Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03
On 2008-08-26 09:12, Dan Wing wrote:
>> On 2008-08-25 17:23, Dan Wing wrote:
>>>>> You're saying that the Simple CPE Security document is not intended
>>>>> to provide security, but rather intended to provide a way to receive
>>>>> unsolicited IPv6 traffic through non-IPv6-capable SPs?
>>>> If a host behind the CPE chooses to set up an IPv6 tunnel to
>>>> an IPv6-supporting ISP, I don't see that the tunnel is anybody's
>>>> business but the host's. So yes, in that case I think the CPE
>>>> should step back, because the host *is* soliciting incoming
>>>> packets.
>>> But in that case, the host behind the CPE initiated the
>>> communication to the tunnel. For that to work, I do not
>>> believe it requires the CPE to allow unsolicited *incoming*
>>> traffic from the Internet (as currently written in
>>> draft-ietf-v6ops-cpe-simple-security-03.txt R19, R20, and R21).
>> How does it know that a Protocol 41 packet is unsolicited?
>
> The same way it knows a non-protocol 41 packet is solicited: the
> host sends a packet first -- the host being protected by the CPE
> doing Simple Security.
How does that work if Host A (behind the CPE) has informed Host X
(outside) of the tunneled address of Host B (also behind the CPE)?
In other words A has solicited X to send a packet to B.
Brian
>
> -d
>
>> An IPv4 router takes no part in IPv6 tunnel setup. Either it
>> allows Protocol 41 or it doesn't, as far as I can see.
>>
>> Note, I'm not talking about *-in-IPv6 tunnels.
>>
>> Brian
>
>
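
The "host sends a packet first" rule and the A/X/B case from this message, modeled as an added example (not part of the original thread and not code from the draft). It assumes the CPE keys protocol 41 state on the (inside IPv4, outside IPv4) pair with an idle timeout; the class name, addresses and timeout are constructed.

```python
PROTO_6IN4 = 41        # IPv4 protocol number for IPv6-in-IPv4 encapsulation
IDLE_TIMEOUT = 60.0    # seconds; constructed value, not taken from the draft


class Proto41StateTable:
    """Hypothetical CPE filter: protocol 41 state is created only by outbound packets."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self._state = {}  # (inside_v4, outside_v4) -> time the pair was last seen

    def outbound(self, inside, outside, now):
        # A host behind the CPE sends first: create or refresh state for this pair.
        self._state[(inside, outside)] = now
        return "forward"

    def inbound(self, outside, inside, now):
        # Accept only if this exact inside host has recently sent to this outside host.
        key = (inside, outside)
        last = self._state.get(key)
        if last is None or now - last > self.idle_timeout:
            self._state.pop(key, None)
            return "drop"
        self._state[key] = now
        return "forward"


def run_scenario():
    # Constructed addresses: A and B sit behind the CPE, X is outside.
    a, b, x = "192.0.2.10", "192.0.2.11", "198.51.100.7"
    cpe = Proto41StateTable()
    return [
        cpe.outbound(a, x, now=0),   # A sends to X first, state (A, X) is created
        cpe.inbound(x, a, now=1),    # X answers A, matches state
        cpe.inbound(x, b, now=2),    # X sends to B after A gave X B's address: no (B, X) state
        cpe.outbound(b, x, now=3),   # B itself sends to X, state (B, X) is created
        cpe.inbound(x, b, now=4),    # the same packet from X to B now matches
        cpe.inbound(x, a, now=100),  # (A, X) has been idle longer than the timeout
    ]


if __name__ == "__main__":
    print(run_scenario())
```

The third verdict is the case asked about above: under pair-keyed state, A's traffic to X creates nothing that covers B.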