
RE: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03



Brian E Carpenter wrote:
> On 2008-08-26 10:07, Dan Wing wrote:
> >>>> How does it know that a Protocol 41 packet is unsolicited?
> >>> The same way it knows a non-protocol 41 packet is solicited: the
> >>> host sends a packet first -- the host being protected by the CPE 
> >>> doing Simple Security.
> >> How does that work if Host A (behind the CPE) has informed Host X
> >> (outside) of the tunneled address of Host B (also behind the CPE)?
> >> In other words A has solicited X to send a packet to B.
> > 
> > The network diagram would look like this, I believe:
> > 
> >               +-----+
> >     Host A ---+     |
> >               + CPE +--------- Internet ------  Host X
> >     Host B ---+     |
> >               +-----+
> >  
> > 
> > If the CPE is providing security -- as this draft is titled -- the
> > traffic from X to B would be blocked.  
> > 
> > To permit such traffic, B would need a way to tell the CPE to allow 
> > such traffic from X (or to allow arbitrary traffic from any host 
> > on the Internet).  This is described in Section 3.4 of 
> > draft-ietf-v6ops-cpe-simple-security-03 (where James mentions 
> > Apple's ALD) but, to my knowledge, has not received much 
> > attention and I do not know if it has working group consensus.
> 
> The thing is that it can't meet any reasonable definition of
> 'simple'...
> 
> But blocking tunnels by default, although it's simple, also
> blocks innovation. That worries me.

Would your worry go away if the IETF initiated a standards effort around
something like Apple's ALD (draft-woodyatt-ald-03.txt)?

-d
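A toy model of the filtering behaviour discussed in the thread, added here as an illustration (it is not code from the thread or from the draft): outbound packets create state, X's reply to A is admitted, X's packet to B is dropped because B never initiated anything, and only an explicit per-host exception of the kind Section 3.4 describes lets it through. The host names, the flow key and the exception API are assumptions.

```python
from dataclasses import dataclass, field

PROTO_IPV6_ENCAP = 41  # IP protocol 41: IPv6 encapsulated in IPv4 (tunnels)


@dataclass
class SimpleSecurityCPE:
    """Toy CPE doing 'simple security' (assumed model, not the draft's text).

    Inbound packets are admitted only if they match state created by an
    outbound packet, or an exception an internal host registered itself
    (the ALD-style mechanism the thread refers to)."""
    internal: set
    flows: set = field(default_factory=set)       # (inside, outside, proto)
    exceptions: set = field(default_factory=set)  # (inside, outside|None, proto)

    def outbound(self, src, dst, proto):
        # An internal host sending first is what makes later inbound
        # packets from that peer "solicited".
        if src not in self.internal:
            raise ValueError("outbound packets must come from an internal host")
        self.flows.add((src, dst, proto))

    def allow_inbound(self, inside, proto, peer=None):
        # Explicit exception; peer=None means "any host on the Internet".
        self.exceptions.add((inside, peer, proto))

    def inbound(self, src, dst, proto):
        if dst not in self.internal:
            return False
        if (dst, src, proto) in self.flows:
            return True  # matches state the inside host created
        return ((dst, src, proto) in self.exceptions
                or (dst, None, proto) in self.exceptions)


def scenario():
    """A talks to X over a protocol-41 tunnel and tells X about B's address."""
    cpe = SimpleSecurityCPE(internal={"A", "B"})
    cpe.outbound("A", "X", PROTO_IPV6_ENCAP)
    results = {
        "X->A": cpe.inbound("X", "A", PROTO_IPV6_ENCAP),
        "X->B before exception": cpe.inbound("X", "B", PROTO_IPV6_ENCAP),
    }
    # B itself has to ask the CPE before X's tunnel packets can reach it.
    cpe.allow_inbound("B", PROTO_IPV6_ENCAP, peer="X")
    results["X->B after exception"] = cpe.inbound("X", "B", PROTO_IPV6_ENCAP)
    return results


if __name__ == "__main__":
    for case, allowed in scenario().items():
        print(f"{case}: {'allowed' if allowed else 'blocked'}")
```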