Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC

"Fred Baker (fred)" <fred@cisco.com> Fri, 15 November 2013 18:36 UTC

From: "Fred Baker (fred)" <fred@cisco.com>
To: "v6ops@ietf.org WG" <v6ops@ietf.org>
Thread-Topic: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC
Thread-Index: AQHO4jFqwFfRrQERTkW19poqfBMEFA==
Date: Fri, 15 Nov 2013 18:35:11 +0000
Message-ID: <2BED1CEF-FBF2-490B-8468-8024BCBEC1F0@cisco.com>
References: <201311101900.rAAJ0AR6025350@irp-view13.cisco.com> <528661C5.3060005@forthnet.gr>
In-Reply-To: <528661C5.3060005@forthnet.gr>
Accept-Language: en-US
Content-Language: en-US
Content-Type: multipart/signed; boundary="Apple-Mail=_E547FAE9-A9A2-4892-A179-DBC278B176A2"; protocol="application/pgp-signature"; micalg="pgp-sha1"
MIME-Version: 1.0
Subject: Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC
Precedence: list

On Nov 15, 2013, at 10:02 AM, Tassos Chatzithomaoglou <achatz@forthnet.gr> wrote:

> So, although i support this, i would like to see a note warning about some of the above dangers and noting that extra caution is to be used when following this.

Thanks.

Again, speaking as a participant.

Where I most scratch my head is that the threat the firewall presumably is intended to defend against, and the asset it is trying to defend, is not usually related to a protocol. If we decide that a given protocol number or port number is "universally OK", such as RFC 6092's comments on ESP/AH/IKE, one can expect port-agile attacks to use that port number for whatever protocol they use. If we say that we want a specified server to act as a listener for a protocol, such as a web server for http/https, that doesn't imply that all devices implementing listeners should be exposed as a matter of policy (if you have a Canon MP620 series printer or a Cisco telephone, and its address is X.X.X.X, open http://X.X.X.X, and ask yourself if that's information you want available to the world).

So, blocking a couple of ports doesn't seem to accomplish much from a security perspective. I'm not sure what I would call "security" in this draft, much less "balanced". What the draft does, as near as I can tell, is give service providers something that somebody called a firewall, so that they can tell their customers that have the presence of a firewall as a market requirement that they are deploying a firewall, but depending on their customers to be dumb enough to not realize that the firewall doesn't secure anything.

BTW, as chair, I have asked for a security directorate review of this draft.

Attachment: signature.asc

[v6ops] draft-ietf-v6ops-balanced-ipv6-security W… Fred Baker
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Guillaume Leclanche
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Guillaume Leclanche
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… cb.list6
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ted Lemon
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… cb.list6
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tore Anderson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ted Lemon
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ted Lemon
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark Andrews
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Brian E Carpenter
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Sander Steffann
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… joel jaeggli
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… joel jaeggli
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tassos Chatzithomaoglou
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… cb.list6
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tassos Chatzithomaoglou
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
[v6ops] draft-ietf-v6ops-balanced-ipv6-security W… Fred Baker
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Joe Touch
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… de =?iso-8859-1?q?Br=FCn?=, Markus
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
[v6ops] RFC 6092 [was draft-ietf-v6ops-balanced-i… Brian E Carpenter
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… Marc Lampo
Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… Lorenzo Colitti
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… Brian E Carpenter
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… cb.list6
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Brian E Carpenter

Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC

Attachment: signature.asc