Fwd: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03
Fred Baker <fred@cisco.com> Sun, 24 August 2008 11:30 UTC
Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A43313A68FA for <ietfarch-v6ops-archive@core3.amsl.com>; Sun, 24 Aug 2008 04:30:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.006
X-Spam-Level:
X-Spam-Status: No, score=-103.006 tagged_above=-999 required=5 tests=[BAYES_05=-1.11, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pltL99sQOW2p for <ietfarch-v6ops-archive@core3.amsl.com>; Sun, 24 Aug 2008 04:30:33 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 6A7253A65A5 for <v6ops-archive@lists.ietf.org>; Sun, 24 Aug 2008 04:30:33 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1KXDhG-000ARB-Sm for v6ops-data@psg.com; Sun, 24 Aug 2008 11:23:50 +0000
Received: from [171.71.176.117] (helo=sj-iport-6.cisco.com) by psg.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.69 (FreeBSD)) (envelope-from <fred@cisco.com>) id 1KXDhC-000AQT-0h for v6ops@ops.ietf.org; Sun, 24 Aug 2008 11:23:48 +0000
X-IronPort-AV: E=Sophos;i="4.32,262,1217808000"; d="scan'208";a="145356713"
Received: from sj-dkim-2.cisco.com ([171.71.179.186]) by sj-iport-6.cisco.com with ESMTP; 24 Aug 2008 11:23:43 +0000
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id m7OBNhZ7014987 for <v6ops@ops.ietf.org>; Sun, 24 Aug 2008 04:23:43 -0700
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-2.cisco.com (8.13.8/8.13.8) with ESMTP id m7OBNhF1004271 for <v6ops@ops.ietf.org>; Sun, 24 Aug 2008 11:23:43 GMT
Received: from xfe-sjc-211.amer.cisco.com ([171.70.151.174]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Sun, 24 Aug 2008 04:23:43 -0700
Received: from stealth-10-32-244-221.cisco.com ([10.32.244.221]) by xfe-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Sun, 24 Aug 2008 04:23:43 -0700
Message-Id: <C4B976B3-03F8-490F-8C15-242654DFF58B@cisco.com>
From: Fred Baker <fred@cisco.com>
To: IPv6 Operations <v6ops@ops.ietf.org>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v926)
Subject: Fwd: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03
Date: Sun, 24 Aug 2008 04:23:42 -0700
References: <20080824204553.08131c65.ipng@69706e6720323030352d30312d31340a.nosense.org>
X-Mailer: Apple Mail (2.926)
X-OriginalArrivalTime: 24 Aug 2008 11:23:43.0180 (UTC) FILETIME=[DDAC40C0:01C905DB]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=4471; t=1219577023; x=1220441023; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=fred@cisco.com; z=From:=20Fred=20Baker=20<fred@cisco.com> |Subject:=20Fwd=3A=20Some=20suggestions=20for=20draft-ietf- v6ops-cpe-simple-security-03 |Sender:=20; bh=bTzFAgIGwhC8rK4YCdCN41DfqZdphPB5lhoT+WFr3KA=; b=VYdJRgeAGSDy3Q10caN/BgEJKByxPDnCoNhP+3Blenoepbl1HMzvurynrv yUA6G7vJuVI6TkrMcNxAfjoOztohhYbXcWCzehNM7uL5GLvcVrVsKVQmC5TI rkQLHim/Sz;
Authentication-Results: sj-dkim-2; header.From=fred@cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>
Forwarding comments... Begin forwarded message: > From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org> > Date: August 24, 2008 4:15:53 AM PDT > To: jhw@apple.com, v6ops-residential-cpe-design- > team@external.cisco.com > Subject: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03 > > Hi, > > I've finally found a bit of time to start having a read through the 03 > version of this draft. I haven't read through all of it yet, however > here are some starting suggestions: > > 2. Overview > > Change "requires" to "provides", just to continue to emphasise a bit > that the statefulness of NAT wasn't specifically designed into it: > > "Only the perceived security benefits associated with stateful packet > filtering, which NAT (requires|*provides*) as a side effect, are > thought relevant in the IPv6 residential usage scenario." > > > 2.2. Internet Layer Protocols > > "Therefore, this document recommends the DEFAULT operating mode for > residential IPv6 simple security is to permit all virtual private > networking tunnel protocols to pass through the stateful filtering > function. These include IPsec transport and tunnel modes as well as > other IP-in-IP protocols." > > Would it be better to restrict this to authenticated tunnelling > protocols? Wrapping a malicious packet inside a GRE or IP packet and > having the CPE blindly forward it would seem to me to be a really > simple and easy way to bypass all the security mechanisms that this > draft is defining. > > Authenticated protocols could still expose hosts to probing e.g. > probing a non-IPsec enabled host via IKE, which the CPE would > forward unrestricted, could generate an ICMPv6 Port Unreachable, > indicating a host's presence. Maybe the residential CPE should drop > these ICMPv6 messages in the outbound direction, hiding hosts that > don't > support the tunnelling method being requested from these sorts of > probes? > > A few thoughts related to general tunnel security. Is it appropriate > for > this draft to document that traffic arriving encapsulated should not > automatically be trusted, and therefore should also have firewalling > applied to it by the receiving host, after decapsulation? If the end > user has chosen to use a clear text tunnel encapsulation method e.g. > GRE, would there be any value in specifying that the CPE MAY inspect > the > interior traffic carried within the tunnel? Limiting the number of > encapsulation headers on a packet would also probably be something to > define in this case. IOW, if the CPE can inspect traffic, even though > it is encapsulated inside a tunnel, can we recommend that it should? > > "R2: Packets bearing in their outer IPv6 headers multicast destination > addresses of equal or narrower scope that the configured scope > boundary level of the gateway MUST NOT be forwarded in any > direction." > suggest to insert: > > ", excepting when the Residential Gateway is also acting as a VPN > tunnel end-point. In this case, traffic must not be forwarded toward > multicast destinations that are not known to be at the remote end of > the pre-established or prior-configured on-demand tunnel(s)." > > "R4: Outbound packets MUST NOT be forwarded if the source address in > their outer IPv6 header does not have a unicast prefix assigned for > use by globally reachable nodes on the interior network." > > similar to above, suggest to insert: > > ", excepting when the Residential Gateway is also acting as a VPN > tunnel end-point. In this case, traffic must not be forwarded to > unicast destinations that are not known to be at the remote end of the > pre-established or prior-configured on-demand tunnel(s)." > > "R4: Inbound packets MUST NOT be forwarded if the source address in > their outer IPv6 header has a global unicast prefix assigned for > use > by globally reachable nodes on the interior network." > > suggest to add tunnel end-point text as per above. > > > "R5: Packets MAY be discarded if the source and/or destination address > in the outer IPv6 header is a unique local address. By DEFAULT, > gateways SHOULD NOT forward packets across unique local address > scope boundaries." > > suggest to add tunnel end-point text as per above. > > > That's it for the moment, I'll continue reading through it over the > next few days. > > Regards, > Mark.
- Fwd: Some suggestions for draft-ietf-v6ops-cpe-si… Fred Baker
- Some suggestions for draft-ietf-v6ops-cpe-simple-… Mark Smith
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Brian E Carpenter
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Brian E Carpenter
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Mark Smith
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… EricLKlein
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Brian E Carpenter
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Brian E Carpenter
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Brian E Carpenter
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Truman Boyes
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Brian E Carpenter
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Gert Doering
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Rémi Després
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Rémi Després
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Gert Doering
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Rémi Denis-Courmont
- But are we talking IPv6 only? That's how I read t… Mark Smith
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… teemu.savolainen
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Rémi Després
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Rémi Denis-Courmont
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Rémi Denis-Courmont
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- RE: But are we talking IPv6 only? That's how I re… Dan Wing
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… james woodyatt
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… james woodyatt
- Re: But are we talking IPv6 only? That's how I re… james woodyatt
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- Re: But are we talking IPv6 only? That's how I re… Mark Smith
- Purpose of ALD (was Re: Some suggestions for draf… james woodyatt
- Re: But are we talking IPv6 only? That's how I re… james woodyatt
- RE: Purpose of ALD (was Re: Some suggestions for … Dan Wing
- RE: But are we talking IPv6 only? That's how I re… Dan Wing
- Re: But are we talking IPv6 only? That's how I re… james woodyatt
- RE: But are we talking IPv6 only? That's how I re… Dan Wing
- Re: But are we talking IPv6 only? That's how I re… Rémi Denis-Courmont
- RE: But are we talking IPv6 only? That's how I re… Templin, Fred L
- RE: But are we talking IPv6 only? That's how I re… Dan Wing
- RE: But are we talking IPv6 only? That's how I re… Templin, Fred L
- Re: But are we talking IPv6 only? That's how I re… james woodyatt
- RE: But are we talking IPv6 only? That's how I re… Templin, Fred L
- Re: But are we talking IPv6 only? That's how I re… james woodyatt
- RE: But are we talking IPv6 only? That's how I re… Templin, Fred L
- Re: But are we talking IPv6 only? That's how I re… Rémi Després
- RE: But are we talking IPv6 only? That's how I re… Dan Wing
- RE: But are we talking IPv6 only? That's how I re… Templin, Fred L
- Re: But are we talking IPv6 only? That's how I re… Rémi Després
- RE: But are we talking IPv6 only? That's how I re… Templin, Fred L
- RE: But are we talking IPv6 only? That's how I re… Dan Wing
- Re: But are we talking IPv6 only? That's how I re… Mark Smith
- Re: But are we talking IPv6 only? That's how I re… Mark Smith
- Re: tunnel protocols (draft-ietf-v6ops-cpe-simple… james woodyatt