Re: I-D.ietf-v6ops-cpe-simple-security-09
On Mar 4, 2010, at 3:25 PM, Mark Baugher wrote:
> I think this is an important document that seems to be ready to be published. I have a couple of concerns:
>
> 1. Rec-2. Why not site-scope?
REC-2: Packets which bear in their outer IPv6 headers multicast
destination addresses of equal or narrower scope (see section 2.7 of
IP Version 6 Addressing Architecture [RFC4291]) than the configured
scope boundary level of the gateway MUST NOT be forwarded in any
direction. The DEFAULT scope boundary level SHOULD be organization-
local scope, and it SHOULD be configurable by the network
administrator.
I'm not even sure I understand the recommendation. To be sure, RFC 4291 knows nothing of an "organization-local" scope; what is likely meant here is "site-local". I'm also not sure I understand the reasoning behind it; I would understand if it said to drop datagrams addressed to wider scopes ("all customers of a given ISP") or narrower scopes (if you mean a specific subnet, which one is that?) but I don't understand why you would drop the datagram if the scope of its address were exactly as configured on the firewall.
> 2. Rec-42. Pardon me if I'm being dense, but what are you saying here? That service providers cannot manage the device from an exterior interface?
I should hope they couldn't without the network administration actively doing something to permit them to. As we have discussed privately, a protocol that enables an entity outside my administrative domain to control equipment within my administrative domain without my explicit authorization is a security issue.
> There are many SHOULDs and some should be MUSTs. I have a long list of nits and such. I'll send the markups directly to you, James. Is this Last Call or is this going into Last Call soon?
Last call will not happen before IETF 77.
> Mark
>
>
> On Mar 3, 2010, at 3:06 PM, james woodyatt wrote:
>
>> everyone--
>>
>> Once again, I'd like to ask for some discussion and feedback on this draft. Is there any reason this revision of the draft should not proceed to Working Group Last Call at this time?
>>
>>
>> --
>> james woodyatt <jhw@apple.com>
>> member of technical staff, communications engineering
>>
>>
>>
>
>
http://www.ipinc.net/IPv4.GIF
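To make the REC-2 discussion concrete, here is an added example (not text from the draft or from anyone in this thread) that applies REC-2 exactly as quoted above: a multicast destination whose scope value is equal to or narrower than the configured boundary is not forwarded in either direction. The scope table is the one from RFC 4291 section 2.7 (the low nibble of the second byte of an ff0X::/16 address). The function names `multicast_scope`, `rec2_verdict` and `audit_packets`, and the sample packets, are constructed for this illustration. Running it with different `boundary` values shows which addresses land on each side of the "equal or narrower" line that the reply questions.

```python
import ipaddress

# Multicast scope values defined in RFC 4291 section 2.7.
# The scope is the low 4 bits of the second byte of an ff0X::/16 address.
SCOPES = {
    0x1: "interface-local",
    0x2: "link-local",
    0x4: "admin-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
}

# REC-2 default boundary: organization-local scope.
DEFAULT_SCOPE_BOUNDARY = 0x8


def multicast_scope(addr: str):
    """Return the 4-bit scope of an IPv6 multicast address, or None if not multicast."""
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_multicast:
        return None
    return ip.packed[1] & 0x0F


def rec2_verdict(dst: str, boundary: int = DEFAULT_SCOPE_BOUNDARY) -> str:
    """Apply REC-2 as written in the quoted draft text.

    Multicast destinations of scope equal to or narrower than the configured
    boundary MUST NOT be forwarded in any direction, so direction is ignored.
    Returns 'drop', 'pass', or 'not-applicable' (unicast: other rules decide).
    """
    scope = multicast_scope(dst)
    if scope is None:
        return "not-applicable"
    if scope <= boundary:
        return "drop"
    return "pass"


def audit_packets(packets, boundary: int = DEFAULT_SCOPE_BOUNDARY):
    """Return one (direction, dst, scope-name, verdict) tuple per packet."""
    result = []
    for direction, dst in packets:
        scope = multicast_scope(dst)
        name = SCOPES.get(scope, "unassigned") if scope is not None else "unicast"
        result.append((direction, dst, name, rec2_verdict(dst, boundary)))
    return result


# Constructed sample packets (direction, destination); not captured traffic.
SAMPLE_PACKETS = [
    ("inbound", "ff02::1"),        # link-local all-nodes
    ("outbound", "ff05::2"),       # site-local all-routers
    ("outbound", "ff08::1"),       # organization-local: equal to the default boundary
    ("inbound", "ff0e::101"),      # global scope
    ("inbound", "2001:db8::1"),    # unicast: REC-2 does not apply
]

if __name__ == "__main__":
    for row in audit_packets(SAMPLE_PACKETS):
        print("%-8s %-14s %-18s %s" % row)
    print("--- boundary lowered to site-local (0x5) ---")
    for row in audit_packets(SAMPLE_PACKETS, boundary=0x5):
        print("%-8s %-14s %-18s %s" % row)
```

With the default boundary, `ff08::1` is dropped because its scope equals the boundary; lowering the boundary to site-local lets it through while `ff05::2` is still dropped.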