Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows

Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org> Sun, 23 August 2009 09:21 UTC

Date: Sun, 23 Aug 2009 18:45:16 +0930
From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
To: james woodyatt <jhw@apple.com>
Cc: IPv6 Operations <v6ops@ops.ietf.org>
Subject: Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
Message-Id: <20090823184516.a8667014.ipng@69706e6720323030352d30312d31340a.nosense.org>
In-Reply-To: <ADAD4E36-7059-40F5-B964-607F065639FE@apple.com>
References: <805241AA-DC9A-4498-9D54-8D491DD62A0D@apple.com> <2D21500B-207B-43FB-9728-8A7BCEC82CB1@apple.com> <7F9A6D26EB51614FBF9F81C0DA4CFEC80158E120B3E6@il-ex01.ad.checkpoint.com> <47CF65DB-E3E1-4666-B1E9-51A49B372AD5@apple.com> <390865C6-3343-4C31-9767-6E0FCA4481DD@suspicious.org> <ADAD4E36-7059-40F5-B964-607F065639FE@apple.com>

On Sat, 22 Aug 2009 22:33:37 -0700
james woodyatt <jhw@apple.com> wrote:

> On Aug 22, 2009, at 21:58, Truman Boyes wrote:
> >
> > This is quite confusing from an implementation perspective; security
> > is not explicitly increased by prohibiting non-encrypted tunnels but
> > allowing encrypted (ESP or AH) traffic flows. Wouldn't this simply
> > serve as a driver to make all tunnel encapsulations use ESP/AH?
> 
> Yes.  I'm not sure I can explain how this is supposed to increase
> security, but if consensus in the working group emerges around these
> recommendations and the draft can proceed through working group last
> call, then that's good enough for me.
> 

Maybe I haven't fully understood the question; however, isn't the answer
as simple as the benefits of IPsec over cleartext? Even the
better-than-nothing mode of IPsec, while vulnerable to
man-in-the-middle attacks during session setup, has a much smaller
window of opportunity for exploitation than cleartext traffic.

Regards,
Mark.
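The filtering behaviour the thread is debating (let ESP/AH flows through, drop cleartext encapsulations, hand everything else to the normal stateful filter), written out as a decision function. This is an added example, not code from the thread or from the draft; the set of cleartext tunnel protocols to prohibit is an assumption made for illustration, while the protocol numbers themselves are the standard IANA assignments.

```python
import struct

# IANA protocol numbers (standard values, not taken from the thread)
ESP, AH = 50, 51
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
# Assumed set of unencrypted encapsulations a CPE would prohibit (illustrative choice)
CLEARTEXT_TUNNELS = {4: "IPv4-in-IPv6", 41: "IPv6-in-IPv6", 47: "GRE"}


def upper_layer_protocol(pkt: bytes):
    """Walk the IPv6 extension-header chain and return (protocol, offset) of the
    first non-extension header. Returns (None, None) for a truncated packet so
    the caller can fail closed instead of guessing."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None, None
    nh, off = pkt[6], 40
    while nh in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if len(pkt) < off + 8:
            return None, None
        next_nh = pkt[off]
        # Fragment header is fixed at 8 bytes; the others carry a length in 8-octet units (excluding the first 8)
        ext_len = 8 if nh == FRAGMENT else (pkt[off + 1] + 1) * 8
        nh, off = next_nh, off + ext_len
    return nh, off


def policy(pkt: bytes) -> str:
    """Decide what the CPE filter does with an inbound IPv6 packet."""
    proto, _ = upper_layer_protocol(pkt)
    if proto is None:
        return "DROP"      # malformed or truncated: fail closed
    if proto in (ESP, AH):
        return "ALLOW"     # IPsec is permitted under the recommendation being discussed
    if proto in CLEARTEXT_TUNNELS:
        return "DROP"      # unencrypted encapsulation is prohibited
    return "DEFAULT"       # ordinary transport: leave it to the stateful filter


def build_ipv6(next_header: int, payload: bytes = b"") -> bytes:
    """Constructed test input: a minimal IPv6 header with zeroed addresses."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return hdr + bytes(32) + payload
```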