Re: I-D.ietf-v6ops-cpe-simple-security-09

[Mark Townsley <townsley@cisco.com>]

On 3/21/10 9:08 AM, Mark Smith wrote:
> Hi James,
>
> On Sat, 20 Mar 2010 23:00:40 -0700
> james woodyatt<jhw@apple.com>  wrote:
>
>    
>> On Mar 20, 2010, at 18:00, Mark Smith wrote:
>>      
>>> One thing that does seem to be missing from the draft is a specific list of threats it is attempting to mitigate i.e. a threat model.
>>>        
>> RFC 4864 doesn't offer one, and its authors haven't offered much in the way of specifics to the discussion here or on the design team list.  Perhaps, you'd like to offer a contribution?
>>
>>      
> While threat model is probably the correct term, more broadly I think
> probably something of a problem statement i.e. what security measures
> the CPE does provide, and what it doesn't, probably with some
> justification.
>
> I think the role of IPv6 CPE in the residential Internet security model
> is different to the role IPv4/NAT CPE commonly is or was capable of
> playing.
>
> Stating the obvious, IPv4/NAT provides a much harder boundary between
> internal and external devices, primarily due to the nature of NAPT.
> NAPT by it's nature provides a default deny to inbound traffic. That's
> what breaks end-to-end. Because of that harder boundary, I think
> end-user expectations are that the IPv4/NAPT CPE can perform much
> more of a primary security role when it comes to protecting them from
> the Internet.
>
> The nature of the operation of NAPT inherently defined a set of threats
> that it protected against.
>
> With IPv6/CPE security, by trying to restore end-to-end, I think we're
> inherently reducing the security that people formerly had with
> IPv4/NAPT CPE. End nodes will now have to play more of a primary
> security role, with filtering IPv6/CPE providing an
> assisting/secondary/defence in depth role.
>    
Which that vast majority of IPv6-enabled devices already do.

- Mark
> Now that IPv6 end-nodes will be "burdened" with more security
> responsibility, I think it is important to make sure it is clear that
> the security functions performed in IPv6 CPE aren't exactly the
> same as as they were in IPv4/NAPT CPE.
>    





>
>    
>> The Overview contains my best attempt at explaining what considerations I think are really in play behind the CPE Simple Security recommendation.  Here's what I think is the most relevant excerpt:
>>
>>      
>>>> The stateful packet filtering behavior of NAT set user expectations that persist today with residential IPv6 service.  "Local Network Protection for IPv6" [RFC4864] recommends applying stateful packet filtering at residential IPv6 gateways that conforms to the user expectations already in place.
>>>>          
>> In other words, we recommend filtering at the middlebox-- making IPv6 routers do filtering like IPv4/NAT gateways do-- because "defense in depth" is a virtue in and of itself, and that Internet users have come to expect it.  Apparently, there's a consensus in IETF that this is enough reason to do it, and I strongly suspect that an explicit threat model might be inviting more controversy than anyone wants to endure.
>>
>>
>>      
> Regards,
> Mark.
>
>
>