Re: I-D.ietf-v6ops-cpe-simple-security-09
Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 22 March 2010 14:33 UTC
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
To: james woodyatt <jhw@apple.com>
CC: IPv6 Operations <v6ops@ops.ietf.org>

I don't think we should really be doing textual analysis of an informational document, but since you quoted it:

On 2010-03-22 18:19, james woodyatt wrote:
...
> I would have expected an author of RFC 4864 to quote the following excerpt from Section 4.2 instead:
>
> To implement simple security for IPv6 in, for example, a DSL or cable
> modem-connected home network, the broadband gateway/router should be
> equipped with stateful firewall capabilities. These should provide a
> default configuration where incoming traffic is limited to return
> traffic resulting from outgoing packets (sometimes known as
> reflective session state). There should also be an easy interface
> that allows users to create inbound 'pinholes' for specific purposes
> such as online gaming.

Correct, and (given what was already quoted from the abstract) I have always read that paragraph to start implicitly with the words "If you want to... " and understood "simple security" to refer to the preceding text that describes NATs as providing "simple security" via default deny. And that was because we believed that many network managers wanted exactly that and believed that NAT66 was the way to achieve it. So we wanted to document how to achieve the same effect without NAT.

Obviously, if you don't want that effect, don't implement draft-ietf-v6ops-cpe-simple-security, or use its REC-41 option.

Brian
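
The default behaviour described in the RFC 4864 Section 4.2 excerpt quoted in this message, as an added example that is not part of the original message, the RFC, or the draft: a small model of a gateway that forwards without NAT, keeps reflective session state for outbound flows, drops unsolicited inbound traffic, and honours user-created pinholes. The class and field names, the 60-second idle timeout, and the documentation-prefix addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class SimpleSecurityGateway:
    """Hypothetical model: no address translation, default-deny inbound."""
    lan_prefix: str                                 # interior prefix (constructed value)
    idle_timeout: float = 60.0                      # assumed seconds before state expires
    sessions: dict = field(default_factory=dict)    # flow key -> last-seen time
    pinholes: set = field(default_factory=set)      # (proto, interior addr, port)

    def _interior(self, addr):
        return addr in ip_network(self.lan_prefix)

    def add_pinhole(self, proto, addr, port):
        target = ip_address(addr)
        if not self._interior(target):
            raise ValueError("pinhole target must be an interior address")
        self.pinholes.add((proto, target, port))

    def forward(self, pkt, now):
        """Return True if the packet is forwarded, False if it is dropped."""
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if self._interior(src) and not self._interior(dst):
            # Outbound: allowed, and creates or refreshes reflective state.
            self.sessions[(pkt.proto, src, pkt.sport, dst, pkt.dport)] = now
            return True
        if self._interior(dst) and not self._interior(src):
            # Inbound: only return traffic for a live session, or a pinhole.
            key = (pkt.proto, dst, pkt.dport, src, pkt.sport)
            seen = self.sessions.get(key)
            if seen is not None and now - seen <= self.idle_timeout:
                self.sessions[key] = now
                return True
            self.sessions.pop(key, None)            # expired or never existed
            return (pkt.proto, dst, pkt.dport) in self.pinholes
        return False                                # does not cross the gateway
```

Addresses pass through unchanged in both directions, so the filtering effect comes entirely from the session table and the pinhole set rather than from translation.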