[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Distinguishing minimum- from simple- security in IPv6 CPEs ?
- To: James Woodyatt <jhw@apple.com>
- Subject: Distinguishing minimum- from simple- security in IPv6 CPEs ?
- From: Rémi Després <remi.despres@free.fr>
- Date: Fri, 24 Apr 2009 16:40:04 +0200
- Cc: v6ops <v6ops@ops.ietf.org>
- User-agent: Thunderbird 2.0.0.21 (Macintosh/20090302)
James,
After reading draft-ietf-v6ops-cpe-simple-security-05, I believe there
should be room for a lower security level than the one described. As
explained below, it would be sufficient in many unmanaged sites, and it
could be deployed more rapidly so that IPv6 user experience can bettered
quickly.
A PROPOSAL is then to describe it in the draft, calling it for example
"minimal" to distinguish it from "simple".
RATIONALE FOR THE PROPOSAL
The IPv6 I use everyday from my home office is via a CPE that has no
IPv6 security mechanism.
I am not worried about it because the internal firewall of my Mac is
active, but I found the following problem:
- When I wished to open the Mac to incoming VNC connections for an
intra-site usage, I had to first deactivate IPv6 in the Mac to avoid
opening it also for intrusions from the outside Internet.
There is no such problem in IPv4 because the CPE has its NAT44s which
accepts incoming TCP connections only if their destination ports:
- have been explicitly authorized (by configuration or some port
assignment protocol)
- OR have been opened by some outgoing connections (with interior ports
that are in this case ephemeral ports, i.e. beyond 49151).
SPECIFICATION
The IPv6 "minimal" security protection which IMHO should be sufficient
in many unmanaged CPEs like mine is as follows:
1. Incoming IPv6 TCP connections MUST be rejected if targeting ports are
below 49152 AND have not been explicitly authorized in IPv4.
2. All other packets MUST be forwarded if their source addresses are
unicast and compatible with the CPE side they come from. (Packets MAY be
discarded if their source addresses belong to the other CPE side, or are
multicast.)
That's it.
Rule 2 is to ensure that, in this mode, no permanent or intermittent
connectivity breaches are possible, and to consequently facilitate
debugging by avoiding issues like timer values, endpoint independent vs
address dependent filtering etc.
To implement rule 1, CPEs only need to silently discard incoming IPv6
TCP SYNs that are both without ACK and with destination ports not
authorized in IPv4. Upgrades for this should typically be feasible by
vendors without needing major releases.
In CPEs that support the currently described "simple" security level in
addition to this "minimal" security level, the choice of which one is by
default can IMHO remain a vendor choice.
Regards,
RD