[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SECDIR review: draft-ietf-v6ops-tunnel-concerns-00



On 13/10/2008, at 4:38 PM, Suresh Krishnan wrote:

 One simple method to do that is easy to employ for many tunnel
  protocols is to block outbound packets to the UDP or TCP port used
  (e.g., UDP port 3544 for Teredo, UDP port 1701 for L2TP, etc.).
The description of this method is not precise. Is the method to block dest ports, with these source ports, or either, or both?

The method is to block destination ports. We have changed this sentence
to read
(e.g., destination UDP port is 3544 for Teredo, UDP port 1701 for
  L2TP, etc.)

This makes me squirm a bit.

It seems silly to promote blocking discrete ports, when a user could simply run their own Teredo server on a different port and tunnel out with that, or run any other proxy or tunnel server of some kind on any port they wanted. We've all run PPP over SSH before, it's not hard to do this stuff, there are tools to do it automatically.

If an organisation is concerned about people tunnelling through their firewalls, they must use default-deny if they want to have any effect.

In 3.1.3,
Tunneling over UDP or TCP (including HTTP) to reach the Internet is
  not recommended as a solution for managed networks.
First, I'm going to read the sentence as if the word 'managed' was not used as I think all networks on the Internet are 'managed' to some degree. If the authors had a particular definition of the term 'managed network' in mind, they should define it. So reading the sentence without the term 'managed', this is basically a general applicability statement that use of tunneling over UDP or TCP is not recommend for use to 'reach the Internet'. I don't see this recommendation as being appropriate given the issue.

We have changed this text to read

"  Tunneling over UDP or TCP (including HTTP) to reach the Internet is
  not recommended as a solution for networks that wish to enforce
  security polcies on the user traffic.  (Windows, for example,
  disables Teredo by default if it detects that it is within an
  enterprise network that contains a Windows domain controller.)"

Why tunnelling over UDP or TCP? Why not tunnelling in IP as in 6to4?
I don't imagine that UDP makes it any more difficult to inspect than an IP protocol.

I think this statement should be changed to "Tunnelling through a security device (ie. firewall) is not recommended for.. " etc.


--
Nathan Ward