Re: I-D.ietf-v6ops-cpe-simple-security-09
Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 19 March 2010 19:35 UTC
Mark,

I'm not going to reply to your specific question.

The one most clear result from the ISP survey I will report on during the IETF is that the biggest gap in products holding up general v6 deployment is CPE. I think it's a matter of great urgency to get this draft out as an RFC; it's a couple of years too late.

So I want to say: let's not add *anything*. Let's just push it out in a matter of weeks.

The same applies to draft-ietf-v6ops-ipv6-cpe-router of course.

Regards
   Brian Carpenter

On 2010-03-20 07:00, Mark Townsley wrote:
>
> I would like to propose some form of "ParanoidOpeness" (Rule #7) from
> draft-vyncke-advanced-ipv6-security-01 to be brought into the
> simple-security draft.
>
> The basic idea is that rather than blocking otherwise unauthorized
> inbound connections outright, the CPE rate-limits them according to a
> variable setting. When that setting is 0, all incoming packets are
> dropped. When set to its maximum, all packets are permitted (as if the
> firewall function is configured off). In-between, the CPE rate-limits
> incoming packets to reduce probing of the home network, but to allow
> just enough packets through that, if a host inside responds, a pinhole
> is opened for the communication to occur. Of course, the hard part is
> what the default setting should be, but I'd like to get a sense first of
> whether we can bring this function in.
>
> James, I think I remember you being warm to the idea in some (jabber?)
> comments during the meeting in Hiroshima when I presented this first.
>
> Thanks,
>
> - Mark
>
> On 3/4/10 12:06 AM, james woodyatt wrote:
>> everyone--
>>
>> Once again, I'd like to ask for some discussion and feedback on this
>> draft. Is there any reason this revision of the draft should not
>> proceed to Working Group Last Call at this time?
>>
>>
>> --
>> james woodyatt<jhw@apple.com>
>> member of technical staff, communications engineering
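The rate-limiting behaviour described in the quoted proposal, modelled as an added example; it is not part of this thread or of either draft. The 0..10 scale, the packets-per-second mapping, the bucket depth and all names are assumptions, and the addresses are constructed from the documentation prefix.

```python
from dataclasses import dataclass, field

MAX_SETTING = 10  # assumed scale; the proposal names only "0" and "its maximum"

@dataclass
class RateLimitedCPE:
    """Toy model of the proposed behaviour; not taken from either draft."""
    setting: int                 # 0 = drop all unsolicited, MAX_SETTING = permit all
    burst: float = 1.0           # assumed token-bucket depth, in packets
    tokens: float = field(default=0.0, init=False)
    last: float = field(default=0.0, init=False)
    pinholes: set = field(default_factory=set, init=False)

    def __post_init__(self):
        if not 0 <= self.setting <= MAX_SETTING:
            raise ValueError("setting out of range")
        self.tokens = self.burst

    def outbound(self, inside, outside):
        """A packet from an inside host opens a pinhole for that flow."""
        self.pinholes.add((inside, outside))

    def inbound(self, outside, inside, now):
        """Return True if a packet arriving from outside is forwarded."""
        if (inside, outside) in self.pinholes:
            return True          # established flow, never rate-limited
        if self.setting == 0:
            return False
        if self.setting == MAX_SETTING:
            return True
        # Assumed mapping: `setting` unsolicited packets per second, shared
        # across all outside sources so a sweep cannot multiply its budget.
        elapsed = now - self.last
        self.tokens = min(self.burst, self.tokens + elapsed * self.setting)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def sweep(cpe, outside, hosts, times):
    """Send one unsolicited packet per (host, time) pair; report what got through."""
    return [cpe.inbound(outside, h, t) for h, t in zip(hosts, times)]

if __name__ == "__main__":
    hosts = ["2001:db8:1::10", "2001:db8:1::11", "2001:db8:1::12", "2001:db8:1::13"]
    cpe = RateLimitedCPE(setting=1)
    print(sweep(cpe, "2001:db8:ffff::1", hosts, [0.0, 0.25, 0.5, 2.0]))
```

At an intermediate setting most of a fast sweep is dropped, while a flow that an inside host has answered is forwarded without consuming the unsolicited budget.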