Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanced-ipv6-security WGLC]

Brian E Carpenter <brian.e.carpenter@gmail.com> Thu, 21 November 2013 19:23 UTC

Message-ID: <528E5DC2.2040108@gmail.com>
Date: Fri, 22 Nov 2013 08:23:46 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Marc Lampo <marc.lampo.ietf@gmail.com>
References: <201311101900.rAAJ0AR6025350@irp-view13.cisco.com> <CAB0C4xOfz_JAjEEJZ-Zz7MBEyZhVzrAE+8Ghf1ggC3+9pyHmNg@mail.gmail.com> <989B8ED6-273E-45D4-BFD8-66A1793A1C9F@cisco.com> <5288FC15.5080508@globis.net> <CAKD1Yr1gQ8r80NxbJwxbNc8esm1ekk1JGMUoQo712CpvLJ8ogw@mail.gmail.com> <CAB0C4xOej1KhU2cA_edozG98V8ah1LgqDcu4RdwpXyQTRYRS_w@mail.gmail.com> <CAKD1Yr3uVmiS6Xqhx_qeFEeWnBkaax5CN2Zb5yu8CeML1tzBHA@mail.gmail.com> <CAB0C4xPYq4yvi+08_ogsg7VDt1pUBPkmnChp_K3jNvEoVKYBJg@mail.gmail.com> <528D10B7.8080201@gmail.com> <CAB0C4xMB3hQho6vQF8-FkP5tv456dgn5JZJjL4h30sfrgPXcbA@mail.gmail.com>
In-Reply-To: <CAB0C4xMB3hQho6vQF8-FkP5tv456dgn5JZJjL4h30sfrgPXcbA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: Ray Hunter <v6ops@globis.net>, "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanced-ipv6-security WGLC]
Precedence: list

On 21/11/2013 19:51, Marc Lampo wrote:
> A pity that the text can be interpreted in various ways and that those lead
> to completely opposite results.

Well yes, I'd say that text is unclear and should have been fixed before
publication. However, when you think of how to implement it, the requirement
to wait at least 6 seconds tells you that (a) the firewall is stateful and
(b) there might be a response packet coming, so the firewall must have
forwarded the incoming SYN.

> 
> (written by a politician ? ;-)

No, just a careless engineer, and reviewed by other careless engineers!
We all share the blame ;-)

    Brian

> 
> 
> On Wed, Nov 20, 2013 at 8:42 PM, Brian E Carpenter <
> brian.e.carpenter@gmail.com> wrote:
> 
>> On 20/11/2013 22:37, Marc Lampo wrote:
>>> Yes, RFC 6092 recommends that unsolicited packets be dropped by default !
>>>
>>>   REC-34  By DEFAULT, a gateway MUST respond with an ICMPv6
>>>            "Destination Unreachable" error code 1 (Communication with
>>>            destination administratively prohibited), to any unsolicited
>>>            inbound SYN packet after waiting at least 6 seconds without
>>>            first forwarding the associated outbound SYN or SYN/ACK from
>>>            the interior peer.
>> Er, no, it recommends that unacknowledged unsolicited SYNs should cause
>> Destination Unreachable, if no TCP listener has responded after 6 seconds.
>> The gateway isn't dropping anything. It is required to be stateful for
>> 6 seconds in case there is a response.
>>
>>> "transparent mode" "MAY" be the default (which, in the context, I
>> interpret
>>> as a kind of "second choice")
>> That interpretation is not justified by RFC 2119.
>>
>>>    REC-49  Internet gateways with IPv6 simple security capabilities MUST
>>>            provide an easily selected configuration option that permits
>>>            a "transparent mode" of operation that forwards all
>>>            unsolicited flows regardless of forwarding direction, i.e.,
>>>            not to use the IPv6 simple security capabilities of the
>>>            gateway.  The transparent mode of operation MAY be the
>>>            default configuration.
>>    Brian
>>
>>
>

[v6ops] draft-ietf-v6ops-balanced-ipv6-security W… Fred Baker
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Guillaume Leclanche
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Guillaume Leclanche
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… cb.list6
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ted Lemon
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… cb.list6
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tore Anderson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ted Lemon
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ted Lemon
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark Andrews
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Brian E Carpenter
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Sander Steffann
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… joel jaeggli
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… joel jaeggli
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tassos Chatzithomaoglou
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… cb.list6
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tassos Chatzithomaoglou
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
[v6ops] draft-ietf-v6ops-balanced-ipv6-security W… Fred Baker
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Joe Touch
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… de =?iso-8859-1?q?Br=FCn?=, Markus
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
[v6ops] RFC 6092 [was draft-ietf-v6ops-balanced-i… Brian E Carpenter
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… Marc Lampo
Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… Lorenzo Colitti
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… Brian E Carpenter
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… cb.list6
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Brian E Carpenter