Re: [v6ops] I-D Action: draft-ietf-v6ops-balanced-ipv6-security-01.txt

Marc Lampo <marc.lampo.ietf@gmail.com> Mon, 09 December 2013 07:48 UTC


Section 2, Threats, still lists 6 threats of which only one (the fourth) is
addressed by the proposed implementation and then, only partially.

In my opinion this is very misleading as Swisscom's customers might get the
impression their ISP's approach helps against the 5 other threats as well,
which it does not.
I'd delete the section altogether.

Kind regards,

Marc


On Fri, Dec 6, 2013 at 4:51 PM, Guillaume Leclanche <guillaume@leclanche.net> wrote:

> Hello,
>
> This is a new version of the draft after having analyzed the WGLC
> comments and the Security Directorate review.
>
> A lot of text was modified to make sure that the document could not be
> mistaken for a recommendation. The filtering concept and examples are
> not changed, as the authors have chosen to stick to describing the
> documented practice.
>
> There are new mentions of PCP and UPnP, and the Security
> Considerations part was also detailed.
>
> Guillaume
>
> 2013/12/6  <internet-drafts@ietf.org>:
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts directories.
> >  This draft is a work item of the IPv6 Operations Working Group of the IETF.
> >
> >         Title           : Balanced Security for IPv6 Residential CPE
> >         Author(s)       : Martin Gysi
> >                           Guillaume Leclanche
> >                           Eric Vyncke
> >                           Ragnar Anfinsen
> >         Filename        : draft-ietf-v6ops-balanced-ipv6-security-01.txt
> >         Pages           : 9
> >         Date            : 2013-12-06
> >
> > Abstract:
> >    This document describes how an IPv6 residential Customer Premise
> >    Equipment (CPE) can have a balanced security policy that allows for a
> >    mostly end-to-end connectivity while keeping the major threats
> >    outside of the home.  It is documenting an existing IPv6 deployment
> >    by Swisscom and allows all packets inbound/outbound EXCEPT for some
> >    layer-4 ports where attacks and vulnerabilities (such as weak
> >    passwords) are well-known.  The policy is a proposed set of rules
> >    that can be used as a default setting.  The set of blocked inbound
> >    and outbound ports is expected to be updated as threats come and go.
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-v6ops-balanced-ipv6-security
> >
> > There's also a htmlized version available at:
> > http://tools.ietf.org/html/draft-ietf-v6ops-balanced-ipv6-security-01
> >
> > A diff from the previous version is available at:
> > http://www.ietf.org/rfcdiff?url2=draft-ietf-v6ops-balanced-ipv6-security-01
> >
> >
> > Please note that it may take a couple of minutes from the time of submission
> > until the htmlized version and diff are available at tools.ietf.org.
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >
> > _______________________________________________
> > v6ops mailing list
> > v6ops@ietf.org
> > https://www.ietf.org/mailman/listinfo/v6ops