Re: I-D.ietf-v6ops-cpe-simple-security-09

Brian E Carpenter <brian.e.carpenter@gmail.com> Sun, 21 March 2010 22:18 UTC

Message-ID: <4BA69A3D.7@gmail.com>
Date: Mon, 22 Mar 2010 11:14:21 +1300
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Mark Townsley <townsley@cisco.com>
CC: james woodyatt <jhw@apple.com>, Gert Doering <gert@space.net>, IPv6 Operations <v6ops@ops.ietf.org>
Subject: Re: I-D.ietf-v6ops-cpe-simple-security-09
References: <D6F5ACD2-EB43-477E-9F48-AC3EDB3F7EB4@apple.com> <4BA3BBCF.2090903@cisco.com> <4BA3D1B3.4010501@gmail.com> <4BA3DAAA.10000@cisco.com> <4BA40DD1.7080306@gmail.com> <6C168711-6A34-4487-9911-92766513183C@apple.com> <4BA522E8.7050504@cisco.com> <4BA56626.20606@gmail.com> <20100321133831.GL69383@Space.Net> <4BA6575D.7070300@gmail.com> <4BA670ED.1020302@cisco.com> <D69F1DE6-D24D-45AA-95D0-99B63E62A1EE@apple.com> <4BA68F61.7020005@cisco.com>
In-Reply-To: <4BA68F61.7020005@cisco.com>

On 2010-03-22 10:28, Mark Townsley wrote:
> On 3/21/10 9:29 PM, james woodyatt wrote:
>> On Mar 21, 2010, at 12:18, Mark Townsley <townsley@cisco.com> wrote:
>>> On 3/21/10 6:29 PM, Brian E Carpenter wrote:
>>>>
>>>>
>>>> So, I'm wondering what's really wrong with:
>>>>
>>>>   REC-41  Gateways MUST provide an easily selected configuration option
>>>>       that permits operation in a mode that forwards all unsolicited
>>>>       flows regardless of forwarding direction.
>>>>
>>> The problem is the default, which is not to permit this.
>>>>
>>
>>
>> That problem is inherited from RFC 4864, which this draft is not
>> intended to reverse.
> Why not, if that is the current consensus? We've reversed the text of
> IETF standards track documents before, much less Informational documents
> that are not a standard of any kind.

As a co-author of 4864, let me agree violently. It's not a BCP.
Even if it was, consensus could reverse it.

What 4864 says is: NATs weren't designed as security devices but they
provide simple security by blocking everything incoming by default.
To implement simple security for v6 you should do it with a stateful
firewall.

It doesn't say that CPEs MUST do this. It leaves that choice open, as
an informational document.

    Brian
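The two gateway behaviours the thread contrasts, as an added example that is not part of the original message or of the draft: a stateful filter that forwards LAN-initiated flows and their return traffic while dropping unsolicited inbound packets (the RFC 4864 "simple security" default), and the REC-41 option that switches the same gateway into a mode forwarding unsolicited flows regardless of direction. Addresses, ports, the idle timeout and the packet trace are constructed; the class and function names are this example's own.

```python
# Added example (not part of the original message): a small simulation of the
# two CPE behaviours the thread contrasts. The "simple security" default keeps
# state for flows initiated from the LAN side and drops unsolicited inbound
# packets; the REC-41 option switches the gateway into a mode that forwards
# unsolicited flows regardless of direction. Addresses, ports, timeout and the
# packet trace below are constructed for illustration; the class and function
# names are this example's own, not drawn from the draft or any real CPE.
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int, int, str]  # (src, dst, sport, dport, proto)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    direction: str  # "out" = LAN -> WAN, "in" = WAN -> LAN
    t: float        # arrival time in seconds, used for flow ageing


class SimpleSecurityGateway:
    """Stateful filter on the forwarding path of an IPv6 CPE (constructed model)."""

    def __init__(self, forward_unsolicited: bool = False, idle_timeout: float = 120.0):
        # REC-41 style toggle: when True, unsolicited inbound flows are forwarded
        self.forward_unsolicited = forward_unsolicited
        self.idle_timeout = idle_timeout  # constructed value, not from the draft
        # LAN-initiated flows and the time each was last seen
        self.flows: Dict[FlowKey, float] = {}

    def _expire(self, now: float) -> None:
        # Age out flows that have been idle longer than the timeout
        stale = [k for k, last in self.flows.items() if now - last > self.idle_timeout]
        for k in stale:
            del self.flows[k]

    def decide(self, pkt: Packet) -> str:
        self._expire(pkt.t)
        if pkt.direction == "out":
            # Outbound traffic is always forwarded and creates/refreshes state
            self.flows[(pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)] = pkt.t
            return "forward"
        # Inbound: solicited only if it reverses a live LAN-initiated flow
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)
        if reverse in self.flows:
            self.flows[reverse] = pkt.t
            return "forward"
        if self.forward_unsolicited:
            return "forward"  # transparent mode: no default blocking
        return "drop"         # simple security default


def constructed_trace() -> List[Packet]:
    """Four constructed packets: one outbound, its reply, an unsolicited
    inbound packet, and a late reply arriving after the idle timeout."""
    lan = "2001:db8:1::10"
    wan_web = "2001:db8:ffff::80"
    wan_other = "2001:db8:ffff::2"
    return [
        Packet(lan, wan_web, 40000, 443, "tcp", "out", 0.0),
        Packet(wan_web, lan, 443, 40000, "tcp", "in", 0.1),     # return traffic
        Packet(wan_other, lan, 55555, 22, "tcp", "in", 1.0),    # unsolicited
        Packet(wan_web, lan, 443, 40000, "tcp", "in", 500.0),   # reply after timeout
    ]


def run(forward_unsolicited: bool) -> List[str]:
    """Return the per-packet verdicts for the trace under the given mode."""
    gw = SimpleSecurityGateway(forward_unsolicited=forward_unsolicited)
    return [gw.decide(p) for p in constructed_trace()]


if __name__ == "__main__":
    print("default  :", run(False))
    print("REC-41 on:", run(True))
```

Under the default the third and fourth packets are dropped: the third never matched any LAN-initiated flow, and the fourth arrives after that flow's state has aged out, which is the part of "stateful" that a simple allow-list of ports does not capture. With the REC-41 option enabled the gateway forwards every packet, which is exactly the mode the thread is arguing about making easy to select.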