IETF Logo Mail Archive

Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03

Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 26 August 2008 00:58 UTC

Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 19CDB3A68C6 for <ietfarch-v6ops-archive@core3.amsl.com>; Mon, 25 Aug 2008 17:58:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.088
X-Spam-Level:
X-Spam-Status: No, score=0.088 tagged_above=-999 required=5 tests=[AWL=0.583, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W6V4eOX+2Pd4 for <ietfarch-v6ops-archive@core3.amsl.com>; Mon, 25 Aug 2008 17:58:56 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 28CEC3A685A for <v6ops-archive@lists.ietf.org>; Mon, 25 Aug 2008 17:58:56 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1KXmsL-000PMG-Fs for v6ops-data@psg.com; Tue, 26 Aug 2008 00:57:37 +0000
Received: from [209.85.198.239] (helo=rv-out-0506.google.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <brian.e.carpenter@gmail.com>) id 1KXmsH-000PLo-9r for v6ops@ops.ietf.org; Tue, 26 Aug 2008 00:57:35 +0000
Received: by rv-out-0506.google.com with SMTP id b25so1906726rvf.41 for <v6ops@ops.ietf.org>; Mon, 25 Aug 2008 17:57:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :organization:user-agent:mime-version:to:cc:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=muL5WCEk3k3+DL7LepvUV4zsjirs9BKd7ZVjIjd1yv8=; b=qlO8/sDLBsQbiZjJegwqxE4WLtXY1+XXtu4coWhG4XLIf5Tzl2vTZgvhSCZ7d7BGCK 0T0PM4K00shI3EuGfzKxvoaCUWfPYzLd/W/vRBC8LXWoFbN4UpdqLq07DRav6/utwmIC kAhnKGG0ajHynnp44aOVD7HqGlfjOzVi4LvIQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; b=x3OBb9zkgCJzjvHAO/4TJzKC8cy8IQiMOlIEZ1tq3fKKx9XoMB2Opko1RPJfPYsuIy dbiDcArRC9Wp//KZexIYIwKzGPHd/KV92erWDOPn17oZPC+clyVB1VQ4U14Gmx4a08lQ pnByAiUAL4yXItTaTHMSbW5V5mHe3pCwdVRoo=
Received: by 10.115.59.4 with SMTP id m4mr4088025wak.104.1219712253108; Mon, 25 Aug 2008 17:57:33 -0700 (PDT)
Received: from ?130.216.38.124? ( [130.216.38.124]) by mx.google.com with ESMTPS id f20sm7359119waf.53.2008.08.25.17.57.31 (version=SSLv3 cipher=RC4-MD5); Mon, 25 Aug 2008 17:57:32 -0700 (PDT)
Message-ID: <48B354FA.7040601@gmail.com>
Date: Tue, 26 Aug 2008 12:57:30 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Dan Wing <dwing@cisco.com>
CC: 'Mark Smith' <ipng@69706e6720323030352d30312d31340a.nosense.org>, jhw@apple.com, 'IPv6 Operations' <v6ops@ops.ietf.org>
Subject: Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03
References: <20080824204553.08131c65.ipng@69706e6720323030352d30312d31340a.nosense.org> <48B1CCE8.1070305@gmail.com> <01af01c9065b$b4602440$c2f0200a@cisco.com> <48B23391.1090503@gmail.com> <01cd01c90672$a57c8790$c2f0200a@cisco.com> <48B31DA3.6080001@gmail.com> <07d201c906f7$50a85e30$c2f0200a@cisco.com> <48B32B43.5010103@gmail.com> <084c01c906fe$f9bf1840$c2f0200a@cisco.com> <48B33430.40704@gmail.com> <08b901c90710$4064aa60$c2f0200a@cisco.com>
In-Reply-To: <08b901c90710$4064aa60$c2f0200a@cisco.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>

On 2008-08-26 12:11, Dan Wing wrote:
> Brian E Carpenter wrote:
>> On 2008-08-26 10:07, Dan Wing wrote:
>>>>>> How does it know that a Protocol 41 packet is unsolicited?
>>>>> The same way it knows a non-protocol 41 packet is solicited: the
>>>>> host sends a packet first -- the host being protected by the CPE 
>>>>> doing Simple Security.
>>>> How does that work if Host A (behind the CPE) has informed Host X
>>>> (outside) of the tunneled address of Host B (also behind the CPE)?
>>>> In other words A has solicited X to send a packet to B.
>>> The network diagram would look like this, I believe:
>>>
>>>               +-----+
>>>     Host A ---+     |
>>>               + CPE +--------- Internet ------  Host X
>>>     Host B ---+     |
>>>               +-----+
>>>  
>>>
>>> If the CPE is providing security -- as this draft is titled -- the
>>> traffic from X to B would be blocked.  
>>>
>>> To permit such traffic, B would need a way to tell the CPE to allow 
>>> such traffic from X (or to allow arbitrary traffic from any host 
>>> on the Internet).  This is described in Section 3.4 of 
>>> draft-ietf-v6ops-cpe-simple-security-03 (where James mentions 
>>> Apple's ALD") but, to my knowledge, has not received much 
>>> attention and I do not know if it has working group consensus.
>> The thing is that it can't meet any reasonable definition of
>> 'simple'...
>>
>> But blocking tunnels by default, although it's simple, also
>> blocks innovation. That worries me.
> 
> Would your worry go away if the IETF initiated a standards effort around
> something like Apple's ALD (draft-woodyatt-ald-03.txt)?

I believe that something like that is needed.

   Brian

P.S. I am about to disappear on vacation until Sept. 15.

v2.23.0 | Report a Bug | By Email