Re: I-D.ietf-v6ops-cpe-simple-security-09
Mark, I'm not going to reply to your specific question.

The one most clear result from the ISP survey I will report
on during the IETF is that the biggest gap in products holding
up general v6 deployment is CPE.

I think it's a matter of great urgency to get this draft
out as an RFC; it's a couple of years too late.

So I want to say: let's not add *anything*. Let's just
push it out in a matter of weeks.

The same applies to draft-ietf-v6ops-ipv6-cpe-router
of course.

Regards
Brian Carpenter

On 2010-03-20 07:00, Mark Townsley wrote:
>
> I would like to propose some form of "ParanoidOpenness" (Rule #7) from
> draft-vyncke-advanced-ipv6-security-01 to be brought into the
> simple-security draft.
>
> The basic idea is that rather than blocking otherwise unauthorized
> inbound connections outright, the CPE rate-limits them according to a
> variable setting. When that setting is 0, all incoming packets are
> dropped. When set to its maximum, all packets are permitted (as if the
> firewall function is configured off). In-between, the CPE rate-limits
> incoming packets to reduce probing of the home network, but to allow
> just enough packets through that, if a host inside responds, a pinhole
> is opened for the communication to occur. Of course, the hard part is
> what the default setting should be, but I'd like to get a sense first of
> whether we can bring this function in.
>
> James, I think I remember you being warm to the idea in some (jabber?)
> comments during the meeting in Hiroshima when I presented this first.
>
> Thanks,
>
> - Mark
>
> On 3/4/10 12:06 AM, james woodyatt wrote:
>> everyone--
>>
>> Once again, I'd like to ask for some discussion and feedback on this
>> draft. Is there any reason this revision of the draft should not
>> proceed to Working Group Last Call at this time?
>>
>>
>> --
>> james woodyatt<jhw@apple.com>
>> member of technical staff, communications engineering
>
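
The rate-limited pinhole behaviour described in the quoted proposal, sketched as an added example that is not part of this thread or of either draft. The 0 to 100 setting scale, its reading as packets per second, the one-second burst and the address-pair pinhole key are all assumptions made for illustration; the traffic is constructed.

```python
MAX_SETTING = 100  # assumed scale; the thread does not define the setting's units


class ParanoidOpennessFilter:
    """Hypothetical CPE policy: rate-limit unsolicited inbound packets."""

    def __init__(self, setting):
        self.setting = setting              # 0 = drop all, MAX_SETTING = permit all
        self.millitokens = setting * 1000   # start with one second of burst
        self.last_ms = 0
        self.pinholes = set()               # (outside, inside) pairs; a real CPE tracks 5-tuples

    def outbound(self, inside, outside):
        """An inside host sent a packet: open a pinhole for the return traffic."""
        self.pinholes.add((outside, inside))

    def inbound(self, outside, inside, now_ms):
        """Return True if the inbound packet is forwarded into the home network."""
        if (outside, inside) in self.pinholes:
            return True                     # established flow bypasses the limiter
        if self.setting <= 0:
            return False                    # firewall fully closed
        if self.setting >= MAX_SETTING:
            return True                     # as if the firewall function were off
        # Integer token bucket: refill `setting` packets per second, capped at one second.
        elapsed = now_ms - self.last_ms
        self.millitokens = min(self.setting * 1000,
                               self.millitokens + elapsed * self.setting)
        self.last_ms = now_ms
        if self.millitokens >= 1000:
            self.millitokens -= 1000
            return True
        return False


def simulate(setting):
    """Constructed traffic: a 1000-probe scan in one second, then one real peer."""
    fw = ParanoidOpennessFilter(setting)
    listener = "2001:db8:1::10"             # the only inside host that answers
    probes = 0
    for ms in range(1000):                  # scanner walks addresses with no host behind them
        probes += fw.inbound("2001:db8:bad::1", f"2001:db8:1::{ms + 0x100:x}", ms)
    peer, delivered = "2001:db8:2::7", 0
    if fw.inbound(peer, listener, 5000):    # first unsolicited packet from the peer
        delivered += 1
        fw.outbound(listener, peer)         # listener replies, which opens the pinhole
    delivered += sum(fw.inbound(peer, listener, 5001) for _ in range(50))
    return probes, delivered                # (scan packets let in, peer packets let in)
```

With an intermediate setting of 5, `simulate(5)` lets 9 of the 1000 scan probes through while the peer's whole exchange is delivered once the listener answers.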