[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

draft-ietf-v6ops-cpe-simple-security-00

To: v6ops Operations <v6ops@ops.ietf.org>
Subject: draft-ietf-v6ops-cpe-simple-security-00
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Tue, 4 Dec 2007 12:36:06 -0800

Looking at draft-ietf-v6ops-cpe-simple-security-00:

"The operational goals of security capabilities in Internet gatewaysare described with more detail in "Local Network Protection forIPv6" [IPv6-NAP], but they can be summarized as follows.

o Check all traffic to and from the public Internet for basic sanity,e.g. anti-spoofing and "martian" filters.o Allow tracking of application usage by source and destinationtransport addresses.o Provide a barrier against untrusted external influences on theinterior network by requiring filter state to be activated by trafficoriginating at interior network nodes.o Allow manually configured exceptions to the stateful filtering rulesaccording to network administration policy."

The first bullet is fairly obvious (although personally I've neverfelt the need to filter packets that are going to fail just fine ontheir own) but I'm not quite sure what the other bullets get at...


Some things that may deserve attention in the draft:

What about packets with unknown next headers?

On the one end you don't want bad guys to work around filters byinserting a header or two between the IPv4 and TCP or UDP headers, buton the other hand you don't want to make innovation impossible byfiltering out anything that didn't exist when the CPE was shipped.

An extra complication is that although there is a fairly standardextension header format, not all headers conform to this format, so itmay or may not be possible to look beyond an unknown header in a packet.

PMTUD is mentioned but no language about allowing the required packettoo big messages through. This is extremely important, PMTUD blackholes are a big problem, and some of the IPv4 worarounds aren'tavailable in IPv6. It may even be useful to allow the CPE to advertisea reduced MTU on the LAN side to work around upstream PMTUD breakage,although it wouldn't be a good idea to enable this by default, IMO.

Some other stuff that routinely cause trouble with at least somefirewalls: diffserv bits in the IP header, ECN, TCP options in generaland window scale in particular. Do we need to say anything aboutthese? (Some firewalls ignore the window scale option but then block"out of window" segments.)

Follow-Ups:
- Re: draft-ietf-v6ops-cpe-simple-security-00
  - From: james woodyatt <jhw@apple.com>

Prev by Date: Re: I-D Action:draft-van-beijnum-modified-nat-pt-02.txt
Next by Date: Re: new version of draft-narten-ipv6-3177bis-48boundary-03.txt
Previous by thread: draft-ietf-v6ops-addr-select-req to informational
Next by thread: Re: draft-ietf-v6ops-cpe-simple-security-00
Index(es):
- Date
- Thread