[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03
On 2008-08-26 12:11, Dan Wing wrote:
> Brian E Carpenter wrote:
>> On 2008-08-26 10:07, Dan Wing wrote:
>>>>>> How does it know that a Protocol 41 packet is unsolicited?
>>>>> The same way it knows a non-protocol 41 packet is solicited: the
>>>>> host sends a packet first -- the host being protected by the CPE
>>>>> doing Simple Security.
>>>> How does that work if Host A (behind the CPE) has informed Host X
>>>> (outside) of the tunneled address of Host B (also behind the CPE)?
>>>> In other words A has solicited X to send a packet to B.
>>> The network diagram would look like this, I believe:
>>>
>>> +-----+
>>> Host A ---+ |
>>> + CPE +--------- Internet ------ Host X
>>> Host B ---+ |
>>> +-----+
>>>
>>>
>>> If the CPE is providing security -- as this draft is titled -- the
>>> traffic from X to B would be blocked.
>>>
>>> To permit such traffic, B would need a way to tell the CPE to allow
>>> such traffic from X (or to allow arbitrary traffic from any host
>>> on the Internet). This is described in Section 3.4 of
>>> draft-ietf-v6ops-cpe-simple-security-03 (where James mentions
>>> Apple's ALD") but, to my knowledge, has not received much
>>> attention and I do not know if it has working group consensus.
>> The thing is that it can't meet any reasonable definition of
>> 'simple'...
>>
>> But blocking tunnels by default, although it's simple, also
>> blocks innovation. That worries me.
>
> Would your worry go away if the IETF initiated a standards effort around
> something like Apple's ALD (draft-woodyatt-ald-03.txt)?
I believe that something like that is needed.
Brian
P.S. I am about to disappear on vacation until Sept. 15.