[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Comments on draft-ietf-v6ops-tunnel-security-concerns-00.txt

To: Gabi Nakibly <gnakibly@yahoo.com>
Subject: Re: Comments on draft-ietf-v6ops-tunnel-security-concerns-00.txt
From: Suresh Krishnan <suresh.krishnan@ericsson.com>
Date: Mon, 04 Aug 2008 17:26:21 -0400
Cc: v6ops@ops.ietf.org
In-reply-to: <939381.79593.qm@web45501.mail.sp1.yahoo.com>
References: <939381.79593.qm@web45501.mail.sp1.yahoo.com>
User-agent: Thunderbird 2.0.0.14 (X11/20080505)

Hi Gabi,
  Thanks for your comments. Please find responses inline

Gabi Nakibly wrote:

Hello,
I have some general comments concerningdraft-ietf-v6ops-tunnel-security-concerns-00.txt.1) In the Introduction the draft mentions tunnels that go through NATsand it seems that it is focused solely on such tunnels. However, thereare some security vulnerabilities discussed throughout the draft(specifically in sections 2 and 3) that relate to tunnels in general. Ithink the draft should be positioned to address tunnels in general.

We have come to the same conclusion as you and we are trying to get thisreviewed on a broader stage (such as intarea).

2) What is the relation of this draft to RFC4942 ("IPv6 transitionsecurity considerations")? Will it update this RFC? There is someconsiderable overlap between section 3 of the RFC and the draft.The draft elaborates on issues which are already mentioned in section3 of the RFC and there are some points mentioned in the RFC which arenot raised in the draft. For example, using tunnels to make sure thatthe Hop Limit = 255. Of course, there some issues in the draft which arenot mentioned in the RFC.

These two documents are largely independent. 4942 mainly covers issueswith the IPv6 transition while the tunnel sec document covers also othergeneric tunneling related security issues. Also the tunnel secdocument goes into more detail about the issues.

3) The major recommendation of the draft is in 3.1.3: "Tunneling overUDP or TCP (including HTTP) to reach the Internet is not recommended asa solution for managed networks.". Why is this recommendation relevantonly to managed networks? It seems that in unmanaged environments (homeor SOHO) the use of such tunnels will have similar effects.

It is an issue since managed networks may wish to enforce some kind ofpolicy on the user initiated traffic and this becomes difficult in thepresence of tunnels.

4) How the above recommendation settles with the softwire group'srecommendation to use LT2P tunnels in the hub and spoke scenario(http://www.ietf.org/internet-drafts/draft-ietf-softwire-hs-framework-l2tpv2-09.txt)?


We have not looked at this document yet. Thanks for the pointer.

Thanks
Suresh

References:
- Comments on draft-ietf-v6ops-tunnel-security-concerns-00.txt
  - From: Gabi Nakibly <gnakibly@yahoo.com>

Prev by Date: Fwd: Please ask your WG...
Next by Date: Re: Open issues list? [Re: New (-02) version of IPv6 CPE Router draft is available for review]
Previous by thread: Comments on draft-ietf-v6ops-tunnel-security-concerns-00.txt
Next by thread: changes to draft-ietf-v6ops-nat64-pb-statement-req-00.txt
Index(es):
- Date
- Thread