RE: But are we talking IPv6 only? That's how I read the draft. (Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03)

"Dan Wing" <dwing@cisco.com> Wed, 27 August 2008 14:55 UTC

From: Dan Wing <dwing@cisco.com>
To: 'Mark Smith' <ipng@69706e6720323030352d30312d31340a.nosense.org>
Cc: 'Truman Boyes' <truman@suspicious.org>, 'Brian E Carpenter' <brian.e.carpenter@gmail.com>, jhw@apple.com, 'IPv6 Operations' <v6ops@ops.ietf.org>
Subject: RE: But are we talking IPv6 only? That's how I read the draft. (Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03)
Date: Wed, 27 Aug 2008 07:54:20 -0700
> -----Original Message-----
> From: Mark Smith 
> [mailto:ipng@69706e6720323030352d30312d31340a.nosense.org] 
> Sent: Wednesday, August 27, 2008 3:17 AM
> To: Dan Wing
> Cc: 'Truman Boyes'; 'Brian E Carpenter'; jhw@apple.com; 'IPv6 
> Operations'
> Subject: But are we talking IPv6 only? That's how I read the 
> draft. (Re: Some suggestions for 
> draft-ietf-v6ops-cpe-simple-security-03)
> 
> 
> On Mon, 25 Aug 2008 17:29:47 -0700
> "Dan Wing" <dwing@cisco.com> wrote:
> 
> > > On 25/08/2008, at 6:37 PM, Brian E Carpenter wrote:
> > > > But blocking tunnels by default, although it's simple, also
> > > > blocks innovation. That worries me.
> > > >
> > > >    Brian
> > > 
> > > I agree with this stance. Blocking tunnels, although possibly more
> > > secure, is going to make it very difficult to solve real world
> > > problems. We have enough trouble today with IPv4 Port forwarding in
> > > CPEs and the fact that some devices do not by default pass VPN
> > > traffic. I believe internal to external tunnel flow/solicitation
> > > should be permitted by default.
> > 
> > Internal to external is permitted, by default, in the current document.
> > 
> > We are discussing external to internal.  
> > 
> 
> external to internal what?

External to the network that the CPE, providing Simple Security, is
protecting.

> IPv6 in IPv4, IPv6 in GRE in IPv4, IPv6 in
> IPsec in IPv4, IPv6 in L2TP in IPv4, IPv6 in IPv6, IPv6 in GRE in IPv6
> etc. etc.
> 
> The draft seems to be limited to specifying IPv6 only CPE
> security functionality. My comments about limiting uninspected
> inbound tunnel encapsulation to authenticated protocols were only
> regarding IPv6 in IPv6 (or IPsec over IPv6, or GRE over IPv6)
> tunneling. No IPv4 involved or seen.
> 
> All the discussion that has occurred since seems to be discussing IPv6
> over IPv4, and IMHO that is not within scope the way the draft
> is currently written.

I, at least, am not thinking of anything running over v4 in 
regards to v6ops-cpe-simple-security.

The only exception for tunnels that I see in the draft is for
tunnels running over v6, in requirement R22:

   R23: In their DEFAULT operating mode, IPv6 gateways MUST NOT prohibit
   the forwarding, to and from legitimate node addresses, with upper
   layer protocol of type IP version 6, and SHOULD NOT prohibit the
   forwarding of other tunneled networking protocols commonly used for
   virtual private networking, e.g. IP version 4, Generic Routing
   Encapsulation, etcetera.

I don't see any exception, or discussion, of v4 tunnels except for
Teredo -- and the draft recommends those be blocked.

> So it seems to me that before this discussion goes on too much more, we
> should agree on exactly what we're talking about and what we understand
> the draft is to cover. Namely, is it:
> 
> * IPv6 only CPE security functionality
> * Native IPv6 CPE security, plus IPv4 security/functionality
>   requirements to support IPv6 transition via IPv4 tunnelling
> * Native IPv6, plus IPv4 security/functionality requirements to support
>   IPv6 transition, and IPv4 security in both IPv4 NAT and Non-NAT
>   scenarios.
> 
> I certainly think the last point is out of scope.

And the draft has no requirement for that last point, except to
break Teredo (requirement R18).

> However, if the second one is the scope, then I think the draft will
> have to deal with and specify all the various IPv4 NAT/NAPT/No NAT
> tunnelling scenarios and security issues related to tunnelling IPv6
> over IPv4.

-d

> Regards,
> Mark.
>
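To make the R23 default quoted in the thread concrete, here is an added example (not code from the thread, the draft, or any CPE vendor): a minimal classifier that reads only the outer IPv6 header, walks the extension-header chain to find the upper-layer protocol number, and returns the default-mode verdict. Protocol numbers 41 (IPv6-in-IPv6), 4 (IPv4) and 47 (GRE) are the standard IANA values; the sample packets are constructed inline.

```python
import struct

# Extension headers chaining to the upper-layer protocol: hop-by-hop (0),
# routing (43), destination options (60) carry a Hdr Ext Len byte (8-octet
# units, excluding the first 8 octets); fragment (44) is a fixed 8 octets.
EXT_WITH_LEN = {0, 43, 60}
FRAGMENT = 44
# R23 as quoted in the thread: upper-layer protocol 41 (IPv6-in-IPv6) MUST be
# forwarded in the DEFAULT mode; tunnelled IPv4 (4) and GRE (47) SHOULD be.
MUST_FORWARD = {41}
SHOULD_FORWARD = {4, 47}

def upper_layer_protocol(pkt):
    """Return the upper-layer protocol of an IPv6 packet, or None if the
    packet is not IPv6 or is truncated before its header chain ends."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    nh, off = pkt[6], 40
    while True:
        if nh == FRAGMENT:
            if len(pkt) < off + 8:
                return None
            nh, off = pkt[off], off + 8
        elif nh in EXT_WITH_LEN:
            if len(pkt) < off + 2:
                return None
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        else:
            return nh  # first non-extension header: tunnel or transport

def r23_default_verdict(pkt):
    """Default-mode decision for an inbound packet. Only the OUTER header is
    read: a forwarded 41/4/47 payload passes uninspected, which is exactly
    the exposure the thread is arguing about."""
    proto = upper_layer_protocol(pkt)
    if proto is None:
        return "drop"      # unparseable: never forward what you cannot classify
    if proto in MUST_FORWARD or proto in SHOULD_FORWARD:
        return "forward"   # R23: MUST NOT (41) / SHOULD NOT (4, 47) prohibit
    return "stateful"      # everything else: the normal inbound filter applies

def ipv6_packet(chain, final_proto, payload=b""):
    """Constructed sample packet: fixed header, one zero-filled 8-octet
    extension header per type in `chain`, then `final_proto`."""
    types = list(chain) + [final_proto]
    body = b"".join(bytes([types[i + 1], 0]) + b"\x00" * 6
                    for i in range(len(chain))) + payload
    fixed = struct.pack("!IHBB16s16s", 0x60000000, len(body), types[0], 64,
                        b"\x00" * 16, b"\x00" * 16)
    return fixed + body
```

Note that the walk stops at the first non-extension header, so an inner IPv6 or GRE payload is never examined; a deployment that wants to inspect tunnelled traffic has to parse the encapsulated packet separately.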