RE: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03
> -----Original Message-----
> From: Gert Doering [mailto:gert@space.net]
> Sent: Wednesday, August 27, 2008 2:12 AM
> To: Rémi Després
> Cc: Gert Doering; Dan Wing; 'Truman Boyes'; 'Brian E
> Carpenter'; 'Mark Smith'; jhw@apple.com; 'IPv6 Operations'
> Subject: Re: Some suggestions for
> draft-ietf-v6ops-cpe-simple-security-03
>
> Hi,
>
> On Wed, Aug 27, 2008 at 10:51:04AM +0200, Rémi Després wrote:
> > >What is "internal to external" is inevitably "external to
> > >internal" to someone else.
> > >
> > >How do you solve "tunneling is permitted if solicited from
> > >the inside" for the
> > >
> > > Host A --- CPE A ----[Internet]---- CBE B --- Host B
> > >
> > >case?
> >
> > In my understanding, there is no ambiguity.
> [..]
> >
> > Filtering control, if not administrative, should always come
> > from the internal side (from A to CPE A, from B to CPE B).
>
> Staying in the context of the original discussion: if you
> want to permit tunneled packets for IPv6 (or other) purposes,
> but at the same time insist that "packets must be solicited
> from the internal side", how do you make the scenario above
> work?
>
> That was my whole point. The argument "the CPE will know
> what the host wants to receive" doesn't work for
> enduser-to-enduser traffic, unless you have a signalling
> mechanism.
Right - we need a signaling mechanism (something like Apple's
ALD, which is described in the draft).
> Or you just permit tunnels.
I don't understand why a tunnel should get an exemption from
Simple Security. A tunnel can be used as an attack vector as
easily as native protocols (Netbios, FTP, HTTP, or NFS server).
-d
> Gert Doering
> -- NetMaster
> --
> Total number of prefixes smaller than registry allocations: 128645
>
> SpaceNet AG                  Vorstand: Sebastian v. Bomhard
> Joseph-Dollinger-Bogen 14    Aufsichtsratsvors.: A. Grundner-Culemann
> D-80807 Muenchen             HRB: 136055 (AG Muenchen)
> Tel: +49 (89) 32356-444      USt-IdNr.: DE813185279
>