IETF Logo Mail Archive

Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanced-ipv6-security WGLC]

"cb.list6" <cb.list6@gmail.com> Thu, 21 November 2013 22:40 UTC

Return-Path: <cb.list6@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 294F81AE345 for <v6ops@ietfa.amsl.com>; Thu, 21 Nov 2013 14:40:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yA0LYUMTPnf5 for <v6ops@ietfa.amsl.com>; Thu, 21 Nov 2013 14:40:11 -0800 (PST)
Received: from mail-we0-x235.google.com (mail-we0-x235.google.com [IPv6:2a00:1450:400c:c03::235]) by ietfa.amsl.com (Postfix) with ESMTP id DC4A51AE1A8 for <v6ops@ietf.org>; Thu, 21 Nov 2013 14:40:10 -0800 (PST)
Received: by mail-we0-f181.google.com with SMTP id x55so424463wes.12 for <v6ops@ietf.org>; Thu, 21 Nov 2013 14:40:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=gH2jVROd9Vpso97E2La6skXhQNEnIzYMm2y+siDIRYI=; b=RozTwfAFgmGe4YjH5Tjzn9pvCwIeSmoj0jZGTLEfFN51dLsQMfvc6tAIYJ+FZ5hmbF 1y4SseDd20LnufjxFsMO6kOaGpqdlc8kcZOF0n+F1J/cRRbBfWesUyFuLGkLdNcMIINu U1rfGe2JCDAiqd8mvFwsOxCYtbDB1Hqjc/qsytXrZOYTAQNhUMGSbSlF7BETS/ARSMRh 8K1JdY9hItrtL8L5XpWtyHcvhBgTbeP7Sv4uRZc8W3nYWjb2f7e0WvqVtaB1SdGR1o00 kEWIXRLYB5+ylcjVM3b7mQw09PcJT+am9c7MOGqG2kUhKCf+gyMvK+lrH4YjQb+7xu8z jp4g==
MIME-Version: 1.0
X-Received: by 10.180.219.33 with SMTP id pl1mr7870644wic.49.1385073603588; Thu, 21 Nov 2013 14:40:03 -0800 (PST)
Received: by 10.217.58.133 with HTTP; Thu, 21 Nov 2013 14:40:03 -0800 (PST)
Received: by 10.217.58.133 with HTTP; Thu, 21 Nov 2013 14:40:03 -0800 (PST)
In-Reply-To: <528E5DC2.2040108@gmail.com>
References: <201311101900.rAAJ0AR6025350@irp-view13.cisco.com> <CAB0C4xOfz_JAjEEJZ-Zz7MBEyZhVzrAE+8Ghf1ggC3+9pyHmNg@mail.gmail.com> <989B8ED6-273E-45D4-BFD8-66A1793A1C9F@cisco.com> <5288FC15.5080508@globis.net> <CAKD1Yr1gQ8r80NxbJwxbNc8esm1ekk1JGMUoQo712CpvLJ8ogw@mail.gmail.com> <CAB0C4xOej1KhU2cA_edozG98V8ah1LgqDcu4RdwpXyQTRYRS_w@mail.gmail.com> <CAKD1Yr3uVmiS6Xqhx_qeFEeWnBkaax5CN2Zb5yu8CeML1tzBHA@mail.gmail.com> <CAB0C4xPYq4yvi+08_ogsg7VDt1pUBPkmnChp_K3jNvEoVKYBJg@mail.gmail.com> <528D10B7.8080201@gmail.com> <CAB0C4xMB3hQho6vQF8-FkP5tv456dgn5JZJjL4h30sfrgPXcbA@mail.gmail.com> <528E5DC2.2040108@gmail.com>
Date: Thu, 21 Nov 2013 14:40:03 -0800
Message-ID: <CAD6AjGSCR6XnzMaoF6A=z1C0uGBJVtdVGdJh56anwc-V_B+0hg@mail.gmail.com>
From: "cb.list6" <cb.list6@gmail.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Content-Type: multipart/alternative; boundary="001a1134c92821373b04ebb79446"
Cc: Ray Hunter <v6ops@globis.net>, "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanced-ipv6-security WGLC]
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Nov 2013 22:40:13 -0000

On Nov 21, 2013 11:23 AM, "Brian E Carpenter" <brian.e.carpenter@gmail.com>
wrote:
>
> On 21/11/2013 19:51, Marc Lampo wrote:
> > A pity that the text can be interpreted in various ways and that those
lead
> > to completely opposite results.
>
> Well yes, I'd say that text is unclear and should have been fixed before
> publication. However, when you think of how to implement it, the
requirement
> to wait at least 6 seconds tells you that (a) the firewall is stateful and
> (b) there might be a response packet coming, so the firewall must have
> forwarded the incoming SYN.
>
> >
> > (written by a politician ? ;-)
>
> No, just a careless engineer, and reviewed by other careless engineers!
> We all share the blame ;-)
>

Well.  The stateful inspection debate did not have a strong consensus then,
like now.

When consensus is weak, the guidance is weak. Death by 1,000 cuts.

Many network operators think stateful inspection is an Achilles heel of a
network and an affront to the internet model (me) .Others think it is a
"must have"  .

The ietf should not guide either way since there is no strong consensus.

This I-D is very useful for networks that choose no stateful inspection of
ipv6 -- including me, Swisscom,  Alitbox...

CB

>     Brian
>
> >
> >
> > On Wed, Nov 20, 2013 at 8:42 PM, Brian E Carpenter <
> > brian.e.carpenter@gmail.com> wrote:
> >
> >> On 20/11/2013 22:37, Marc Lampo wrote:
> >>> Yes, RFC 6092 recommends that unsolicited packets be dropped by
default !
> >>>
> >>>   REC-34  By DEFAULT, a gateway MUST respond with an ICMPv6
> >>>            "Destination Unreachable" error code 1 (Communication with
> >>>            destination administratively prohibited), to any
unsolicited
> >>>            inbound SYN packet after waiting at least 6 seconds without
> >>>            first forwarding the associated outbound SYN or SYN/ACK
from
> >>>            the interior peer.
> >> Er, no, it recommends that unacknowledged unsolicited SYNs should cause
> >> Destination Unreachable, if no TCP listener has responded after 6
seconds.
> >> The gateway isn't dropping anything. It is required to be stateful for
> >> 6 seconds in case there is a response.
> >>
> >>> "transparent mode" "MAY" be the default (which, in the context, I
> >> interpret
> >>> as a kind of "second choice")
> >> That interpretation is not justified by RFC 2119.
> >>
> >>>    REC-49  Internet gateways with IPv6 simple security capabilities
MUST
> >>>            provide an easily selected configuration option that
permits
> >>>            a "transparent mode" of operation that forwards all
> >>>            unsolicited flows regardless of forwarding direction, i.e.,
> >>>            not to use the IPv6 simple security capabilities of the
> >>>            gateway.  The transparent mode of operation MAY be the
> >>>            default configuration.
> >>    Brian
> >>
> >>
> >
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email