
RE: But are we talking IPv6 only? That's how I read the draft. (Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03)


> -----Original Message-----
> From: Mark Smith 
> [mailto:ipng@69706e6720323030352d30312d31340a.nosense.org] 
> Sent: Wednesday, August 27, 2008 3:17 AM
> To: Dan Wing
> Cc: 'Truman Boyes'; 'Brian E Carpenter'; jhw@apple.com; 'IPv6 
> Operations'
> Subject: But are we talking IPv6 only? That's how I read the 
> draft. (Re: Some suggestions for 
> draft-ietf-v6ops-cpe-simple-security-03)
> 
> 
> On Mon, 25 Aug 2008 17:29:47 -0700
> "Dan Wing" <dwing@cisco.com> wrote:
> 
> > > On 25/08/2008, at 6:37 PM, Brian E Carpenter wrote:
> > > > But blocking tunnels by default, although it's simple, also
> > > > blocks innovation. That worries me.
> > > >
> > > >    Brian
> > > 
> > > I agree with this stance. Blocking tunnels, although possibly more
> > > secure is going to make it very difficult to solve real world
> > > problems. We have enough trouble today with IPv4 Port forwarding in
> > > CPEs and the fact that some devices do not by default pass VPN
> > > traffic. I believe internal to external tunnel flow/solicitation
> > > should be permitted by default.
> > 
> > Internal to external is permitted, by default, in the current document.
> > 
> > We are discussing external to internal.  
> > 
> 
> external to internal what?

External to network that the CPE, providing Simple Security, is
protecting.

> IPv6 in IPv4, IPv6 in GRE in IPv4, IPv6 in
> IPsec in IPv4, IPv6 in L2TP in IPv4, IPv6 in IPv6, IPv6 in GRE in IPv6
> etc. etc.
> 
> The draft seems to be limited to specifying IPv6 only CPE
> security functionality. My comments about limiting uninspected
> inbound tunnel encapsulation to authenticated protocols were only
> regarding IPv6 in IPv6 (or IPsec over IPv6, or GRE over IPv6)
> tunneling. No IPv4 involved or seen.
> 
> All the discussion that has occurred since seems to be discussing IPv6
> over IPv4, and IMHO that is not within scope the way the draft
> is currently written.

I, at least, am not thinking of anything running over v4 in 
regards to v6ops-cpe-simple-security.

The only exception for tunnels that I see in the draft is for
tunnels running over v6, in requirement R22:

   R23: In their DEFAULT operating mode, IPv6 gateways MUST NOT prohibit
   the forwarding, to and from legitimate node addresses, with upper
   layer protocol of type IP version 6, and SHOULD NOT prohibit the
   forwarding of other tunneled networking protocols commonly used for
   virtual private networking, e.g.  IP version 4, Generic Routing
   Encapsulation, etcetera.

I don't see any exception, or discussion, of v4 tunnels except for
Teredo -- and the draft recommends those be blocked.

> So it seems to me that before this discussion goes on too 
> much more, we
> should agree on exactly what we're talking about and what we 
> understand
> the draft is to cover. Namely, is it:
> 
> * IPv6 only CPE security functionality
> * Native IPv6 CPE security, plus IPv4 security/functionality
> requirements to support IPv6 transition via IPv4 tunnelling
> * Native IPv6, plus IPv4 security/functionality requirements 
> to support
> IPv6 transition, and IPv4 security in both IPv4 NAT and Non-NAT
> scenarios.
> 
> I certainly think the last point is out of scope.

And the draft has no requirement for that last point, except to
break Teredo (requirement R18).

> However, if the
> second one is the scope, then I think the draft will have to deal with
>  and specify all the various IPv4 NAT/NAPT/No NAT tunnelling scenarios
> and security issues related to tunnelling IPv6 over IPv4.

-d

> Regards,
> Mark.
>