Re: SECDIR review: draft-ietf-v6ops-tunnel-concerns

Suresh Krishnan <suresh.krishnan@ericsson.com> Tue, 21 October 2008 15:24 UTC

Message-ID: <48FDF264.1030006@ericsson.com>
Date: Tue, 21 Oct 2008 11:16:52 -0400
From: Suresh Krishnan <suresh.krishnan@ericsson.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
CC: Nathan Ward <v6ops@daork.net>, Kurt Zeilenga <Kurt.Zeilenga@Isode.com>, Pasi Eronen <Pasi.Eronen@nokia.com>, Tim Polk <tim.polk@nist.gov>, secdir@mit.edu, Jim_Hoagland@symantec.com, dthaler@microsoft.com, v6ops@ops.ietf.org
Subject: Re: SECDIR review: draft-ietf-v6ops-tunnel-concerns
References: <8B128AB2-BBD9-49B9-A837-F00DD80BF5D3@Isode.com> <48F2C29B.8090900@ericsson.com> <D6947E23-5209-4767-882A-7EBA645B3DCB@daork.net> <48F8EE0D.4060307@ericsson.com> <48FB9A79.8040407@gmail.com>
In-Reply-To: <48FB9A79.8040407@gmail.com>

Hi Brian,
   Thanks for your comments. Please see responses inline.

Brian E Carpenter wrote:
> ...
>>> Why tunnelling over UDP or TCP? Why not tunnelling in IP as in 6to4?
>>> I don't imagine that UDP makes it any more difficult to inspect than
>>> an IP protocol.
>>>
>>> I think this statement should be changed to "Tunnelling through a
>>> security device (ie. firewall) is not recommended for.. " etc.
>> Sounds good. We will make this change.
> 
> Now you have me worried enough to say something I've been feeling
> ever since I really read this draft carefully.
> 
> To exaggerate, <sarcasm> why not just rename it "tunneling considered
> harmful" and chop it down to one paragraph? </sarcasm>

The draft is about security concerns with tunnels. It discusses concerns 
and associated recommendations if the concern is considered valid by an 
admin. It was not our goal to say "tunneling considered harmful" but 
rather to say "If you want to do foo, tunneling might prevent you from 
doing foo. So disable tunnels" or "If you don't want your users to do 
foo, tunneling might allow them to do foo. So disable tunnels".

> 
> I think there's a real risk of this document being misunderstood
> by typical site IT managers, and being used simply as an excuse
> to block all kinds of tunnel-based v4/v6 coexistence. But tunnels
> are a legitimate coexistence strategy. I'd much rather see
> this document talking more about how to make the use of tunnels
> safe as part of v4/v6 coexistence. There is some of that material
> in the document, but the impression the draft leaves is now of
> a succession of warnings to block tunnels.

Although the draft started out as security concerns related to Teredo 
tunnels, it has been generalized to all kinds of tunnels and not limited 
to v4/v6 transition tunnels. The draft lists problems and possible 
solutions to those problems. If you think there is a problem with the 
tone of the document, I am sure we can work on fixing it, but I 
sincerely believe that all the stated concerns are real and not FUD.

Thanks
Suresh
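The point raised in the quoted exchange, whether IPv6 carried in UDP (Teredo) is any harder for a security device to inspect than IPv6 carried directly in IPv4 (6to4), can be made concrete. The following is an added example, not code from this thread or from the draft under review: a small Python inspector, written from the firewall's side, that recognises both encapsulations in a raw IPv4 packet and pulls out the inner IPv6 source and destination so that an ordinary address policy can be applied to the tunnelled traffic. The function names, the sample addresses and the packets themselves are constructed for the example; the Teredo handling skips the optional authentication and origin-indication headers but ignores everything else in RFC 4380.

```python
"""Recognise 6to4/6in4 (IPv4 protocol 41) and Teredo (IPv6 in UDP/3544) and
expose the inner IPv6 addresses.  Added example; not from the thread or draft."""
import ipaddress
import struct

PROTO_TCP = 6
PROTO_UDP = 17
PROTO_IPV6 = 41      # IPv6 carried directly in IPv4: 6to4 / 6in4
TEREDO_PORT = 3544   # Teredo server/relay UDP port (RFC 4380)


def _ipv6_endpoints(data):
    """Return (src, dst) from a 40-byte IPv6 fixed header, or None if it is not IPv6."""
    if len(data) < 40 or (data[0] >> 4) != 6:
        return None
    return (str(ipaddress.IPv6Address(data[8:24])),
            str(ipaddress.IPv6Address(data[24:40])))


def _strip_teredo_headers(payload):
    """Skip optional Teredo authentication (0x0001) and origin-indication (0x0000)
    headers that may precede the IPv6 packet inside the UDP payload (RFC 4380 5.1)."""
    while len(payload) >= 2 and payload[0] == 0:
        if payload[1] == 1:                       # authentication header
            if len(payload) < 4:
                return b""
            id_len, au_len = payload[2], payload[3]
            # 4 fixed bytes + client id + auth value + 8-byte nonce + 1 confirmation byte
            payload = payload[4 + id_len + au_len + 9:]
        elif payload[1] == 0:                     # origin indication, fixed 8 bytes
            payload = payload[8:]
        else:
            break
    return payload


def classify(packet):
    """Describe the encapsulation found in one IPv4 packet (bytes)."""
    if len(packet) < 20 or (packet[0] >> 4) != 4:
        return {"kind": "not-ipv4"}
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    payload = packet[ihl:]
    if proto == PROTO_IPV6:                       # 6to4 / 6in4: inner header follows directly
        inner = _ipv6_endpoints(payload)
        if inner:
            return {"kind": "6to4/6in4", "inner_src": inner[0], "inner_dst": inner[1]}
    if proto == PROTO_UDP and len(payload) >= 8:  # Teredo: one 8-byte UDP header more
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            inner = _ipv6_endpoints(_strip_teredo_headers(payload[8:]))
            if inner:
                return {"kind": "teredo", "inner_src": inner[0], "inner_dst": inner[1]}
    return {"kind": "plain", "proto": proto}


# --- constructed sample packets (checksums left as zero; not validated above) ---
def build_ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6(src, dst, next_header=59, payload=b""):
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


INNER = build_ipv6("2001:0:4136:e378:8000:63bf:3fff:fdd2", "2001:db8::1")
SAMPLES = {
    "6to4": build_ipv4(PROTO_IPV6, "192.0.2.1", "192.88.99.1",
                       build_ipv6("2002:c000:201::1", "2001:db8::1")),
    "teredo": build_ipv4(PROTO_UDP, "192.0.2.1", "198.51.100.7",
                         build_udp(40000, TEREDO_PORT, INNER)),
    # same, with an origin-indication header in front of the IPv6 packet
    "teredo_origin": build_ipv4(PROTO_UDP, "198.51.100.7", "192.0.2.1",
                                build_udp(TEREDO_PORT, 40000, b"\x00\x00" + b"\x00" * 6 + INNER)),
    # same, with an empty authentication header (id_len = au_len = 0)
    "teredo_auth": build_ipv4(PROTO_UDP, "192.0.2.1", "198.51.100.7",
                              build_udp(40000, TEREDO_PORT, b"\x00\x01\x00\x00" + b"\x00" * 9 + INNER)),
    "plain": build_ipv4(PROTO_TCP, "192.0.2.1", "203.0.113.5", b"\x00" * 20),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```

Both tunnel forms reduce to the same 40-byte inner header once one fixed-size outer header is removed (two for Teredo), which is what the quoted comment means by UDP not being harder to inspect; a device that refuses to look past the outer IPv4 header will miss both equally.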