[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: I-D.ietf-v6ops-cpe-simple-security-09

To: IPv6 Operations <v6ops@ops.ietf.org>
Subject: Re: I-D.ietf-v6ops-cpe-simple-security-09
From: james woodyatt <jhw@apple.com>
Date: Sat, 20 Mar 2010 23:00:40 -0700
In-reply-to: <20100321113037.13756c12@opy.nosense.org>
References: <D6F5ACD2-EB43-477E-9F48-AC3EDB3F7EB4@apple.com> <4BA3BBCF.2090903@cisco.com> <4BA3D1B3.4010501@gmail.com> <9EEBEB1D-8D88-45DB-9200-EBE2ED0D84CF@apple.com> <4BA524A8.9020201@cisco.com> <D6BE2A3C-57BD-486D-B9C6-382B42FA4A67@cisco.com> <4BA55147.601@cisco.com> <F0FDFF3D-F703-422A-9443-D6F723FB034C@cisco.com> <20100321113037.13756c12@opy.nosense.org>

On Mar 20, 2010, at 18:00, Mark Smith wrote:
> 
> One thing that does seem to be missing from the draft is a specific list of threats it is attempting to mitigate i.e. a threat model.

RFC 4864 doesn't offer one, and its authors haven't offered much in the way of specifics to the discussion here or on the design team list.  Perhaps, you'd like to offer a contribution?

The Overview contains my best attempt at explaining what considerations I think are really in play behind the CPE Simple Security recommendation.  Here's what I think is the most relevant excerpt:

>> The stateful packet filtering behavior of NAT set user expectations that persist today with residential IPv6 service.  "Local Network Protection for IPv6" [RFC4864] recommends applying stateful packet filtering at residential IPv6 gateways that conforms to the user expectations already in place.

In other words, we recommend filtering at the middlebox-- making IPv6 routers do filtering like IPv4/NAT gateways do-- because "defense in depth" is a virtue in and of itself, and that Internet users have come to expect it.  Apparently, there's a consensus in IETF that this is enough reason to do it, and I strongly suspect that an explicit threat model might be inviting more controversy than anyone wants to endure.

--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering

Follow-Ups:
- Re: I-D.ietf-v6ops-cpe-simple-security-09
  - From: Mark Townsley <townsley@cisco.com>
- Re: I-D.ietf-v6ops-cpe-simple-security-09
  - From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>

References:
- I-D.ietf-v6ops-cpe-simple-security-09
  - From: james woodyatt <jhw@apple.com>
- Re: I-D.ietf-v6ops-cpe-simple-security-09
  - From: Mark Townsley <townsley@cisco.com>
- Re: I-D.ietf-v6ops-cpe-simple-security-09
  - From: Brian E Carpenter <brian.e.carpenter@gmail.com>
- Re: I-D.ietf-v6ops-cpe-simple-security-09
  - From: james woodyatt <jhw@apple.com>
- Re: I-D.ietf-v6ops-cpe-simple-security-09
  - From: Mark Townsley <townsley@cisco.com>
- Re: I-D.ietf-v6ops-cpe-simple-security-09
  - From: Fred Baker <fred@cisco.com>
- Re: I-D.ietf-v6ops-cpe-simple-security-09
  - From: Mark Townsley <townsley@cisco.com>
- Re: I-D.ietf-v6ops-cpe-simple-security-09
  - From: Fred Baker <fred@cisco.com>
- Re: I-D.ietf-v6ops-cpe-simple-security-09
  - From: Mark Smith <ipng@69706e6720323030352d30312d31340a.nosense.org>

Prev by Date: Re: Proposed agenda for IPv6 Operations - IETF 77
Next by Date: Re: I-D.ietf-v6ops-cpe-simple-security-09
Previous by thread: Re: I-D.ietf-v6ops-cpe-simple-security-09
Next by thread: Re: I-D.ietf-v6ops-cpe-simple-security-09
Index(es):
- Date
- Thread