.8090900@ericsson.com> <D6947E23-5209-4767-882A-7EBA645B3DCB@daork.net>
In-Reply-To: <D6947E23-5209-4767-882A-7EBA645B3DCB@daork.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 17 Oct 2008 19:59:37.0608 (UTC) FILETIME=[E241A080:01C93092]
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>

Hi Nathan,
   Thanks for your comments. Please see responses inline.

Nathan Ward wrote:
> On 13/10/2008, at 4:38 PM, Suresh Krishnan wrote:
> 
>>>>  One simple method to do that is easy to employ for many tunnel
>>>>   protocols is to block outbound packets to the UDP or TCP port used
>>>>   (e.g., UDP port 3544 for Teredo, UDP port 1701 for L2TP, etc.).
>>> The description of this method is not precise.  Is the method to 
>>> block dest ports, with these source ports, or either, or both?
>>
>> The method is to block destination ports. We have changed this sentence
>> to read
>> (e.g., destination UDP port is 3544 for Teredo, UDP port 1701 for
>>   L2TP, etc.)
> 
> This makes me squirm a bit.
> 
> It seems silly to promote blocking discrete ports, when a user could 
> simply run their own Teredo server on a different port and tunnel out 
> with that, or run any other proxy or tunnel server of some kind on any 
> port they wanted. We've all run PPP over SSH before, it's not hard to do 
> this stuff, there are tools to do it automatically.


You are right. This will not stop people from tunneling over other 
ports. But what would you propose to be done instead?

> 
> If an organisation is concerned about people tunnelling through their 
> firewalls, they must use default-deny if they want to have any effect.

Given the savvy user you mentioned above, I don't understand how this 
will have any effect either. The users can still tunnel over anything 
that has been permitted ahead of the default deny.

> 
>>>> In 3.1.3,
>>>>   Tunneling over UDP or TCP (including HTTP) to reach the Internet is
>>>>   not recommended as a solution for managed networks.
>>> First,  I'm going to read the sentence as if the word 'managed' was 
>>> not used as I think all networks on the Internet are 'managed' to 
>>> some degree.  If the authors had a particular definition of the term 
>>> 'managed network' in mind, they should define it.
>>> So reading the sentence without the term 'managed', this is basically 
>>> a general applicability statement that use of tunneling over UDP or 
>>> TCP is not recommend for use to 'reach the Internet'.  I don't see 
>>> this recommendation as being appropriate given the issue.
>>
>> We have changed this text to read
>>
>> "  Tunneling over UDP or TCP (including HTTP) to reach the Internet is
>>   not recommended as a solution for networks that wish to enforce
>>   security polcies on the user traffic.  (Windows, for example,
>>   disables Teredo by default if it detects that it is within an
>>   enterprise network that contains a Windows domain controller.)"
> 
> Why tunnelling over UDP or TCP? Why not tunnelling in IP as in 6to4?
> I don't imagine that UDP makes it any more difficult to inspect than an 
> IP protocol.
> 
> I think this statement should be changed to "Tunnelling through a 
> security device (ie. firewall) is not recommended for.. " etc.

Sounds good. We will make this change.

Cheers
Suresh

v2.23.0 | Report a Bug | By Email