IETF Logo Mail Archive

Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03

Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org> Mon, 25 August 2008 11:43 UTC

Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9B2A028C99A for <ietfarch-v6ops-archive@core3.amsl.com>; Mon, 25 Aug 2008 04:43:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.677
X-Spam-Level:
X-Spam-Status: No, score=-0.677 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_EQ_AU=0.377, RCVD_IN_DNSWL_LOW=-1, RDNS_NONE=0.1, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EQUetT39z9tE for <ietfarch-v6ops-archive@core3.amsl.com>; Mon, 25 Aug 2008 04:43:27 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id C92F228C9D3 for <v6ops-archive@lists.ietf.org>; Mon, 25 Aug 2008 04:43:26 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1KXaOy-000EhA-A7 for v6ops-data@psg.com; Mon, 25 Aug 2008 11:38:28 +0000
Received: from [203.6.132.83] (helo=levanto.mail.adnap.net.au) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <ipng@69706e6720323030352d30312d31340a.nosense.org>) id 1KXaOu-000EgU-4r for v6ops@ops.ietf.org; Mon, 25 Aug 2008 11:38:26 +0000
Received: from 219-90-160-185.ip.adam.com.au ([219.90.160.185] helo=mail.nosense.org) by levanto.mail.adnap.net.au with esmtp (Exim 4.63 (FreeBSD)) (envelope-from <ipng@69706e6720323030352d30312d31340a.nosense.org>) id 1KXaOn-0001Cc-Fl; Mon, 25 Aug 2008 21:08:17 +0930
Received: from ubu.nosense.org (localhost.localdomain [127.0.0.1]) by mail.nosense.org (Postfix) with SMTP id 889FAC34B; Mon, 25 Aug 2008 21:08:15 +0930 (CST)
Date: Mon, 25 Aug 2008 21:08:15 +0930
From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: jhw@apple.com, IPv6 Operations <v6ops@ops.ietf.org>
Subject: Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03
Message-Id: <20080825210815.b3444f94.ipng@69706e6720323030352d30312d31340a.nosense.org>
In-Reply-To: <48B1CCE8.1070305@gmail.com>
References: <20080824204553.08131c65.ipng@69706e6720323030352d30312d31340a.nosense.org> <48B1CCE8.1070305@gmail.com>
X-Mailer: Sylpheed 2.5.0 (GTK+ 2.12.11; i686-pc-linux-gnu)
X-Location: Lower Mitcham, South Australia, 5062
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>

Hi Brian,

On Mon, 25 Aug 2008 09:04:40 +1200
Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:

> Hi Mark,
> 
> On 2008-08-24 23:15, Mark Smith wrote:
> ...
> > 2.2.  Internet Layer Protocols
> > 
> > "Therefore, this document recommends the DEFAULT operating mode for
> > residential IPv6 simple security is to permit all virtual private
> > networking tunnel protocols to pass through the stateful filtering
> > function.  These include IPsec transport and tunnel modes as well as
> > other IP-in-IP protocols."
> > 
> > Would it be better to restrict this to authenticated tunnelling
> > protocols? Wrapping a malicious packet inside a GRE or IP packet and
> > having the CPE blindly forward it would seem to me to be a really
> > simple and easy way to bypass all the security mechanisms that this
> > draft is defining.
> 
> I would object to that. That amounts to default-deny for all
> the commonly used ways of bypassing ISPs that don't support
> IPv6, and that would be a Bad Thing.
> 

I've been reading this draft from the perspective that it was only
describing native IPv6 operation within CPE, not IPv6 over IPv4
transition methods as well, so my comments were from the point of view
of the exterior tunnel header being IPv6. In that tunnelled-over-IPv6
scenario, I'd still argue for only allowing authenticated tunnelled
protocols to transit the CPE without any stateful inspection.

OTOH, if the draft is also covering firewalling requirements to allow
IPv6 over IPv4, then I support what you're saying for that scenario. If
the draft is covering IPv6 over IPv4 methods and therefore the
consequent IPv4 firewalling requirements, then I think that needs to be
made more obvious in the draft.

> I think a recommendation that CPEs should document and warn about
> such risks is a good idea, rather in the manner of personal
> firewalls that alert you the first time you try to tunnel out
> with Protocol 41, but remember when you click OK. Can we recommend
> default-warn rather than either default-deny or default-allow?
> 
> ...
> > A few thoughts related to general tunnel security. Is it appropriate for
> > this draft to document...
> 
> How about referring to draft-ietf-v6ops-tunnel-security-concerns?
> We should probably concentrate those issues in one place.
> 

I certainly agree, I haven't yet come across that draft. I'll have a
look at it.

Thanks,
Mark.

v2.23.0 | Report a Bug | By Email