Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows

Mark Baugher <mbaugher@cisco.com> Mon, 24 August 2009 18:43 UTC

Cc: james woodyatt <jhw@apple.com>, IPv6 Operations <v6ops@ops.ietf.org>
Message-Id: <C6F4A79B-EAAB-469D-B9A5-F29182A5EC6D@cisco.com>
From: Mark Baugher <mbaugher@cisco.com>
To: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
In-Reply-To: <20090823184516.a8667014.ipng@69706e6720323030352d30312d31340a.nosense.org>
Subject: Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
Date: Mon, 24 Aug 2009 11:33:31 -0700
References: <805241AA-DC9A-4498-9D54-8D491DD62A0D@apple.com> <2D21500B-207B-43FB-9728-8A7BCEC82CB1@apple.com> <7F9A6D26EB51614FBF9F81C0DA4CFEC80158E120B3E6@il-ex01.ad.checkpoint.com> <47CF65DB-E3E1-4666-B1E9-51A49B372AD5@apple.com> <390865C6-3343-4C31-9767-6E0FCA4481DD@suspicious.org> <ADAD4E36-7059-40F5-B964-607F065639FE@apple.com> <20090823184516.a8667014.ipng@69706e6720323030352d30312d31340a.nosense.org>

The node that accepts the IKE phase 1 presumably has some acl or credential requirement to control access - or could have. I thought that this was the idea behind the original recommendation.

Mark

On 23/08/2009, at 2:15 AM, Mark Smith wrote:

> On Sat, 22 Aug 2009 22:33:37 -0700
> james woodyatt <jhw@apple.com> wrote:
>
>> On Aug 22, 2009, at 21:58, Truman Boyes wrote:
>>>
>>> This is quite confusing from an implementation perspective; security
>>> is not explicitly increased by prohibiting non-encrypted tunnels but
>>> allowing encrypted (ESP or AH) traffic flows. Wouldn't this simply
>>> serve as a driver to make all tunnel encapsulations use ESP/AH?
>>
>> Yes.  I'm not sure I can explain how this is supposed to increase
>> security, but if consensus in the working group emerges around these
>> recommendations and the draft can proceed through working group last
>> call, then that's good enough for me.
>>
>
> Maybe I haven't fully understood the question, however isn't the answer
> as simple as the benefits of IPsec over cleartext? Even the
> better-than-nothing-mode of IPsec, while vulnerable to
> man-in-the-middle attacks during session setup, has a much smaller
> window of opportunity for exploitation over clear text traffic.
>
> Regards,
> Mark.
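An added example of the inbound rule the thread is arguing about (my own code, not from the draft or from any poster): walk the IPv6 extension-header chain to the upper-layer protocol, admit ESP, AH and IKE, and drop unencrypted tunnel encapsulations, leaving admission control to the IKE responder as Mark describes. The tunnel table and the IKE port set (UDP 500 and 4500) are assumptions of mine; the protocol numbers are the IANA values.

```python
"""Inbound classifier for the rule debated above: admit IPsec (ESP, AH, IKE)
but drop unencrypted tunnel encapsulations. Added example; the policy table
and IKE port set are assumptions, protocol numbers are the IANA values."""
import struct

EXT_HEADERS = {0, 43, 44, 60}  # hop-by-hop, routing, fragment, destination options
TUNNEL_PROTOS = {4: "IPv4-in-IPv6", 41: "IPv6-in-IPv6", 47: "GRE"}  # assumed table
ESP, AH, UDP = 50, 51, 17
IKE_PORTS = {500, 4500}  # IKE and IKE NAT traversal (assumed policy)

def upper_layer(pkt: bytes):
    """Walk the IPv6 extension-header chain; return (next_header, offset)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        nh_next, ext_len = pkt[off], pkt[off + 1]
        # Fragment header is a fixed 8 octets; the others are 8 + 8*ext_len.
        off += 8 if nh == 44 else 8 + 8 * ext_len
        nh = nh_next
    return nh, off

def classify_inbound(pkt: bytes) -> str:
    """Decide the fate of an unsolicited inbound packet under the policy."""
    nh, off = upper_layer(pkt)
    if nh in (ESP, AH):
        # Admission control for these flows lives at the IKE responder, not here.
        return "permit: IPsec " + ("ESP" if nh == ESP else "AH")
    if nh == UDP and off + 8 <= len(pkt):
        _sport, dport = struct.unpack("!HH", pkt[off:off + 4])
        if dport in IKE_PORTS:
            return "permit: IKE"
    if nh in TUNNEL_PROTOS:
        return "drop: unencrypted tunnel " + TUNNEL_PROTOS[nh]
    return "drop: no matching flow state"

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed test packet: minimal IPv6 header, ::1 -> ::1, then payload."""
    addr = b"\0" * 15 + b"\1"
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + addr + addr + payload

if __name__ == "__main__":
    dst_opts_then_esp = ipv6(60, bytes([ESP, 0, 1, 4, 0, 0, 0, 0]) + b"\0" * 8)
    print(classify_inbound(dst_opts_then_esp))     # permit: IPsec ESP
    print(classify_inbound(ipv6(41, b"\0" * 40)))  # drop: unencrypted tunnel IPv6-in-IPv6
```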