Re: AD review of draft-krishnan-v6ops-teredo-update
Suresh Krishnan <suresh.krishnan@ericsson.com> Tue, 27 April 2010 23:10 UTC
Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 77D833A6924 for <ietfarch-v6ops-archive@core3.amsl.com>; Tue, 27 Apr 2010 16:10:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.738
X-Spam-Level:
X-Spam-Status: No, score=-1.738 tagged_above=-999 required=5 tests=[AWL=-2.732, BAYES_05=-1.11, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uzapKwKvyla3 for <ietfarch-v6ops-archive@core3.amsl.com>; Tue, 27 Apr 2010 16:10:01 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 44CC93A6915 for <v6ops-archive@lists.ietf.org>; Tue, 27 Apr 2010 16:10:01 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.71 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1O6tru-0005D6-QG for v6ops-data0@psg.com; Tue, 27 Apr 2010 23:07:06 +0000
Received: from [198.24.6.13] (helo=imr3.ericy.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.71 (FreeBSD)) (envelope-from <suresh.krishnan@ericsson.com>) id 1O6trp-0005AV-1h for v6ops@ops.ietf.org; Tue, 27 Apr 2010 23:07:01 +0000
Received: from eusaamw0711.eamcs.ericsson.se ([147.117.20.178]) by imr3.ericy.com (8.13.8/8.13.8) with ESMTP id o3RN6w0j004775 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 27 Apr 2010 18:06:59 -0500
Received: from [142.133.10.113] (147.117.20.212) by eusaamw0711.eamcs.ericsson.se (147.117.20.179) with Microsoft SMTP Server id 8.1.375.2; Tue, 27 Apr 2010 19:06:58 -0400
Message-ID: <4BD76C98.2030003@ericsson.com>
Date: Tue, 27 Apr 2010 19:00:40 -0400
From: Suresh Krishnan <suresh.krishnan@ericsson.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: Jari Arkko <jari.arkko@piuha.net>
CC: "draft-krishnan-v6ops-teredo-update@tools.ietf.org" <draft-krishnan-v6ops-teredo-update@tools.ietf.org>, 'IPv6 Operations' <v6ops@ops.ietf.org>
Subject: Re: AD review of draft-krishnan-v6ops-teredo-update
References: <4BD6A16E.5090601@piuha.net>
In-Reply-To: <4BD6A16E.5090601@piuha.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>
Hi Jari, Thanks for the comments. I will address them in a new version by the end of this week. Thanks Suresh On 10-04-27 04:33 AM, Jari Arkko wrote: > I have reviewed this draft and have the following comments. In general, > the draft is in good shape and can move forward. I have two small > technical issues and a few minor editorial ones. Nevertheless, I have > decided to initiate last call, but I would appreciate a quick document > update in the next few days to correct these issues. > > Technical: >> Teredo Client: A node that has access to the IPv4 Internet and wants >> to gain access to the IPv6 Internet. >> > There are lots of such nodes, but not all of them are Teredo clients, > i.e., implement the Teredo protocol... please correct the definition. > >> Opening a hole in an enterprise firewall >> [I-D.ietf-v6ops-tunnel-security-concerns <http://tools.ietf.org/html/draft-krishnan-v6ops-teredo-update-06#ref-I-D.ietf-v6ops-tunnel-security-concerns>]: Teredo is NOT RECOMMENDED >> as a solution for managed networks. Administrators of such networks >> may wish to filter all Teredo traffic at the boundaries of their >> networks. >> > > I'm not sure the term "managed networks" is a correct one here. There > are many types of managed networks, some care about blocking Teredo and > some would not. Suggested rewrite: > > "Opening a hole in an enterprise firewall > [I-D.ietf-v6ops-tunnel-security-concerns]: Teredo is NOT RECOMMENDED as > a solution for networks that wish to implement strict controls for what > traffic passes to and from the Internet. Administrators of such > networks may wish to filter all Teredo traffic at the boundaries of > their networks." > > (Also, speaking personally, I may not completely agree with the > conclusions from draft-ietf-v6ops-tunnel-security-concerns that > inspection of tunneled traffic is always hard and inefficient. I think > there is some room to allow firewalls to inspect tunneling traffic on > top of well-known and established tunneling protocols such as Teredo.) > > Editorial: > >> Teredo IPv6 Address: An IPv6 address that starts with the prefix >> 2001:0000:/32 and is formed as specified in [RFC4380] section 2.14 <http://tools.ietf.org/html/rfc4380#section-2.14>. >> > > Wouldn't Section 4 be a better reference here? > >> Teredo addresses are structured and some of the fields contained in >> them are fairly predictable. This can be used to better predict the >> address. >> > > I would rewrite the second sentence (which currently doesn't say much) > as follows: "This makes it easier to predict an address, opening a > (small) vulnerability." > >> open on a IPv4 address, prior to trying to form a Teredo address for > s/on a/on an/ > >> 4. Acknowledgments >> .... >> 5. Security Considerations > > I think it would be better if all the technical parts of the document > were explained first, followed by the acknowledgment section. That is, I > think Section 5 would come more naturally before Section 4. > > Jari
- AD review of draft-krishnan-v6ops-teredo-update Jari Arkko
- Re: AD review of draft-krishnan-v6ops-teredo-upda… Suresh Krishnan