[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPv6-PMP?

To: v6ops@ops.ietf.org
Subject: Re: IPv6-PMP?
From: james woodyatt <jhw@apple.com>
Date: Wed, 11 Apr 2007 10:21:50 -0700
In-reply-to: <200704111052.05934@auguste.remlab.net>
References: <E1H56s6-0007us-HB@stiedprstage1.ietf.org> <8325F32F-5635-4F49-87CA-C67A0E866575@apple.com> <20070411061414.GQ63243@Space.Net> <200704111052.05934@auguste.remlab.net>

On Apr 11, 2007, at 00:52, Rémi Denis-Courmont wrote:

- many people seem to think that a disaster will happen if the NATsside effect security vanishes, and they won't switch to IPv6 ifthere is no "stateful firewall" (regardless of the fact that mostmalware is now transmitted through upper layers that won't careabout stateful firewalls).

I'm trying to find somebody with some technical expertise, and whocan speak authoritatively on the subject, who *DOESN'T* believe this.

+ Microsoft's recommendations for Internet gateway deviceimplementers call for this.+ The NAP draft in this working group calls for this, and I'm toldthis the result of an IETF consensus.+ Apple received nothing but negative criticism for shipping AirPortExtreme without this side effect on the IPv6 side. (The U.S.Department of Homeland Security called it a "design error".)

Is there anyone on the IESG or the IAB who will speak up about this?Anyone? You'll forgive me if I don't hold my breath.

(Yes, I know.  People will yell at you if you don't have "IPv6
firewall!!" on the product's data sheet.  But some half-informed
people will yell at you anyway... :( )
Hmm, some product managers in NetworkBoxCorp will read that IPv6CPEs need a "stateful firewall" because IETF said so. So they'llput it to the requirements list, and voilà, it has to be there inevery IPv6 CPEs.


This has already happened.  I was in the room.

Worse, the security team at $CORPORATION has issued a securityadvisory to the effect that not having the "stateful firewall"enabled exposes local network nodes to remote attack and instructscustomers to take steps to enable it, and changed the factoryconfiguration to match the advised behavior. This means that everybox from $CORPORATION for the foreseeable future will ship with the"stateful firewall" enabled in the default configuration, and userswill never be comfortable turning it off. Indeed, the manufactureris advising them *not* to turn it off.


This isn't hypothetical.  It's the reality today.

And then, IPv6 is completely useless, since it has the exact sameconnectivity problems as IPv4+NAT: outbound TCP works; UDP worksthrough hole punching if you know the peer address/port. InboundTCP does not work (so COMEDIA SIP does not), unsolicited UDP doesnot work. So IPv6 becomes pretty useless, while it remains verycostly an upgrade.

Unless we do something. I'm proposing that we consider extendingICMP to support automatically opening pinholes in the defaultgateway's stateful packet filter. Does anybody have any alternativeto consider?



--
j h woodyatt <jhw@apple.com>

Follow-Ups:
- Re: IPv6-PMP?
  - From: Rémi Denis-Courmont <rdenis@simphalempin.com>

References:
- I-D ACTION:draft-ietf-v6ops-nap-06.txt
  - From: Internet-Drafts@ietf.org
- Re: IPv6-PMP?
  - From: james woodyatt <jhw@apple.com>
- Re: IPv6-PMP?
  - From: Gert Doering <gert@space.net>
- Re: IPv6-PMP?
  - From: Rémi Denis-Courmont <rdenis@simphalempin.com>

Prev by Date: Re: IPv6-PMP?
Next by Date: Re: IPv6-PMP?
Previous by thread: Re: IPv6-PMP?
Next by thread: Re: IPv6-PMP?
Index(es):
- Date
- Thread