IETF Logo Mail Archive

Status of RFC 4864 (was Re: I-D.ietf-v6ops-cpe-simple-security-09)

Mark Townsley <townsley@cisco.com> Mon, 22 March 2010 07:47 UTC

Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9F8ED3A694D for <ietfarch-v6ops-archive@core3.amsl.com>; Mon, 22 Mar 2010 00:47:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.602
X-Spam-Level:
X-Spam-Status: No, score=-7.602 tagged_above=-999 required=5 tests=[AWL=-0.237, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_HI=-8, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gflyT1BBagDC for <ietfarch-v6ops-archive@core3.amsl.com>; Mon, 22 Mar 2010 00:47:58 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id A71123A67FF for <v6ops-archive@lists.ietf.org>; Mon, 22 Mar 2010 00:47:58 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.71 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1NtcIr-0000Ec-0l for v6ops-data0@psg.com; Mon, 22 Mar 2010 07:44:01 +0000
Received: from [171.68.10.86] (helo=sj-iport-4.cisco.com) by psg.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.71 (FreeBSD)) (envelope-from <townsley@cisco.com>) id 1NtcIn-0000EI-Mu for v6ops@ops.ietf.org; Mon, 22 Mar 2010 07:43:57 +0000
Authentication-Results: sj-iport-4.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av0EANq8pkurR7Hu/2dsb2JhbACDCZgpc6EDiDGPPIEsgmdqBA
X-IronPort-AV: E=Sophos;i="4.51,286,1267401600"; d="scan'208";a="103718367"
Received: from sj-core-5.cisco.com ([171.71.177.238]) by sj-iport-4.cisco.com with ESMTP; 22 Mar 2010 07:43:56 +0000
Received: from iwan-view3.cisco.com (iwan-view3.cisco.com [171.70.65.13]) by sj-core-5.cisco.com (8.13.8/8.14.3) with ESMTP id o2M7hulN020054; Mon, 22 Mar 2010 07:43:56 GMT
Received: from ams-townsley-8715.cisco.com (ams-townsley-8715.cisco.com [10.55.233.230]) by iwan-view3.cisco.com (8.11.2/CISCO.WS.1.2) with ESMTP id o2M7hsY15110; Mon, 22 Mar 2010 00:43:54 -0700 (PDT)
Message-ID: <4BA71FB9.7020807@cisco.com>
Date: Mon, 22 Mar 2010 08:43:53 +0100
From: Mark Townsley <townsley@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.8) Gecko/20100227 Thunderbird/3.0.3
MIME-Version: 1.0
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
CC: james woodyatt <jhw@apple.com>, Gert Doering <gert@space.net>, IPv6 Operations <v6ops@ops.ietf.org>
Subject: Status of RFC 4864 (was Re: I-D.ietf-v6ops-cpe-simple-security-09)
References: <D6F5ACD2-EB43-477E-9F48-AC3EDB3F7EB4@apple.com> <4BA3BBCF.2090903@cisco.com> <4BA3D1B3.4010501@gmail.com> <4BA3DAAA.10000@cisco.com> <4BA40DD1.7080306@gmail.com> <6C168711-6A34-4487-9911-92766513183C@apple.com> <4BA522E8.7050504@cisco.com> <4BA56626.20606@gmail.com> <20100321133831.GL69383@Space.Net> <4BA6575D.7070300@gmail.com> <4BA670ED.1020302@cisco.com> <D69F1DE6-D24D-45AA-95D0-99B63E62A1EE@apple.com> <4BA68F61.7020005@cisco.com> <4BA69A3D.7@gmail.com>
In-Reply-To: <4BA69A3D.7@gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>

This exchange highlights a very significant point with respect to the 
content in v6ops-cpe-simple-security.

According to its author, v6ops-cpe-simple-security has been operating 
under the influence of precedent from RFC 4864, something that was never 
intended by the authors of the RFC, nor something expected under IETF 
procedures.

- Mark

On 3/21/10 11:14 PM, Brian E Carpenter wrote:
> On 2010-03-22 10:28, Mark Townsley wrote:
>    
>> On 3/21/10 9:29 PM, james woodyatt wrote:
>>      
>>> On Mar 21, 2010, at 12:18, Mark Townsley<townsley@cisco.com>  wrote:
>>>        
>>>> On 3/21/10 6:29 PM, Brian E Carpenter wrote:
>>>>          
>>>>> So, I'm wondering what's really wrong with:
>>>>>
>>>>>    REC-41  Gateways MUST provide an easily selected configuration option
>>>>>        that permits operation in a mode that forwards all unsolicited
>>>>>        flows regardless of forwarding direction.
>>>>>            
>>>> The problem is the default, which is not to permit this.
>>>>          
>>> That problem is inherited from RFC 4864, which this draft is not
>>> intended to reverse.
>>>        
>> Why not, if that is the current consensus? We've reversed the text of
>> IETF standards track documents before, much less Informational documents
>> that are not a standard of any kind.
>>      
> As a co-author of 4864, let me agree violently. It's not a BCP.
> Even if it was, consensus could reverse it.
>
> What 4864 says is: NATs weren't designed as security devices but they
> provide simple security by blocking everything incoming by default.
> To implement simple security for v6 you should do it with a stateful
> firewall.
>
> It doesn't say that CPEs MUST do this. It leaves that choice open, as
> an informational document.
>
>      Brian
>
>

v2.23.0 | Report a Bug | By Email