IETF Logo Mail Archive

Re: draft-ietf-v6ops-cpe-simple-security-04 WGLC

Brian E Carpenter <brian.e.carpenter@gmail.com> Thu, 16 April 2009 23:32 UTC

Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F3A3B3A68C8 for <ietfarch-v6ops-archive@core3.amsl.com>; Thu, 16 Apr 2009 16:32:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.09
X-Spam-Level:
X-Spam-Status: No, score=-1.09 tagged_above=-999 required=5 tests=[AWL=-1.195, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, SARE_BAYES_5x7=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AF83iax9SkJP for <ietfarch-v6ops-archive@core3.amsl.com>; Thu, 16 Apr 2009 16:32:30 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id C000F3A67C0 for <v6ops-archive@lists.ietf.org>; Thu, 16 Apr 2009 16:32:29 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1LuazG-0007S5-4w for v6ops-data0@psg.com; Thu, 16 Apr 2009 23:27:18 +0000
Received: from [209.85.146.180] (helo=wa-out-1112.google.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <brian.e.carpenter@gmail.com>) id 1Luaz3-0007RZ-JH for v6ops@ops.ietf.org; Thu, 16 Apr 2009 23:27:11 +0000
Received: by wa-out-1112.google.com with SMTP id j37so310906waf.9 for <v6ops@ops.ietf.org>; Thu, 16 Apr 2009 16:27:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :organization:user-agent:mime-version:to:cc:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=ojYk6g8H8gYz54tgsAPD3na3QpVAHwntymmAWZWhwKA=; b=pY0clx1DRmuaGZ8OCl5jUGALtPsllvvW3HlBcKtq3s3XSXQLiIyfcfTwSp6izeuIH2 ZWC6ovgohXKViHD1E8ECkk9O3ODwb7/j7uQy6tx63cBtvl/TRzaIwJ60I4mIlZu88t5d pWPAe3dWP127rUx7NeNJBrV4WH6d6whNosFM0=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; b=gNuiNantwkUBSEfOGI9deTckLBKIXpjo508ovhlc3batZLimlDtKOqWgy6PL3j2K4Q wo1yE/Ne8G9VRoQdK6ufJRqX4Mab3ywInc7SiwYQHVWP0wHL8Bnj+N15xXYBge+8NJD5 gghJMQCqgaLSlz4W7QZOYrH+ogvfpgiYRZjgE=
Received: by 10.114.60.7 with SMTP id i7mr439886waa.174.1239924424538; Thu, 16 Apr 2009 16:27:04 -0700 (PDT)
Received: from ?130.216.38.124? (stf-brian.sfac.auckland.ac.nz [130.216.38.124]) by mx.google.com with ESMTPS id m6sm1953450wag.14.2009.04.16.16.27.02 (version=SSLv3 cipher=RC4-MD5); Thu, 16 Apr 2009 16:27:03 -0700 (PDT)
Message-ID: <49E7BEC5.5070300@gmail.com>
Date: Fri, 17 Apr 2009 11:27:01 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Fred Baker <fred@cisco.com>
CC: IPv6 Operations <v6ops@ops.ietf.org>, kurtis@kurtis.pp.se, rbonica@juniper.net
Subject: Re: draft-ietf-v6ops-cpe-simple-security-04 WGLC
References: <32129337-7BED-4D7A-AF06-BC5ABB37D994@cisco.com>
In-Reply-To: <32129337-7BED-4D7A-AF06-BC5ABB37D994@cisco.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>

IMHO this is an important document, and almost ready to be a BCP, but
a few points need attention:

It pains me to say it, but I think the following sentence in the
Overview section should simply be deleted:

  "It should be noted that NAT for IPv6 is both strictly forbidden by
   the standards documents and strongly deprecated by Internet
   operators."

There's no way this sentence won't be controversial at the IESG stage,
and any attempt to wordsmith it will be highly painful for all concerned.
Deleting it doesn't change the value or recommendations of the draft.

At the bottom of page 4:

  "As the latest revision of this document is being drafted,
   conventional stateful packet filters are activated as a side effect
   of outbound flow initiations from interior network nodes."

I can't parse this sentence. What does "are activated" mean? By who, in
which boxes? And does the first clause just mean "Today, " ?

"2.1.  Basic Sanitation

   In addition to the functions required of all Internet routers
   [RFC4294], residential gateways are expected to have basic stateless
   filters for prohibiting certains kinds of traffic with invalid
   headers, e.g. martian packets, spoofs, routing header type code zero,
   etc."

I think 'martian' needs a definition.

Also, should this section say something about ICMP in general?


In section 2.2:
  "To prevent Teredo from
   acquiring a utility that it was never meant to have on networks where
   both IPv4/NAT and native IPv6 services are available, gateways MUST
   impede Teredo tunnels by blocking clients from learning their mapped
   addresses and ports in the qualification procedure described in
   sections 5.2.1 and 5.2.2 of [RFC4380]."

Just to avoid silly misunderstandings, could we
s/gateways/gateways on such networks/ please?
Also, I don't think we can justify MUST; how about SHOULD?

Also, should this topic also cover 6to4? Hosts behind an IPv6 CPE
SHOULD NOT use host 6to4 based on RFC3068.

However, I have to wonder why this whole topic (Teredo+6to4) is
relevant to this document. Shouldn't it be in the CPE requirements
document instead?

  "R2: Packets bearing in their outer IPv6 headers multicast destination
   addresses of equal or narrower scope that the configured scope
   boundary level of the gateway MUST NOT be forwarded in any direction.
   The DEFAULT scope boundary level SHOULD be organization-local scope."

I can't find a definition of "organization-local scope" or even what
is meant by "configured scope boundary level". Probably the document needs
a short discussion of what it means by "scope".

  "R5: Packets MAY be discarded if the source and/or destination address
   in the outer IPv6 header is a unique local address.  By DEFAULT,
   gateways SHOULD NOT forward packets across unique local address scope
   boundaries."

I would insert a normative reference to RFC4193.

  "R28: If a gateway cannot determine whether the endpoints of a TCP
   connection are active, then it MAY abandon the state record if it has
   been idle for some time.  In such cases, the value of the
   "established connection idle-timeout" MUST NOT be less than two hours
   four minutes."

Two hours four minutes?

"3.3.2.  SCTP Filters"

Reading this section, I wondered whether there is anything to say
about SHIM6? A TCP session over SHIM6 could simply appear, with
no SYN/ACK, or disappear, as the shim switches addresses.

  "R31: Gateways MUST implement a protocol to permit applications to
   solicit inbound traffic without advance knowledge of the addresses of
   exterior nodes with which they expect to communicate.  This protocol
   MUST have a specification that meets the requirements of [RFC5378],
   [RFC3979], [RFC4748] and [RFC4879]."

It sounds good but it doesn't tell a CPE implementor what to code.
Also, is it really part of simple security?

I'm not sure that I have a constructive suggestion, but maybe the
hard requirement should be more firewallish: gateways must not
allow unsolicited inbound traffic by default? With the solicitation
mechanisms being out of scope for this document?

  "Much of the text describing the detailed requirements for TCP and UDP
   filtering is derived or transposed from [RFC5382] and [RFC4787], and
   some form of attribution here may therefore be appopriate."

I fear you will need to insert the pre-RFC5378 disclaimer.

  ** Obsolete normative reference: RFC 4748 (Obsoleted by RFC 5378)

  -- Obsolete informational reference (is this intentional?): RFC 3989
     (Obsoleted by RFC 5189)

   Brian

v2.23.0 | Report a Bug | By Email