Re: R41 in draft-ietf-v6ops-cpe-simple-security-07
On Jul 28, 2009, at 20:36, Rémi Denis-Courmont wrote:

> That said, not to put the full blame on UPnP. Manual HTTP configuration
> interfaces with default passwords are also prone to abuse - regardless of
> UPnP. And really, I don't see any credible alternatives for vendors to use.

I very much doubt that we need to worry overly much that UPnP IGD will
ever have a protocol specification that complies with RFC 3979, RFC
4879 and RFC 5378. Therefore, the purpose of R41 can easily be
inferred as being a circumlocution to say: don't use UPnP IGD.
Vendors may choose to ignore recommendation R41 and deploy UPnP IGD
anyway, but we won't be complicit if they do.

As long as the current treatment of IPsec AH, ESP and IKE remains in
the draft as is, I have no objection as an individual contributor to
removing recommendation R41. It was originally inserted when the
draft had a much more restrictive treatment of IPsec AH, ESP and IKE
that would have rendered IPsec transport mode basically useless for
most applications aimed at communicating with hosts in residential
networks. I even wrote draft-woodyatt-ald as a proposal for meeting
recommendation R41 with a new protocol. Once the treatment of IPsec
and IKE changed in the IPv6 CPE Simple Security draft, I shelved all
my work on ALD.
--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering