On 3/19/10 8:34 PM, Brian E Carpenter wrote:
> Mark, I'm not going to reply to your specific question.
That's too bad.
> The one most clear result from the ISP survey I will report on during the IETF is that the biggest gap in products holding up general v6 deployment is CPE.
Understood.
> I think it's a matter of great urgency to get this draft out as an RFC; it's a couple of years too late.
It's more the implementations that are late, but I get your point.
> So I want to say: let's not add *anything*. Let's just push it out in a matter of weeks.
All we are talking about is allowing what is now a binary on/off in the draft to be a variable between 0 and some maximum instead. The default could still well be what we have now, 0, though I would like it to be something else.
I'm not sure that leaving this out will help advance the draft more quickly. Folks like me, who are quite happy with their native IPv6 service for the past couple of years with no IPv6 firewall, think of cpe-simple-security as a sword in the heart of IPv6 and end-to-end transparency. Including "Rule 7" is something that would go a long way towards at least me stepping back and not making an enormous ruckus when this draft hits last call.
We've already talked about the idea in v6ops, it's been documented in a draft for at least a little while, and after Hiroshima I got some indication that this was something people would like to have. The basic concept comes from Dave Oran, who included it in various presentations for years.
So, aside from your fears of changing anything in the draft at all, what do you think of the idea?
- Mark
> The same applies to draft-ietf-v6ops-ipv6-cpe-router of course.
>
> Regards
>    Brian Carpenter
>
> On 2010-03-20 07:00, Mark Townsley wrote:
>> I would like to propose some form of "ParanoidOpeness" (Rule #7) from draft-vyncke-advanced-ipv6-security-01 to be brought into the simple-security draft.
>>
>> The basic idea is that rather than blocking otherwise unauthorized inbound connections outright, the CPE rate-limits them according to a variable setting. When that setting is 0, all incoming packets are dropped. When set to its maximum, all packets are permitted (as if the firewall function is configured off). In-between, the CPE rate-limits incoming packets to reduce probing of the home network, but to allow just enough packets through that, if a host inside responds, a pinhole is opened for the communication to occur.
>>
>> Of course, the hard part is what the default setting should be, but I'd like to get a sense first of whether we can bring this function in.
>>
>> James, I think I remember you being warm to the idea in some (jabber?) comments during the meeting in Hiroshima when I presented this first.
>>
>> Thanks,
>>
>> - Mark
>>
>> On 3/4/10 12:06 AM, james woodyatt wrote:
>>> everyone--
>>>
>>> Once again, I'd like to ask for some discussion and feedback on this draft. Is there any reason this revision of the draft should not proceed to Working Group Last Call at this time?
>>>
>>> --
>>> james woodyatt <jhw@apple.com>
>>> member of technical staff, communications engineering
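The inbound policy Mark proposes (setting 0 drops every unsolicited inbound packet, the maximum lets everything through, and anything in between admits a trickle so that an inside host can answer and open a pinhole) as an added simulation; this is not code from the thread or from either draft. The flow key, the token-bucket shape, the value of MAX_OPENNESS, the burst depth and the addresses are assumptions constructed for the example.

```python
"""Simulation of a 'paranoid openness' inbound filter for an IPv6 CPE.

Constructed for illustration only. Assumptions not taken from any draft:
pinholes are keyed by (inside address, inside port, outside address); the
openness setting is an integer 0..MAX_OPENNESS that doubles as the refill
rate (unsolicited packets per second) of a small token bucket.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

MAX_OPENNESS = 10  # assumed maximum: behaves as if the firewall were off


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (from the Internet) or "out" (from the home network)
    src: str
    sport: int
    dst: str
    dport: int
    t: float        # arrival time in seconds


FlowKey = Tuple[str, int, str]  # (inside address, inside port, outside address)


class ParanoidOpenFilter:
    """Stateful filter: pinholes for flows an inside host has spoken on, plus a
    token bucket that lets a trickle of unsolicited inbound packets through."""

    def __init__(self, openness: int, burst: int = 2):
        if not 0 <= openness <= MAX_OPENNESS:
            raise ValueError("openness must be in 0..MAX_OPENNESS")
        self.openness = openness
        self.burst = burst
        self.tokens = float(burst)  # bucket starts full (assumed)
        self.last_t = 0.0
        self.pinholes: Set[FlowKey] = set()

    def _refill(self, t: float) -> None:
        # Refill rate in unsolicited packets per second equals the setting.
        elapsed = max(0.0, t - self.last_t)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.openness)
        self.last_t = max(self.last_t, t)

    def handle(self, pkt: Packet) -> str:
        """Return a verdict string of the form 'allow:<reason>' or 'drop:<reason>'."""
        if pkt.direction == "out":
            # An inside host is talking to an outside peer: open (or refresh) a pinhole.
            self.pinholes.add((pkt.src, pkt.sport, pkt.dst))
            return "allow:outbound"
        key: FlowKey = (pkt.dst, pkt.dport, pkt.src)
        if key in self.pinholes:
            return "allow:pinhole"       # return traffic for a flow the inside host answered
        if self.openness == 0:
            return "drop:closed"         # current draft behaviour: unsolicited inbound dropped
        if self.openness == MAX_OPENNESS:
            return "allow:open"          # firewall function effectively off
        self._refill(pkt.t)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return "allow:ratelimited"   # part of the admitted trickle
        return "drop:ratelimited"        # probing beyond the trickle is dropped


# Constructed addresses from the documentation prefix; no real hosts.
INSIDE, OUTSIDE = "2001:db8:1::10", "2001:db8:2::1"


def probe_trace() -> List[Packet]:
    """Constructed sample: three unsolicited inbound packets in a 10 ms burst,
    the inside host answers the first one, then a fourth probe arrives."""
    return [
        Packet("in", OUTSIDE, 40000, INSIDE, 22, 0.000),
        Packet("in", OUTSIDE, 40001, INSIDE, 80, 0.005),
        Packet("in", OUTSIDE, 40002, INSIDE, 443, 0.010),
        Packet("out", INSIDE, 22, OUTSIDE, 40000, 0.020),
        Packet("in", OUTSIDE, 40000, INSIDE, 22, 0.030),
        Packet("in", OUTSIDE, 40003, INSIDE, 8080, 0.040),
    ]


def run(openness: int, packets: List[Packet]) -> List[str]:
    """Apply one filter instance with the given setting to a packet trace."""
    flt = ParanoidOpenFilter(openness)
    return [flt.handle(p) for p in packets]


if __name__ == "__main__":
    for setting in (0, 1, MAX_OPENNESS):
        print(setting, run(setting, probe_trace()))
```

With the setting at 0 only the pinhole the inside host opened admits a return packet; at the maximum everything passes; at 1 the bucket admits two probes, drops the third, still honours the pinhole, and drops the later probe because only 0.04 tokens have refilled. The same trace is replayed at each setting, so the "out" packet appears even where the inside host would never have seen the probe in practice.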