[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Simple Security - Layered Filtering should be in the document

To: IPv6 Operations <v6ops@ops.ietf.org>
Subject: Re: Simple Security - Layered Filtering should be in the document
From: james woodyatt <jhw@apple.com>
Date: Fri, 31 Jul 2009 11:43:04 +0200
In-reply-to: <7F9A6D26EB51614FBF9F81C0DA4CFEC80133E557CD52@il-ex01.ad.checkpoint.com>
References: <4a6f8b8b.0a1ad00a.2cb2.ffffcf87@mx.google.com> <alpine.LRH.2.00.0907291028310.18296@netcore.fi> <4a700e65.25e2660a.04e1.3841@mx.google.com> <04596BBA-8D7F-46A0-BC14-2E61A5779236@castlepoint.net> <4a70daeb.1aba720a.0d4f.ffffaa18@mx.google.com> <A3D24F72-5F71-4619-9736-0C0B61E14134@muada.com> <7F9A6D26EB51614FBF9F81C0DA4CFEC80133E557CD17@il-ex01.ad.checkpoint.com> <552C077C-34BC-48A4-B9C2-E1888DD8C8ED@muada.com> <4a729592.09a1660a.2552.ffff8b68@mx.google.com> <20090731072740.GH79272@Space.Net> <7F9A6D26EB51614FBF9F81C0DA4CFEC80133E557CD52@il-ex01.ad.checkpoint.com>

On Jul 31, 2009, at 11:18, Yaron Sheffer wrote:

Your argument is valid today. But once any tunnel-based transitionmechanismis standardized and widely adopted by commercial operating systems,therewill be untunneling done by default, with no security mechanismsattached.Note that IPsec requires access control from all implementations,but othermechanisms don't. So suddenly you have to be wary of "tunneledburglars",
too.

We already have two standard, automatic, transitional tunnelmechanisms: 6to4 and Teredo, both of which are explicitly treated inthe current draft. The DS-Lite protocol comes to mind as a thirdexample, but its automatic usage would have to be enabled directly bythe residential gateway with a DHCP6, which would be *stupid* becauseit would make infinitely more sense to terminate the DS-Lite tunnel inthe gateway directly.

It's hard to imagine why any new transitional tunnel mechanisms mightneed to be developed, widely deployed and enabled in ubiquitousdefault platform configurations.

Do you know about something else that the rest of us don't? Pleaseshare.



--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering

References:
- Fwd: Simple Security - Layered Filtering should be in the document
  - From: "Gregory M. Lebovitz" <gregory.ietf@gmail.com>
- Re: Fwd: Simple Security - Layered Filtering should be in the document
  - From: Pekka Savola <pekkas@netcore.fi>
- Re: Fwd: Simple Security - Layered Filtering should be in the document
  - From: "Gregory M. Lebovitz" <gregory.ietf@gmail.com>
- Re: Simple Security - Layered Filtering should be in the document
  - From: Shane Amante <shane@castlepoint.net>
- Re: Simple Security - Layered Filtering should be in the document
  - From: "Gregory M. Lebovitz" <gregory.ietf@gmail.com>
- Re: Simple Security - Layered Filtering should be in the document
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- RE: Simple Security - Layered Filtering should be in the document
  - From: Yaron Sheffer <yaronf@checkpoint.com>
- Re: Simple Security - Layered Filtering should be in the document
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: Simple Security - Layered Filtering should be in the document
  - From: "Gregory M. Lebovitz" <gregory.ietf@gmail.com>
- Re: Simple Security - Layered Filtering should be in the document
  - From: Gert Doering <gert@space.net>
- RE: Simple Security - Layered Filtering should be in the document
  - From: Yaron Sheffer <yaronf@checkpoint.com>

Prev by Date: RE: Simple Security - Layered Filtering should be in the document
Next by Date: Re: Simple Security - Layered Filtering should be in the document
Previous by thread: RE: Simple Security - Layered Filtering should be in the document
Next by thread: Re: Simple Security - Layered Filtering should be in the document
Index(es):
- Date
- Thread