Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
On 2009-08-23 21:15, Mark Smith wrote:
> On Sat, 22 Aug 2009 22:33:37 -0700
> james woodyatt <jhw@apple.com> wrote:
>
>> On Aug 22, 2009, at 21:58, Truman Boyes wrote:
>>> This is quite confusing from an implementation perspective; security
>>> is not explicitly increased by prohibiting non-encrypted tunnels but
>>> allowing encrypted (ESP or AH) traffic flows. Wouldn't this simply
>>> serve as a driver to make all tunnel encapsulations use ESP/AH?
>> Yes. I'm not sure I can explain how this is supposed to increase
>> security, but if consensus in the working group emerges around these
>> recommendations and the draft can proceed through working group last
>> call, then that's good enough for me.
>>
>
> Maybe I haven't fully understood the question, however isn't the answer
> as simple as the benefits of IPsec over cleartext? Even the
> better-than-nothing-mode of IPsec, while vulnerable to
> man-in-the-middle attacks during session setup, has a much smaller
> window of opportunity for exploitation over clear text traffic.
Not to mention the fact that other secure VPN techniques such as
IP-over-TLS will still be fine through a conforming CPE.
Brian
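To make the filtering behaviour being debated concrete, here is an added Python example (not code from the thread, the draft, or any CPE vendor). It models the policy as the thread paraphrases it: ESP and AH are permitted, unencrypted tunnel encapsulations (IPv4-in-IPv6, IPv6-in-IPv6, GRE) are dropped, and everything else falls through to ordinary stateful handling. The classifier walks the IPv6 extension-header chain to find the real upper-layer protocol, since a tunnel hidden behind a Destination Options header must still be caught. The packets are constructed inline with zero addresses and placeholder payloads; the protocol numbers are the IANA-assigned values.

```python
import struct

# IANA protocol numbers: the upper-layer protocols the thread discusses,
# plus the IPv6 extension headers the walker has to step over.
HOPOPT, IPV4_ENCAP, TCP, IPV6_ENCAP, ROUTING, FRAGMENT, GRE, ESP, AH, DSTOPTS = (
    0, 4, 6, 41, 43, 44, 47, 50, 51, 60)
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, DSTOPTS}
ENCRYPTED_TUNNEL = {ESP, AH}
CLEARTEXT_TUNNEL = {IPV4_ENCAP, IPV6_ENCAP, GRE}


def upper_layer_protocol(pkt: bytes) -> int:
    """Return the Next Header value that follows the IPv6 extension-header chain.

    For a non-initial fragment the upper-layer header is not present in this
    packet, so FRAGMENT (44) is returned to signal 'cannot classify here'.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        next_nh = pkt[off]
        if nh == FRAGMENT:
            # Fragment header is a fixed 8 octets; offset is the top 13 bits of bytes 2..3.
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_off != 0:
                return FRAGMENT
            hdr_len = 8
        else:
            # Hdr Ext Len counts 8-octet units, not including the first 8 octets.
            hdr_len = (pkt[off + 1] + 1) * 8
        off += hdr_len
        nh = next_nh
    return nh


def filter_decision(pkt: bytes) -> str:
    """Apply the policy as paraphrased in the thread (hypothetical, not the draft text)."""
    proto = upper_layer_protocol(pkt)
    if proto in ENCRYPTED_TUNNEL:
        return "permit"     # ESP/AH flows pass
    if proto in CLEARTEXT_TUNNEL:
        return "drop"       # unencrypted encapsulations are prohibited
    return "stateful"       # TCP, UDP, fragments, ...: normal stateful treatment


def ipv6(first_nh: int, body: bytes) -> bytes:
    """Build a minimal IPv6 packet (constructed sample: zero addresses, hop limit 64)."""
    hdr = struct.pack("!IHBB", 0x60000000, len(body), first_nh, 64) + bytes(32)
    return hdr + body


# Constructed sample packets.
_dstopts = bytes([GRE, 0, 1, 4, 0, 0, 0, 0])        # next=GRE, len=0 (8 octets), one PadN option
_tcp443 = struct.pack("!HHIIBBHHH", 51234, 443, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
_frag_nonfirst = struct.pack("!BBHI", TCP, 0, 100 << 3, 1)   # offset 100, M=0

SAMPLES = {
    "esp": ipv6(ESP, bytes(16)),                               # IPsec ESP: permitted
    "ip6ip6": ipv6(IPV6_ENCAP, ipv6(TCP, _tcp443)),            # cleartext tunnel: dropped
    "gre_dstopts": ipv6(DSTOPTS, _dstopts + bytes(4)),         # GRE behind an ext header: still dropped
    "tls": ipv6(TCP, _tcp443),                                 # IP-over-TLS looks like HTTPS: stateful
    "nonfirst_fragment": ipv6(FRAGMENT, _frag_nonfirst + b"x" * 8),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18s} proto={upper_layer_protocol(pkt):3d} -> {filter_decision(pkt)}")
```

Two of the samples carry the points made in the thread. The TCP/443 packet is classified "stateful" exactly as any HTTPS session would be, which is why an IP-over-TLS VPN passes a CPE implementing this policy unchanged. The non-initial fragment cannot be classified from the packet alone, so a per-packet filter of this kind needs fragment state (or reassembly) before it can enforce the tunnel prohibition reliably.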