Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC

Lorenzo Colitti <lorenzo@google.com> Wed, 20 November 2013 10:02 UTC

In-Reply-To: <CAB0C4xPYq4yvi+08_ogsg7VDt1pUBPkmnChp_K3jNvEoVKYBJg@mail.gmail.com>
References: <201311101900.rAAJ0AR6025350@irp-view13.cisco.com> <CAB0C4xOfz_JAjEEJZ-Zz7MBEyZhVzrAE+8Ghf1ggC3+9pyHmNg@mail.gmail.com> <989B8ED6-273E-45D4-BFD8-66A1793A1C9F@cisco.com> <5288FC15.5080508@globis.net> <CAKD1Yr1gQ8r80NxbJwxbNc8esm1ekk1JGMUoQo712CpvLJ8ogw@mail.gmail.com> <CAB0C4xOej1KhU2cA_edozG98V8ah1LgqDcu4RdwpXyQTRYRS_w@mail.gmail.com> <CAKD1Yr3uVmiS6Xqhx_qeFEeWnBkaax5CN2Zb5yu8CeML1tzBHA@mail.gmail.com> <CAB0C4xPYq4yvi+08_ogsg7VDt1pUBPkmnChp_K3jNvEoVKYBJg@mail.gmail.com>
From: Lorenzo Colitti <lorenzo@google.com>
Date: Wed, 20 Nov 2013 19:01:43 +0900
Message-ID: <CAKD1Yr0pNGU22Xv3zBhFnErokGqoVbD9ZKbeFkj6QOi=v=+LoA@mail.gmail.com>
To: Marc Lampo <marc.lampo.ietf@gmail.com>
Cc: Ray Hunter <v6ops@globis.net>, "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC

It's not a second choice:

5. MAY   This word, or the adjective "OPTIONAL", mean that an item is
   truly optional.  One vendor may choose to include the item because a
   particular marketplace requires it or because the vendor feels that
   it enhances the product while another vendor may omit the same item.

So no, RFC6092 and this document do not disagree. If you read the MAY in
REC-49 as "is", then the two documents are compatible (the other point you
cite, REC-34, is sort of irrelevant at that point).

On Wed, Nov 20, 2013 at 6:37 PM, Marc Lampo <marc.lampo.ietf@gmail.com> wrote:

> Yes, RFC 6092 recommends that unsolicited packets be dropped by default!
>
>   REC-34  By DEFAULT, a gateway MUST respond with an ICMPv6
>            "Destination Unreachable" error code 1 (Communication with
>            destination administratively prohibited), to any unsolicited
>            inbound SYN packet after waiting at least 6 seconds without
>            first forwarding the associated outbound SYN or SYN/ACK from
>            the interior peer.
>
> "transparent mode" "MAY" be the default (which, in the context, I
> interpret as a kind of "second choice")
>
>    REC-49  Internet gateways with IPv6 simple security capabilities MUST
>            provide an easily selected configuration option that permits
>            a "transparent mode" of operation that forwards all
>            unsolicited flows regardless of forwarding direction, i.e.,
>            not to use the IPv6 simple security capabilities of the
>            gateway.  The transparent mode of operation MAY be the
>            default configuration.
>
> On Wed, Nov 20, 2013 at 9:10 AM, Lorenzo Colitti <lorenzo@google.com> wrote:
>
>> On Wed, Nov 20, 2013 at 5:01 PM, Marc Lampo <marc.lampo.ietf@gmail.com> wrote:
>>
>>> This document states, for several recommendations in RFC 6092, exactly
>>> the opposite of that document.
>>>
>>
>> Which ones? Obviously you're not suggesting that RFC 6092 recommends that
>> unsolicited inbound packets be dropped by default, right? Because it
>> doesn't say that.
>>
>>
>>> In addition, as I touched in my very first reaction, this draft lists a
>>> number of threats - section 2.
>>>  But, in my opinion, none of those threats are addressed by the rules
>>> for balanced security - section 3.1.
>>>  (my first comment only referred to the last threat on covert channels,
>>> but I must rephrase)
>>>
>>
>> Do you have text to suggest?
>>
>>
>>> In reply to the question : yes, personally I would be happier if the ISP
>>> dropped all unsolicited packets towards my network (except IPsec).
>>>
>>
>> And there are people in this working group that will never agree with
>> you. For example, I will never agree with you.
>>
>> But fortunately, that has no relevance on this document. Since this
>> document does not recommend a security policy, saying "I don't like the
>> security policy" (which is your opinion, and one you're perfectly entitled
>> to) is not a valid reason not to publish this document.
>>
>
>
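The two recommendations the thread quotes, REC-34 (answer an unsolicited inbound SYN with an ICMPv6 Destination Unreachable, code 1, only after waiting at least 6 seconds for a matching outbound SYN or SYN/ACK from the interior) and REC-49 (a selectable "transparent mode" that forwards all unsolicited flows), are easiest to compare as a small state machine. The model below is an added illustration written for this archive page; it is not code from RFC 6092, the draft, or any participant in the thread. The packet trace, the 2001:db8:: addresses and the class and function names are constructed for the example, and the flow-tracking logic is a deliberately reduced version of what a real CPE filter would keep.

```python
# Model of the RFC 6092 REC-34 / REC-49 gateway behaviour quoted in the thread.
# Added example, not RFC 6092 or IETF reference code; the trace is constructed.
from dataclasses import dataclass, field

ICMPV6_DEST_UNREACH = 1      # ICMPv6 "Destination Unreachable" message type
CODE_ADMIN_PROHIBITED = 1    # code 1: communication administratively prohibited
SYN_HOLD_SECONDS = 6.0       # REC-34: wait at least 6 s before sending the error


@dataclass(frozen=True)
class Segment:
    t: float          # arrival time at the gateway, in seconds
    direction: str    # "in" = from the Internet, "out" = from the interior network
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

    def flow(self):
        # Normalise to (interior addr, interior port, exterior addr, exterior port)
        # so an inbound reply matches the outbound segment that opened the flow.
        if self.direction == "out":
            return (self.src, self.sport, self.dst, self.dport)
        return (self.dst, self.dport, self.src, self.sport)


@dataclass
class SimpleSecurityGateway:
    transparent: bool = False                        # REC-49 "transparent mode"
    flows: set = field(default_factory=set)          # flows the interior opened/answered
    pending: dict = field(default_factory=dict)      # unsolicited inbound SYN -> first seen
    icmp_errors: list = field(default_factory=list)  # (time, exterior addr, type, code)

    def handle(self, seg):
        """Return 'forward' or 'drop' for one segment (default mode is stateful)."""
        self.expire(seg.t)
        if self.transparent:
            return "forward"          # REC-49: no simple-security filtering at all
        key = seg.flow()
        if seg.direction == "out":
            if seg.syn:
                # Interior peer opened (SYN) or answered (SYN/ACK) this flow, so the
                # REC-34 timer for a matching unsolicited SYN, if any, is cancelled.
                self.flows.add(key)
                self.pending.pop(key, None)
            return "forward"
        if key in self.flows:
            return "forward"          # reply traffic for a flow the interior started
        if seg.syn and not seg.ack:
            # Unsolicited inbound SYN: not forwarded, but remembered so that the
            # 6-second window of REC-34 starts at the first copy, not at a retransmit.
            self.pending.setdefault(key, seg.t)
        return "drop"

    def expire(self, now):
        """REC-34: after >= 6 s with no matching outbound SYN/SYN-ACK, emit ICMPv6 1/1."""
        for key, first_seen in list(self.pending.items()):
            if now - first_seen >= SYN_HOLD_SECONDS:
                exterior_addr = key[2]
                self.icmp_errors.append(
                    (now, exterior_addr, ICMPV6_DEST_UNREACH, CODE_ADMIN_PROHIBITED))
                del self.pending[key]


def run_trace(transparent=False):
    """Replay a constructed trace and return (verdicts, ICMPv6 errors generated)."""
    gw = SimpleSecurityGateway(transparent=transparent)
    inside, outside = "2001:db8:1::10", "2001:db8:feed::1"   # constructed addresses
    trace = [
        Segment(0.0, "in", outside, 40000, inside, 22, syn=True),              # unsolicited SYN
        Segment(1.0, "out", inside, 50000, outside, 443, syn=True),            # interior opens a flow
        Segment(1.2, "in", outside, 443, inside, 50000, syn=True, ack=True),   # its SYN/ACK reply
        Segment(3.0, "in", outside, 40000, inside, 22, syn=True),              # retransmit of the first SYN
        Segment(7.0, "in", outside, 40001, inside, 80, syn=True),              # another unsolicited SYN
    ]
    verdicts = [gw.handle(s) for s in trace]
    gw.expire(10.0)   # final timer sweep; the t=7.0 SYN is still inside its window
    return verdicts, gw.icmp_errors


if __name__ == "__main__":
    for mode in (False, True):
        v, errs = run_trace(transparent=mode)
        print("transparent" if mode else "default", v, errs)
```

In default mode the first unsolicited SYN is dropped, its retransmit at t=3.0 is dropped without restarting the timer, and the ICMPv6 type 1 / code 1 error is emitted at t=7.0, the first sweep after the 6-second window has elapsed; the interior-initiated flow and its SYN/ACK reply are forwarded throughout. With `transparent=True` every segment is forwarded and no error is ever generated, which is the operational difference the two quoted recommendations describe.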