Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows

Brian E Carpenter <brian.e.carpenter@gmail.com> Sun, 23 August 2009 21:01 UTC

Message-ID: <4A91ACF5.2000900@gmail.com>
Date: Mon, 24 Aug 2009 08:56:21 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
CC: james woodyatt <jhw@apple.com>, IPv6 Operations <v6ops@ops.ietf.org>
Subject: Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
References: <805241AA-DC9A-4498-9D54-8D491DD62A0D@apple.com> <2D21500B-207B-43FB-9728-8A7BCEC82CB1@apple.com> <7F9A6D26EB51614FBF9F81C0DA4CFEC80158E120B3E6@il-ex01.ad.checkpoint.com> <47CF65DB-E3E1-4666-B1E9-51A49B372AD5@apple.com> <390865C6-3343-4C31-9767-6E0FCA4481DD@suspicious.org> <ADAD4E36-7059-40F5-B964-607F065639FE@apple.com> <20090823184516.a8667014.ipng@69706e6720323030352d30312d31340a.nosense.org>
In-Reply-To: <20090823184516.a8667014.ipng@69706e6720323030352d30312d31340a.nosense.org>

On 2009-08-23 21:15, Mark Smith wrote:
> On Sat, 22 Aug 2009 22:33:37 -0700
> james woodyatt <jhw@apple.com> wrote:
> 
>> On Aug 22, 2009, at 21:58, Truman Boyes wrote:
>>> This is quite confusing from an implementation perspective; security
>>> is not explicitly increased by prohibiting non-encrypted tunnels but
>>> allowing encrypted (ESP or AH) traffic flows. Wouldn't this simply
>>> serve as a driver to make all tunnel encapsulations use ESP/AH?
>> Yes.  I'm not sure I can explain how this is supposed to increase
>> security, but if consensus in the working group emerges around these
>> recommendations and the draft can proceed through working group last
>> call, then that's good enough for me.
>>
> 
> Maybe I haven't fully understood the question, however isn't the answer
> as simple as the benefits of IPsec over cleartext? Even the
> better-than-nothing-mode of IPsec, while vulnerable to
> man-in-the-middle attacks during session setup, has a much smaller
> window of opportunity for exploitation over clear text traffic.

Not to mention the fact that other secure VPN techniques such as
IP-over-TLS will still be fine through a conforming CPE.

    Brian
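To make the rule under discussion concrete, here is an added example (not from the draft or from any poster in this thread) that walks an IPv6 extension-header chain to find the upper-layer protocol and applies the "ESP/AH allowed, cleartext tunnel encapsulation dropped" policy. It also shows Brian's point: a TLS-based tunnel rides on TCP and is indistinguishable from any other TCP flow at this layer. All packets are constructed inline with unspecified addresses; the protocol numbers are the IANA values.

```python
import struct

# IANA protocol numbers
ESP, AH, IPV4_IN_IPV6, IPV6_IN_IPV6, GRE, TCP, UDP = 50, 51, 4, 41, 47, 6, 17
HOPOPT, ROUTING, FRAGMENT, DSTOPTS = 0, 43, 44, 60
ENCAP = {IPV4_IN_IPV6, IPV6_IN_IPV6, GRE}   # cleartext tunnel encapsulations
IPSEC = {ESP, AH}                           # encrypted / authenticated flows

def upper_layer_protocol(pkt: bytes) -> int:
    """Walk the IPv6 extension-header chain and return the first
    next-header value that is not an extension header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40
    while nh in (HOPOPT, ROUTING, FRAGMENT, DSTOPTS):
        # byte 0: next header; byte 1: length in 8-octet units, not counting
        # the first 8 (the fragment header's byte 1 is reserved/zero, so the
        # same formula yields its fixed 8 octets)
        nh, ext_len = pkt[off], pkt[off + 1]
        off += (ext_len + 1) * 8
        if off > len(pkt):
            raise ValueError("truncated extension header chain")
    return nh

def cpe_policy(pkt: bytes) -> str:
    """Decision a CPE applying the discussed rule would take on one packet."""
    proto = upper_layer_protocol(pkt)
    if proto in IPSEC:
        return "allow"   # ESP/AH pass
    if proto in ENCAP:
        return "drop"    # unencrypted tunnels are filtered
    return "allow"       # plain transport; IP-over-TLS looks like any TCP flow

def ipv6(next_header: int, payload: bytes = b"") -> bytes:
    # constructed IPv6 header: version 6, payload length, next header, hop limit 64
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                      b"\0" * 16, b"\0" * 16)
    return hdr + payload

def with_dstopts(next_header: int) -> bytes:
    # constructed 8-octet Destination Options header (ext_len 0, one PadN)
    # placed in front of the upper layer, to exercise the chain walk
    return ipv6(DSTOPTS, bytes([next_header, 0]) + b"\x01\x04" + b"\0" * 4)
```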