
Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03



On 2008-08-25 17:23, Dan Wing wrote:
>>> You're saying that the Simple CPE Security document is not intended
>>> to provide security, but rather intended to provide a way to receive
>>> unsolicited IPv6 traffic through non-IPv6-capable SPs?
>> If a host behind the CPE chooses to set up an IPv6 tunnel to
>> an IPv6-supporting ISP, I don't see that the tunnel is anybody's
>> business but the host's. So yes, in that case I think the CPE
>> should step back, because the host *is* soliciting incoming
>> packets.
> 
> But in that case, the host behind the CPE initiated the 
> communication to the tunnel.  For that to work, I do not
> believe it requires the CPE to allow unsolicited *incoming* 
> traffic from the Internet (as currently written in 
> draft-ietf-v6ops-cpe-simple-security-03.txt R19, R20, and R21).

How does it know that a Protocol 41 packet is unsolicited?
An IPv4 router takes no part in IPv6 tunnel setup. Either it
allows Protocol 41 or it doesn't, as far as I can see.

Note, I'm not talking about *-in-IPv6 tunnels.

    Brian
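The question raised in this exchange, as an added example that is not part of either message or of the draft: since protocol 41 has no ports, a filter that wants to treat inbound protocol 41 as solicited can only key its state on the address pair, recording that an inside host recently sent protocol 41 to that remote endpoint. The class name, the 60-second timeout and the addresses (as seen on the WAN side, NAT ignored) are assumptions, and the packets are constructed samples.

```python
import ipaddress
import struct

PROTO_41 = 41  # IPv6 encapsulated in IPv4

def ipv4_header(src, dst, proto):
    """Constructed 20-byte IPv4 header for the samples (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def parse(pkt):
    """Return (src, dst, proto) from the fixed part of an IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return (ipaddress.IPv4Address(pkt[12:16]),
            ipaddress.IPv4Address(pkt[16:20]), pkt[9])

class Proto41State:
    """Hypothetical state table keyed on (inside address, remote endpoint)."""
    def __init__(self, timeout=60.0):  # timeout value is an assumption
        self.timeout = timeout
        self.expiry = {}

    def outbound(self, pkt, now):
        src, dst, proto = parse(pkt)
        if proto == PROTO_41:
            self.expiry[(src, dst)] = now + self.timeout  # create or refresh

    def inbound_allowed(self, pkt, now):
        src, dst, proto = parse(pkt)
        if proto != PROTO_41:
            return False  # other protocols are outside this example
        deadline = self.expiry.get((dst, src))
        if deadline is None or now >= deadline:
            self.expiry.pop((dst, src), None)  # drop stale entry
            return False
        return True

def demo():
    host, relay, other = "198.51.100.7", "192.0.2.1", "203.0.113.9"
    fw = Proto41State()
    results = [fw.inbound_allowed(ipv4_header(relay, host, 41), now=0)]
    fw.outbound(ipv4_header(host, relay, 41), now=1)
    results.append(fw.inbound_allowed(ipv4_header(relay, host, 41), now=10))
    results.append(fw.inbound_allowed(ipv4_header(other, host, 41), now=10))
    results.append(fw.inbound_allowed(ipv4_header(relay, host, 41), now=100))
    return results  # before state, after state, wrong peer, after timeout

if __name__ == "__main__":
    print(demo())
```

A match on the address pair shows only that the inside host sent to that endpoint first; protocol 41 has no handshake, so it does not authenticate the sender of the inbound packet.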