IETF Logo Mail Archive

Re: I-D.ietf-v6ops-cpe-simple-security-09

Mark Townsley <townsley@cisco.com> Mon, 22 March 2010 10:24 UTC

Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0080B3A6805 for <ietfarch-v6ops-archive@core3.amsl.com>; Mon, 22 Mar 2010 03:24:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.986
X-Spam-Level:
X-Spam-Status: No, score=-5.986 tagged_above=-999 required=5 tests=[AWL=-1.821, BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_HI=-8, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rZBq-0Gy-Mrq for <ietfarch-v6ops-archive@core3.amsl.com>; Mon, 22 Mar 2010 03:24:19 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id F00BA28C0FD for <v6ops-archive@lists.ietf.org>; Mon, 22 Mar 2010 03:22:17 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.71 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1Ntehm-000J1g-Hr for v6ops-data0@psg.com; Mon, 22 Mar 2010 10:17:54 +0000
Received: from [171.68.10.87] (helo=sj-iport-5.cisco.com) by psg.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.71 (FreeBSD)) (envelope-from <townsley@cisco.com>) id 1Ntehj-000J1J-MK for v6ops@ops.ietf.org; Mon, 22 Mar 2010 10:17:51 +0000
Authentication-Results: sj-iport-5.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAIXgpkurR7Hu/2dsb2JhbACbK3OhcZd2hH0EhiE
X-IronPort-AV: E=Sophos;i="4.51,286,1267401600"; d="scan'208";a="170156878"
Received: from sj-core-5.cisco.com ([171.71.177.238]) by sj-iport-5.cisco.com with ESMTP; 22 Mar 2010 10:17:50 +0000
Received: from iwan-view3.cisco.com (iwan-view3.cisco.com [171.70.65.13]) by sj-core-5.cisco.com (8.13.8/8.14.3) with ESMTP id o2MAHo1Q005547; Mon, 22 Mar 2010 10:17:50 GMT
Received: from ams-townsley-8715.cisco.com (ams-townsley-8715.cisco.com [10.55.233.230]) by iwan-view3.cisco.com (8.11.2/CISCO.WS.1.2) with ESMTP id o2MAHmY08829; Mon, 22 Mar 2010 03:17:49 -0700 (PDT)
Message-ID: <4BA743CB.2070707@cisco.com>
Date: Mon, 22 Mar 2010 11:17:47 +0100
From: Mark Townsley <townsley@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.8) Gecko/20100227 Thunderbird/3.0.3
MIME-Version: 1.0
To: james woodyatt <jhw@apple.com>
CC: IPv6 Operations <v6ops@ops.ietf.org>
Subject: Re: I-D.ietf-v6ops-cpe-simple-security-09
References: <D6F5ACD2-EB43-477E-9F48-AC3EDB3F7EB4@apple.com> <4BA3BBCF.2090903@cisco.com> <4BA3D1B3.4010501@gmail.com> <4BA3DAAA.10000@cisco.com> <4BA40DD1.7080306@gmail.com> <6C168711-6A34-4487-9911-92766513183C@apple.com> <4BA522E8.7050504@cisco.com> <4BA56626.20606@gmail.com> <20100321133831.GL69383@Space.Net> <4BA6575D.7070300@gmail.com> <4BA670ED.1020302@cisco.com> <D69F1DE6-D24D-45AA-95D0-99B63E62A1EE@apple.com> <4BA68F61.7020005@cisco.com> <4BA69A3D.7@gmail.com> <FF6C57C8-664B-40F1-B071-CF794ED2A8FE@apple.com>
In-Reply-To: <FF6C57C8-664B-40F1-B071-CF794ED2A8FE@apple.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>

James, if anyone who suggested to you that RFC 4864 or any Informational 
document represented the consensus of the IETF, you were sadly misled. 
However, if it is true what you say that, "this document should it be 
published in the RFC series is very likely to become the Law of the 
Internet pretty much overnight" then we better be sure we have consensus 
on what it says.

I do not want to see the IETF recommending a default-deny rule on IPv6 
residential gateways, and I regret that RFC 4864 has been interpreted as 
recommending this with any authority in the past. I've offered one 
admittedly imperfect compromise, but I find it better than wishing for a 
pin-hole protocol that doesn't exist and may never in a ubiquitous and 
interoperable manner. Even if such a protocol did exist, there are very 
legitimate security concerns about the effectiveness of operating what 
is essentially a distributed IP-stack between the host and RG vs. using 
a local firewall on the host. These have been brought up, but not fully 
discussed in this document or on the list.

Bottom line: I think that the IETF should not publish any documents 
implying a default-deny rule as a recommended practice and default 
setting for IPv6 residential gateways. I think it is fine to describe 
how this should work should it be turned on, and that a configuration 
knob MUST exist, but the default should be set in a way that ensures it 
is "beneficial" and "not harmful to the Internet as a whole" (RFC 3935, 
BCP 95).

The market always makes the final decision, and if it decides that 
customers want, or vendors want to sell, equipment with a default 
setting that breaks end-to-end transparency, there is no stopping this 
from happening. But, the IETF doesn't have to help it happen. I think 
the simple-security document, as a whole, doesn't risk being ignored if 
it leans a bit toward favoring IPv6 end-to-end transparency vs. IPv4 
status quo in this one case.

- Mark


On 3/22/10 6:19 AM, james woodyatt wrote:
> On Mar 21, 2010, at 15:14, Brian E Carpenter wrote:
>    
>> On 2010-03-22 10:28, Mark Townsley wrote:
>>      
>>> Why not, if that is the current consensus? We've reversed the text of
>>> IETF standards track documents before, much less Informational documents
>>> that are not a standard of any kind.
>>>        
> The design team was directed by the chair to write a draft that detailed the recommendation in Section 4.2 of RFC 4864 for a stateful filter in residential IPv6 CPE routers, and we were not instructed that revisiting the recommendation with an eye toward reversing it was explicitly within our ambit.
>
>    
>> As a co-author of 4864, let me agree violently. It's not a BCP.
>> Even if it was, consensus could reverse it.
>>
>> What 4864 says is: NATs weren't designed as security devices but they
>> provide simple security by blocking everything incoming by default.
>> To implement simple security for v6 you should do it with a stateful
>> firewall.
>>      
> I would have expected an author of RFC 4864 to quote the following excerpt from Section 4.2 instead:
>
>     To implement simple security for IPv6 in, for example, a DSL or cable
>     modem-connected home network, the broadband gateway/router should be
>     equipped with stateful firewall capabilities.  These should provide a
>     default configuration where incoming traffic is limited to return
>     traffic resulting from outgoing packets (sometimes known as
>     reflective session state).  There should also be an easy interface
>     that allows users to create inbound 'pinholes' for specific purposes
>     such as online gaming.
>
> That paragraph is the whole reason that I-D.ietf-v6ops-cpe-simple-security exists today.  Note the use of the word "should" in the verb phrase of the second sentence.  It sure looks to me like it makes a value judgment that IPv6 Simple Security in unmanaged home routers is considered helpful.
>
> When I first read Section 4.2 of the Internet Draft that would become RFC 4864, just a little over three years ago, I sent<http://ops.ietf.org/lists/v6ops/v6ops.2007/msg00055.html>  to the V6OPS list to surface what I thought, at the time, was an oversight.  Note that I was objecting to the use of the word "should" in that paragraph.  I thought RFC 4864 should not be making such a recommendation, and I believed that the authors must have been mistaken to include it in an Informational category document.
>
> Alas, I later learned that this recommendation was quite deliberate and *NOT* open for discussion anymore.  I withdrew my objection soon thereafter, after one of the authors expressed "violent" disagreement with me, because I came to believe my personal misgivings about this recommendation weren't shared by the majority of IETF participants.  I still think only a small minority of participants agrees with me.
>
>    
>> It doesn't say that CPEs MUST do this. It leaves that choice open, as an informational document.
>>      
> No, it doesn't say that CPE routers MUST do this, but it does go out of its way to say that CPE routers "should" do this.
>
> More importantly, other specifications which reference RFC 4864 as if it's morally equivalent to a proposed standard *do* say that CPE routers MUST do this.  While categorized as Informational, the language in I-D.ietf-v6ops-cpe-simple-security is deliberately crafted to be easily cited by other SDO's in requirement specifications, which are expecting to describe not just the CPE routers MUST do this, but HOW they will do this.  I am aware of at least two other SDO's that are preparing exactly that.
>
> So, while it's true that neither RFC 4864 nor I-D.ietf-v6ops-cpe-simple-security say that CPE routers MUST implement a "default deny" stateful filtering regime, the common law is congealing around this as a requirement as we speak.  So, despite the fact that this draft is Informational and not BCP or Proposed Standard, what we say in this document should it be published in the RFC series is very likely to become the Law of the Internet pretty much overnight, and I think that pretending otherwise would be awfully naïve.
>
>
> --
> james woodyatt<jhw@apple.com>
> member of technical staff, communications engineering
>
>
>
>
>

v2.23.0 | Report a Bug | By Email