Re: I-D.ietf-v6ops-cpe-simple-security-09

Mark Townsley <townsley@cisco.com> Sat, 20 March 2010 07:09 UTC

Message-ID: <4BA47371.5080802@cisco.com>
Date: Sat, 20 Mar 2010 08:04:17 +0100
From: Mark Townsley <townsley@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.8) Gecko/20100227 Thunderbird/3.0.3
MIME-Version: 1.0
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
CC: IPv6 Operations <v6ops@ops.ietf.org>, james woodyatt <jhw@apple.com>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>
Subject: Re: I-D.ietf-v6ops-cpe-simple-security-09
References: <D6F5ACD2-EB43-477E-9F48-AC3EDB3F7EB4@apple.com> <4BA3BBCF.2090903@cisco.com> <4BA3D1B3.4010501@gmail.com> <4BA3DAAA.10000@cisco.com> <4BA40DD1.7080306@gmail.com>
In-Reply-To: <4BA40DD1.7080306@gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>

On 3/20/10 12:50 AM, Brian E Carpenter wrote:
> Mark,
>
> I dislike 'default deny' as much as anyone. After all,
> I'm an author of RFC 4864.
>
> But I'm afraid that the simplicity of 'default deny' has long
> ago won the hearts and minds of enterprise network managers.
>
The Enterprise edge is very different than the Residential edge. This draft is targeting the Residential edge.

- Mark
> I can see the virtues of rate limiting, but I see it as too
> contentious to attempt to get it into the *simple* security
> draft. Sadly.
>
> Regards
>     Brian
>
> On 2010-03-20 09:12, Mark Townsley wrote:
>
>> On 3/19/10 8:34 PM, Brian E Carpenter wrote:
>>
>>> Mark, I'm not going to reply to your specific question.
>>>
>> That's too bad.
>>
>>> The one most clear result from the ISP survey I will report
>>> on during the IETF is that the biggest gap in products holding
>>> up general v6 deployment is CPE.
>>>
>> Understood.
>>
>>> I think it's a matter of great urgency to get this draft
>>> out as an RFC; it's a couple of years too late.
>>>
>> It's more the implementations that are late, but I get your point.
>>
>>> So I want to say: let's not add *anything*. Let's just
>>> push it out in a matter of weeks.
>>>
>> All we are doing is talking about allowing what is now a binary on/off
>> in the draft now to be a variable between 0 and some maximum instead.
>> The default could still well be what we have now, 0, though I would like
>> it to be something else.
>>
>> I'm not sure that leaving this out will help advance the draft more
>> quickly. Folks like me, who are quite happy with their native IPv6
>> service for the past couple of years with no IPv6 firewall, think of
>> cpe-simple-security as a sword in the heart of IPv6 and end-to-end
>> transparency. Including "Rule 7" is something that would go a long way
>> towards at least me stepping back and not making an enormous ruckus when
>> this draft hits last call.
>>
>> We've already talked about the idea in v6ops, it's been documented in a
>> draft for at least a little while, and after Hiroshima I got some
>> indication that this was something people would like to have. The basic
>> concept comes from Dave Oran, who included it in various presentations
>> for years.
>>
>> So, aside from your fears of changing anything in the draft at all, what
>> do you think of the idea?
>>
>> - Mark
>>
>>> The same applies to draft-ietf-v6ops-ipv6-cpe-router
>>> of course.
>>>
>>> Regards
>>>      Brian Carpenter
>>>
>>> On 2010-03-20 07:00, Mark Townsley wrote:
>>>
>>>> I would like to propose some form of "ParanoidOpeness" (Rule #7) from
>>>> draft-vyncke-advanced-ipv6-security-01 to be brought into the
>>>> simple-security draft.
>>>>
>>>> The basic idea is that rather than blocking otherwise unauthorized
>>>> inbound connections outright, the CPE rate-limits them according to a
>>>> variable setting. When that setting is 0, all incoming packets are
>>>> dropped. When set to its maximum, all packets are permitted (as if the
>>>> firewall function is configured off). In-between, the CPE rate-limits
>>>> incoming packets to reduce probing of the home network, but to allow
>>>> just enough packets through that, if a host inside responds, a pinhole
>>>> is opened for the communication to occur. Of course, the hard part is
>>>> what the default setting should be, but I'd like to get a sense first of
>>>> whether we can bring this function in.
>>>>
>>>> James, I think I remember you being warm to the idea in some (jabber?)
>>>> comments during the meeting in Hiroshima when I presented this first.
>>>>
>>>> Thanks,
>>>>
>>>> - Mark
>>>>
>>>> On 3/4/10 12:06 AM, james woodyatt wrote:
>>>>
>>>>> everyone--
>>>>>
>>>>> Once again, I'd like to ask for some discussion and feedback on this
>>>>> draft.  Is there any reason this revision of the draft should not
>>>>> proceed to Working Group Last Call at this time?
>>>>>
>>>>>
>>>>> -- 
>>>>> james woodyatt<jhw@apple.com>
>>>>> member of technical staff, communications engineering
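The "Rule 7" mechanism Mark proposes in the quoted message (a single setting from 0 to a maximum that rate-limits unsolicited inbound packets at the CPE, with a pinhole opened once an inside host answers), as an added Python model that is not code from this thread or from either draft. The packet model, the token-bucket parameters, the MAX_RATE sentinel and the addresses are assumptions of the example.

```python
from dataclasses import dataclass

MAX_RATE = float("inf")  # assumed sentinel: admit everything (firewall off)

@dataclass(frozen=True)
class Pkt:  # minimal TCP 4-tuple packet model, an assumption of this example
    src: str
    sport: int
    dst: str
    dport: int
    def key(self):
        return (self.src, self.sport, self.dst, self.dport)

class ParanoidOpenness:
    """Stateful CPE filter: unsolicited inbound flows pass through a token
    bucket with a tunable rate; 0 = drop all (default deny), MAX_RATE = admit all."""

    def __init__(self, rate_pps: float, burst: int = 5):
        self.rate, self.burst = rate_pps, burst       # burst size is assumed
        self.tokens, self.last = float(burst), 0.0
        self.pinholes = set()  # inbound keys that bypass the limiter entirely

    def inbound(self, p: Pkt, now: float) -> bool:
        """WAN->LAN packet; True means it is forwarded into the home."""
        if p.key() in self.pinholes:
            return True             # established flow: never rate limited
        if self.rate == 0:
            return False            # setting 0: plain default deny
        if self.rate != MAX_RATE:   # in between: token-bucket the probes
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
            self.last = now
            if self.tokens < 1:
                return False        # bucket empty: this probe is dropped
            self.tokens -= 1
        return True                 # admitted; if an inside host answers, outbound() pinholes it

    def outbound(self, p: Pkt) -> None:
        """LAN->WAN packet: a reply to an admitted probe, or a flow the inside
        host starts itself, opens a pinhole for the return direction."""
        self.pinholes.add((p.dst, p.dport, p.src, p.sport))

def probe_burst(rate_pps: float, n: int = 20) -> int:
    """Constructed scan: n SYNs from one outside host at t=0 to n inside ports; returns how many reach the LAN."""
    cpe = ParanoidOpenness(rate_pps)
    return sum(cpe.inbound(Pkt("2001:db8::bad", 40000 + i, "2001:db8:1::10", 1000 + i), 0.0)
               for i in range(n))
```

With the default burst of 5, a 20-packet scan sees 0 packets admitted at setting 0, 5 at any finite setting, and all 20 at MAX_RATE; only the flows an inside host actually answers escape the limiter afterwards.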