RE: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
Yaron Sheffer <yaronf@checkpoint.com> Sun, 23 August 2009 10:53 UTC
Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E572D3A67EF for <ietfarch-v6ops-archive@core3.amsl.com>; Sun, 23 Aug 2009 03:53:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.205
X-Spam-Level:
X-Spam-Status: No, score=-1.205 tagged_above=-999 required=5 tests=[AWL=-0.710, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DqezDjvGV0UF for <ietfarch-v6ops-archive@core3.amsl.com>; Sun, 23 Aug 2009 03:53:27 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id ABC723A6870 for <v6ops-archive@lists.ietf.org>; Sun, 23 Aug 2009 03:53:26 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1MfAdw-0001FR-Ow for v6ops-data0@psg.com; Sun, 23 Aug 2009 10:49:48 +0000
Received: from [194.29.32.54] (helo=dlpdemo.checkpoint.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <yaronf@checkpoint.com>) id 1MfAdr-0001DB-5D for v6ops@ops.ietf.org; Sun, 23 Aug 2009 10:49:45 +0000
Received: by dlpdemo.checkpoint.com (Postfix, from userid 105) id B387329C002; Sun, 23 Aug 2009 13:49:55 +0300 (IDT)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68]) by dlpdemo.checkpoint.com (Postfix) with ESMTP id 62CEF200440; Sun, 23 Aug 2009 13:49:55 +0300 (IDT)
X-CheckPoint: {4A911DA8-0-14201DC2-1FFFF}
Received: from il-ex01.ad.checkpoint.com (localhost [127.0.0.1]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id n7NAnU3f001191; Sun, 23 Aug 2009 13:49:31 +0300 (IDT)
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([194.29.32.26]) with mapi; Sun, 23 Aug 2009 13:49:30 +0300
From: Yaron Sheffer <yaronf@checkpoint.com>
To: james woodyatt <jhw@apple.com>, IPv6 Operations <v6ops@ops.ietf.org>
Date: Sun, 23 Aug 2009 13:49:28 +0300
Subject: RE: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
Thread-Topic: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
Thread-Index: AcojYRi9tfxLVAXeT0yRoxcyLnz4QgAfZWDQ
Message-ID: <7F9A6D26EB51614FBF9F81C0DA4CFEC80158E120B466@il-ex01.ad.checkpoint.com>
References: <805241AA-DC9A-4498-9D54-8D491DD62A0D@apple.com> <2D21500B-207B-43FB-9728-8A7BCEC82CB1@apple.com> <7F9A6D26EB51614FBF9F81C0DA4CFEC80158E120B3E6@il-ex01.ad.checkpoint.com> <47CF65DB-E3E1-4666-B1E9-51A49B372AD5@apple.com>
In-Reply-To: <47CF65DB-E3E1-4666-B1E9-51A49B372AD5@apple.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_0043_01CA23F8.88824220"
MIME-Version: 1.0
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>
Hi James, You are right. In view of R20 and R21, I would prefer sec. 3.2.7 to be removed. I think the extra complexity of intra-tunnel inspection of packets-in-IPv6-in-IPv6 cannot be justified. Thanks, Yaron > -----Original Message----- > From: owner-v6ops@ops.ietf.org [mailto:owner-v6ops@ops.ietf.org] On Behalf > Of james woodyatt > Sent: Saturday, August 22, 2009 22:04 > To: IPv6 Operations > Subject: Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated > flows > > On Aug 22, 2009, at 04:01, Yaron Sheffer wrote: > > > > In other words, the CPE is only required to verify that the *outer* > > packet > > is protected; if it is not protected, the standard internal- > > initiator policy > > applies, plus the gateway should drop suspicious GRE and IP-IP > > tunnels. > > Ah, I think I see where the confusion is arising. The recommendation > to allow IPsec AH and ESP transport mode in both directions suffice to > police the outer packet header chain. > > R20 In their DEFAULT operating mode, IPv6 gateways MUST NOT prohibit > the forwarding of packets, to and from legitimate node addresses, > with destination extension headers of type "Authenticated Header > (AH)" [RFC4302] in their outer IP extension header chain. > > R21 In their DEFAULT operating mode, IPv6 gateways MUST NOT prohibit > the forwarding of packets, to and from legitimate node addresses, > with an upper layer protocol of type "Encapsulating Security > Payload (ESP)" [RFC4303] in their outer IP extension header > chain. > > What you would prefer to see is that section 3.2.7 be deleted in its > entirety, which is precisely what I proposed at IETF 75 in Stockholm, > and which failed to achieve consensus. Perhaps, after further > discussion, this option will seem sensible to a larger fraction of > participants? > > However, I should note that allowing outbound tunnel initiations still > doesn't address the concern I described in my previous message. > > [My proposed text for section 3.2.7 to address this concern.] > >> > > >> While residential IPv6 gateways are not expected to prohibit > >> virtual private networks from operating with tunnel endpoints > >> located at interior nodes, it is important to protect interior > >> networks from being reachable through routes created remotely by > >> exploiting vulnerable interior hosts. Therefore, residential IPv6 > >> gateways are expected to require tunnel encapsulations to be > >> protected by a cryptographic protocol. > > If the perception is that flows encapsulated in tunnels must be > subject to a stateful filtering regime to protect the interior network > against exploits against vulnerable tunnel endpoint hosts, and if > requiring such encapsulated flows to be encrypted with IPsec-in-IPv6- > in-IPv6 is regarded as an acceptable way to meet the perceived need to > protect all encapsulated flows with a cryptographic protocol, then > simply treating outbound tunnel initiations as any other unrecognized > protocol would be insufficient to address the objections in the > working group to taking this draft to Last Call. > > How should we proceed? > > > -- > james woodyatt <jhw@apple.com> > member of technical staff, communications engineering > > > > > Scanned by Check Point Total Security Gateway.
- draft-ietf-v6ops-cpe-simple-security: filtering e… james woodyatt
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… james woodyatt
- RE: draft-ietf-v6ops-cpe-simple-security: filteri… Yaron Sheffer
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… james woodyatt
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… Truman Boyes
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… james woodyatt
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… Mark Smith
- RE: draft-ietf-v6ops-cpe-simple-security: filteri… Yaron Sheffer
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… Brian E Carpenter
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… Mark Baugher
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… james woodyatt
- Re: draft-ietf-v6ops-cpe-simple-security: filteri… Mark Smith