Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03
Brian E Carpenter <brian.e.carpenter@gmail.com> Sun, 24 August 2008 21:10 UTC
Message-ID: <48B1CCE8.1070305@gmail.com>
Date: Mon, 25 Aug 2008 09:04:40 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
To: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
CC: jhw@apple.com, IPv6 Operations <v6ops@ops.ietf.org>
Subject: Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03
References: <20080824204553.08131c65.ipng@69706e6720323030352d30312d31340a.nosense.org>
In-Reply-To: <20080824204553.08131c65.ipng@69706e6720323030352d30312d31340a.nosense.org>
Hi Mark,

On 2008-08-24 23:15, Mark Smith wrote:
...
> 2.2. Internet Layer Protocols
>
> "Therefore, this document recommends the DEFAULT operating mode for
> residential IPv6 simple security is to permit all virtual private
> networking tunnel protocols to pass through the stateful filtering
> function. These include IPsec transport and tunnel modes as well as
> other IP-in-IP protocols."
>
> Would it be better to restrict this to authenticated tunnelling
> protocols? Wrapping a malicious packet inside a GRE or IP packet and
> having the CPE blindly forward it would seem to me to be a really
> simple and easy way to bypass all the security mechanisms that this
> draft is defining.

I would object to that. That amounts to default-deny for all the
commonly used ways of bypassing ISPs that don't support IPv6, and
that would be a Bad Thing.

I think a recommendation that CPEs should document and warn about
such risks is a good idea, rather in the manner of personal
firewalls that alert you the first time you try to tunnel out with
Protocol 41, but remember when you click OK. Can we recommend
default-warn rather than either default-deny or default-allow?

...
> A few thoughts related to general tunnel security. Is it appropriate for
> this draft to document...

How about referring to draft-ietf-v6ops-tunnel-security-concerns?
We should probably concentrate those issues in one place.

    Brian
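The bypass Mark describes and the check a CPE could apply against it, as an added example that is not part of the message above, the draft, or any vendor's code. It models a stateful filter in two forms: one that classifies only the outer header and passes Protocol 41 (IPv6-in-IPv4) and GRE (protocol 47) by default, and one that opens a permitted tunnel layer and judges the inner packet by the same inbound rule. The addresses, ports, flow table and header builders are constructed for the demonstration (documentation address ranges, checksums left at zero); the policy is a toy, not the rules of the draft.

```python
import struct
import ipaddress
from dataclasses import dataclass

# Protocol numbers used below (IPv4 "protocol" / IPv6 "next header").
PROTO_TCP = 6
PROTO_IPV6_ENCAP = 41   # IPv6-in-IPv4, the "Protocol 41" of the thread
PROTO_GRE = 47
TUNNEL_PROTOS = {PROTO_IPV6_ENCAP, PROTO_GRE}
GRE_ETHERTYPES = {0x0800, 0x86DD}   # IPv4, IPv6 inside GRE
MAX_DECAP_DEPTH = 3                 # bound nested encapsulation

@dataclass
class Pkt:
    version: int
    proto: int
    src: str
    dst: str
    payload: bytes

def parse_ip(buf: bytes) -> Pkt:
    """Parse a bare IPv4 or IPv6 header (no options/extension handling)."""
    version = buf[0] >> 4
    if version == 4:
        ihl = (buf[0] & 0x0F) * 4
        return Pkt(4, buf[9], str(ipaddress.IPv4Address(buf[12:16])),
                   str(ipaddress.IPv4Address(buf[16:20])), buf[ihl:])
    if version == 6:
        return Pkt(6, buf[6], str(ipaddress.IPv6Address(buf[8:24])),
                   str(ipaddress.IPv6Address(buf[24:40])), buf[40:])
    raise ValueError(f"unknown IP version {version}")

# Constructed packet builders; checksums stay zero, a filter model ignores them.
def build_ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_ipv6(next_header, src, dst, payload):
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload

def build_tcp(sport, dport, flags):
    # ports, seq, ack, data offset (5 words), flags, window, checksum, urgent
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def build_gre(ethertype, payload):
    return struct.pack("!HH", 0, ethertype) + payload   # RFC 2784 base header, no C/K/S

def gre_inner(payload: bytes):
    """Skip the GRE header (and optional checksum/key/sequence words) to the inner IP."""
    flags, ethertype = struct.unpack("!HH", payload[:4])
    if ethertype not in GRE_ETHERTYPES:
        return None
    off = 4 + (4 if flags & 0x8000 else 0) + (4 if flags & 0x2000 else 0) \
            + (4 if flags & 0x1000 else 0)
    return payload[off:]

def inbound_allowed_outer(pkt: Pkt, flows: set) -> bool:
    """Policy applied to one header only: unsolicited inbound is dropped,
    except tunnel protocols, which this default passes untouched."""
    if pkt.proto in TUNNEL_PROTOS:
        return True
    if pkt.proto == PROTO_TCP:
        sport, dport = struct.unpack("!HH", pkt.payload[:4])
        # allowed only as the return half of a flow the inside host initiated
        return (pkt.dst, dport, pkt.src, sport) in flows
    return False

def inbound_allowed_decap(buf: bytes, flows: set, depth: int = 0) -> bool:
    """Same policy, but a permitted tunnel is opened and the inner packet is
    judged by the same rule, so wrapping a packet earns it no free pass."""
    pkt = parse_ip(buf)
    if pkt.proto not in TUNNEL_PROTOS:
        return inbound_allowed_outer(pkt, flows)
    if depth >= MAX_DECAP_DEPTH:
        return False
    inner = pkt.payload if pkt.proto == PROTO_IPV6_ENCAP else gre_inner(pkt.payload)
    return bool(inner) and inbound_allowed_decap(inner, flows, depth + 1)

# Constructed sample: CPE WAN address, a remote tunnel endpoint, inside/remote IPv6 hosts.
WAN_V4, REMOTE_V4 = "203.0.113.10", "198.51.100.7"
INSIDE_V6, REMOTE_V6 = "2001:db8:1::10", "2001:db8:ffff::1"
# Flow the inside host opened earlier: (local addr, local port, remote addr, remote port)
ESTABLISHED = {(INSIDE_V6, 51000, REMOTE_V6, 443)}

INNER_SYN = build_ipv6(PROTO_TCP, REMOTE_V6, INSIDE_V6, build_tcp(40000, 22, 0x02))      # unsolicited SYN to :22
INNER_SYNACK = build_ipv6(PROTO_TCP, REMOTE_V6, INSIDE_V6, build_tcp(443, 51000, 0x12))  # reply to established flow
SYN_IN_6IN4 = build_ipv4(PROTO_IPV6_ENCAP, REMOTE_V4, WAN_V4, INNER_SYN)
SYNACK_IN_6IN4 = build_ipv4(PROTO_IPV6_ENCAP, REMOTE_V4, WAN_V4, INNER_SYNACK)
SYN_IN_GRE = build_ipv4(PROTO_GRE, REMOTE_V4, WAN_V4, build_gre(0x86DD, INNER_SYN))
SAMPLES = (SYN_IN_6IN4, SYNACK_IN_6IN4, SYN_IN_GRE)

def verdicts() -> dict:
    return {"outer_only": [inbound_allowed_outer(parse_ip(b), ESTABLISHED) for b in SAMPLES],
            "decap": [inbound_allowed_decap(b, ESTABLISHED) for b in SAMPLES]}

if __name__ == "__main__":
    print(verdicts())   # outer_only passes all three; decap drops the two hidden SYNs
```

The outer-only filter passes all three packets because the outer protocol is on the permitted list; the decapsulating filter passes only the SYN-ACK that matches an existing flow and drops the unsolicited SYN whether it arrives in 6in4 or GRE. The same trick cannot be applied to IPsec ESP, whose inner header is encrypted, which is why the question of authenticated versus unauthenticated tunnels matters for the policy being debated.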