Re: I-D.ietf-v6ops-cpe-simple-security-09

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 22 March 2010 14:33 UTC

Message-ID: <4BA77EA0.1030706@gmail.com>
Date: Tue, 23 Mar 2010 03:28:48 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
To: james woodyatt <jhw@apple.com>
CC: IPv6 Operations <v6ops@ops.ietf.org>
Subject: Re: I-D.ietf-v6ops-cpe-simple-security-09
References: <D6F5ACD2-EB43-477E-9F48-AC3EDB3F7EB4@apple.com> <4BA3BBCF.2090903@cisco.com> <4BA3D1B3.4010501@gmail.com> <4BA3DAAA.10000@cisco.com> <4BA40DD1.7080306@gmail.com> <6C168711-6A34-4487-9911-92766513183C@apple.com> <4BA522E8.7050504@cisco.com> <4BA56626.20606@gmail.com> <20100321133831.GL69383@Space.Net> <4BA6575D.7070300@gmail.com> <4BA670ED.1020302@cisco.com> <D69F1DE6-D24D-45AA-95D0-99B63E62A1EE@apple.com> <4BA68F61.7020005@cisco.com> <4BA69A3D.7@gmail.com> <FF6C57C8-664B-40F1-B071-CF794ED2A8FE@apple.com>
In-Reply-To: <FF6C57C8-664B-40F1-B071-CF794ED2A8FE@apple.com>

I don't think we should really be doing textual analysis
of an informational document, but since you quoted it:

On 2010-03-22 18:19, james woodyatt wrote:
...
> I would have expected an author of RFC 4864 to quote the following excerpt from Section 4.2 instead:
> 
>    To implement simple security for IPv6 in, for example, a DSL or cable
>    modem-connected home network, the broadband gateway/router should be
>    equipped with stateful firewall capabilities.  These should provide a
>    default configuration where incoming traffic is limited to return
>    traffic resulting from outgoing packets (sometimes known as
>    reflective session state).  There should also be an easy interface
>    that allows users to create inbound 'pinholes' for specific purposes
>    such as online gaming.

Correct, and (given what was already quoted from the abstract) I have always
read that paragraph to start implicitly with the words

"If you want to... "

and understood "simple security" to refer to the preceding text that
describes NATs as providing "simple security" via default deny.
And that was because we believed that many network managers wanted
exactly that and believed that NAT66 was the way to achieve it.
So we wanted to document how to achieve the same effect without NAT.
Obviously, if you don't want that effect, don't implement
draft-ietf-v6ops-cpe-simple-security, or use its REC-41 option.

       Brian