Re: I-D.ietf-v6ops-cpe-simple-security-09
Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org> Mon, 22 March 2010 08:57 UTC
Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E61813A6A21 for <ietfarch-v6ops-archive@core3.amsl.com>; Mon, 22 Mar 2010 01:57:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.567
X-Spam-Level:
X-Spam-Status: No, score=0.567 tagged_above=-999 required=5 tests=[AWL=0.108, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13, FH_RELAY_NODNS=1.451, HELO_EQ_AU=0.377, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RRhZ3V4iUmpR for <ietfarch-v6ops-archive@core3.amsl.com>; Mon, 22 Mar 2010 01:57:27 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id A45AC28C0FA for <v6ops-archive@lists.ietf.org>; Mon, 22 Mar 2010 01:57:03 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.71 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1NtdMf-0008cV-OH for v6ops-data0@psg.com; Mon, 22 Mar 2010 08:52:01 +0000
Received: from [202.136.110.251] (helo=smtp2.adam.net.au) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.71 (FreeBSD)) (envelope-from <ipng@69706e6720323030352d30312d31340a.nosense.org>) id 1NtdMX-0008bY-HU for v6ops@ops.ietf.org; Mon, 22 Mar 2010 08:51:53 +0000
Received: from 219-90-253-216.ip.adam.com.au ([219.90.253.216] helo=opy.nosense.org) by smtp2.adam.net.au with esmtp (Exim 4.63) (envelope-from <ipng@69706e6720323030352d30312d31340a.nosense.org>) id 1NtdMP-0000JM-Nn; Mon, 22 Mar 2010 19:21:45 +1030
Received: from opy.nosense.org (localhost.localdomain [IPv6:::1]) by opy.nosense.org (Postfix) with ESMTP id 1C0C04930C; Mon, 22 Mar 2010 19:21:45 +1030 (CST)
Date: Mon, 22 Mar 2010 19:21:44 +1030
From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
To: Mark Townsley <townsley@cisco.com>
Cc: Brian E Carpenter <brian.e.carpenter@gmail.com>, james woodyatt <jhw@apple.com>, Gert Doering <gert@space.net>, IPv6 Operations <v6ops@ops.ietf.org>
Subject: Re: I-D.ietf-v6ops-cpe-simple-security-09
Message-ID: <20100322192144.07423809@opy.nosense.org>
In-Reply-To: <4BA7230E.6020505@cisco.com>
References: <D6F5ACD2-EB43-477E-9F48-AC3EDB3F7EB4@apple.com> <4BA3BBCF.2090903@cisco.com> <4BA3D1B3.4010501@gmail.com> <4BA3DAAA.10000@cisco.com> <4BA40DD1.7080306@gmail.com> <6C168711-6A34-4487-9911-92766513183C@apple.com> <4BA522E8.7050504@cisco.com> <4BA56626.20606@gmail.com> <20100321133831.GL69383@Space.Net> <4BA6575D.7070300@gmail.com> <4BA670ED.1020302@cisco.com> <D69F1DE6-D24D-45AA-95D0-99B63E62A1EE@apple.com> <4BA68F61.7020005@cisco.com> <4BA69A3D.7@gmail.com> <4BA7230E.6020505@cisco.com>
X-Mailer: Claws Mail 3.7.5 (GTK+ 2.18.7; x86_64-unknown-linux-gnu)
X-Location: Lower Mitcham, South Australia, 5062
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>
On Mon, 22 Mar 2010 08:58:06 +0100 Mark Townsley <townsley@cisco.com> wrote: > On 3/21/10 11:14 PM, Brian E Carpenter wrote: > > > > As a co-author of 4864, let me agree violently. It's not a BCP. > > Even if it was, consensus could reverse it. > > > > What 4864 says is: NATs weren't designed as security devices but they > > provide simple security by blocking everything incoming by default. > > To implement simple security for v6 you should do it with a stateful > > firewall. > > > Right, NAPTs were invented primarily for address amplification, but also > brought simple security and address independence. > I agree. The security (I'd like to put that in quotes, but there is a fair bit of it) of NAPT wasn't by design, but as a consequence of the nature of it's operation. It is default deny because it is impossible for it not to be. RFC4864, despite it's more politically correct name (can't remember the earlier more accurate, albeit controversial one), is about exactly replicating the security functions of IPv4 NAT that people have come to expect, using IPv6 methods - because they couldn't "expect" anything else. From the Abstract: " Although there are many perceived benefits to Network Address Translation (NAT), its primary benefit of "amplifying" available address space is not needed in IPv6. In addition to NAT's many serious disadvantages, there is a perception that other benefits exist, such as a variety of management and security attributes that could be useful for an Internet Protocol site. IPv6 was designed with the intention of making NAT unnecessary, and this document shows how Local Network Protection (LNP) using IPv6 can provide the same or more benefits without the need for address translation." IOW, if you really want to exactly replicate IPv4/NAT type security in IPv6, this is how you do it. I think the CPE draft, OTOH, should be saying "this is how you should be doing security in IPv6". I think restoring end-to-end, at least partially or configurably fully, is a key requirement. I think the CPE draft already does that. Arguably, that also already makes it inferior to IPv4/NAPT, because end-nodes will be directly visible over the Internet. However, we also know that end-nodes are much more security aware and capable than they used to be, so we're able to loosen CPE security to help restore end-to-end because we know that modern end-nodes are going to take up the slack. The CPE becomes a security assistant, not a security authority. This is why I've thought a bit more definite problem statement would help. If it is purely to replicate IPv4/NAPT CPE functionality in IPv6, then either RFC4864 would already do, or possibly a slightly more CPE oriented version needs to be produced. If, however, it is to state "this is how IPv6 CPE security should be done", then I think we should leave legacy IPv4/NAPT concepts that aren't appropriate behind. Regards, Mark S. > Address amplification is something that IPv6 currently does not need, > and address independence is something that would be quite useful but we > haven't been able to design and deploy it without breaking end-to-end. > > The firewall function in simple-security explicitly damages end-to-end. > If we go this route, we might as well toss in NAT too as we will have > already paid the price in terms of end-to-end transparency; We might as > well get the address independence benefit along with it. > > I suspect this will be used as an argument in the future if stateful > firewall operations become ubiquitous in CPEs: How is NAT *that much* > worse than the firewall you already have? > > - Mark > > It doesn't say that CPEs MUST do this. It leaves that choice open, as > > an informational document. > > > > > Brian > > > > > >
- I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Baugher
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Fred Baker
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Fred Baker
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Baugher
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Baugher
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Baugher
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Ole Troan
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Baugher
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Baugher
- RE: I-D.ietf-v6ops-cpe-simple-security-09 STARK, BARBARA H (ATTLABS)
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Fwd: I-D.ietf-v6ops-cpe-simple-security-09 - ICMP… Rémi Després
- Re: I-D.ietf-v6ops-cpe-simple-security-09 - ICMP … james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 - ICMP … Rémi Després
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Brian E Carpenter
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Smith
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Brian E Carpenter
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Brian E Carpenter
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Fred Baker
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Fred Baker
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Fred Baker
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Shane Amante
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Smith
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Cameron Byrne
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Smith
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Gert Doering
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Brian E Carpenter
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Smith
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Brian E Carpenter
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Status of RFC 4864 (was Re: I-D.ietf-v6ops-cpe-si… Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Smith
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Ole Troan
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Brian E Carpenter