
Re: Simple Security - Layered Filtering should be in the document



On Jul 29, 2009, at 01:36, Gregory M. Lebovitz wrote:
> Layered filtering should be included in the document. It is an OPTION that people really need in an environment where the use of tunneling is growing rapidly. I would appreciate it if others who agree would ack this email to the list.
>
> I volunteer to write the text needed to achieve this. I believe Yaron Shaffer would help as well.

Before we get too far into this, I think it's important to note that there are two separate concerns regarding the treatment of IP-in-IP and GREv1 tunnels by IPv6 Simple Security.

+ Whether to disallow inbound tunnel initiations by DEFAULT.

+ Whether to write recommendations for applying stateful filters to the encapsulated content in tunnels.

The answer to each of these questions is independent of the other. The complication that I predict will consume an excessive quantity of time and mindshare is that the DEFAULT forwarding policy for encapsulated flow initiations need not -- and probably SHOULD NOT -- be identical to the forwarding policy for non-encapsulated flow initiations. Setting a DEFAULT policy for encapsulated flow initiations may not even be really possible to specify as a best current practice.

I'm not even aware of any examples of actual current practice in IPv6 firewalls. What do enterprise IPv6 firewalls do here in the DEFAULT configuration? Probably DENY ALL, I expect... the assumption being that enterprise gear is always configured by experts prior to deployment. That's not the case for residential simple security, so we have to be more careful.

What do you propose?


--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering
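The two separate decisions discussed above (a DEFAULT policy for inbound tunnel initiations, and stateful filtering of the content carried inside a tunnel) can be made concrete in code. The following is an added illustration written for this archive page; it is not text from the thread, from the Simple Security draft, or from any product. It assumes: IPv6 packets without extension headers, tunnels of type IPv6-in-IPv6 (protocol 41), IPv4-in-IPv6 (protocol 4) and GRE version 0 (protocol 47, RFC 2784 with the RFC 2890 key/sequence fields), a TCP SYN-without-ACK as the only modelled flow initiation, and a toy state table populated from outbound packets. All addresses come from the documentation prefixes (2001:db8::/32, 192.0.2.0/24) and every packet is constructed inline.

```python
"""Layered filtering for IPv6 Simple Security (constructed example, not the draft's text).
Layer 1 decides whether an inbound tunnel may be initiated from outside (DEFAULT: no).
Layer 2 applies the ordinary stateful filter to the packet carried inside the tunnel."""
import struct
from ipaddress import IPv4Address, IPv6Address

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_IPV6, IPPROTO_GRE = 4, 6, 41, 47
ETH_P_IP, ETH_P_IPV6 = 0x0800, 0x86DD
TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_ipv6(buf):
    """Fixed 40-byte IPv6 header only; extension headers are out of scope here."""
    if len(buf) < 40 or buf[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    plen, nh = struct.unpack("!HB", buf[4:7])
    return {"nh": nh, "src": IPv6Address(buf[8:24]), "dst": IPv6Address(buf[24:40]),
            "payload": buf[40:40 + plen]}


def parse_ipv4(buf):
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl, total = (buf[0] & 0x0F) * 4, struct.unpack("!H", buf[2:4])[0]
    return {"nh": buf[9], "src": IPv4Address(buf[12:16]), "dst": IPv4Address(buf[16:20]),
            "payload": buf[ihl:total]}


def decapsulate(outer):
    """Return the packet carried by an IP-in-IP, IPv6-in-IP or GRE (version 0) tunnel, else None."""
    nh, p = outer["nh"], outer["payload"]
    if nh == IPPROTO_IPV6:
        return parse_ipv6(p)
    if nh == IPPROTO_IPIP:
        return parse_ipv4(p)
    if nh == IPPROTO_GRE:
        flags, proto = struct.unpack("!HH", p[:4])
        if flags & 0x0007:
            raise ValueError("only GRE version 0 is modelled")
        # Optional 4-byte fields: C (checksum+reserved), K (key), S (sequence number).
        hdr = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
        return parse_ipv6(p[hdr:]) if proto == ETH_P_IPV6 else parse_ipv4(p[hdr:])
    return None


def flow_tuple(ip):
    """5-tuple (src, dst, proto, sport, dport); ports are 0 for non-TCP/UDP."""
    ports = struct.unpack("!HH", ip["payload"][:4]) if ip["nh"] in (6, 17) else (0, 0)
    return (ip["src"], ip["dst"], ip["nh"], ports[0], ports[1])


def reverse(flow):
    return (flow[1], flow[0], flow[2], flow[4], flow[3])


def is_flow_initiation(ip):
    """TCP SYN without ACK opens a flow; other protocols count as initiations when no state exists."""
    if ip["nh"] != IPPROTO_TCP:
        return True
    flags = ip["payload"][13]
    return bool(flags & TCP_SYN) and not flags & TCP_ACK


class LayeredFilter:
    def __init__(self, allow_inbound_tunnels=False):
        self.allow_inbound_tunnels = allow_inbound_tunnels  # DEFAULT: deny unsolicited inbound tunnels
        self.tunnels = set()  # (outer src, outer dst, protocol) of tunnels opened from inside
        self.flows = set()    # innermost 5-tuples of flows opened from inside

    def note_outbound(self, buf):
        outer = parse_ipv6(buf)
        inner = decapsulate(outer)
        if inner is not None:
            self.tunnels.add((outer["src"], outer["dst"], outer["nh"]))
        self.flows.add(flow_tuple(outer if inner is None else inner))

    def inbound(self, buf):
        outer = parse_ipv6(buf)
        inner = decapsulate(outer)
        if inner is None:
            return self._stateful(outer, "plain")
        # Layer 1: return traffic of a tunnel opened from inside passes; an unsolicited
        # inbound tunnel is dropped unless the operator explicitly opted in.
        if (outer["dst"], outer["src"], outer["nh"]) not in self.tunnels and not self.allow_inbound_tunnels:
            return "drop", "unsolicited inbound tunnel initiation"
        # Layer 2: the encapsulated packet gets exactly the filter an unencapsulated one would.
        return self._stateful(inner, "encapsulated")

    def _stateful(self, ip, where):
        if reverse(flow_tuple(ip)) in self.flows:
            return "accept", f"{where} packet belongs to a flow opened from inside"
        if is_flow_initiation(ip):
            return "drop", f"unsolicited {where} flow initiation"
        return "drop", f"{where} packet matches no known flow"


# Constructed packets (documentation addresses; not captured traffic).
def build_ipv6(nh, src, dst, payload):
    return struct.pack("!IHBB", 6 << 28, len(payload), nh, 64) + IPv6Address(src).packed + IPv6Address(dst).packed + payload


def build_tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 65535, 0, 0)


def run_scenario():
    inside, outside, stranger = "2001:db8:1::10", "2001:db8:2::1", "2001:db8:3::9"
    i_in, i_out = "2001:db8:10::1", "2001:db8:20::1"  # addresses carried inside the tunnel
    fw = LayeredFilter()
    # The inside host opens an IPv6-in-IPv6 tunnel to `outside` and, through it, TCP 40000 -> 443.
    fw.note_outbound(build_ipv6(IPPROTO_IPV6, inside, outside,
                                build_ipv6(IPPROTO_TCP, i_in, i_out, build_tcp(40000, 443, TCP_SYN))))
    fw_open = LayeredFilter(allow_inbound_tunnels=True)  # operator opted in to inbound tunnels
    return [
        fw.inbound(build_ipv6(IPPROTO_IPV6, outside, inside,   # SYN/ACK returning inside the tunnel
                              build_ipv6(IPPROTO_TCP, i_out, i_in, build_tcp(443, 40000, TCP_SYN | TCP_ACK)))),
        fw.inbound(build_ipv6(IPPROTO_IPV6, outside, inside,   # fresh SYN to port 22 hidden in the same tunnel
                              build_ipv6(IPPROTO_TCP, i_out, i_in, build_tcp(12345, 22, TCP_SYN)))),
        fw.inbound(build_ipv6(IPPROTO_IPV6, stranger, inside,  # tunnel nobody inside asked for
                              build_ipv6(IPPROTO_TCP, i_out, i_in, build_tcp(443, 40000, TCP_SYN | TCP_ACK)))),
        fw.inbound(build_ipv6(IPPROTO_TCP, stranger, inside, build_tcp(5555, 22, TCP_SYN))),  # plain SYN
        fw_open.inbound(build_ipv6(IPPROTO_IPV6, stranger, inside,  # tunnel allowed, inner SYN still filtered
                                   build_ipv6(IPPROTO_TCP, i_out, i_in, build_tcp(12345, 22, TCP_SYN)))),
    ]


if __name__ == "__main__":
    for verdict, reason in run_scenario():
        print(f"{verdict:6} {reason}")
```

The scenario shows why the two questions are independent: the second case is a packet inside a perfectly legitimate tunnel that still carries an unsolicited flow initiation, and only the layer-2 filter catches it; the fifth case shows that opting in to inbound tunnels does not by itself open the encapsulated content. A real implementation would also have to cope with extension headers, fragments, nested encapsulation, and state timeouts, none of which this sketch models.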