Re: SECDIR review: draft-ietf-v6ops-tunnel-concerns-00
On 13/10/2008, at 4:38 PM, Suresh Krishnan wrote:
One simple method to do that is easy to employ for many tunnel
protocols is to block outbound packets to the UDP or TCP port used
(e.g., UDP port 3544 for Teredo, UDP port 1701 for L2TP, etc.).
The description of this method is not precise. Is the method to
block dest ports, with these source ports, or either, or both?
The method is to block destination ports. We have changed this
sentence
to read
(e.g., destination UDP port is 3544 for Teredo, UDP port 1701 for
L2TP, etc.)
This makes me squirm a bit.
It seems silly to promote blocking discrete ports, when a user could
simply run their own Teredo server on a different port and tunnel out
with that, or run any other proxy or tunnel server of some kind on any
port they wanted. We've all run PPP over SSH before, it's not hard to
do this stuff, there are tools to do it automatically.
If an organisation is concerned about people tunnelling through their
firewalls, they must use default-deny if they want to have any effect.
In 3.1.3,
Tunneling over UDP or TCP (including HTTP) to reach the Internet
is
not recommended as a solution for managed networks.
First, I'm going to read the sentence as if the word 'managed' was
not used as I think all networks on the Internet are 'managed' to
some degree. If the authors had a particular definition of the
term 'managed network' in mind, they should define it.
So reading the sentence without the term 'managed', this is
basically a general applicability statement that use of tunneling
over UDP or TCP is not recommended for use to 'reach the Internet'.
I don't see this recommendation as being appropriate given the issue.
We have changed this text to read
" Tunneling over UDP or TCP (including HTTP) to reach the Internet is
not recommended as a solution for networks that wish to enforce
security policies on the user traffic. (Windows, for example,
disables Teredo by default if it detects that it is within an
enterprise network that contains a Windows domain controller.)"
Why tunnelling over UDP or TCP? Why not tunnelling in IP as in 6to4?
I don't imagine that UDP makes it any more difficult to inspect than
an IP protocol.
I think this statement should be changed to "Tunnelling through a
security device (i.e., a firewall) is not recommended for.. " etc.
--
Nathan Ward
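The two points Nathan raises above (a blocklist of well-known tunnel ports is trivially sidestepped by running the tunnel endpoint on another port or over SSH, and filtering on UDP/TCP ports says nothing about IP-in-IP tunnels such as 6to4) can be made concrete with a small policy model. The following is an added example, not code from the thread, the draft, or any product: it models the weak "deny these two ports" setting beside a default-deny policy with a hypothetical allow-list, and runs both over a set of constructed outbound flows. The flow labels, the allow-list contents, and the `proto41` tag for IPv6-in-IPv4 are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str       # "udp", "tcp", or "proto41" (IPv6-in-IPv4 as used by 6to4; carries no port)
    dst_port: int    # 0 when the protocol has no transport port
    tunnel: bool     # whether this constructed flow is an encapsulated tunnel
    label: str       # constructed description for the reader


# Constructed sample flows for illustration; not traffic from the thread.
SAMPLE_FLOWS: List[Flow] = [
    Flow("udp", 3544, True, "Teredo to the well-known server port"),
    Flow("udp", 1701, True, "L2TP"),
    Flow("udp", 40000, True, "Teredo against a self-run server on an arbitrary port"),
    Flow("tcp", 22, True, "PPP over SSH"),
    Flow("tcp", 443, True, "HTTP CONNECT tunnel to an outside host on 443"),
    Flow("proto41", 0, True, "6to4 (IP protocol 41), no transport port to match"),
    Flow("tcp", 443, False, "ordinary HTTPS"),
    Flow("udp", 53, False, "DNS to the internal resolver"),
]

Policy = Callable[[Flow], str]

# Weak setting: deny only the well-known tunnel ports the draft names, allow the rest.
BLOCKED_PORTS: Set[Tuple[str, int]] = {("udp", 3544), ("udp", 1701)}


def port_blocklist_policy(flow: Flow) -> str:
    return "deny" if (flow.proto, flow.dst_port) in BLOCKED_PORTS else "allow"


# Corrected setting: default-deny, with a hypothetical allow-list of the few
# outbound services the site actually needs (assumed values, not from the draft).
ALLOWED: Set[Tuple[str, int]] = {("tcp", 80), ("tcp", 443), ("udp", 53)}


def default_deny_policy(flow: Flow) -> str:
    return "allow" if (flow.proto, flow.dst_port) in ALLOWED else "deny"


def evaluate(policy: Policy, flows: List[Flow]) -> Dict[str, str]:
    """Map each flow label to the verdict the policy gives it."""
    return {f.label: policy(f) for f in flows}


def escaping_tunnels(policy: Policy, flows: List[Flow]) -> List[str]:
    """Labels of tunnel flows the policy still lets out; the measure of its effect."""
    return [f.label for f in flows if f.tunnel and policy(f) == "allow"]


if __name__ == "__main__":
    for name, policy in (("port blocklist", port_blocklist_policy),
                         ("default-deny", default_deny_policy)):
        print(f"{name}: tunnels that escape -> {escaping_tunnels(policy, SAMPLE_FLOWS)}")
```

Running it shows the port blocklist stopping exactly the two flows it names while the relocated Teredo server, PPP over SSH and the portless 6to4 flow all pass; default-deny drops those without any tunnel-specific rule. The one tunnel that still escapes default-deny is the one riding the allowed port 443, which is why the draft's own mention of HTTP tunnelling matters: once the perimeter is default-deny, what remains is controlling the permitted channels (for example, forcing web traffic through a proxy that can be inspected), not chasing more port numbers.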