Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03

Brian E Carpenter <brian.e.carpenter@gmail.com> Sun, 24 August 2008 21:10 UTC


Hi Mark,

On 2008-08-24 23:15, Mark Smith wrote:
...
> 2.2.  Internet Layer Protocols
> 
> "Therefore, this document recommends the DEFAULT operating mode for
> residential IPv6 simple security is to permit all virtual private
> networking tunnel protocols to pass through the stateful filtering
> function.  These include IPsec transport and tunnel modes as well as
> other IP-in-IP protocols."
> 
> Would it be better to restrict this to authenticated tunnelling
> protocols? Wrapping a malicious packet inside a GRE or IP packet and
> having the CPE blindly forward it would seem to me to be a really
> simple and easy way to bypass all the security mechanisms that this
> draft is defining.

I would object to that. That amounts to default-deny for all
the commonly used ways of bypassing ISPs that don't support
IPv6, and that would be a Bad Thing.

I think a recommendation that CPEs should document and warn about
such risks is a good idea, rather in the manner of personal
firewalls that alert you the first time you try to tunnel out
with Protocol 41, but remember when you click OK. Can we recommend
default-warn rather than either default-deny or default-allow?

...
> A few thoughts related to general tunnel security. Is it appropriate for
> this draft to document...

How about referring to draft-ietf-v6ops-tunnel-security-concerns?
We should probably concentrate those issues in one place.

   Brian
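
The defaults weighed in this message (default-allow, default-deny and the proposed default-warn), together with the authenticated-only restriction from the quoted question, modelled as an added example that is not part of the original message or of the draft. The `TunnelPolicy` class, its mode names and the sample packets are constructed for illustration, and treating ESP and AH as "authenticated" is an assumption.

```python
import ipaddress
import struct

# IANA protocol numbers for the tunnel protocols named in the thread.
TUNNEL_PROTOCOLS = {4: "IP-in-IP", 41: "IPv6-in-IPv4", 47: "GRE", 50: "ESP", 51: "AH"}
AUTHENTICATED = {50, 51}  # assumption: IPsec ESP/AH count as authenticated
MODES = ("default-allow", "default-deny", "default-warn", "authenticated-only")


def build_ipv4(src, dst, proto, payload=b""):
    """Constructed sample packet: minimal 20-byte IPv4 header, checksum left 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


class TunnelPolicy:
    """Hypothetical model of a CPE's outbound tunnel policy (not from the draft)."""

    def __init__(self, mode="default-warn"):
        if mode not in MODES:
            raise ValueError(mode)
        self.mode = mode
        self.approved = set()  # (internal host, protocol) pairs the user accepted

    def check_outbound(self, packet):
        if len(packet) < 20 or packet[0] >> 4 != 4:
            return "deny"  # truncated or not IPv4: fail closed
        proto = packet[9]
        src = str(ipaddress.IPv4Address(packet[12:16]))
        if proto not in TUNNEL_PROTOCOLS:
            return "not-a-tunnel"  # left to the ordinary stateful filter
        if self.mode == "default-allow" or (src, proto) in self.approved:
            return "allow"
        if self.mode == "authenticated-only":
            return "allow" if proto in AUTHENTICATED else "deny"
        if self.mode == "default-deny":
            return "deny"
        return "warn"  # hold the flow and ask the user once

    def user_ok(self, packet):
        """Record the user's OK so this host/protocol pair is not asked again."""
        self.approved.add((str(ipaddress.IPv4Address(packet[12:16])), packet[9]))
```

Under `authenticated-only` a Protocol 41 tunnel from the home network is dropped outright, while under `default-warn` it is held until the user accepts it once and is then remembered per host and protocol.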