Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows

[james woodyatt <jhw@apple.com>]

On Aug 21, 2009, at 14:26, james woodyatt wrote:
> [I wrote:]
> > R24: In their DEFAULT operating mode, IPv6 gateways MUST prohibit  
> > the forwarding of packets to and from interior node addresses with  
> > upper layer protocol of type IP version 6 and without Encapsulated  
> > Security Payload (ESP) or Authenticated Header (AH) extension  
> > headers.  A configuration option MUST be provided for lifting this  
> > prohibition.

Ugh.  This needs wordsmithing.

How about this instead:

> R24: In their DEFAULT operating mode, IPv6 gateways MUST prohibit  
> the forwarding of packets to and from interior node addresses with  
> upper layer protocol of type IP version 6 unless the encapsulated  
> packets have Encapsulated Security Payload (ESP) or Authenticated  
> Header (AH) extension headers.  A configuration option MUST be  
> provided for lifting this prohibition.

I think that more clearly defines the regime I'm proposing.


--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering