
RE: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03



> >> How does it know that a Protocol 41 packet is unsolicited?
> > 
> > The same way it knows a non-protocol 41 packet is solicited: the
> > host sends a packet first -- the host being protected by the CPE 
> > doing Simple Security.
> 
> How does that work if Host A (behind the CPE) has informed Host X
> (outside) of the tunneled address of Host B (also behind the CPE)?
> In other words A has solicited X to send a packet to B.

The network diagram would look like this, I believe:

              +-----+
    Host A ---+     |
              + CPE +--------- Internet ------  Host X
    Host B ---+     |
              +-----+
 

If the CPE is providing security -- as this draft is titled -- the
traffic from X to B would be blocked.  

To permit such traffic, B would need a way to tell the CPE to allow 
such traffic from X (or to allow arbitrary traffic from any host 
on the Internet).  This is described in Section 3.4 of 
draft-ietf-v6ops-cpe-simple-security-03 (where James mentions 
Apple's "ALD") but, to my knowledge, has not received much 
attention and I do not know if it has working group consensus.

-d
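
The state check discussed in this message, as an added example that is not part of the original e-mail or of the draft: a toy model of a CPE that admits inbound protocol 41 only when the interior host addressed sent first. Host labels follow the diagram; keying state on (interior host, exterior host, protocol) and the `permit` method, a hypothetical stand-in for an interior host asking the CPE to admit traffic, are assumptions and do not model ALD itself.

```python
from dataclasses import dataclass, field

PROTO_41 = 41   # IPv6 encapsulated in IPv4
ANY = "*"       # wildcard exterior host for an explicit permit (assumed notation)


@dataclass
class SimpleSecurityCPE:
    inside: set                                   # labels of interior hosts
    flows: set = field(default_factory=set)       # (interior, exterior, proto)
    permits: set = field(default_factory=set)     # (interior, exterior|ANY, proto)

    def outbound(self, src, dst, proto):
        """An interior host sends first; only then are replies 'solicited'."""
        if src not in self.inside:
            raise ValueError("outbound packets must originate from an interior host")
        self.flows.add((src, dst, proto))

    def permit(self, interior, exterior, proto):
        """Hypothetical: the interior host itself asks the CPE to admit traffic."""
        if interior not in self.inside:
            raise ValueError("only interior hosts can request a permit")
        self.permits.add((interior, exterior, proto))

    def inbound_allowed(self, src, dst, proto):
        """Admit only if dst itself sent to src, or dst requested a permit."""
        if (dst, src, proto) in self.flows:
            return True
        return ((dst, src, proto) in self.permits
                or (dst, ANY, proto) in self.permits)


def scenario():
    """Replay the thread's case: A contacts X, then X sends to B."""
    cpe = SimpleSecurityCPE(inside={"A", "B"})
    cpe.outbound("A", "X", PROTO_41)              # A solicits X
    results = {
        "X->A": cpe.inbound_allowed("X", "A", PROTO_41),
        "X->B": cpe.inbound_allowed("X", "B", PROTO_41),
    }
    cpe.permit("B", "X", PROTO_41)                # B explicitly opens to X
    results["X->B after permit"] = cpe.inbound_allowed("X", "B", PROTO_41)
    results["Y->B after permit"] = cpe.inbound_allowed("Y", "B", PROTO_41)
    return results


if __name__ == "__main__":
    for flow, allowed in scenario().items():
        print(f"{flow}: {'pass' if allowed else 'drop'}")
```

A's packet to X creates state for A only, so X's packet to B is dropped until B asks for it.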