
Re: SECDIR review: draft-ietf-v6ops-tunnel-concerns



...
>> Why tunnelling over UDP or TCP? Why not tunnelling in IP as in 6to4?
>> I don't imagine that UDP makes it any more difficult to inspect than
>> an IP protocol.
>>
>> I think this statement should be changed to "Tunnelling through a
>> security device (i.e. firewall) is not recommended for.. " etc.
> 
> Sounds good. We will make this change.

Now you have me worried enough to say something I've been feeling
ever since I really read this draft carefully.

To exaggerate, <sarcasm> why not just rename it "tunneling considered
harmful" and chop it down to one paragraph? </sarcasm>

I think there's a real risk of this document being misunderstood
by typical site IT managers, and being used simply as an excuse
to block all kinds of tunnel-based v4/v6 coexistence. But tunnels
are a legitimate coexistence strategy. I'd much rather see
this document talking more about how to make the use of tunnels
safe as part of v4/v6 coexistence. There is some of that material
in the document, but the impression the draft leaves is now of
a succession of warnings to block tunnels.

    Brian
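The point argued above, that IPv6 carried in UDP is no harder for a security device to inspect than IPv6 carried directly in an IP protocol such as 6to4, is easy to show in code. The following is an added example, not part of this thread or of the draft: a small Python decapsulator that recognises both encapsulations on constructed packets and pulls out the inner IPv6 header either way. It uses the well-known values for the two mechanisms (IP protocol 41 for IPv6-in-IPv4 as used by 6to4, UDP port 3544 for Teredo) and, for 6to4 addresses in 2002::/16, applies the usual sanity check that the IPv4 address embedded in the inner source matches the outer source. The packets, addresses and function names are all constructed for illustration; the code does no checksumming and handles only the minimal headers a firewall would need to look at before deciding what to do with the tunnel.

```python
import ipaddress
import struct

# Protocol constants for the two tunnel styles discussed in the thread.
IPPROTO_IPV6 = 41        # IPv6 carried directly in IPv4 (6to4, 6in4)
IPPROTO_UDP = 17
TEREDO_PORT = 3544       # UDP port used by Teredo (RFC 4380)
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")


def build_ipv4(proto, src, dst, payload):
    """Constructed IPv4 header (no options, checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6(src, dst, next_header=59, payload=b""):
    """Constructed IPv6 header; next_header 59 means 'no next header'."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def build_udp(sport, dport, payload):
    """Constructed UDP header (checksum left zero) plus payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def _parse_ipv6_header(buf):
    """Return (src, dst, next_header) from a 40-byte IPv6 header, or None."""
    if len(buf) < 40 or (buf[0] >> 4) != 6:
        return None
    return (ipaddress.IPv6Address(buf[8:24]), ipaddress.IPv6Address(buf[24:40]), buf[6])


def sixto4_embedded_v4(addr):
    """For a 2002::/16 address, return the IPv4 address carried in bits 16..47."""
    if addr in SIXTO4_PREFIX:
        return ipaddress.IPv4Address(addr.packed[2:6])
    return None


def classify_tunnel(packet):
    """Inspect one IPv4 packet; if it encapsulates IPv6 (directly or via Teredo UDP),
    return the encapsulation style and the inner IPv6 addresses.  For 6to4 inner
    sources, also report whether the embedded IPv4 address matches the outer source,
    which is the check a relay or firewall uses to reject spoofed 6to4 traffic.
    """
    if len(packet) < 20 or (packet[0] >> 4) != 4:
        return {"encap": "not-ipv4"}
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    outer_src = ipaddress.IPv4Address(packet[12:16])
    outer_dst = ipaddress.IPv4Address(packet[16:20])
    payload = packet[ihl:]

    if proto == IPPROTO_IPV6:
        encap, inner = "ipv6-in-ipv4", _parse_ipv6_header(payload)
    elif proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        # The UDP header is eight bytes; the IPv6 header sits right behind it.
        inner = _parse_ipv6_header(payload[8:]) if TEREDO_PORT in (sport, dport) else None
        encap = "ipv6-in-udp"
    else:
        encap, inner = "none", None

    result = {"outer_src": str(outer_src), "outer_dst": str(outer_dst)}
    if inner is None:
        result["encap"] = "none"
        return result
    src, dst, next_header = inner
    result.update({"encap": encap, "inner_src": str(src), "inner_dst": str(dst),
                   "inner_next_header": next_header})
    if encap == "ipv6-in-ipv4":
        embedded = sixto4_embedded_v4(src)
        if embedded is None:
            result["addr_check"] = "n/a"
        else:
            result["addr_check"] = "ok" if embedded == outer_src else "mismatch"
    return result


# Constructed sample packets (documentation addresses only).
# 192.0.2.1 embeds as 2002:c000:201::/48, so this 6to4 packet is self-consistent.
SIXTO4_OK = build_ipv4(IPPROTO_IPV6, "192.0.2.1", "198.51.100.9",
                       build_ipv6("2002:c000:201::1", "2001:db8::1"))
# Same inner packet from a different outer source: the embedded address does not match.
SIXTO4_SPOOFED = build_ipv4(IPPROTO_IPV6, "203.0.113.7", "198.51.100.9",
                            build_ipv6("2002:c000:201::1", "2001:db8::1"))
TEREDO = build_ipv4(IPPROTO_UDP, "203.0.113.7", "198.51.100.9",
                    build_udp(50000, TEREDO_PORT, build_ipv6("2001:0:c633:6409::1", "2001:db8::1")))
PLAIN_UDP = build_ipv4(IPPROTO_UDP, "203.0.113.7", "198.51.100.9",
                       build_udp(50000, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00"))

if __name__ == "__main__":
    for name, pkt in [("6to4", SIXTO4_OK), ("6to4-spoofed", SIXTO4_SPOOFED),
                      ("teredo", TEREDO), ("plain-udp", PLAIN_UDP)]:
        print(name, classify_tunnel(pkt))
```

The UDP case costs the inspector exactly one extra fixed-size header before it reaches the same IPv6 header it would read in the protocol-41 case, which is the practical content of the reviewer's remark. The 6to4 address check is the kind of "make tunnels safe" material the draft could say more about: it lets a device admit 6to4 traffic while dropping packets whose inner source claims an IPv4 address the outer header does not carry.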