Re: draft-ietf-v6ops-cpe-simple-security-04 WGLC
Brian E Carpenter <brian.e.carpenter@gmail.com> Thu, 16 April 2009 23:32 UTC
Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F3A3B3A68C8 for <ietfarch-v6ops-archive@core3.amsl.com>; Thu, 16 Apr 2009 16:32:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.09
X-Spam-Level:
X-Spam-Status: No, score=-1.09 tagged_above=-999 required=5 tests=[AWL=-1.195, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, SARE_BAYES_5x7=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AF83iax9SkJP for <ietfarch-v6ops-archive@core3.amsl.com>; Thu, 16 Apr 2009 16:32:30 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id C000F3A67C0 for <v6ops-archive@lists.ietf.org>; Thu, 16 Apr 2009 16:32:29 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1LuazG-0007S5-4w for v6ops-data0@psg.com; Thu, 16 Apr 2009 23:27:18 +0000
Received: from [209.85.146.180] (helo=wa-out-1112.google.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <brian.e.carpenter@gmail.com>) id 1Luaz3-0007RZ-JH for v6ops@ops.ietf.org; Thu, 16 Apr 2009 23:27:11 +0000
Received: by wa-out-1112.google.com with SMTP id j37so310906waf.9 for <v6ops@ops.ietf.org>; Thu, 16 Apr 2009 16:27:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :organization:user-agent:mime-version:to:cc:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=ojYk6g8H8gYz54tgsAPD3na3QpVAHwntymmAWZWhwKA=; b=pY0clx1DRmuaGZ8OCl5jUGALtPsllvvW3HlBcKtq3s3XSXQLiIyfcfTwSp6izeuIH2 ZWC6ovgohXKViHD1E8ECkk9O3ODwb7/j7uQy6tx63cBtvl/TRzaIwJ60I4mIlZu88t5d pWPAe3dWP127rUx7NeNJBrV4WH6d6whNosFM0=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; b=gNuiNantwkUBSEfOGI9deTckLBKIXpjo508ovhlc3batZLimlDtKOqWgy6PL3j2K4Q wo1yE/Ne8G9VRoQdK6ufJRqX4Mab3ywInc7SiwYQHVWP0wHL8Bnj+N15xXYBge+8NJD5 gghJMQCqgaLSlz4W7QZOYrH+ogvfpgiYRZjgE=
Received: by 10.114.60.7 with SMTP id i7mr439886waa.174.1239924424538; Thu, 16 Apr 2009 16:27:04 -0700 (PDT)
Received: from ?130.216.38.124? (stf-brian.sfac.auckland.ac.nz [130.216.38.124]) by mx.google.com with ESMTPS id m6sm1953450wag.14.2009.04.16.16.27.02 (version=SSLv3 cipher=RC4-MD5); Thu, 16 Apr 2009 16:27:03 -0700 (PDT)
Message-ID: <49E7BEC5.5070300@gmail.com>
Date: Fri, 17 Apr 2009 11:27:01 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Fred Baker <fred@cisco.com>
CC: IPv6 Operations <v6ops@ops.ietf.org>, kurtis@kurtis.pp.se, rbonica@juniper.net
Subject: Re: draft-ietf-v6ops-cpe-simple-security-04 WGLC
References: <32129337-7BED-4D7A-AF06-BC5ABB37D994@cisco.com>
In-Reply-To: <32129337-7BED-4D7A-AF06-BC5ABB37D994@cisco.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>
IMHO this is an important document, and almost ready to be a BCP, but a few points need attention: It pains me to say it, but I think the following sentence in the Overview section should simply be deleted: "It should be noted that NAT for IPv6 is both strictly forbidden by the standards documents and strongly deprecated by Internet operators." There's no way this sentence won't be controversial at the IESG stage, and any attempt to wordsmith it will be highly painful for all concerned. Deleting it doesn't change the value or recommendations of the draft. At the bottom of page 4: "As the latest revision of this document is being drafted, conventional stateful packet filters are activated as a side effect of outbound flow initiations from interior network nodes." I can't parse this sentence. What does "are activated" mean? By who, in which boxes? And does the first clause just mean "Today, " ? "2.1. Basic Sanitation In addition to the functions required of all Internet routers [RFC4294], residential gateways are expected to have basic stateless filters for prohibiting certains kinds of traffic with invalid headers, e.g. martian packets, spoofs, routing header type code zero, etc." I think 'martian' needs a definition. Also, should this section say something about ICMP in general? In section 2.2: "To prevent Teredo from acquiring a utility that it was never meant to have on networks where both IPv4/NAT and native IPv6 services are available, gateways MUST impede Teredo tunnels by blocking clients from learning their mapped addresses and ports in the qualification procedure described in sections 5.2.1 and 5.2.2 of [RFC4380]." Just to avoid silly misunderstandings, could we s/gateways/gateways on such networks/ please? Also, I don't think we can justify MUST; how about SHOULD? Also, should this topic also cover 6to4? Hosts behind an IPv6 CPE SHOULD NOT use host 6to4 based on RFC3068. However, I have to wonder why this whole topic (Teredo+6to4) is relevant to this document. Shouldn't it be in the CPE requirements document instead? "R2: Packets bearing in their outer IPv6 headers multicast destination addresses of equal or narrower scope that the configured scope boundary level of the gateway MUST NOT be forwarded in any direction. The DEFAULT scope boundary level SHOULD be organization-local scope." I can't find a definition of "organization-local scope" or even what is meant by "configured scope boundary level". Probably the document needs a short discussion of what it means by "scope". "R5: Packets MAY be discarded if the source and/or destination address in the outer IPv6 header is a unique local address. By DEFAULT, gateways SHOULD NOT forward packets across unique local address scope boundaries." I would insert a normative reference to RFC4193. "R28: If a gateway cannot determine whether the endpoints of a TCP connection are active, then it MAY abandon the state record if it has been idle for some time. In such cases, the value of the "established connection idle-timeout" MUST NOT be less than two hours four minutes." Two hours four minutes? "3.3.2. SCTP Filters" Reading this section, I wondered whether there is anything to say about SHIM6? A TCP session over SHIM6 could simply appear, with no SYN/ACK, or disappear, as the shim switches addresses. "R31: Gateways MUST implement a protocol to permit applications to solicit inbound traffic without advance knowledge of the addresses of exterior nodes with which they expect to communicate. This protocol MUST have a specification that meets the requirements of [RFC5378], [RFC3979], [RFC4748] and [RFC4879]." It sounds good but it doesn't tell a CPE implementor what to code. Also, is it really part of simple security? I'm not sure that I have a constructive suggestion, but maybe the hard requirement should be more firewallish: gateways must not allow unsolicited inbound traffic by default? With the solicitation mechanisms being out of scope for this document? "Much of the text describing the detailed requirements for TCP and UDP filtering is derived or transposed from [RFC5382] and [RFC4787], and some form of attribution here may therefore be appopriate." I fear you will need to insert the pre-RFC5378 disclaimer. ** Obsolete normative reference: RFC 4748 (Obsoleted by RFC 5378) -- Obsolete informational reference (is this intentional?): RFC 3989 (Obsoleted by RFC 5189) Brian
- draft-ietf-v6ops-cpe-simple-security-04 WGLC Fred Baker
- RE: draft-ietf-v6ops-cpe-simple-security-04 WGLC Hemant Singh (shemant)
- Re: draft-ietf-v6ops-cpe-simple-security-04 WGLC james woodyatt
- Re: draft-ietf-v6ops-cpe-simple-security-04 WGLC Fred Baker
- Re: draft-ietf-v6ops-cpe-simple-security-04 WGLC Brian E Carpenter
- Re: draft-ietf-v6ops-cpe-simple-security-04 WGLC Fred Baker
- Re: draft-ietf-v6ops-cpe-simple-security-04 WGLC james woodyatt
- Re: draft-ietf-v6ops-cpe-simple-security-04 WGLC Brian E Carpenter
- RE: draft-ietf-v6ops-cpe-simple-security-04 WGLC teemu.savolainen
- RE: draft-ietf-v6ops-cpe-simple-security-04 WGLC Dan Wing
- Re: draft-ietf-v6ops-cpe-simple-security-04 WGLC Fred Baker
- Re: draft-ietf-v6ops-cpe-simple-security-04 WGLC james woodyatt
- RE: draft-ietf-v6ops-cpe-simple-security-04 WGLC Dan Wing
- RE: draft-ietf-v6ops-cpe-simple-security-04 WGLC teemu.savolainen
- Re: draft-ietf-v6ops-cpe-simple-security-04 WGLC Joel Jaeggli
- Re: draft-ietf-v6ops-cpe-simple-security-04 WGLC james woodyatt
- Re: draft-ietf-v6ops-cpe-simple-security-04 WGLC Fred Baker