Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC

Ray Hunter <v6ops@globis.net> Wed, 20 November 2013 08:10 UTC

Return-Path: <v6ops@globis.net>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 796661AE39B for <v6ops@ietfa.amsl.com>; Wed, 20 Nov 2013 00:10:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hhY7FXLoO3dN for <v6ops@ietfa.amsl.com>; Wed, 20 Nov 2013 00:10:39 -0800 (PST)
Received: from globis01.globis.net (RayH-1-pt.tunnel.tserv11.ams1.ipv6.he.net [IPv6:2001:470:1f14:62e::2]) by ietfa.amsl.com (Postfix) with ESMTP id 46D8B1AE38A for <v6ops@ietf.org>; Wed, 20 Nov 2013 00:10:39 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by globis01.globis.net (Postfix) with ESMTP id 2A2F0870070; Wed, 20 Nov 2013 09:10:32 +0100 (CET)
Received: from globis01.globis.net ([127.0.0.1]) by localhost (mail.globis.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NLst-nTwoUMi; Wed, 20 Nov 2013 09:10:32 +0100 (CET)
Received: from Rays-iMac-2.local (unknown [192.168.0.3]) (Authenticated sender: Ray.Hunter@globis.net) by globis01.globis.net (Postfix) with ESMTPA id F0926870040; Wed, 20 Nov 2013 09:10:31 +0100 (CET)
Message-ID: <528C6E76.1010704@globis.net>
Date: Wed, 20 Nov 2013 09:10:30 +0100
From: Ray Hunter <v6ops@globis.net>
User-Agent: Postbox 3.0.8 (Macintosh/20130427)
MIME-Version: 1.0
To: Lorenzo Colitti <lorenzo@google.com>
References: <201311101900.rAAJ0AR6025350@irp-view13.cisco.com> <CAB0C4xOfz_JAjEEJZ-Zz7MBEyZhVzrAE+8Ghf1ggC3+9pyHmNg@mail.gmail.com> <989B8ED6-273E-45D4-BFD8-66A1793A1C9F@cisco.com> <5288FC15.5080508@globis.net> <CAKD1Yr1gQ8r80NxbJwxbNc8esm1ekk1JGMUoQo712CpvLJ8ogw@mail.gmail.com>
In-Reply-To: <CAKD1Yr1gQ8r80NxbJwxbNc8esm1ekk1JGMUoQo712CpvLJ8ogw@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Nov 2013 08:10:40 -0000

> Lorenzo Colitti <mailto:lorenzo@google.com>
> 20 November 2013 07:50
> On Mon, Nov 18, 2013 at 2:25 AM, Ray Hunter <v6ops@globis.net> wrote:
>
>> Summary: I don't have answers to my own points below, but neither does
>> this draft, so whilst I welcome the authors sharing their experiences, I
>> can't support publishing it as-is as a v6ops WG document.
>>
>> The bottom line is that I wouldn't be happy if my own ISP adopted the
>> policy exactly as-documented in the draft.
>>
>
> Would you be happier if your ISP implemented the "simple security"
> recommendations in RFC 6092 and dropped all unsolicited packets to your
> network except IPsec?

Yes.

Provided the ISP gave me the ability to override that default setting
(either via a web site, PCP, UPnP, or some other mechanism)

At least I'd know for certain what ISP settings I needed to override.

They could even ask me to sign in blood in advance that all risks to my
equipment were my risk.

Whereas with this draft, we're going to have to merge two
vaguely-defined and time-variant security policies (my policy and the
ISP's policy).
If I open port 25 and the ISP closes it, which setting takes precedence?
And if the order that the requests arrive is different?
>
> I think we probably need something more sophisticated. And being
>> realistic, we're probably not yet ready to write it.
>>
>
> So let's not throw out the baby with the bathwater then? This group exists
> to share operational experience, and that is what this draft does. It does
> not make any recommendations; even the rules it presents are examples. I
> can't see anyone construing this as a recommendation or endorsement of any
> sort.
>
> We published RFC 6092. Why shouldn't we publish this one? It seems to me
> that there's no real difference between this document and RFC 6092;
> fundamentally, they both simply describe a security profile without making
> any claim about whether it is a recommended profile. If anything, at least
> this one has the advantage that it was deployed before it was
> standardized...
>
> I support this document.
>
>
> ------------------------------------------------------------------------


-- 
Regards,
RayH