
Re: draft-ietf-v6ops-cpe-simple-security-06



James,

After reading draft-ietf-v6ops-cpe-simple-security-05, I am convinced that an even lower security level is worth adding to the draft.
It would be much simpler, but yet sufficient for many unmanaged sites.
Also, it could be deployed more rapidly, possibly without needing a major release in some CPEs.

In your draft, it could be added as "minimal security" (for example), to distinguish it from "simple security".

SPECIFICATION

The IPv6 "minimal" security protection is defined as follows:

Rx. An incoming IPv6 packet MUST BE REJECTED if it has a destination port that is:
- a well known or registered port (i.e. is < 49152), and
- not explicitly authorized for IPv4 port forwarding.

Ry. An incoming IPv6 packet MUST BE FORWARDED if:
- it is not subject to R1, and
- its source address is anycast and doesn't start with the site IPv6 prefix.

ORIGIN OF THE PROPOSAL

In my home office, the CPE offers native IPv6 without any IPv6-specific security mechanism. This is acceptable for my daily use of IPv6 because the internal firewall of my computer (a Mac) is active.

But I once faced the following security problem (which could be permanent if it had not been for a temporary experiment):
- I had to open the Mac to incoming VNC connections from another computer of the site.
- If I had opened the VNC port in the Mac without disabling IPv6, this would have opened it also for connections from any host of the IPv6 global Internet.
- I therefore had to first deactivate IPv6 in the Mac (and reactivate it when I could close again the VNC port in the Mac).

In IPv4, there is no such problem because the NAT filters incoming packets having the VNC port as destination port (among many others).

DISCUSSION

With just rules Rx and Ry above, the level of security achieved, although not identical with that achieved in IPv4 with CPE NATs, is similar. A tentative incoming connection in IPv6 on a dynamic port would not be filtered by the CPE (as it is in IPv4 by the CPE NAT) but, matching no existing connection in the destination host, would be ignored there. With this minimal IPv6 security, the risk that early IPv6 users face bad security surprises can be eliminated without waiting for the deployment of more flexible filtering mechanisms like that described in your draft.

Personally, I miss this minimal level of protection.
I also believe that, in the foreseeable future, it will remain sufficient for me.

Thoughts?

Regards,

RD







On 19 June 09 at 01:11, james woodyatt wrote:

everyone--

Our last adventure with this draft was over a month ago, and I've recently updated the draft in response to the comments that came up in the working group at the time. I think I covered all the outstanding issues, but there might still be some points of controversy remaining to discuss.

I'd like very much to have all the remaining issues resolved before I travel to Stockholm. Would the Chair please invite the working group to give this latest revision some consideration along the lines of another Last Call or whatever is appropriate? Thanks.


--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering
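
The decision logic of rules Rx and Ry from the proposal above, as an added Python example that is not part of either message or of the draft. Assumptions: the function name, the sample site prefix 2001:db8:1::/48 and the set of IPv4-forwarded ports are constructed; "R1" in Ry is read as Rx; the source condition of Ry is reduced to the prefix test, because anycast addresses are syntactically indistinguishable from unicast ones; packets that neither rule covers are reported as UNSPECIFIED.

```python
import ipaddress

DYNAMIC_PORT_START = 49152  # ports below this are well known or registered


def minimal_security_verdict(src, dst_port, site_prefix, ipv4_forwarded_ports):
    """Return 'REJECT', 'FORWARD' or 'UNSPECIFIED' for an incoming IPv6 packet.

    dst_port is None for packets that carry no port (for example ICMPv6).
    """
    site = ipaddress.IPv6Network(site_prefix)
    source = ipaddress.IPv6Address(src)

    # Rx: destination port is well known/registered and is not one the user
    # has explicitly authorized for IPv4 port forwarding.
    subject_to_rx = (
        dst_port is not None
        and dst_port < DYNAMIC_PORT_START
        and dst_port not in ipv4_forwarded_ports
    )
    if subject_to_rx:
        return "REJECT"

    # Ry (prefix test only, see assumptions): not subject to Rx and the source
    # does not claim to be inside the site, which also drops nothing else.
    if source not in site:
        return "FORWARD"

    # Not subject to Rx, but the source lies inside the site prefix:
    # the two rules as written give no verdict for this packet.
    return "UNSPECIFIED"


if __name__ == "__main__":
    SITE = "2001:db8:1::/48"   # constructed documentation prefix
    FORWARDED = {443}          # constructed: ports forwarded in IPv4
    samples = [                # constructed packets: (source, destination port)
        ("2001:db8:ffff::10", 5900),   # VNC from the Internet
        ("2001:db8:ffff::10", 443),    # port already forwarded in IPv4
        ("2001:db8:ffff::10", 51000),  # dynamic port
        ("2001:db8:1:2::5", 51000),    # source inside the site prefix
        ("2001:db8:ffff::10", None),   # no port (e.g. ICMPv6)
    ]
    for src, port in samples:
        print(src, port, minimal_security_verdict(src, port, SITE, FORWARDED))
```

The VNC case from the message (port 5900, not forwarded in IPv4) is the one Rx rejects; the dynamic-port case is forwarded and left to the destination host, as the DISCUSSION paragraph describes.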