Re: [v6ops] new draft: draft-ietf-v6ops-6204bis

Tassos Chatzithomaoglou <achatz@forthnetgroup.gr> Sat, 15 October 2011 08:32 UTC

Message-ID: <4E994515.6020204@forthnetgroup.gr>
Date: Sat, 15 Oct 2011 11:32:21 +0300
From: Tassos Chatzithomaoglou <achatz@forthnetgroup.gr>
To: "Hemant Singh (shemant)" <shemant@cisco.com>
References: <4E974F1A.2030008@forthnetgroup.gr> <5B6B2B64C9FE2A489045EEEADDAFF2C3030A4156@XMB-RCD-109.cisco.com> <5B6B2B64C9FE2A489045EEEADDAFF2C303130390@XMB-RCD-109.cisco.com> <4E98CCB2.2050100@forthnetgroup.gr> <5B6B2B64C9FE2A489045EEEADDAFF2C3031303D8@XMB-RCD-109.cisco.com>
In-Reply-To: <5B6B2B64C9FE2A489045EEEADDAFF2C3031303D8@XMB-RCD-109.cisco.com>
Cc: v6ops@ietf.org, draft-ietf-v6ops-6204bis@tools.ietf.org



    
Hemant Singh (shemant) wrote on 15/10/2011 03:03:

From: Tassos Chatzithomaoglou [mailto:achatz@forthnetgroup.gr]
Sent: Friday, October 14, 2011 7:59 PM
To: Hemant Singh (shemant)
Cc: v6ops@ietf.org; draft-ietf-v6ops-6204bis@tools.ietf.org
Subject: Re: [v6ops] new draft: draft-ietf-v6ops-6204bis

> Since the CPE is also a tunnel endpoint, I believe ingress filtering of tunneled traffic should be implemented after the decapsulation of the traffic, before reaching the LAN.
> I.e. in the case of DS-Lite, in the ingress direction, after the IPv6 tunnel header is removed, IPv4 traffic should be inspected as it would be if it were coming from a native IPv4 interface.

Ah, certainly! I assumed we were discussing inspecting tunneled traffic vs. native and that is why I was wondering. I do think any security filter inside the CE router will inspect all IPv4 or IPv6 packets whether the packets were decapsulated from a tunnel or were native IP packets. If this is not obvious, we can certainly consider adding a sentence to make this one blatantly clear.

Thanks,

Hemant

I gave it a second thought and I'm thinking that, without port forwarding, the chances of needing a firewall for decapsulated IPv4 traffic are low in the case of DS-Lite.
RFC 4863 describes very nicely the perceived benefits of NAT (which in this case will happen on the AFTR), and since we are not (are we?) including any reference to port forwarding mechanisms, IPv4 attack vectors to the CPE through DS-Lite are low (but existent).
On the other hand, in the 6rd scenario, there is no (need for) NAT happening on IPv6 traffic on the BR, so an IPv6 firewall for filtering ingress decapsulated IPv4=>IPv6 traffic on the CPE is surely needed.
Maybe you would like to differentiate those scenarios in your text.

--
Tassos
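As an added illustration of the point argued in this thread (not code from the draft or from either poster), the following Python model shows a CE router stripping one tunnel layer (6rd IPv6-in-IPv4, or DS-Lite IPv4-in-IPv6) and then applying a stateful default-deny ingress filter to the inner packet, exactly as it would to a natively received one. All addresses, the tunnel endpoints and the flow table are constructed for the demo.

```python
import ipaddress
import struct

# Added illustration (not from the draft or this thread): a CE router strips the
# tunnel header and then runs its ingress filter on the INNER packet, the same
# filter a natively received IPv4/IPv6 packet would hit. Addresses are constructed.
IPPROTO_IPIP = 4    # IPv4-in-IPv6 (DS-Lite B4 <-> AFTR)
IPPROTO_IPV6 = 41   # IPv6-in-IPv4 (6rd CE <-> BR)

def ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 header (no options, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + payload

def ipv6(src, dst, nh, payload=b""):
    """Build a minimal IPv6 header."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nh, 64,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + payload

def parse(pkt):
    """Return (version, protocol/next-header, src, dst, payload) of a raw IP packet."""
    if pkt[0] >> 4 == 4:
        ihl = (pkt[0] & 0x0F) * 4
        return 4, pkt[9], ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20]), pkt[ihl:]
    return 6, pkt[6], ipaddress.ip_address(pkt[8:24]), ipaddress.ip_address(pkt[24:40]), pkt[40:]

def decapsulate(pkt):
    """Strip one tunnel layer if present (6rd or DS-Lite); native packets pass through."""
    ver, proto, _, _, payload = parse(pkt)
    if (ver, proto) in ((4, IPPROTO_IPV6), (6, IPPROTO_IPIP)):
        return parse(payload)
    return parse(pkt)

def ingress_filter(inner, conntrack):
    """Stateful default-deny: accept only what answers a flow the LAN opened."""
    _, _, src, dst, _ = inner
    return "ACCEPT" if (dst, src) in conntrack else "DROP"

def handle_ingress(pkt, conntrack):
    return ingress_filter(decapsulate(pkt), conntrack)

# Constructed packets. 6rd: BR -> CE WAN carries Internet host -> LAN host (IPv6).
LAN6, REMOTE6 = ipaddress.ip_address("2001:db8:1::10"), ipaddress.ip_address("2001:db8:ffff::1")
SIXRD_PKT = ipv4("198.51.100.1", "203.0.113.7", IPPROTO_IPV6, ipv6(REMOTE6, LAN6, 6, b"\x00" * 20))
# DS-Lite: AFTR -> B4 carries Internet host -> LAN host (IPv4, already un-NATed by the AFTR).
LAN4, REMOTE4 = ipaddress.ip_address("192.168.1.2"), ipaddress.ip_address("192.0.2.10")
DSLITE_PKT = ipv6("2001:db8:aaaa::1", "2001:db8:bbbb::1", IPPROTO_IPIP, ipv4(REMOTE4, LAN4, 6, b"\x00" * 20))

if __name__ == "__main__":
    print(handle_ingress(SIXRD_PKT, set()))               # DROP: unsolicited 6rd inbound
    print(handle_ingress(SIXRD_PKT, {(LAN6, REMOTE6)}))   # ACCEPT: LAN opened this flow
```

With an empty flow table the unsolicited 6rd packet is dropped, which is the case where the thread notes the BR does no NAT and the CE firewall is the only protection; the DS-Lite inner IPv4 packet goes through the very same filter.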