Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC
Marc Lampo <marc.lampo.ietf@gmail.com> Mon, 18 November 2013 07:42 UTC
Return-Path: <marc.lampo.ietf@gmail.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9F2A11E85E9 for <v6ops@ietfa.amsl.com>; Sun, 17 Nov 2013 23:42:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y4lxxrKPVrMF for <v6ops@ietfa.amsl.com>; Sun, 17 Nov 2013 23:42:08 -0800 (PST)
Received: from mail-vb0-x230.google.com (mail-vb0-x230.google.com [IPv6:2607:f8b0:400c:c02::230]) by ietfa.amsl.com (Postfix) with ESMTP id DC34511E85E8 for <v6ops@ietf.org>; Sun, 17 Nov 2013 23:42:07 -0800 (PST)
Received: by mail-vb0-f48.google.com with SMTP id x16so127789vbf.21 for <v6ops@ietf.org>; Sun, 17 Nov 2013 23:42:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=93XNRwQzWPKkGPpdyKQfMWgzOqnpHr+YX0zOca6qO3Y=; b=sJ8VfeAtqH4JCxH8JuL+x3KUzV8PAW7YiIhi3UJY7sbSHF/KdMdWEBczte55INutFP gjqiJzwUTRHry7qQl8leZjYEliQOXlFLLKOXUIgMz+Slvzbt0ZFmTRDWeX8/7ckcSVSO /DoTf5B5d+wa+hzUB9/QAbHpSnN5ezn1zOfnnhnWZn4dl3bnMyumJLCytD/VlqofXfyT HykwxCYE9ZLZDPhTAI6to4cOro0nwne5RHf1dzaAbwEorM8aQTHUN9qHEVvc6JS+vknY 8GSaRTdLVKvmc5Mmi83bCPMjuh5/yVbgiX4+zDEvTVIEwHCeTVUPn+PXSqyyszwwiMpl acYQ==
MIME-Version: 1.0
X-Received: by 10.220.199.5 with SMTP id eq5mr14289572vcb.16.1384760527342; Sun, 17 Nov 2013 23:42:07 -0800 (PST)
Received: by 10.58.227.66 with HTTP; Sun, 17 Nov 2013 23:42:07 -0800 (PST)
In-Reply-To: <1384583413.2103.YahooMailNeo@web142501.mail.bf1.yahoo.com>
References: <201311101900.rAAJ0AR6025350@irp-view13.cisco.com> <CAB0C4xOfz_JAjEEJZ-Zz7MBEyZhVzrAE+8Ghf1ggC3+9pyHmNg@mail.gmail.com> <989B8ED6-273E-45D4-BFD8-66A1793A1C9F@cisco.com> <alpine.DEB.2.02.1311130329180.26054@uplift.swm.pp.se> <CAB0C4xOd-ryBXe4O3XoLTLDw-XuOV==X0nkRg5y3aPXCtf+Gow@mail.gmail.com> <alpine.DEB.2.02.1311140639140.5805@uplift.swm.pp.se> <5FC5FC3F-B933-4ACE-A7A9-00A1E275B4EF@cisco.com> <CAB0C4xMhxnev+NHx_Vzdjvrp9zE0jj7avsb9zUFGRKhQFne14A@mail.gmail.com> <alpine.DEB.2.02.1311140935510.5805@uplift.swm.pp.se> <CAB0C4xM_eN7x-4G6YYku+t=X_w3c7LiEU6AR1EDvhT6Kea_hqw@mail.gmail.com> <1384583413.2103.YahooMailNeo@web142501.mail.bf1.yahoo.com>
Date: Mon, 18 Nov 2013 08:42:07 +0100
Message-ID: <CAB0C4xPR6dhFcEwAtw57PufAWLWZ2=Dkk+aOn11YY1HR8hK-KA@mail.gmail.com>
From: Marc Lampo <marc.lampo.ietf@gmail.com>
To: Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
Content-Type: multipart/alternative; boundary="047d7b5db26a54d0d104eb6eaff8"
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Nov 2013 07:42:09 -0000
Probably true - all of your points - but, INHO, this does not imply that the Internet should get access by default to most ports. And RFC 6092, REC-31 (for TCP), satisfies those needs. But if the Internet can access an internal device, that should first be allowed by the "operator" of the CPE, as per RFC 6092, REC-48. And whoever is OK with that (open) policy, can make use of RFC 6092, REC-49, and go for "transparent" mode. I acknowledge other contributions in this list stating that any device can end up with infected/hostile neighbors in the local network, but is this a reason/excuse to have a "mostly open policy for incoming traffic" ? So, personally I cannot support publishing this draft as a WG document because it is, at least partly - but then : on an important point, in contradiction with RFC 6092. I would be more in favor if the approach chosen (blocking some ports) would have been to strengthen RFC 6092, REC-49 : "transparent mode", but not for all ports. On Sat, Nov 16, 2013 at 7:30 AM, Mark ZZZ Smith <markzzzsmith@yahoo.com.au>wrote: > > >________________________________ > > From: Marc Lampo <marc.lampo.ietf@gmail.com> > >To: Mikael Abrahamsson <swmike@swm.pp.se> > >Cc: "v6ops@ietf.org WG" <v6ops@ietf.org> > >Sent: Thursday, 14 November 2013 9:50 PM > >Subject: Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC > > > > > > > >I realise now that "unsolicited" is a word allowing multiple > interpretations (but also used in RFC 6092). But we seem to have got it > right. > > > >Anyway, the fact that some service, on an internal device, is willing to > accept connections on port XYZ, > >does not, in my opinion, imply that those connections may also come from > the outside Internet. > >Back to the example with the refrigerator : > >suppose it has a service (port XYZ) that allows it to be queried for its > contents. > > >Probably great when one is at home, but does this mean accessible from > anywhere on the Internet ? > > > >In my opinion : not before the owner has explicitly instructed his CPE to > allow incoming connections (RFC 6092, REC-48). > > > > Actually, I think you're probably going to want your refrigerator to be > able to access the Internet, as well as your toaster, answering machine, > rice cooker, washing machine etc. > > I think appliances, if they aren't already, are going to become computers, > with as much done via software/firmware as possible, instead of hardware, > because hardware is much harder and more expensive to change, both during > development and after it is sold to the customer. > > However, software/firmware is still hard to change if the customer has to > either take it back to the manufacturer, or plug a PC or USB stick into it > to update the software/firmware. Having the device be able to update itself > over the Internet will be both much more user/customer friendly and much > cheaper for the manufacturer. > > So manufacturers have an incentive to make their appliances be able to > attach to the Internet, and their customers have an incentive to attach > them. As with tablets and smartphones, the manufacturer won't be able to > vouch for the existence of any upstream network "firewalls", nor will they > successfully be able to ask the customer of their existence, so the > manufacturer will have to assume the worst, and therefore harden the > appliance against publicly addressed unfettered Internet access. > > Regards, > Mark. > >
- [v6ops] draft-ietf-v6ops-balanced-ipv6-security W… Fred Baker
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Guillaume Leclanche
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Guillaume Leclanche
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… cb.list6
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ted Lemon
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… cb.list6
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tore Anderson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ted Lemon
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ted Lemon
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark Andrews
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Brian E Carpenter
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Sander Steffann
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… joel jaeggli
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… joel jaeggli
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tassos Chatzithomaoglou
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… cb.list6
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tassos Chatzithomaoglou
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
- [v6ops] draft-ietf-v6ops-balanced-ipv6-security W… Fred Baker
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Joe Touch
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… de =?iso-8859-1?q?Br=FCn?=, Markus
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
- [v6ops] RFC 6092 [was draft-ietf-v6ops-balanced-i… Brian E Carpenter
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
- Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… Marc Lampo
- Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… Lorenzo Colitti
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
- Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… Brian E Carpenter
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
- Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… cb.list6
- Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Brian E Carpenter