Re: REVIEW NEEDED: draft-durand-v6ops-assisted-tunneling-requirements-00.txt



On Fri, 2004-04-30 at 14:49, Pekka Savola wrote:
> (co-chair hat on)
> 
> As there was slight preference to having this as WG item, and it is
> very important to gain consensus on the requirements for a tunnel
> server solution, please publish the next revision under 
> draft-ietf-v6ops -label, making this a WG item.
> 
> The WG participants are already urged to review and provide feedback
> on the document.  If you want to "catch" this revision cycle, please
> send your comments by next Wednesday, 5th May.

You have my 'vote' too for making this document a WG item.

My comments:

Section 4 mentions "(initial tryout)": is that in the sense of "try
unauthenticated first, then authenticated", or is it meant for something
else? Section 4 also mentions that the 'unauthenticated' mode can be aimed
at tryout. Does this mean that using the source IP is 'authenticated'?

4.2: The 'non-authenticated' part should be taken away here, as it should
also be available for authenticated modes. E.g. the user knows his user/pass
for the ISP and then runs the tool(tm), or, automatically, the tool pops up
and notices: "I automatically found Example ISP, can you log in?"

4.4: s/victim's uplink/victim's downlink/
or better 'link' as it can be done two way.

Though I do not know of many protocols that will actually send a lot of
traffic to a host without asking for an ack every now and then ;)
Multicast is not that widely deployed, unfortunately, though that would
still ask for keepalives from the

One base item of course: ingress filtering, to which I would also add
that the Tunnel Servers should do egress filtering, limiting what the
tunnel can send onto the Internet unless there is an agreement with the
ISP that it is allowed to send other prefixes. Note that this is
currently a big problem in the IPv6 Internet, where a lot of ISPs allow
any prefix to be sent onto the Internet -> spoofing, not only 'transit'.

Also in 4.4:
s/IPv4 return routability checks/IPv6 return routability checks/

I like the 'clear text password is out' btw. IMHO MD5 suffices for most
setups; SHA1 or up could be used instead, so there should be a
possibility to select an authentication protocol.

Greets,
 Jeroen
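The per-tunnel ingress/egress filtering suggested in the message above, written out as an added example (this is not code from the draft or from the poster). It assumes a tunnel server that delegates one IPv6 prefix to each tunnel user and optionally records extra prefixes the ISP has agreed the user may source; the tunnel, its prefixes and the sample packets are constructed for illustration and use the 2001:db8::/32 documentation range.

```python
"""Ingress/egress filtering on a tunnel server, keyed on the prefix
delegated to each tunnel user (added example; assumptions noted inline)."""
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network, ip_address, ip_network


@dataclass
class Tunnel:
    name: str
    delegated: IPv6Network                 # prefix handed to this tunnel user
    agreed_extra: list = field(default_factory=list)  # extra prefixes allowed by ISP agreement

    def prefixes(self):
        return [self.delegated, *self.agreed_extra]


def _as_v6(text):
    """Parse an address; anything that is not a valid IPv6 address yields None."""
    try:
        addr = ip_address(text)
    except ValueError:
        return None
    return addr if isinstance(addr, IPv6Address) else None


def egress_allowed(tunnel, src):
    """Packet leaving the tunnel towards the Internet: its source must lie in
    the delegated prefix or an agreed extra prefix; anything else is spoofed
    (or, with a foreign global prefix, unauthorised transit)."""
    addr = _as_v6(src)
    return addr is not None and any(addr in net for net in tunnel.prefixes())


def ingress_allowed(tunnel, dst):
    """Packet from the Internet about to be sent into the tunnel: the
    destination must lie in a prefix routed to this tunnel, otherwise the
    tunnel server would be acting as open transit."""
    addr = _as_v6(dst)
    return addr is not None and any(addr in net for net in tunnel.prefixes())


def filter_packets(tunnel, packets):
    """packets: (direction, src, dst) triples, direction 'out' (tunnel -> Internet)
    or 'in' (Internet -> tunnel). Returns one verdict string per packet."""
    verdicts = []
    for direction, src, dst in packets:
        if direction == "out":
            ok = egress_allowed(tunnel, src)
        elif direction == "in":
            ok = ingress_allowed(tunnel, dst)
        else:
            ok = False                       # unknown direction: fail closed
        verdicts.append("allow" if ok else "drop")
    return verdicts


# Constructed sample: one tunnel user with a /48, plus one prefix the ISP
# has agreed this user may also source (e.g. a downstream customer).
SAMPLE_TUNNEL = Tunnel(
    name="user-1",
    delegated=ip_network("2001:db8:1234::/48"),
    agreed_extra=[ip_network("2001:db8:ffff::/48")],
)

SAMPLE_PACKETS = [
    ("out", "2001:db8:1234:1::10", "2001:db8:9::1"),  # own prefix           -> allow
    ("out", "2001:db8:ffff::5",    "2001:db8:9::1"),  # agreed extra prefix  -> allow
    ("out", "2001:db8:dead::1",    "2001:db8:9::1"),  # spoofed source       -> drop
    ("out", "fe80::1",             "2001:db8:9::1"),  # link-local source    -> drop
    ("in",  "2001:db8:9::1",       "2001:db8:1234:2::1"),  # to our user     -> allow
    ("in",  "2001:db8:9::1",       "2001:db8:aaaa::1"),    # not routed here -> drop
]


def run_sample():
    return filter_packets(SAMPLE_TUNNEL, SAMPLE_PACKETS)


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_sample()):
        print(verdict, pkt)
```

The same prefix list drives both directions: egress checks the source, ingress checks the destination, so a tunnel user can neither inject packets with someone else's source address nor be used as transit for prefixes the server never delegated. Any prefix beyond the delegated one only gets through because it was explicitly placed in `agreed_extra`, which is where the "agreement with the ISP" from the message would be recorded.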

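The "clear text password is out, and the authentication algorithm should be selectable" point from the message above, as an added example (not code from the draft or from the poster). It assumes a hypothetical three-step exchange that the draft does not define: the client names the digests it supports, the server picks one and sends a fresh nonce, and the client answers with an HMAC over the username and nonce keyed by the shared secret, so the secret itself never crosses the wire. The user database and secret are constructed samples.

```python
"""Challenge-response login with a negotiated digest (added example;
the exchange, the user table and the secret are assumptions)."""
import hmac
import secrets

# Server preference order, strongest first; MD5 is kept only as a fallback
# for clients that offer nothing better.
SERVER_DIGESTS = ("sha256", "sha1", "md5")


def negotiate_digest(client_offer, server_prefs=SERVER_DIGESTS):
    """Return the first server-preferred digest the client also offers, else None."""
    offer = {d.lower() for d in client_offer}
    return next((d for d in server_prefs if d in offer), None)


def keyed_response(digest, secret, username, nonce):
    """The client's answer: HMAC-<digest> over username and nonce, keyed by the secret."""
    return hmac.new(secret.encode(), username.encode() + b"\0" + nonce, digest).hexdigest()


class TunnelServer:
    def __init__(self, users):
        self.users = dict(users)   # username -> shared secret (constructed sample data)
        self.pending = {}          # nonce -> (username, digest); each nonce is single-use

    def start(self, username, client_offer):
        """Step 1/2: pick a digest and issue a nonce. A nonce is issued even for
        unknown users so the reply does not reveal which usernames exist."""
        digest = negotiate_digest(client_offer)
        if digest is None:
            return None, None
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = (username, digest)
        return digest, nonce

    def finish(self, nonce, client_resp):
        """Step 3: verify the keyed response. The nonce is consumed whether or
        not the check succeeds, so a captured response cannot be replayed."""
        entry = self.pending.pop(nonce, None)
        if entry is None:
            return False
        username, digest = entry
        secret = self.users.get(username)
        if secret is None:
            return False
        expected = keyed_response(digest, secret, username, nonce)
        return hmac.compare_digest(expected, client_resp)


def client_login(server, username, secret, client_offer):
    """Run the client side end to end; returns (digest used, success)."""
    digest, nonce = server.start(username, client_offer)
    if digest is None:
        return None, False
    return digest, server.finish(nonce, keyed_response(digest, secret, username, nonce))


USERS = {"alice": "correct horse battery staple"}   # constructed sample

if __name__ == "__main__":
    server = TunnelServer(USERS)
    print(client_login(server, "alice", USERS["alice"], ["md5", "sha256"]))
```

Because the server chooses from its own preference list, a client that offers both MD5 and SHA-256 ends up on SHA-256, while an MD5-only client still authenticates; the nonce table is what stops a sniffed response from being reused.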
