Re: I-D.ietf-v6ops-cpe-simple-security-09
Mark Townsley <townsley@cisco.com> Mon, 22 March 2010 10:24 UTC
Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0080B3A6805 for <ietfarch-v6ops-archive@core3.amsl.com>; Mon, 22 Mar 2010 03:24:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.986
X-Spam-Level:
X-Spam-Status: No, score=-5.986 tagged_above=-999 required=5 tests=[AWL=-1.821, BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, J_CHICKENPOX_13=0.6, RCVD_IN_DNSWL_HI=-8, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rZBq-0Gy-Mrq for <ietfarch-v6ops-archive@core3.amsl.com>; Mon, 22 Mar 2010 03:24:19 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id F00BA28C0FD for <v6ops-archive@lists.ietf.org>; Mon, 22 Mar 2010 03:22:17 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.71 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1Ntehm-000J1g-Hr for v6ops-data0@psg.com; Mon, 22 Mar 2010 10:17:54 +0000
Received: from [171.68.10.87] (helo=sj-iport-5.cisco.com) by psg.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.71 (FreeBSD)) (envelope-from <townsley@cisco.com>) id 1Ntehj-000J1J-MK for v6ops@ops.ietf.org; Mon, 22 Mar 2010 10:17:51 +0000
Authentication-Results: sj-iport-5.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAIXgpkurR7Hu/2dsb2JhbACbK3OhcZd2hH0EhiE
X-IronPort-AV: E=Sophos;i="4.51,286,1267401600"; d="scan'208";a="170156878"
Received: from sj-core-5.cisco.com ([171.71.177.238]) by sj-iport-5.cisco.com with ESMTP; 22 Mar 2010 10:17:50 +0000
Received: from iwan-view3.cisco.com (iwan-view3.cisco.com [171.70.65.13]) by sj-core-5.cisco.com (8.13.8/8.14.3) with ESMTP id o2MAHo1Q005547; Mon, 22 Mar 2010 10:17:50 GMT
Received: from ams-townsley-8715.cisco.com (ams-townsley-8715.cisco.com [10.55.233.230]) by iwan-view3.cisco.com (8.11.2/CISCO.WS.1.2) with ESMTP id o2MAHmY08829; Mon, 22 Mar 2010 03:17:49 -0700 (PDT)
Message-ID: <4BA743CB.2070707@cisco.com>
Date: Mon, 22 Mar 2010 11:17:47 +0100
From: Mark Townsley <townsley@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.8) Gecko/20100227 Thunderbird/3.0.3
MIME-Version: 1.0
To: james woodyatt <jhw@apple.com>
CC: IPv6 Operations <v6ops@ops.ietf.org>
Subject: Re: I-D.ietf-v6ops-cpe-simple-security-09
References: <D6F5ACD2-EB43-477E-9F48-AC3EDB3F7EB4@apple.com> <4BA3BBCF.2090903@cisco.com> <4BA3D1B3.4010501@gmail.com> <4BA3DAAA.10000@cisco.com> <4BA40DD1.7080306@gmail.com> <6C168711-6A34-4487-9911-92766513183C@apple.com> <4BA522E8.7050504@cisco.com> <4BA56626.20606@gmail.com> <20100321133831.GL69383@Space.Net> <4BA6575D.7070300@gmail.com> <4BA670ED.1020302@cisco.com> <D69F1DE6-D24D-45AA-95D0-99B63E62A1EE@apple.com> <4BA68F61.7020005@cisco.com> <4BA69A3D.7@gmail.com> <FF6C57C8-664B-40F1-B071-CF794ED2A8FE@apple.com>
In-Reply-To: <FF6C57C8-664B-40F1-B071-CF794ED2A8FE@apple.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>
James, if anyone who suggested to you that RFC 4864 or any Informational document represented the consensus of the IETF, you were sadly misled. However, if it is true what you say that, "this document should it be published in the RFC series is very likely to become the Law of the Internet pretty much overnight" then we better be sure we have consensus on what it says. I do not want to see the IETF recommending a default-deny rule on IPv6 residential gateways, and I regret that RFC 4864 has been interpreted as recommending this with any authority in the past. I've offered one admittedly imperfect compromise, but I find it better than wishing for a pin-hole protocol that doesn't exist and may never in a ubiquitous and interoperable manner. Even if such a protocol did exist, there are very legitimate security concerns about the effectiveness of operating what is essentially a distributed IP-stack between the host and RG vs. using a local firewall on the host. These have been brought up, but not fully discussed in this document or on the list. Bottom line: I think that the IETF should not publish any documents implying a default-deny rule as a recommended practice and default setting for IPv6 residential gateways. I think it is fine to describe how this should work should it be turned on, and that a configuration knob MUST exist, but the default should be set in a way that ensures it is "beneficial" and "not harmful to the Internet as a whole" (RFC 3935, BCP 95). The market always makes the final decision, and if it decides that customers want, or vendors want to sell, equipment with a default setting that breaks end-to-end transparency, there is no stopping this from happening. But, the IETF doesn't have to help it happen. I think the simple-security document, as a whole, doesn't risk being ignored if it leans a bit toward favoring IPv6 end-to-end transparency vs. IPv4 status quo in this one case. - Mark On 3/22/10 6:19 AM, james woodyatt wrote: > On Mar 21, 2010, at 15:14, Brian E Carpenter wrote: > >> On 2010-03-22 10:28, Mark Townsley wrote: >> >>> Why not, if that is the current consensus? We've reversed the text of >>> IETF standards track documents before, much less Informational documents >>> that are not a standard of any kind. >>> > The design team was directed by the chair to write a draft that detailed the recommendation in Section 4.2 of RFC 4864 for a stateful filter in residential IPv6 CPE routers, and we were not instructed that revisiting the recommendation with an eye toward reversing it was explicitly within our ambit. > > >> As a co-author of 4864, let me agree violently. It's not a BCP. >> Even if it was, consensus could reverse it. >> >> What 4864 says is: NATs weren't designed as security devices but they >> provide simple security by blocking everything incoming by default. >> To implement simple security for v6 you should do it with a stateful >> firewall. >> > I would have expected an author of RFC 4864 to quote the following excerpt from Section 4.2 instead: > > To implement simple security for IPv6 in, for example, a DSL or cable > modem-connected home network, the broadband gateway/router should be > equipped with stateful firewall capabilities. These should provide a > default configuration where incoming traffic is limited to return > traffic resulting from outgoing packets (sometimes known as > reflective session state). There should also be an easy interface > that allows users to create inbound 'pinholes' for specific purposes > such as online gaming. > > That paragraph is the whole reason that I-D.ietf-v6ops-cpe-simple-security exists today. Note the use of the word "should" in the verb phrase of the second sentence. It sure looks to me like it makes a value judgment that IPv6 Simple Security in unmanaged home routers is considered helpful. > > When I first read Section 4.2 of the Internet Draft that would become RFC 4864, just a little over three years ago, I sent<http://ops.ietf.org/lists/v6ops/v6ops.2007/msg00055.html> to the V6OPS list to surface what I thought, at the time, was an oversight. Note that I was objecting to the use of the word "should" in that paragraph. I thought RFC 4864 should not be making such a recommendation, and I believed that the authors must have been mistaken to include it in an Informational category document. > > Alas, I later learned that this recommendation was quite deliberate and *NOT* open for discussion anymore. I withdrew my objection soon thereafter, after one of the authors expressed "violent" disagreement with me, because I came to believe my personal misgivings about this recommendation weren't shared by the majority of IETF participants. I still think only a small minority of participants agrees with me. > > >> It doesn't say that CPEs MUST do this. It leaves that choice open, as an informational document. >> > No, it doesn't say that CPE routers MUST do this, but it does go out of its way to say that CPE routers "should" do this. > > More importantly, other specifications which reference RFC 4864 as if it's morally equivalent to a proposed standard *do* say that CPE routers MUST do this. While categorized as Informational, the language in I-D.ietf-v6ops-cpe-simple-security is deliberately crafted to be easily cited by other SDO's in requirement specifications, which are expecting to describe not just the CPE routers MUST do this, but HOW they will do this. I am aware of at least two other SDO's that are preparing exactly that. > > So, while it's true that neither RFC 4864 nor I-D.ietf-v6ops-cpe-simple-security say that CPE routers MUST implement a "default deny" stateful filtering regime, the common law is congealing around this as a requirement as we speak. So, despite the fact that this draft is Informational and not BCP or Proposed Standard, what we say in this document should it be published in the RFC series is very likely to become the Law of the Internet pretty much overnight, and I think that pretending otherwise would be awfully naïve. > > > -- > james woodyatt<jhw@apple.com> > member of technical staff, communications engineering > > > > >
- I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Baugher
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Fred Baker
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Fred Baker
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Baugher
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Baugher
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Baugher
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Ole Troan
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Baugher
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Baugher
- RE: I-D.ietf-v6ops-cpe-simple-security-09 STARK, BARBARA H (ATTLABS)
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Fwd: I-D.ietf-v6ops-cpe-simple-security-09 - ICMP… Rémi Després
- Re: I-D.ietf-v6ops-cpe-simple-security-09 - ICMP … james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 - ICMP … Rémi Després
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Brian E Carpenter
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Smith
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Brian E Carpenter
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Brian E Carpenter
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Fred Baker
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Fred Baker
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Fred Baker
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Shane Amante
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Smith
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Cameron Byrne
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Smith
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Gert Doering
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Brian E Carpenter
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Smith
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Brian E Carpenter
- Re: I-D.ietf-v6ops-cpe-simple-security-09 james woodyatt
- Status of RFC 4864 (was Re: I-D.ietf-v6ops-cpe-si… Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Smith
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Mark Townsley
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Ole Troan
- Re: I-D.ietf-v6ops-cpe-simple-security-09 Brian E Carpenter