[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows

To: IPv6 Operations <v6ops@ops.ietf.org>
Subject: Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
From: james woodyatt <jhw@apple.com>
Date: Mon, 24 Aug 2009 11:59:21 -0700
In-reply-to: <C6F4A79B-EAAB-469D-B9A5-F29182A5EC6D@cisco.com>
References: <805241AA-DC9A-4498-9D54-8D491DD62A0D@apple.com> <2D21500B-207B-43FB-9728-8A7BCEC82CB1@apple.com> <7F9A6D26EB51614FBF9F81C0DA4CFEC80158E120B3E6@il-ex01.ad.checkpoint.com> <47CF65DB-E3E1-4666-B1E9-51A49B372AD5@apple.com> <390865C6-3343-4C31-9767-6E0FCA4481DD@suspicious.org> <ADAD4E36-7059-40F5-B964-607F065639FE@apple.com> <20090823184516.a8667014.ipng@69706e6720323030352d30312d31340a.nosense.org> <C6F4A79B-EAAB-469D-B9A5-F29182A5EC6D@cisco.com>

On Aug 24, 2009, at 11:33, Mark Baugher wrote:

The node that accepts the IKE phase 1 presumably has some acl orcredential requirement to control access - or could have. I thoughtthat this was the idea behind the original recommendation.

I'm always getting confused about whether we're presuming that theinterior node is well secured or that the interior node has somehypothetical vulnerability that can be remotely exploited to obtainaccess to the rest of the interior network. I'm often making thewrong assumption in the wrong context, and I suspect I just don't havesufficient network security expertise to know which assumption to makein what scenario.

Hence, my tendency to defer to the people with more credible claims tosuch expertise. Let them take the heat for mistakes of thatcategory. That's what they get paid to do.



--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering

Follow-Ups:
- Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
  - From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>

References:
- draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
  - From: james woodyatt <jhw@apple.com>
- Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
  - From: james woodyatt <jhw@apple.com>
- RE: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
  - From: Yaron Sheffer <yaronf@checkpoint.com>
- Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
  - From: james woodyatt <jhw@apple.com>
- Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
  - From: Truman Boyes <truman@suspicious.org>
- Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
  - From: james woodyatt <jhw@apple.com>
- Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
  - From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>
- Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
  - From: Mark Baugher <mbaugher@cisco.com>

Prev by Date: Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
Next by Date: RE: Routing loop attacks using IPv6 tunnels
Previous by thread: Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
Next by thread: Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
Index(es):
- Date
- Thread