[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SECDIR review: draft-ietf-v6ops-tunnel-concerns

To: Suresh Krishnan <suresh.krishnan@ericsson.com>
Subject: Re: SECDIR review: draft-ietf-v6ops-tunnel-concerns
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Date: Wed, 22 Oct 2008 10:15:45 +1300
Cc: Christian Huitema <huitema@windows.microsoft.com>, Nathan Ward <v6ops@daork.net>, Kurt Zeilenga <Kurt.Zeilenga@Isode.com>, Pasi Eronen <Pasi.Eronen@nokia.com>, Tim Polk <tim.polk@nist.gov>, "secdir@mit.edu" <secdir@mit.edu>, "Jim_Hoagland@symantec.com" <Jim_Hoagland@symantec.com>, Dave Thaler <dthaler@windows.microsoft.com>, "v6ops@ops.ietf.org" <v6ops@ops.ietf.org>
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; b=WuhDTAxzu1a0xFPrFZz28xdd4ucHzighsjuz/lvTi4q0p/LL+zh9rKk5oyalVAEjV9 G9KnarOC7IiYmasZA2tjJSsz2CM+JM47qVTtBCtqAf4BzKqWjccYh+ESFxqscd/aGACp 2B7/79nxjqKMszrk25Ddg0c5V/jYz+BBTbeiA=
In-reply-to: <48FDFBCB.1090508@ericsson.com>
Organization: University of Auckland
References: <8B128AB2-BBD9-49B9-A837-F00DD80BF5D3@Isode.com> <48F2C29B.8090900@ericsson.com> <D6947E23-5209-4767-882A-7EBA645B3DCB@daork.net> <48F8EE0D.4060307@ericsson.com> <48FB9A79.8040407@gmail.com> <8EFB68EAE061884A8517F2A755E8B60A134A70E895@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com> <48FDFBCB.1090508@ericsson.com>
User-agent: Thunderbird 2.0.0.6 (Windows/20070728)

Suresh,

You wrote to Christian:

> While I agree with you about the possibility of an "arms race" I really
> do not see anything we can do about this. What would you recommend
> instead? I am really open to suggestions.

My feeling is that we need to tell IT managers something like
"If your users have a need for IPv6 tunnels, here is how to
make them as safe as possible:

 <description of mechanisms, e.g. for detecting DoS,...>

and after that, explain the threats, and state that tunnels
should be disabled if you are not protected against the threats.

There are also other positive suggestions, like operating
an on-site 6to4 relay and/or Teredo server, so that those
mechanisms don't cross the border router.

I agree with you that there are real threats (or will be, once
there is enough deployment to make IPv6 tunnels an interesting
target). It's quite appropriate to document them.

    Brian

Follow-Ups:
- Re: SECDIR review: draft-ietf-v6ops-tunnel-concerns
  - From: Nathan Ward <v6ops@daork.net>
- RE: SECDIR review: draft-ietf-v6ops-tunnel-concerns
  - From: Christian Huitema <huitema@windows.microsoft.com>

References:
- Re: SECDIR review: draft-ietf-v6ops-tunnel-concerns-00
  - From: Suresh Krishnan <suresh.krishnan@ericsson.com>
- Re: SECDIR review: draft-ietf-v6ops-tunnel-concerns-00
  - From: Nathan Ward <v6ops@daork.net>
- Re: SECDIR review: draft-ietf-v6ops-tunnel-concerns-00
  - From: Suresh Krishnan <suresh.krishnan@ericsson.com>
- Re: SECDIR review: draft-ietf-v6ops-tunnel-concerns
  - From: Brian E Carpenter <brian.e.carpenter@gmail.com>
- RE: SECDIR review: draft-ietf-v6ops-tunnel-concerns
  - From: Christian Huitema <huitema@windows.microsoft.com>
- Re: SECDIR review: draft-ietf-v6ops-tunnel-concerns
  - From: Suresh Krishnan <suresh.krishnan@ericsson.com>

Prev by Date: Re: SECDIR review: draft-ietf-v6ops-tunnel-concerns
Next by Date: RE: SECDIR review: draft-ietf-v6ops-tunnel-concerns
Previous by thread: Re: SECDIR review: draft-ietf-v6ops-tunnel-concerns
Next by thread: RE: SECDIR review: draft-ietf-v6ops-tunnel-concerns
Index(es):
- Date
- Thread