
CPE Simple Security considered beneficial by RFC 4864



everyone--

During my presentation of <draft-ietf-v6ops-cpe-simple-security> in the V6OPS group meeting here in Chicago today, some of the participants expressed the view that RFC 4864 doesn't "mandate" the use of stateful packet filters for IPv6 residential gateways. I wasn't able to improvise a response to that concern on my feet, so this message will have to serve as my rebuttal.

p1. In section 4.2 "IPv6 and Simple Security" (bottom of page 15), RFC 4864 makes the following recommendation:

To implement simple security for IPv6 in, for example, a DSL or cable modem-connected home network, the broadband gateway/router should be equipped with stateful firewall capabilities. These should provide a default configuration where incoming traffic is limited to return traffic resulting from outgoing packets (sometimes known as reflective session state).

Of particular note, this paragraph explicitly recommends that stateful filtering should be applied by *default*. This was the subject of much kvetching on my part back in April (or was it May) on this list, due to a very embarrassing and related mistake on my part (which ultimately resulted in a U.S. Department of Homeland Security Advisory). In the aftermath of that, I learned-- no, this was *NOT* an editorial oversight by the authors of RFC 4864, but rather a very deliberate recommendation that arose from the consensus of the Internet engineering community.

p2. In section 6.1 "Simple Security" (bottom of page 26), RFC 4864 makes the following assertion:

The basic security provided by a stateful firewall will require some degree of default configuration and automation to mask the technical complexity from a consumer who merely wants a secure environment with working applications. There is no reason a stateful IPv6 firewall product cannot be shipped with default protection that is equal to or better than that offered by today's IPv4/NAT products.

The implication here is clear. The IETF consensus is that "secure by default" is the recommendation for vendors of CPE with IPv6 Simple Security capabilities, where that means: a stateful packet filter, which delivers all the simple security goodness of IPv4/NAT, and which should be turned *ON* in the unconfigured mode of operation.

p3. In section 1 "Introduction" (middle of page 2), RFC 4864 *does* say:

It should be noted that this document is 'informational', as it discusses approaches that will work to accomplish the goals of the network manager. It is specifically not a Best Current Practice (BCP) that is recommending any one approach or a manual on how to configure a network.

When I came forward (prior to the AUTH48 event) with my confusion about the previously noted recommendations in what is now RFC 4864, I suggested that perhaps the second of the two sentences above should be dropped, since-- in fact-- the document does recommend a particular approach to configuring a network. And not just *a* network, but the vast majority of all residential network installations where users do not customize the security configuration of their gateway appliances.

The response from the authors of RFC 4864 was to decline the opportunity to correct the document during its AUTH48 review. I can't blame them for this, but I think it's possible that some participants in today's V6OPS meeting session may have been misled by this incorrect caveat in the introduction section (as I predicted might happen).

-----

It's my sense of the mood of the participants in the room today that there may not really be a consensus around the recommendation to use stateful packet filtering by default at residential gateways. It was certainly the subject of more debate than one would expect for an issue for which we are currently proceeding as if it was settled long, long ago. That said, I'd like to note that we don't have any Internet drafts to reference when arguing for the position that these stateful packet filters are to be considered harmful. Perhaps, if we had such a draft, we could bring it to the attention of the IAB, for example, and maybe the concerns about "Internet Fog" might then move beyond mumbling in hallways and whinging at the microphones and into the realm of formal proceedings to repudiate the positions already staked out in published RFCs.

In the absence of substantive objections, I think we should continue to proceed according to the documentation we have.



--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering