Re: [v6ops] draft-ietf-v6ops-mobile-device-profile last call- "harmfully broad"?

<mohamed.boucadair@orange.com> Thu, 12 February 2015 06:39 UTC

From: mohamed.boucadair@orange.com
To: James Woodyatt <jhw@nestlabs.com>
Thread-Topic: [v6ops] draft-ietf-v6ops-mobile-device-profile last call- "harmfully broad"?
Date: Thu, 12 Feb 2015 06:39:36 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B933004909864@OPEXCLILM23.corporate.adroot.infra.ftgroup>
References: <787AE7BB302AE849A7480A190F8B9330049091C2@OPEXCLILM23.corporate.adroot.infra.ftgroup> <CADhXe52o=Vxux1+G8_EXgE_-a3Mest_LD6Hzzqu=hDp3H++Ttw@mail.gmail.com>
In-Reply-To: <CADhXe52o=Vxux1+G8_EXgE_-a3Mest_LD6Hzzqu=hDp3H++Ttw@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/v6ops/vYtabvHk0_aqFECf3rh6JxGPfUU>
Cc: IPv6 Ops WG <v6ops@ietf.org>
Subject: Re: [v6ops] draft-ietf-v6ops-mobile-device-profile last call- "harmfully broad"?

Hi James,

Thank you for raising this point as it helps to clarify a confusion.

This document DOES NOT RECOMMEND RFC 6092 for tethered hosts.

I guess you are referring to this item:

   L_REC#2:  The cellular CPE must be compliant with the requirements
             specified in [RFC7084].

                There are several deployments, particularly in emerging
                countries, that rely on mobile networks to provide
                broadband services (e.g., customers are provided with
                mobile CPEs).

                Note, this profile does not require IPv4 service
                continuity techniques listed in [RFC7084] because those
                are specific to fixed networks.  IPv4 service continuity
                techniques specific to the mobile networks are included
                in this profile.

This is about cellular ** CPE **, not tethered devices (you may have noticed that this item explicitly uses “cellular CPE” while other items in this section use “cellular device”). RFC7084 is required in this case to ensure functional parity with fixed CPEs.

BTW, the text you suggested about RFC6092 is in the draft:


   In the case of cellular devices that provide LAN features, compliance
   with L_REC#2 entails compliance with [RFC7084], which in turn
   recommends compliance with Recommended Simple Security Capabilities
   in Customer Premises Equipment (CPE) for Providing Residential IPv6
   Internet Service [RFC6092].  Therefore, the security considerations
   in Section 6 of [RFC6092] are relevant.  In particular, it bears
   repeating here that the true impact of stateful filtering may be a
   reduction in security, and that the IETF makes no statement, expressed or
   implied, as to whether using the capabilities described in any of
   these documents ultimately improves security for any individual users
   or for the Internet community as a whole.

Are you suggesting that a mobile CPE should not have the same functionalities as a fixed one, and therefore that RFC7084 should not be cited in this I-D? Or are you suggesting that RFC7084 is harmful?

Thank you.

Cheers,
Med

From: James Woodyatt [mailto:jhw@nestlabs.com]
Sent: Wednesday, 11 February 2015 18:51
To: BOUCADAIR Mohamed IMT/OLN
Cc: IPv6 Ops WG
Subject: Re: [v6ops] draft-ietf-v6ops-mobile-device-profile last call- "harmfully broad"?

On Wed, Feb 11, 2015 at 4:09 AM, <mohamed.boucadair@orange.com> wrote:

Which items are not technically justified?

Others may have other items that bug them, and additional items may spring to my mind later if I put my mind to it, but I see no technical justification to recommend a simple firewall by default for tethered hosts according to RFC 6092. I consider that recommendation to be actively harmful.


--
james woodyatt <jhw@nestlabs.com>
Nest Labs, Communications Engineering
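To make concrete what the two posters are arguing about, here is an added toy model of the RFC 6092 "simple security" default as it would apply to a host tethered behind a cellular CPE. It is illustration code written for this archive page, not text or code from the draft, RFC 6092, or any CPE vendor. Its policy is a deliberate simplification: LAN-initiated flows are forwarded and recorded, WAN-originated packets are forwarded only when they match recorded state or are ICMPv6 error/echo messages of the kind RFC 4890 says a transit filter should pass, and a "transparent mode" switch forwards everything. The addresses and port numbers are constructed.

```python
"""Toy model of the RFC 6092 default ("simple security") behaviour.

Added illustration only; simplified from RFC 6092 / RFC 4890 and not the
draft's, the RFCs' or any vendor's code. Assumed policy:
  * flows initiated from the LAN side are forwarded and recorded as state;
  * packets arriving from the WAN side are forwarded only if they match
    that state, except ICMPv6 error/echo messages (RFC 4890);
  * a "transparent mode" switch forwards everything.
"""
from dataclasses import dataclass
from ipaddress import IPv6Address
from typing import Optional, Set, Tuple

LAN, WAN = "lan", "wan"

# ICMPv6 types a transit filter should not drop (RFC 4890 section 4.3.1):
# destination unreachable, packet too big, time exceeded, parameter problem,
# echo request, echo reply.
ICMPV6_PASS = {1, 2, 3, 4, 128, 129}

FlowKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    iface: str                      # ingress interface: LAN or WAN
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None

    def __post_init__(self) -> None:
        IPv6Address(self.src)       # reject malformed addresses early
        IPv6Address(self.dst)


class SimpleSecurityFilter:
    """Stateful, default-deny-inbound filter in the RFC 6092 shape."""

    def __init__(self, transparent: bool = False) -> None:
        self.transparent = transparent
        self._flows: Set[FlowKey] = set()

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> FlowKey:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def forward(self, p: Packet) -> bool:
        """Return True if the CPE forwards the packet, False if it drops it."""
        if self.transparent:
            return True
        if p.iface == LAN:
            # Outbound is always permitted and opens the pinhole for replies.
            self._flows.add(self._key(p))
            return True
        if p.proto == "icmpv6" and p.icmp_type in ICMPV6_PASS:
            # Connection-free exception: dropping these breaks PMTUD and ping.
            return True
        # Anything else from the WAN must match a flow the LAN initiated.
        return self._reverse_key(p) in self._flows


# Constructed addresses for the demo (documentation prefix 2001:db8::/32).
TETHERED = "2001:db8:1::10"   # laptop tethered behind the handset
PEER = "2001:db8:2::53"       # some host on the Internet


def demo(transparent: bool = False) -> dict:
    """Push four representative packets through the filter; return verdicts."""
    fw = SimpleSecurityFilter(transparent=transparent)
    return {
        # 1. tethered laptop opens a TCP connection to the peer
        "lan_syn": fw.forward(Packet(LAN, TETHERED, PEER, "tcp", 51000, 443)),
        # 2. the peer's SYN/ACK returns on the mirrored 5-tuple: matches state
        "wan_reply": fw.forward(Packet(WAN, PEER, TETHERED, "tcp", 443, 51000)),
        # 3. the peer tries to reach a service the laptop listens on: unsolicited
        "wan_unsolicited": fw.forward(Packet(WAN, PEER, TETHERED, "tcp", 40000, 8080)),
        # 4. Packet Too Big for the laptop's flow: RFC 4890 says pass it
        "wan_ptb": fw.forward(Packet(WAN, PEER, TETHERED, "icmpv6", icmp_type=2)),
    }


if __name__ == "__main__":
    print("default:    ", demo())
    print("transparent:", demo(transparent=True))
```

Case 3 is the behaviour James calls harmful for tethered hosts: with the RFC 6092 default on, an inbound connection to a service the tethered host is deliberately listening on is dropped until the user flips the CPE into transparent mode, whereas the same host attached to the cellular network directly would be reachable.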