Re: [v6ops] draft-ietf-v6ops-mobile-device-profile last call- "harmfully broad"?

<mohamed.boucadair@orange.com> Thu, 12 February 2015 06:39 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9970C1A9077 for <v6ops@ietfa.amsl.com>; Wed, 11 Feb 2015 22:39:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TAAdEhn1z_YB for <v6ops@ietfa.amsl.com>; Wed, 11 Feb 2015 22:39:39 -0800 (PST)
Received: from relais-inet.francetelecom.com (relais-ias92.francetelecom.com [193.251.215.92]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A0B21A9074 for <v6ops@ietf.org>; Wed, 11 Feb 2015 22:39:39 -0800 (PST)
Received: from omfedm06.si.francetelecom.fr (unknown [xx.xx.xx.2]) by omfedm09.si.francetelecom.fr (ESMTP service) with ESMTP id 3DA962DC25F; Thu, 12 Feb 2015 07:39:37 +0100 (CET)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [10.114.31.30]) by omfedm06.si.francetelecom.fr (ESMTP service) with ESMTP id 19EE927C0AF; Thu, 12 Feb 2015 07:39:37 +0100 (CET)
Received: from OPEXCLILM23.corporate.adroot.infra.ftgroup ([169.254.2.231]) by OPEXCLILH02.corporate.adroot.infra.ftgroup ([10.114.31.30]) with mapi id 14.03.0224.002; Thu, 12 Feb 2015 07:39:37 +0100
From: <mohamed.boucadair@orange.com>
To: James Woodyatt <jhw@nestlabs.com>
Thread-Topic: [v6ops] draft-ietf-v6ops-mobile-device-profile last call- "harmfully broad"?
Thread-Index: AQHQRiNlJyo/dj7ROEKfd3r0ZcS7TZzsjIhg
Date: Thu, 12 Feb 2015 06:39:36 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B933004909864@OPEXCLILM23.corporate.adroot.infra.ftgroup>
References: <787AE7BB302AE849A7480A190F8B9330049091C2@OPEXCLILM23.corporate.adroot.infra.ftgroup> <CADhXe52o=Vxux1+G8_EXgE_-a3Mest_LD6Hzzqu=hDp3H++Ttw@mail.gmail.com>
In-Reply-To: <CADhXe52o=Vxux1+G8_EXgE_-a3Mest_LD6Hzzqu=hDp3H++Ttw@mail.gmail.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.168.234.1]
Content-Type: multipart/alternative; boundary="_000_787AE7BB302AE849A7480A190F8B933004909864OPEXCLILM23corp_"
MIME-Version: 1.0
X-PMX-Version: 6.0.3.2322014, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2015.2.12.3031
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/vYtabvHk0_aqFECf3rh6JxGPfUU>
Cc: IPv6 Ops WG <v6ops@ietf.org>
Subject: Re: [v6ops] draft-ietf-v6ops-mobile-device-profile last call- "harmfully broad"?
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Feb 2015 06:39:42 -0000

Hi James,

Thank you for raising this point as it helps to clarify a confusion.

This document DOES NOT RECOMMENT RFC6092 for tethered hosts.

I guess you are referring to this item:

   L_REC#2:  The cellular CPE must be compliant with the requirements
             specified in [RFC7084<http://tools.ietf.org/html/rfc7084>]4>].

                There are several deployments, particularly in emerging
                countries, that relies on mobile networks to provide
                broadband services (e.g., customers are provided with
                mobile CPEs).

                Note, this profile does not require IPv4 service
                continuity techniques listed in [RFC7084<http://tools.ietf.org/html/rfc7084>] because those
                are specific to fixed networks.  IPv4 service continuity
                techniques specific to the mobile networks are included
                in this profile.

This is about cellular ** CPE ** not tethered devices (You may noticed that this item used explicitly “cellular CPE” while other items in this section uses “cellular device”). RFC7084 is required for this case to ensure a functional parity with fixed CPEs.

BTW, the text you suggested about RFC6092 is in the draft:


   In the case of cellular devices that provide LAN features, compliance

   with L_REC#2 entails compliance with [RFC7084<http://tools.ietf.org/html/rfc7084>]4>], which in turn

   recommends compliance with Recommended Simple Security Capabilities

   in Customer Premises Equipment (CPE) for Providing Residential IPv6

   Internet Service [RFC6092<http://tools.ietf.org/html/rfc6092>]2>].  Therefore, the security considerations

   in Section 6 of [RFC6092]<http://tools.ietf.org/html/rfc6092#section-6> are relevant.  In particular, it bears

   repeating here that the true impact of stateful filtering may be a

   reduction in security, and that IETF make no statement, expressed or

   implied, as to whether using the capabilities described in any of

   these documents ultimately improves security for any individual users

   or for the Internet community as a whole.

Are you suggesting that a mobile CPE should not have the same functionalities as the fixed one, and therefore RFC7084 should not be cited in this I-D? Or you are suggesting that RFC7084 is harmful?

Thank you.

Cheers,
Med

De : James Woodyatt [mailto:jhw@nestlabs.com]
Envoyé : mercredi 11 février 2015 18:51
À : BOUCADAIR Mohamed IMT/OLN
Cc : IPv6 Ops WG
Objet : Re: [v6ops] draft-ietf-v6ops-mobile-device-profile last call- "harmfully broad"?

On Wed, Feb 11, 2015 at 4:09 AM, <mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com>> wrote:

Which items are not technically justified?

Others may have other items that bug them, and additional items may spring to my mind later if I put my mind to it, but I see no technical justification to recommend a simple firewall by default for tethered hosts according to RFC 6092. I consider that recommendation to be actively harmful.


--
james woodyatt <jhw@nestlabs.com<mailto:jhw@nestlabs.com>>
Nest Labs, Communications Engineering