Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC

"Fred Baker (fred)" <fred@cisco.com> Wed, 13 November 2013 16:46 UTC

From: "Fred Baker (fred)" <fred@cisco.com>
To: Tarko Tikan <tarko@lanparty.ee>
Thread-Topic: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC
Thread-Index: AQHO4I/sAG11bn7zoUqMRCwrKgQsrA==
Date: Wed, 13 Nov 2013 16:46:38 +0000
Message-ID: <6FE564A3-7FD9-4E17-9910-5B08B9FCA2EF@cisco.com>
References: <201311101900.rAAJ0AR6025350@irp-view13.cisco.com> <CAB0C4xOfz_JAjEEJZ-Zz7MBEyZhVzrAE+8Ghf1ggC3+9pyHmNg@mail.gmail.com> <989B8ED6-273E-45D4-BFD8-66A1793A1C9F@cisco.com> <52833B8F.10708@lanparty.ee>
In-Reply-To: <52833B8F.10708@lanparty.ee>
Accept-Language: en-US
Content-Language: en-US
Content-Type: multipart/signed; boundary="Apple-Mail=_822ED0EF-0C28-44D5-A1C0-1349E0C89BE0"; protocol="application/pgp-signature"; micalg="pgp-sha1"
MIME-Version: 1.0
Cc: "<v6ops@ietf.org>" <v6ops@ietf.org>
Subject: Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC
Precedence: list

On Nov 13, 2013, at 12:42 AM, Tarko Tikan <tarko@lanparty.ee>
 wrote:

> hey,
> 
>> From my perspective, I think I would prefer that the firewall - if implemented - blocked everything, and applications within the network advised the firewall(s) of traffic that they are willing to receive. If a potential session has no willing counterpart within my network, I don't see the argument for letting the first packet in.
> 
> That would be preferred but as already discussed, there are no suitable protocols (and implementations) for deployment today. And recommending to block all inbound sessions by default is not good idea with IPv6 end2end mentality.
> 
> To improve on the idea - I don't see why application should signal to CPE, firewalling in CPE is useless against ddos attacks. I'd prefer application to signal to edge routers and have firewall there, this way to-be-denied packets never make it to CPE and will not congest AN uplinks.

The action of the application would  be the same, right? If the user has a managed service, one can easily imagine the upstream firewall/router doing this. That simply says where the PCP traffic would go to.

The "IPv6 end2end mentality", I would argue, doesn't come into play here. The phrase "end to end" implies having multiple endpoints. If there is no application in the network prepared to be the receiving end, the sending end can do whatever it likes - there is nobody to talk with. And from a policy perspective, even if there is someone that *could* talk (the HTTP server on my phone, designed for management use), that doesn't imply that I want it to. I'm fine with saying there will be no impedance of traffic that is useful and fits policy. As far as I know, firewalls aren't supposed to block that anyway.

Attachment: signature.asc

[v6ops] draft-ietf-v6ops-balanced-ipv6-security W… Fred Baker
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Guillaume Leclanche
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Guillaume Leclanche
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… cb.list6
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ted Lemon
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… cb.list6
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tore Anderson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ted Lemon
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ted Lemon
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tarko Tikan
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark Andrews
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Brian E Carpenter
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Sander Steffann
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… joel jaeggli
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… joel jaeggli
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tassos Chatzithomaoglou
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… cb.list6
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Fred Baker (fred)
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Tassos Chatzithomaoglou
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
[v6ops] draft-ietf-v6ops-balanced-ipv6-security W… Fred Baker
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Joe Touch
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mikael Abrahamsson
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… de =?iso-8859-1?q?Br=FCn?=, Markus
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Marc Lampo
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Lorenzo Colitti
[v6ops] RFC 6092 [was draft-ietf-v6ops-balanced-i… Brian E Carpenter
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Mark ZZZ Smith
Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… Marc Lampo
Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… Lorenzo Colitti
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… Brian E Carpenter
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Ray Hunter
Re: [v6ops] RFC 6092 [was draft-ietf-v6ops-balanc… cb.list6
Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-securi… Brian E Carpenter

Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC

Attachment: signature.asc