IETF Logo Mail Archive

Re: draft-ietf-v6ops-cpe-simple-security-04 WGLC

james woodyatt <jhw@apple.com> Fri, 17 April 2009 20:06 UTC

Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 80AB33A6840 for <ietfarch-v6ops-archive@core3.amsl.com>; Fri, 17 Apr 2009 13:06:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.75
X-Spam-Level:
X-Spam-Status: No, score=-104.75 tagged_above=-999 required=5 tests=[AWL=-1.455, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, J_CHICKENPOX_16=0.6, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1, SARE_BAYES_5x7=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g1RDJGsbBekj for <ietfarch-v6ops-archive@core3.amsl.com>; Fri, 17 Apr 2009 13:06:49 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 3CB613A688D for <v6ops-archive@lists.ietf.org>; Fri, 17 Apr 2009 13:06:49 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1LuuHR-000INk-Db for v6ops-data0@psg.com; Fri, 17 Apr 2009 20:03:21 +0000
Received: from [17.254.13.23] (helo=mail-out4.apple.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <jhw@apple.com>) id 1LuuHE-000IMs-E3 for v6ops@ops.ietf.org; Fri, 17 Apr 2009 20:03:14 +0000
Received: from relay13.apple.com (relay13.apple.com [17.128.113.29]) by mail-out4.apple.com (Postfix) with ESMTP id F11E6600CEC7; Fri, 17 Apr 2009 13:03:07 -0700 (PDT)
Received: from relay13.apple.com (unknown [127.0.0.1]) by relay13.apple.com (Symantec Brightmail Gateway) with ESMTP id D5C6D28092; Fri, 17 Apr 2009 13:03:07 -0700 (PDT)
X-AuditID: 1180711d-ab6fabb000000259-a3-49e8e07b6559
Received: from il0602f-dhcp171.apple.com (il0602f-dhcp171.apple.com [17.206.50.171]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by relay13.apple.com (Apple SCV relay) with ESMTP id 994152807D; Fri, 17 Apr 2009 13:03:07 -0700 (PDT)
Cc: Fred Baker <fred@cisco.com>, Kurt Erik Lindqvist <kurtis@kurtis.pp.se>, Ron Bonica <rbonica@juniper.net>
Message-Id: <36FA1A22-914E-479E-BB4B-9FBAC63B89A6@apple.com>
From: james woodyatt <jhw@apple.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, IPv6 Operations <v6ops@ops.ietf.org>
In-Reply-To: <49E7BEC5.5070300@gmail.com>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v930.3)
Subject: Re: draft-ietf-v6ops-cpe-simple-security-04 WGLC
Date: Fri, 17 Apr 2009 13:03:07 -0700
References: <32129337-7BED-4D7A-AF06-BC5ABB37D994@cisco.com> <49E7BEC5.5070300@gmail.com>
X-Mailer: Apple Mail (2.930.3)
X-Brightmail-Tracker: AAAAAA==
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>

On Apr 16, 2009, at 16:27, Brian E Carpenter wrote:
>
> It pains me to say it, but I think the following sentence in the
> Overview section should simply be deleted:
>
>  "It should be noted that NAT for IPv6 is both strictly forbidden by
>   the standards documents and strongly deprecated by Internet
>   operators."
>
> There's no way this sentence won't be controversial at the IESG stage,
> and any attempt to wordsmith it will be highly painful for all  
> concerned.
> Deleting it doesn't change the value or recommendations of the draft.

My next revision deletes the entire paragraph containing this sentence.

> At the bottom of page 4:
>
>  "As the latest revision of this document is being drafted,
>   conventional stateful packet filters are activated as a side effect
>   of outbound flow initiations from interior network nodes."
>
> I can't parse this sentence. What does "are activated" mean? By who,  
> in
> which boxes? And does the first clause just mean "Today, " ?

It's a tough sentence to make work.  The idea I'm trying to describe  
here is the conventional method of creating state at the time of  
forwarding the initial packet for a new outbound flow to permit  
reverse path traffic to flow inbound.  I've got a candidate phrase in  
the next revision.

> "2.1.  Basic Sanitation
>
>   In addition to the functions required of all Internet routers
>   [RFC4294], residential gateways are expected to have basic stateless
>   filters for prohibiting certains kinds of traffic with invalid
>   headers, e.g. martian packets, spoofs, routing header type code  
> zero,
>   etc."
>
> I think 'martian' needs a definition.

Hmmm.  That could be an interesting tangent.  I thought I mostly  
covered the bases of what constitutes the martian addresses in IPv6 in  
section 3.1, but I suppose I could have added an explicit prohibition  
of packets with V4MAPPED addresses.  I didn't think that was  
necessary, and the design team didn't consider it, but I wouldn't  
object to adding it if there were calls for it here.

> Also, should this section say something about ICMP in general?
>
>
> In section 2.2:
>  "To prevent Teredo from
>   acquiring a utility that it was never meant to have on networks  
> where
>   both IPv4/NAT and native IPv6 services are available, gateways MUST
>   impede Teredo tunnels by blocking clients from learning their mapped
>   addresses and ports in the qualification procedure described in
>   sections 5.2.1 and 5.2.2 of [RFC4380]."
>
> Just to avoid silly misunderstandings, could we
> s/gateways/gateways on such networks/ please?

No problem.

> Also, I don't think we can justify MUST; how about SHOULD?

I have no objection.

> Also, should this topic also cover 6to4? Hosts behind an IPv6 CPE
> SHOULD NOT use host 6to4 based on RFC3068.

My assumption was that residential IPv6 CPE would normally prevent  
this by using RFC 1918 addressing behind their IPv4 NAT.  An explicit  
deprecation would only seem necessary in the case of IPv4/NAT gateways  
that translate between global addresses across the realm boundary.  I  
don't think those are very common, are they?

> However, I have to wonder why this whole topic (Teredo+6to4) is
> relevant to this document. Shouldn't it be in the CPE requirements
> document instead?
>
>  "R2: Packets bearing in their outer IPv6 headers multicast  
> destination
>   addresses of equal or narrower scope that the configured scope
>   boundary level of the gateway MUST NOT be forwarded in any  
> direction.
>   The DEFAULT scope boundary level SHOULD be organization-local  
> scope."
>
> I can't find a definition of "organization-local scope" or even what
> is meant by "configured scope boundary level". Probably the document  
> needs
> a short discussion of what it means by "scope".
>
>  "R5: Packets MAY be discarded if the source and/or destination  
> address
>   in the outer IPv6 header is a unique local address.  By DEFAULT,
>   gateways SHOULD NOT forward packets across unique local address  
> scope
>   boundaries."
>
> I would insert a normative reference to RFC4193.

Good idea.

>  "R28: If a gateway cannot determine whether the endpoints of a TCP
>   connection are active, then it MAY abandon the state record if it  
> has
>   been idle for some time.  In such cases, the value of the
>   "established connection idle-timeout" MUST NOT be less than two  
> hours
>   four minutes."
>
> Two hours four minutes?

The same reasoning as in RFC 5382, hence the informative reference.   
I'll insert an explicit reference into the recommendation paragraph.

>
> "3.3.2.  SCTP Filters"
>
> Reading this section, I wondered whether there is anything to say
> about SHIM6? A TCP session over SHIM6 could simply appear, with
> no SYN/ACK, or disappear, as the shim switches addresses.
>
>  "R31: Gateways MUST implement a protocol to permit applications to
>   solicit inbound traffic without advance knowledge of the addresses  
> of
>   exterior nodes with which they expect to communicate.  This protocol
>   MUST have a specification that meets the requirements of [RFC5378],
>   [RFC3979], [RFC4748] and [RFC4879]."

I think I should relax both these MUST instances to SHOULD instances  
here.  The second sentence should probably have an 'if implemented'  
conditional phrase after the subject.

> It sounds good but it doesn't tell a CPE implementor what to code.

We can't very well tell them to code UPnP IGD for IPv6 until the UPnP  
Forum publishes a specification that meets our requirements.  We can't  
tell them to code ALD, because it's just a draft, and an expired one  
at that.  We might try to tell them to code MIDCOM, but I say good  
luck with that.

This recommendation is basically a stand-in for a more concrete  
recommendation once some kind of de facto standard, if any, emerges.

> Also, is it really part of simple security?

I would argue it is.  Specifically, it's a constraint on simple  
security to ensure that applications are not prevented from soliciting  
inbound flows without knowing in advance the remote addresses of their  
peers.

> I fear you will need to insert the pre-RFC5378 disclaimer.

Why do you think this may be necessary?

>  ** Obsolete normative reference: RFC 4748 (Obsoleted by RFC 5378)
>
>  -- Obsolete informational reference (is this intentional?): RFC 3989
>     (Obsoleted by RFC 5189)

Thanks for catching these.


--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering

v2.23.0 | Report a Bug | By Email