IETF Logo Mail Archive

Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 25 August 2008 04:26 UTC

Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 82E7C3A68A4 for <ietfarch-v6ops-archive@core3.amsl.com>; Sun, 24 Aug 2008 21:26:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.186
X-Spam-Level:
X-Spam-Status: No, score=0.186 tagged_above=-999 required=5 tests=[AWL=0.681, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z0Fd7pPz6UYk for <ietfarch-v6ops-archive@core3.amsl.com>; Sun, 24 Aug 2008 21:26:47 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 835C53A6879 for <v6ops-archive@lists.ietf.org>; Sun, 24 Aug 2008 21:26:45 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1KXTbQ-0001PD-FQ for v6ops-data@psg.com; Mon, 25 Aug 2008 04:22:52 +0000
Received: from [74.125.44.29] (helo=yx-out-2324.google.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <brian.e.carpenter@gmail.com>) id 1KXTbM-0001MG-KV for v6ops@ops.ietf.org; Mon, 25 Aug 2008 04:22:50 +0000
Received: by yx-out-2324.google.com with SMTP id 8so812084yxb.71 for <v6ops@ops.ietf.org>; Sun, 24 Aug 2008 21:22:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :organization:user-agent:mime-version:to:cc:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=J53Cp3t3v96h57z27gLkbh6wXyjwj7MgLZqKcPTTeGg=; b=s5DosIkyXEM7BK/QPLHz7QqxrCy3cHWUOxoF3uddgtbbiAHJ57d8fQkUooiordlmj8 lritnJTGe9+0+oy7Tp5VFpDqyqBl+R/3Bwqf9KHoqBu0/rXKCBMItzZIEbbLct+JMVAa qg5CIGOw9nlog6Ntr9wVukZjm/gJCzIJ9TS1Q=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; b=H20M4ceqnDX3JSCCdd9lCctxnSqDd42oL5X6k/ATGzUXcigmabuU5CuJtoUGQm7Vf8 p5sNMin/F3TM//Sa3TLHp2Uj+bjJ43Wx/xpAWoMDCqeIzRaXukHMqdz5vN8KVlu8LEnU HurOjI/Pk9gp7UPwcXDW6FepyOT780zJyYzfA=
Received: by 10.115.22.1 with SMTP id z1mr2977201wai.99.1219638166286; Sun, 24 Aug 2008 21:22:46 -0700 (PDT)
Received: from ?130.216.38.124? ( [130.216.38.124]) by mx.google.com with ESMTPS id v32sm5724459wah.19.2008.08.24.21.22.43 (version=SSLv3 cipher=RC4-MD5); Sun, 24 Aug 2008 21:22:45 -0700 (PDT)
Message-ID: <48B23391.1090503@gmail.com>
Date: Mon, 25 Aug 2008 16:22:41 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Dan Wing <dwing@cisco.com>
CC: 'Mark Smith' <ipng@69706e6720323030352d30312d31340a.nosense.org>, jhw@apple.com, 'IPv6 Operations' <v6ops@ops.ietf.org>
Subject: Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03
References: <20080824204553.08131c65.ipng@69706e6720323030352d30312d31340a.nosense.org> <48B1CCE8.1070305@gmail.com> <01af01c9065b$b4602440$c2f0200a@cisco.com>
In-Reply-To: <01af01c9065b$b4602440$c2f0200a@cisco.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>

On 2008-08-25 14:38, Dan Wing wrote:
>  
> 
>> -----Original Message-----
>> From: owner-v6ops@ops.ietf.org 
>> [mailto:owner-v6ops@ops.ietf.org] On Behalf Of Brian E Carpenter
>> Sent: Sunday, August 24, 2008 2:05 PM
>> To: Mark Smith
>> Cc: jhw@apple.com; IPv6 Operations
>> Subject: Re: Some suggestions for 
>> draft-ietf-v6ops-cpe-simple-security-03
>>
>> Hi Mark,
>>
>> On 2008-08-24 23:15, Mark Smith wrote:
>> ...
>>> 2.2.  Internet Layer Protocols
>>>
>>> "Therefore, this document recommends the DEFAULT operating mode for
>>> residential IPv6 simple security is to permit all virtual private
>>> networking tunnel protocols to pass through the stateful filtering
>>> function.  These include IPsec transport and tunnel modes as well as
>>> other IP-in-IP protocols."
>>>
>>> Would it be better to restrict this to authenticated tunnelling
>>> protocols? Wrapping a malicious packet inside a GRE or IP packet and
>>> having the CPE blindly forward it would seem to me to be a really
>>> simple and easy way to bypass all the security mechanisms that this
>>> draft is defining.
>> I would object to that. That amounts to default-deny for all
>> the commonly used ways of bypassing ISPs that don't support
>> IPv6, and that would be a Bad Thing.
> 
> You're saying that the Simple CPE Security document is not intended
> to provide security, but rather intended to provide a way to receive
> unsolicited IPv6 traffic through non-IPv6-capable SPs?

If a host behind the CPE chooses to set up an IPv6 tunnel to
an IPv6-supporting ISP, I don't see that the tunnel is anybody's
business but the host's. So yes, in that case I think the CPE
should step back, because the host *is* soliciting incoming
packets.

    Brian

> 
> -d
> 
>> I think a recommendation that CPEs should document and warn about
>> such risks is a good idea, rather in the manner of personal
>> firewalls that alert you the first time you try to tunnel out
>> with Protocol 41, but remember when you click OK. Can we recommend
>> default-warn rather than either default-deny or default-allow?
>>
>> ...
>>> A few thoughts related to general tunnel security. Is it 
>>> appropriate for this draft to document...
>> How about referring to draft-ietf-v6ops-tunnel-security-concerns?
>> We should probably concentrate those issues in one place.
>>
>>    Brian
>>
> 
>

v2.23.0 | Report a Bug | By Email