[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03
Brian E Carpenter wrote:
> On 2008-08-26 10:07, Dan Wing wrote:
> >>>> How does it know that a Protocol 41 packet is unsolicited?
> >>> The same way it knows a non-protocol 41 packet is solicited: the
> >>> host sends a packet first -- the host being protected by the CPE
> >>> doing Simple Security.
> >> How does that work if Host A (behind the CPE) has informed Host X
> >> (outside) of the tunneled address of Host B (also behind the CPE)?
> >> In other words A has solicited X to send a packet to B.
> >
> > The network diagram would look like this, I believe:
> >
> > +-----+
> > Host A ---+ |
> > + CPE +--------- Internet ------ Host X
> > Host B ---+ |
> > +-----+
> >
> >
> > If the CPE is providing security -- as this draft is titled -- the
> > traffic from X to B would be blocked.
> >
> > To permit such traffic, B would need a way to tell the CPE to allow
> > such traffic from X (or to allow arbitrary traffic from any host
> > on the Internet). This is described in Section 3.4 of
> > draft-ietf-v6ops-cpe-simple-security-03 (where James mentions
> > Apple's ALD") but, to my knowledge, has not received much
> > attention and I do not know if it has working group consensus.
>
> The thing is that it can't meet any reasonable definition of
> 'simple'...
>
> But blocking tunnels by default, although it's simple, also
> blocks innovation. That worries me.
Would your worry go away if the IETF initiated a standards effort around
something like Apple's ALD (draft-woodyatt-ald-03.txt)?
-d