[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: draft-ietf-v6ops-cpe-simple-security-12 - default behavior
> The mail below apparently didn't receive much attention.
> Yet, the subject is IMHO important.
> We all recognized in Anaheim that, concerning IPv6, some people prefer NAT44-like filtering to e2e transparency, and some other people prefer e2e transparency.
> The consensus as I remember it was that vendors would be free to choose the default behavior one way or another.
> In my understanding, the proposed wording below (or something equivalent) would express more accurately that consensus.
after receiving review comments from the security directorate on the Basic IPv6 CPE requirements document, we now have the following requirement:
S-1: The IPv6 CE router SHOULD support
[I-D.ietf-v6ops-cpe-simple-security]. In particular, the IPv6
CE router SHOULD support functionality sufficient for
implementing the set of recommendations in
[I-D.ietf-v6ops-cpe-simple-security] section 4. Ths document
takes no position on whether such functionality is enabled by
default or mechanisms by which users would configure it.
I also support text in the simple security draft which does make it clear that it does not make any recommendation on a default. it simply specifies what NAT equivalent 'security' is.
> Début du message réexpédié :
>> De : Rémi Després <email@example.com>
>> Date : 22 juin 2010 15:28:53 HAEC
>> À : James Woodyatt <firstname.lastname@example.org>
>> Cc : IPv6 v6ops <email@example.com>
>> Objet : Rép : I-D Action:draft-ietf-v6ops-cpe-simple-security-11.txt
>> Hi, James,
>> The current REC 43 says:
>> -"Gateways MUST provide an easily selected configuration option
>> that permits a "transparent mode" of operation that forwards
>> all unsolicited flows regardless of forwarding direction,
>> i.e. to disable the IPv6 simple security capabilities of the
>> This seems to imply that, if a CPE supports the default simple security, it should have it enabled by default.
>> In my understanding of what was agreed, each manufacturer would decide whether the default configuration would be "transparent mode" or not.
>> To reflect this, REC 43 could, for example, be:
>> -"Gateways that support simple security MUST provide an easily selected configuration option that, if the default configuration has simple security enabled, permits a "transparent mode" of operation that forwards all unsolicited flows regardless of forwarding direction, or that, if the default configuration has "transparent mode" enabled, enables the filtering of unsolicited incoming flows."