Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC
Mikael Abrahamsson <swmike@swm.pp.se> Mon, 18 November 2013 08:20 UTC
Return-Path: <swmike@swm.pp.se>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EFA321F8E2D for <v6ops@ietfa.amsl.com>; Mon, 18 Nov 2013 00:20:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.229
X-Spam-Level:
X-Spam-Status: No, score=-4.229 tagged_above=-999 required=5 tests=[AWL=1.705, BAYES_00=-2.599, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_MED=-4, SARE_MILLIONSOF=0.315]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3-6IlmU8BukL for <v6ops@ietfa.amsl.com>; Mon, 18 Nov 2013 00:19:54 -0800 (PST)
Received: from uplift.swm.pp.se (swm.pp.se [212.247.200.143]) by ietfa.amsl.com (Postfix) with ESMTP id 385A821F8D62 for <v6ops@ietf.org>; Mon, 18 Nov 2013 00:19:54 -0800 (PST)
Received: by uplift.swm.pp.se (Postfix, from userid 501) id 87875A1; Mon, 18 Nov 2013 09:19:52 +0100 (CET)
Received: from localhost (localhost [127.0.0.1]) by uplift.swm.pp.se (Postfix) with ESMTP id 8300D9A for <v6ops@ietf.org>; Mon, 18 Nov 2013 09:19:52 +0100 (CET)
Date: Mon, 18 Nov 2013 09:19:52 +0100
From: Mikael Abrahamsson <swmike@swm.pp.se>
To: "v6ops@ietf.org WG" <v6ops@ietf.org>
In-Reply-To: <CAB0C4xPR6dhFcEwAtw57PufAWLWZ2=Dkk+aOn11YY1HR8hK-KA@mail.gmail.com>
Message-ID: <alpine.DEB.2.02.1311180912390.5805@uplift.swm.pp.se>
References: <201311101900.rAAJ0AR6025350@irp-view13.cisco.com> <CAB0C4xOfz_JAjEEJZ-Zz7MBEyZhVzrAE+8Ghf1ggC3+9pyHmNg@mail.gmail.com> <989B8ED6-273E-45D4-BFD8-66A1793A1C9F@cisco.com> <alpine.DEB.2.02.1311130329180.26054@uplift.swm.pp.se> <CAB0C4xOd-ryBXe4O3XoLTLDw-XuOV==X0nkRg5y3aPXCtf+Gow@mail.gmail.com> <alpine.DEB.2.02.1311140639140.5805@uplift.swm.pp.se> <5FC5FC3F-B933-4ACE-A7A9-00A1E275B4EF@cisco.com> <CAB0C4xMhxnev+NHx_Vzdjvrp9zE0jj7avsb9zUFGRKhQFne14A@mail.gmail.com> <alpine.DEB.2.02.1311140935510.5805@uplift.swm.pp.se> <CAB0C4xM_eN7x-4G6YYku+t=X_w3c7LiEU6AR1EDvhT6Kea_hqw@mail.gmail.com> <1384583413.2103.YahooMailNeo@web142501.mail.bf1.yahoo.com> <CAB0C4xPR6dhFcEwAtw57PufAWLWZ2=Dkk+aOn11YY1HR8hK-KA@mail.gmail.com>
User-Agent: Alpine 2.02 (DEB 1266 2009-07-14)
Organization: People's Front Against WWW
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Subject: Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Nov 2013 08:20:00 -0000
On Mon, 18 Nov 2013, Marc Lampo wrote: > I acknowledge other contributions in this list stating that any device > can end up with infected/hostile neighbors in the local network, but is > this a reason/excuse to have a "mostly open policy for incoming traffic" > ? It all comes down to "better safe than sorry" as opposed to "make things work without operator invention". Do you want devices to be part of the Internet as default or not is the major philosophical question. Should devices have a one-way peep-hole to the Internet by default or should they be open and be reachable from the Internet by default. Gated community and don't care about locking your door because you trust the neighborhood, or open community and take care of your own security. There is no right answer here, but I am in favour of the open variant and let hosts take care of their own security. Most devices today are hardened enough to handle being exposed to the Internet, is my opinion. From your reasoning I guess you do not agree. My background is that I worked for 7 years for a mobile operator that didn't have any filters apart from outgoing port 25 and a few other things (very similar to balanced security proposal). Even less for residential access. No bad effects from this even with millions of customers. So I think it's up to the people who want to put filters in CPEs by default to prove that applications work well with this, and give advice to application implementers what they need to do in order to make things work. Do they need to do STUN-like functionality always, even though there is no NAT, just to make sure the stateful filtering device actually sees this as a wanted session? -- Mikael Abrahamsson email: swmike@swm.pp.se
- [v6ops] draft-ietf-v6ops-balanced-ipv6-security W… Fred Baker
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Guillaume Leclanche
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Guillaume Leclanche
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… cb.list6
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ted Lemon
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… cb.list6
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tore Anderson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ted Lemon
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ted Lemon
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark Andrews
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Brian E Carpenter
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Sander Steffann
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… joel jaeggli
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… joel jaeggli
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tassos Chatzithomaoglou
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… cb.list6
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tassos Chatzithomaoglou
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
- [v6ops] draft-ietf-v6ops-balanced-ipv6-security W… Fred Baker
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Joe Touch
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… de =?iso-8859-1?q?Br=FCn?=, Markus
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
- [v6ops] RFC 6092 [was draft-ietf-v6ops-balanced-i… Brian E Carpenter
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
- Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… Marc Lampo
- Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… Lorenzo Colitti
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
- Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… Brian E Carpenter
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
- Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… cb.list6
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Brian E Carpenter