[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
But are we talking IPv6 only? That's how I read the draft. (Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03)
On Mon, 25 Aug 2008 17:29:47 -0700
"Dan Wing" <dwing@cisco.com> wrote:
> > On 25/08/2008, at 6:37 PM, Brian E Carpenter wrote:
> > > But blocking tunnels by default, although it's simple, also
> > > blocks innovation. That worries me.
> > >
> > > Brian
> >
> > I agree with this stance. Blocking tunnels, although possibly more
> > secure is going to make it very difficult to solve real world
> > problems. We have enough trouble today with IPv4 Port forwarding in
> > CPEs and the fact that some devices do not by default pass VPN
> > traffic. I believe internal to external tunnel flow/solicitation
> > should be permitted by default.
>
> Internalt to external is permitted, by default, in the current document.
>
> We are discussing external to internal.
>
external to interal what? IPv6 in IPv4, IPv6 in GRE in IPv4, IPv6 in
IPsec in IPv4, IPv6 in L2TP in IPv4, IPv6 in IPv6, IPv6 in GRE in IPv6
etc. etc.
The draft seems to be limited to specifying IPv6 only CPE
security functionality. My comments about limiting uninspected
inbound tunnel encapsuluation to authenticated protocols were only
regarding IPv6 in IPv6 (or IPsec over IPv6, or GRE over IPv6)
tunneling. No IPv4 involved or seen.
All the discussion that has occured since seems to be discussing IPv6
over IPv4, and IMHO that is not within scope the way the draft
is currently written.
So it seems to me that before this discussion goes on too much more, we
should agree on exactly what we're talking about and what we understand
the draft is to cover. Namely, is it:
* IPv6 only CPE security functionality
* Native IPv6 CPE security, plus IPv4 security/functionality
requirements to support IPv6 transition via IPv4 tunnelling
* Native IPv6, plus IPv4 security/functionality requirements to support
IPv6 transition, and IPv4 security in both IPv4 NAT and Non-NAT
scenarios.
I certainly think the last point is out of scope. However, if the
second one is the scope, then I think the draft will have to deal with
and specify all the various IPv4 NAT/NAPT/No NAT tunnelling scenarios
and security issues related to tunnelling IPv6 over IPv4.
Regards,
Mark.