Re: But are we talking IPv6 only? That's how I read the draft. (Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03)

james woodyatt <jhw@apple.com> Thu, 28 August 2008 01:02 UTC

Cc: Dan Wing <dwing@cisco.com>
Message-Id: <F0E4B018-AA5E-4344-A40B-3F6D974B7EA1@apple.com>
From: james woodyatt <jhw@apple.com>
To: IPv6 Operations <v6ops@ops.ietf.org>
In-Reply-To: <0e6001c908a2$b8fcf700$c2f0200a@cisco.com>
Subject: Re: But are we talking IPv6 only? That's how I read the draft. (Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03)
Date: Wed, 27 Aug 2008 17:54:07 -0700
References: <20080824204553.08131c65.ipng@69706e6720323030352d30312d31340a.nosense.org> <48B1CCE8.1070305@gmail.com> <01af01c9065b$b4602440$c2f0200a@cisco.com> <48B23391.1090503@gmail.com> <01cd01c90672$a57c8790$c2f0200a@cisco.com> <48B31DA3.6080001@gmail.com> <07d201c906f7$50a85e30$c2f0200a@cisco.com> <48B32B43.5010103@gmail.com> <084c01c906fe$f9bf1840$c2f0200a@cisco.com> <48B33430.40704@gmail.com> <A31EB889-2BD9-4283-A408-AB6DCC1D568A@suspicious.org> <08be01c90712$d876cd40$c2f0200a@cisco.com> <20080827194713.23271bd1.ipng@69706e6720323030352d30312d31340a.nosense.org> <CD947C45-58F7-47F1-807F-A276490B1E39@apple.com> <0e6001c908a2$b8fcf700$c2f0200a@cisco.com>

On Aug 27, 2008, at 17:12, Dan Wing wrote:
> [I wrote:]
>> On Aug 27, 2008, at 03:17, Mark Smith wrote:
>>> * Native IPv6 CPE security, plus IPv4 security/functionality
>>> requirements to support IPv6 transition via IPv4 tunnelling
>>
>> It was my understanding that this is the proper scope, not the
>> alternatives you mentioned.
>
> If the scope includes IPv6-over-IPv4 tunnels, then there are two
> network topologies:
>
>  1.  CPE gets a single IPv4 address and is an IPv4 NAPT, or
>  2.  the residential user gets one IPv4 address for each
>      device in their home that wants to do an IPv6-over-IPv4
>      tunnel.
>
> If (1), I don't see how unsolicited incoming packets can be
> directed to the correct host behind the IPv4 NAPT.
>
> If (2), we are outside the realm of simple residential networks --
> they only have one IPv4 address.  We can't plan for more to become
> common as we approach IPv4 exhaustion.
>
> Is there another network topology that I am missing?

Ah.  I see the confusion.  In the scope of the whole draft, we are
talking about CPE that can include dual-stack transition mechanisms.
In the specific scope of R23, the words "upper layer protocol" are
intended to imply only IPv6 as the outer layer (which may itself be
tunneled in an IPv4 transition mechanism, but the filtering
recommendations in this draft are intended for use in applying filters
inside the tunnel, not to the outside).

We are not trying to make recommendations about IPv4 simple security
in this draft.  This could be made more clear.


--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering
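
The distinction drawn above, filtering applied to the IPv6 packet inside an IPv4 tunnel rather than to the IPv4 outer layer, as an added worked example that is not part of the original message, the draft, or any CPE implementation. The policy it enforces on the inner packet (pass ICMPv6, pass TCP/UDP only when an internal host already opened the flow, drop the rest) is a hypothetical stand-in for whatever the draft's R23 actually says; the 6in4 encapsulation (IPv4 protocol 41) is the one IPv4-side detail the filter looks at. Addresses are documentation ranges, checksums are left zero, the sample packets are constructed inline, and IPv6 extension headers are not walked.

```python
"""Decapsulate a 6in4 (IPv4 protocol 41) packet and apply a simple-security
decision to the inner IPv6 packet. Constructed example; the policy is a
hypothetical illustration, not the text of any draft requirement."""
import socket
import struct

IPPROTO_IPV6 = 41    # IPv4 protocol number carrying IPv6 (6in4, RFC 4213)
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ICMPV6 = 58


def parse_ipv4(buf):
    """Return (proto, src, dst, payload) from a raw IPv4 packet."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[2:4])[0]
    proto = buf[9]
    src = socket.inet_ntop(socket.AF_INET, buf[12:16])
    dst = socket.inet_ntop(socket.AF_INET, buf[16:20])
    return proto, src, dst, buf[ihl:total_len]


def parse_ipv6(buf):
    """Return (next_header, src, dst, payload) from a raw IPv6 packet.
    Extension headers are not walked here; a real filter must walk them
    to find the true upper-layer protocol."""
    if len(buf) < 40 or buf[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_header = struct.unpack("!HB", buf[4:7])
    src = socket.inet_ntop(socket.AF_INET6, buf[8:24])
    dst = socket.inet_ntop(socket.AF_INET6, buf[24:40])
    return next_header, src, dst, buf[40:40 + payload_len]


def ports(l4):
    """Source and destination port of a TCP or UDP header."""
    return struct.unpack("!HH", l4[:4])


def inside_tunnel_filter(raw_ipv4, tunnel_endpoint, solicited):
    """Decide whether the IPv6 packet carried inside an inbound 6in4 packet
    may pass to the LAN.

    raw_ipv4        outer IPv4 packet as received on the WAN side
    tunnel_endpoint IPv4 address of the remote tunnel end we configured
    solicited       set of (proto, remote6, remote_port, local6, local_port)
                    flows an internal host has already opened outward

    Returns (verdict, reason). The outer layer gets exactly one check
    (is this our tunnel?); the policy is applied to the inner packet.
    """
    proto, src4, _dst4, payload = parse_ipv4(raw_ipv4)
    if proto != IPPROTO_IPV6:
        # Plain IPv4 traffic: the IPv4 policy is a separate matter.
        return "pass-through", "not a tunnel packet; IPv4 policy not decided here"
    if src4 != tunnel_endpoint:
        return "drop", "protocol 41 from unexpected IPv4 source %s" % src4

    nh, src6, dst6, inner = parse_ipv6(payload)
    if nh == IPPROTO_ICMPV6:
        return "accept", "ICMPv6 inside the tunnel"
    if nh in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = ports(inner)
        if (nh, src6, sport, dst6, dport) in solicited:
            return "accept", "matches a flow an internal host opened"
        name = "TCP" if nh == IPPROTO_TCP else "UDP"
        return "drop", "unsolicited inbound %s to [%s]:%d" % (name, dst6, dport)
    return "drop", "unrecognised inner upper-layer protocol %d" % nh


def build_6in4(src4, dst4, src6, dst6, next_header, l4, outer_proto=IPPROTO_IPV6):
    """Construct an IPv6-in-IPv4 test packet (checksums left zero)."""
    ipv6 = struct.pack("!IHBB", 0x60000000, len(l4), next_header, 64)
    ipv6 += socket.inet_pton(socket.AF_INET6, src6)
    ipv6 += socket.inet_pton(socket.AF_INET6, dst6)
    ipv6 += l4
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6), 0, 0, 64,
                       outer_proto, 0,
                       socket.inet_pton(socket.AF_INET, src4),
                       socket.inet_pton(socket.AF_INET, dst4))
    return ipv4 + ipv6


if __name__ == "__main__":
    BROKER = "192.0.2.1"          # remote tunnel end (RFC 5737 documentation range)
    CPE_WAN = "198.51.100.7"
    REMOTE6 = "2001:db8:ffff::1"  # RFC 3849 documentation prefix
    INSIDE6 = "2001:db8:1::10"
    syn = struct.pack("!HH", 40000, 22) + b"\x00" * 16   # TCP header stub
    pkt = build_6in4(BROKER, CPE_WAN, REMOTE6, INSIDE6, IPPROTO_TCP, syn)
    print(inside_tunnel_filter(pkt, BROKER, set()))
    print(inside_tunnel_filter(pkt, BROKER, {(IPPROTO_TCP, REMOTE6, 40000, INSIDE6, 22)}))
```

The point the example makes is structural: nothing about the inner IPv6 policy depends on the IPv4 address the CPE holds or on whether it is behind a NAPT, which is why the two IPv4 topologies in the quoted reply do not change what the IPv6 filter has to do.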