IETF Logo Mail Archive

Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC

Joe Touch <touch@isi.edu> Mon, 18 November 2013 08:09 UTC

Return-Path: <touch@isi.edu>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C79911E810B for <v6ops@ietfa.amsl.com>; Mon, 18 Nov 2013 00:09:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.602
X-Spam-Level:
X-Spam-Status: No, score=-104.602 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_13=0.6, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TEyhUM-teSy3 for <v6ops@ietfa.amsl.com>; Mon, 18 Nov 2013 00:09:49 -0800 (PST)
Received: from boreas.isi.edu (boreas.isi.edu [128.9.160.161]) by ietfa.amsl.com (Postfix) with ESMTP id 514C611E80F2 for <v6ops@ietf.org>; Mon, 18 Nov 2013 00:09:49 -0800 (PST)
Received: from [192.168.1.110] (24.115.166.40.res-cmts.flt.ptd.net [24.115.166.40]) (authenticated bits=0) by boreas.isi.edu (8.13.8/8.13.8) with ESMTP id rAI891Jw023258 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Mon, 18 Nov 2013 00:09:11 -0800 (PST)
References: <201311101900.rAAJ0AR6025350@irp-view13.cisco.com> <CAB0C4xOfz_JAjEEJZ-Zz7MBEyZhVzrAE+8Ghf1ggC3+9pyHmNg@mail.gmail.com> <989B8ED6-273E-45D4-BFD8-66A1793A1C9F@cisco.com> <alpine.DEB.2.02.1311130329180.26054@uplift.swm.pp.se> <CAB0C4xOd-ryBXe4O3XoLTLDw-XuOV==X0nkRg5y3aPXCtf+Gow@mail.gmail.com> <alpine.DEB.2.02.1311140639140.5805@uplift.swm.pp.se> <5FC5FC3F-B933-4ACE-A7A9-00A1E275B4EF@cisco.com> <CAB0C4xMhxnev+NHx_Vzdjvrp9zE0jj7avsb9zUFGRKhQFne14A@mail.gmail.com> <alpine.DEB.2.02.1311140935510.5805@uplift.swm.pp.se> <CAB0C4xM_eN7x-4G6YYku+t=X_w3c7LiEU6AR1EDvhT6Kea_hqw@mail.gmail.com> <1384583413.2103.YahooMailNeo@web142501.mail.bf1.yahoo.com> <CAB0C4xPR6dhFcEwAtw57PufAWLWZ2=Dkk+aOn11YY1HR8hK-KA@mail.gmail.com>
In-Reply-To: <CAB0C4xPR6dhFcEwAtw57PufAWLWZ2=Dkk+aOn11YY1HR8hK-KA@mail.gmail.com>
Mime-Version: 1.0 (1.0)
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative; boundary="Apple-Mail-43075C1B-22E6-426D-9651-6D53ABC1217A"
Message-Id: <E771DDB9-9701-4907-AB43-734F20D1EB6E@isi.edu>
X-Mailer: iPhone Mail (11B554a)
From: Joe Touch <touch@isi.edu>
Date: Mon, 18 Nov 2013 03:09:01 -0500
To: Marc Lampo <marc.lampo.ietf@gmail.com>
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
Subject: Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Nov 2013 08:09:55 -0000


> On Nov 18, 2013, at 2:42 AM, Marc Lampo <marc.lampo.ietf@gmail.com> wrote:
> 
> Probably true - all of your points - but, INHO, this does not imply that the Internet should get access by default to most ports.

If it doesn't it isn't on the Internet. 

Many devices are - at best - tethered to the Internet by a proxy.  But that doesn't make it either right or sufficient.  

> And RFC 6092, REC-31 (for TCP), satisfies those needs.
> 
> But if the Internet can access an internal device, that should first be allowed by the "operator" of the CPE, as per RFC 6092, REC-48.
> And whoever is OK with that (open) policy, can make use of RFC 6092, REC-49, and go for "transparent" mode.
> 
> I acknowledge other contributions in this list stating that any device can end up with infected/hostile neighbors in the local network,
> but is this a reason/excuse to have a "mostly open policy for incoming traffic" ?
> 
> So, personally I cannot support publishing this draft as a WG document because it is, at least partly - but then : on an important point,
> in contradiction with RFC 6092.

See the beginning of sec 1.2 of that doc.  It informational only, despite the use of requirements language. 

> I would be more in favor if the approach chosen (blocking some ports) would have been to strengthen RFC 6092, REC-49 :
> "transparent mode", but not for all ports.

RFC 6092 carries zero weight. If you want to strengthen it, you need to start by having it be reconsidered and ultimately reissued as BCP or some such.  

Joe

> 
> 
>> On Sat, Nov 16, 2013 at 7:30 AM, Mark ZZZ Smith <markzzzsmith@yahoo.com.au> wrote:
>> 
>> >________________________________
>> > From: Marc Lampo <marc.lampo.ietf@gmail.com>
>> >To: Mikael Abrahamsson <swmike@swm.pp.se>
>> >Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
>> >Sent: Thursday, 14 November 2013 9:50 PM
>> >Subject: Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC
>> >
>> >
>> >
>> >I realise now that "unsolicited" is a word allowing multiple interpretations (but also used in RFC 6092).  But we seem to have got it right.
>> >
>> >Anyway, the fact that some service, on an internal device, is willing to accept connections on port XYZ,
>> >does not, in my opinion, imply that those connections may also come from the outside Internet.
>> >Back to the example with the refrigerator :
>> >suppose it has a service (port XYZ) that allows it to be queried for its contents.
>> 
>> >Probably great when one is at home, but does this mean accessible from anywhere on the Internet ?
>> >
>> >In my opinion : not before the owner has explicitly instructed his CPE to allow incoming connections (RFC 6092, REC-48).
>> >
>> 
>> Actually, I think you're probably going to want your refrigerator to be able to access the Internet, as well as your toaster, answering machine, rice cooker, washing machine etc.
>> 
>> I think appliances, if they aren't already, are going to become computers, with as much done via software/firmware as possible, instead of hardware, because hardware is much harder and more expensive to change, both during development and after it is sold to the customer.
>> 
>> However, software/firmware is still hard to change if the customer has to either take it back to the manufacturer, or plug a PC or USB stick into it to update the software/firmware. Having the device be able to update itself over the Internet will be both much more user/customer friendly and much cheaper for the manufacturer. 
>> 
>> So manufacturers have an incentive to make their appliances be able to attach to the Internet, and their customers have an incentive to attach them. As with tablets and smartphones, the manufacturer won't be able to vouch for the existence of any upstream network "firewalls", nor will they successfully be able to ask the customer of their existence, so the manufacturer will have to assume the worst, and therefore harden the appliance against publicly addressed unfettered Internet access.
>> 
>> Regards,
>> Mark.
> 
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops

v2.23.0 | Report a Bug | By Email