
Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03



On 2008-08-26 12:11, Dan Wing wrote:
> Brian E Carpenter wrote:
>> On 2008-08-26 10:07, Dan Wing wrote:
>>>>>> How does it know that a Protocol 41 packet is unsolicited?
>>>>> The same way it knows a non-protocol 41 packet is solicited: the
>>>>> host sends a packet first -- the host being protected by the CPE 
>>>>> doing Simple Security.
>>>> How does that work if Host A (behind the CPE) has informed Host X
>>>> (outside) of the tunneled address of Host B (also behind the CPE)?
>>>> In other words A has solicited X to send a packet to B.
>>> The network diagram would look like this, I believe:
>>>
>>>               +-----+
>>>     Host A ---+     |
>>>               + CPE +--------- Internet ------  Host X
>>>     Host B ---+     |
>>>               +-----+
>>>  
>>>
>>> If the CPE is providing security -- as this draft is titled -- the
>>> traffic from X to B would be blocked.  
>>>
>>> To permit such traffic, B would need a way to tell the CPE to allow 
>>> such traffic from X (or to allow arbitrary traffic from any host 
>>> on the Internet).  This is described in Section 3.4 of 
>>> draft-ietf-v6ops-cpe-simple-security-03 (where James mentions 
>>> Apple's ALD) but, to my knowledge, has not received much 
>>> attention and I do not know if it has working group consensus.
>> The thing is that it can't meet any reasonable definition of
>> 'simple'...
>>
>> But blocking tunnels by default, although it's simple, also
>> blocks innovation. That worries me.
> 
> Would your worry go away if the IETF initiated a standards effort around
> something like Apple's ALD (draft-woodyatt-ald-03.txt)?

I believe that something like that is needed.

   Brian

P.S. I am about to disappear on vacation until Sept. 15.
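As an added illustration of the point argued in this thread (not code from the draft, from Apple's ALD, or from either poster), the following Python model shows why a CPE doing "simple security" treats a packet from X to B as unsolicited even though A invited X to send it. The filter keeps per-host state, so A's outbound packet vouches only for replies to A; B can only receive from X if it explicitly asks the CPE for a pinhole, which stands in for the host-to-CPE signalling the draft's Section 3.4 discusses. The `open_pinhole` method, the host names A, B, X, Y and the `"*"` wildcard are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

PROTO_41 = 41  # IPv4 protocol number for IPv6-in-IPv4 tunnels (6in4)
ANY_HOST = "*"  # constructed wildcard: "allow from any host on the Internet"

# A flow key is (inside host, outside host, IP protocol). Protocol 41 has no
# port numbers, so unlike TCP/UDP state there is nothing finer to key on.
FlowKey = Tuple[str, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int


@dataclass
class SimpleSecurityCPE:
    """Stateful filter: an inbound packet is 'solicited' only if the inside
    host it is addressed to previously sent a packet to that outside host
    with the same protocol (the behaviour Dan describes in the thread)."""

    inside: Set[str]  # hosts behind the CPE
    state: Set[FlowKey] = field(default_factory=set)     # learned from outbound traffic
    pinholes: Set[FlowKey] = field(default_factory=set)  # explicitly requested by a host

    def open_pinhole(self, inside_host: str, outside_host: str, proto: int) -> None:
        # Hypothetical stand-in for the host-to-CPE request discussed in
        # Section 3.4 of the draft; the real signalling protocol is not modelled.
        self.pinholes.add((inside_host, outside_host, proto))

    def _permitted_inbound(self, key: FlowKey) -> bool:
        inside_host, _outside, proto = key
        return (
            key in self.state
            or key in self.pinholes
            or (inside_host, ANY_HOST, proto) in self.pinholes
        )

    def forward(self, pkt: Packet) -> bool:
        """Return True if the CPE forwards the packet, False if it is dropped."""
        outbound = pkt.src in self.inside and pkt.dst not in self.inside
        inbound = pkt.dst in self.inside and pkt.src not in self.inside
        if outbound:
            # Outbound traffic creates state for the reply direction only.
            self.state.add((pkt.src, pkt.dst, pkt.proto))
            return True
        if inbound:
            return self._permitted_inbound((pkt.dst, pkt.src, pkt.proto))
        # Inside-to-inside or outside-to-outside traffic never crosses the CPE.
        return False


def scenario() -> Dict[str, bool]:
    """Replay the A / B / X example from the thread and record each verdict."""
    cpe = SimpleSecurityCPE(inside={"A", "B"})
    verdicts: Dict[str, bool] = {}
    # A solicits X (for example, A tells X about B's tunnelled address).
    verdicts["A->X"] = cpe.forward(Packet("A", "X", PROTO_41))
    # X replying to A is solicited: A's outbound packet created the state.
    verdicts["X->A"] = cpe.forward(Packet("X", "A", PROTO_41))
    # X sending to B is NOT solicited from the CPE's point of view: B never
    # sent anything, and A's state does not cover B.
    verdicts["X->B (no pinhole)"] = cpe.forward(Packet("X", "B", PROTO_41))
    # Only once B itself asks the CPE does X->B get through.
    cpe.open_pinhole("B", "X", PROTO_41)
    verdicts["X->B (pinhole for X)"] = cpe.forward(Packet("X", "B", PROTO_41))
    # A pinhole for X does not open B to other outside hosts...
    verdicts["Y->B (pinhole for X)"] = cpe.forward(Packet("Y", "B", PROTO_41))
    # ...unless B asks for the "any host" variant.
    cpe.open_pinhole("B", ANY_HOST, PROTO_41)
    verdicts["Y->B (pinhole for any)"] = cpe.forward(Packet("Y", "B", PROTO_41))
    # A pinhole is per protocol: UDP to B is still unsolicited.
    verdicts["X->B UDP"] = cpe.forward(Packet("X", "B", 17))
    return verdicts


if __name__ == "__main__":
    for flow, forwarded in scenario().items():
        print(f"{flow:28s} {'forwarded' if forwarded else 'dropped'}")
```

The model makes the trade-off in the thread concrete: "solicited" is a property of per-host state, so a third party cannot be invited in by a different inside host, and the only ways past that are an explicit per-host request to the CPE or an "allow from anyone" rule, which is what stops the scheme being simple. Real CPE state for TCP and UDP is additionally keyed on port numbers and aged out over time; neither is modelled here because protocol 41 carries no ports.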