draft-ietf-v6ops-cpe-simple-security filtering inside tunnels
- To: IPv6 Operations <v6ops@ops.ietf.org>
- Subject: draft-ietf-v6ops-cpe-simple-security filtering inside tunnels
- From: james woodyatt <jhw@apple.com>
- Date: Tue, 28 Jul 2009 17:27:17 +0200
everyone--
In the discussion of draft-ietf-v6ops-cpe-simple-security at the
meeting session today, I conducted a hum to see what the working group
thought about the three separate alternatives for dealing with
IP-in-IP and GREv1 tunnels.
The alternatives polled:
- No change, i.e. recommend to allow inbound/outbound without
filtering inside tunnels.
- Remove the recommendation to allow inbound tunnel initiations by
DEFAULT.
- Work with the VPN/FW community to refine language to recommend
filtering inside tunnels.
The strength of the hums on these three alternatives was just about
equal.
The chair then asked for another hum about where we preferred "to not
do that," which we clarified afterward was about whether the working
group preferred to recommend something other than filtering inside
tunnels. That hum seemed noticeably stronger than the other three hums.
So, we're going to have to hash this out on the list, and probably
have more discussion about this in Hiroshima. Grmf.
As the editor, I'd like to invite the proponents of filtering inside
tunnels to propose some text for the working group to consider. We
can all discuss those ideas here, and I'll do my best to help
facilitate the emergence of a consensus.
--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering