[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03
Hi Brian,
On Mon, 25 Aug 2008 09:04:40 +1200
Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
> Hi Mark,
>
> On 2008-08-24 23:15, Mark Smith wrote:
> ...
> > 2.2. Internet Layer Protocols
> >
> > "Therefore, this document recommends the DEFAULT operating mode for
> > residential IPv6 simple security is to permit all virtual private
> > networking tunnel protocols to pass through the stateful filtering
> > function. These include IPsec transport and tunnel modes as well as
> > other IP-in-IP protocols."
> >
> > Would it be better to restrict this to authenticated tunnelling
> > protocols? Wrapping a malicious packet inside a GRE or IP packet and
> > having the CPE blindly forward it would seem to me to be a really
> > simple and easy way to bypass all the security mechanisms that this
> > draft is defining.
>
> I would object to that. That amounts to default-deny for all
> the commonly used ways of bypassing ISPs that don't support
> IPv6, and that would be a Bad Thing.
>
I've been reading this draft from the perspective that it was only
describing native IPv6 operation within CPE, not IPv6 over IPv4
transition methods as well, so my comments were from the point of view
of the exterior tunnel header being IPv6. In that tunnelled-over-IPv6
scenario, I'd still argue for only allowing authenticated tunnelled
protocols to transit the CPE without any stateful inspection.
OTOH, if the draft is also covering firewalling requirements to allow
IPv6 over IPv4, then I support what you're saying for that scenario. If
the draft is covering IPv6 over IPv4 methods and therefore the
consequent IPv4 firewalling requirements, then I think that needs to be
made more obvious in the draft.
> I think a recommendation that CPEs should document and warn about
> such risks is a good idea, rather in the manner of personal
> firewalls that alert you the first time you try to tunnel out
> with Protocol 41, but remember when you click OK. Can we recommend
> default-warn rather than either default-deny or default-allow?
>
> ...
> > A few thoughts related to general tunnel security. Is it appropriate for
> > this draft to document...
>
> How about referring to draft-ietf-v6ops-tunnel-security-concerns?
> We should probably concentrate those issues in one place.
>
I certainly agree, I haven't yet come across that draft. I'll have a
look at it.
Thanks,
Mark.