Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC

Marc Lampo <marc.lampo.ietf@gmail.com> Wed, 20 November 2013 09:37 UTC

Date: Wed, 20 Nov 2013 10:37:13 +0100
Message-ID: <CAB0C4xPYq4yvi+08_ogsg7VDt1pUBPkmnChp_K3jNvEoVKYBJg@mail.gmail.com>
From: Marc Lampo <marc.lampo.ietf@gmail.com>
To: Lorenzo Colitti <lorenzo@google.com>
Cc: Ray Hunter <v6ops@globis.net>, "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC

Yes, RFC 6092 recommends that unsolicited packets be dropped by default!

   REC-34  By DEFAULT, a gateway MUST respond with an ICMPv6
           "Destination Unreachable" error code 1 (Communication with
           destination administratively prohibited), to any unsolicited
           inbound SYN packet after waiting at least 6 seconds without
           first forwarding the associated outbound SYN or SYN/ACK from
           the interior peer.

"transparent mode" "MAY" be the default (which, in the context, I interpret
as a kind of "second choice").

   REC-49  Internet gateways with IPv6 simple security capabilities MUST
           provide an easily selected configuration option that permits
           a "transparent mode" of operation that forwards all
           unsolicited flows regardless of forwarding direction, i.e.,
           not to use the IPv6 simple security capabilities of the
           gateway.  The transparent mode of operation MAY be the
           default configuration.

On Wed, Nov 20, 2013 at 9:10 AM, Lorenzo Colitti <lorenzo@google.com> wrote:

> On Wed, Nov 20, 2013 at 5:01 PM, Marc Lampo <marc.lampo.ietf@gmail.com> wrote:
>
>> This document states, for several recommendations in RFC 6092, exactly
>> the opposite of that document.
>>
>
> Which ones? Obviously you're not suggesting that RFC 6092 recommends that
> unsolicited inbound packets be dropped by default, right? Because it
> doesn't say that.
>
>
>> In addition, as I touched in my very first reaction, this draft lists a
>> number of threats - section 2.
>>  But, in my opinion, none of those threats are addressed by the rules
>> for balanced security - section 3.1.
>>  (my first comment only referred to the last threat on covert channels,
>> but I must rephrase)
>>
>
> Do you have text to suggest?
>
>
>> In reply to the question : yes, personally I would be happier if the ISP
>> dropped all unsolicited packets towards my network (except IPsec).
>>
>
> And there are people in this working group that will never agree with you.
> For example, I will never agree with you.
>
> But fortunately, that has no relevance on this document. Since this
> document does not recommend a security policy, saying "I don't like the
> security policy" (which is your opinion, and one you're perfectly entitled
> to) is not a valid reason not to publish this document.
>
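The REC-34 behaviour quoted in the message above (hold an unsolicited inbound SYN, release it if the interior peer opens the same connection, otherwise answer with ICMPv6 Destination Unreachable code 1 after 6 seconds) together with the REC-49 transparent-mode switch, as an added Python simulation that is not part of the original message, RFC 6092 or any gateway implementation; the flow-table layout, the verdict strings and the 2001:db8::/32 sample addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

HOLD_SECONDS = 6           # REC-34: wait at least 6 seconds before answering
ICMPV6_DEST_UNREACH = 1    # ICMPv6 type 1, "Destination Unreachable"
CODE_ADMIN_PROHIBITED = 1  # code 1, "communication administratively prohibited"

def tcp(src, sport, dst, dport):  # constructed SYN descriptor, (address, port) endpoints
    return {"src": (src, sport), "dst": (dst, dport)}

@dataclass
class SimpleSecurityGateway:  # stateful filter modelling REC-34 plus the REC-49 transparent mode
    transparent: bool = False
    flows: set = field(default_factory=set)      # (interior, exterior) pairs seen outbound
    pending: dict = field(default_factory=dict)  # held inbound SYNs: pair -> (arrival, pkt)

    def outbound(self, pkt):  # interior peer sends SYN or SYN/ACK: the pair becomes solicited
        self.flows.add((pkt["src"], pkt["dst"]))
        return "forward"

    def inbound(self, pkt, now):  # exterior SYN: forward if solicited or transparent, else hold
        pair = (pkt["dst"], pkt["src"])
        if self.transparent or pair in self.flows:
            return "forward"
        self.pending.setdefault(pair, (now, pkt))
        return "hold"

    def expire(self, now):  # release held SYNs solicited meanwhile; after 6 s reject the rest
        verdicts = {}
        for pair, (arrival, pkt) in list(self.pending.items()):
            if pair in self.flows:
                verdicts[pair] = "forward"
            elif now - arrival >= HOLD_SECONDS:
                verdicts[pair] = ("icmpv6", ICMPV6_DEST_UNREACH, CODE_ADMIN_PROHIBITED, pkt["src"])
            else:
                continue  # still inside the hold window
            del self.pending[pair]
        return verdicts

def scenario(transparent=False):
    """Constructed traffic (documentation prefixes); returns every verdict."""
    gw = SimpleSecurityGateway(transparent)
    a, peer, probe = "2001:db8:1::10", "2001:db8:ffff::2", "2001:db8:ffff::99"
    log = {"web": gw.outbound(tcp(a, 50000, "2001:db8:ffff::80", 443))}  # solicited connection
    log["peer_syn"] = gw.inbound(tcp(peer, 40000, a, 40000), now=1)    # not yet solicited: held
    log["peer_out"] = gw.outbound(tcp(a, 40000, peer, 40000))          # TCP simultaneous open
    log["probe_syn"] = gw.inbound(tcp(probe, 40001, a, 22), now=2)     # unsolicited probe: held
    log["at_5s"] = gw.expire(now=5)  # peer released; probe still inside the 6 s window
    log["at_8s"] = gw.expire(now=8)  # probe answered with Destination Unreachable code 1
    return log
```

Running `scenario(transparent=True)` shows the REC-49 mode: every inbound SYN is forwarded at once and nothing is ever held or rejected.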