Re: I-D.ietf-v6ops-cpe-simple-security-09
Hi James,
On Sat, 20 Mar 2010 23:00:40 -0700
james woodyatt <jhw@apple.com> wrote:
> On Mar 20, 2010, at 18:00, Mark Smith wrote:
> >
> > One thing that does seem to be missing from the draft is a specific list of threats it is attempting to mitigate i.e. a threat model.
>
> RFC 4864 doesn't offer one, and its authors haven't offered much in the way of specifics to the discussion here or on the design team list. Perhaps, you'd like to offer a contribution?
>
While threat model is probably the correct term, more broadly I think
probably something of a problem statement i.e. what security measures
the CPE does provide, and what it doesn't, probably with some
justification.
I think the role of IPv6 CPE in the residential Internet security model
is different to the role IPv4/NAT CPE commonly is or was capable of
playing.
Stating the obvious, IPv4/NAT provides a much harder boundary between
internal and external devices, primarily due to the nature of NAPT.
NAPT by its nature provides a default deny to inbound traffic. That's
what breaks end-to-end. Because of that harder boundary, I think
end-user expectations are that the IPv4/NAPT CPE can perform much
more of a primary security role when it comes to protecting them from
the Internet.
The nature of the operation of NAPT inherently defined a set of threats
that it protected against.
With IPv6/CPE security, by trying to restore end-to-end, I think we're
inherently reducing the security that people formerly had with
IPv4/NAPT CPE. End nodes will now have to play more of a primary
security role, with filtering IPv6/CPE providing an
assisting/secondary/defence in depth role.
Now that IPv6 end-nodes will be "burdened" with more security
responsibility, I think it is important to make sure it is clear that
the security functions performed in IPv6 CPE aren't exactly the
same as they were in IPv4/NAPT CPE.
> The Overview contains my best attempt at explaining what considerations I think are really in play behind the CPE Simple Security recommendation. Here's what I think is the most relevant excerpt:
>
> >> The stateful packet filtering behavior of NAT set user expectations that persist today with residential IPv6 service. "Local Network Protection for IPv6" [RFC4864] recommends applying stateful packet filtering at residential IPv6 gateways that conforms to the user expectations already in place.
>
> In other words, we recommend filtering at the middlebox-- making IPv6 routers do filtering like IPv4/NAT gateways do-- because "defense in depth" is a virtue in and of itself, and that Internet users have come to expect it. Apparently, there's a consensus in IETF that this is enough reason to do it, and I strongly suspect that an explicit threat model might be inviting more controversy than anyone wants to endure.
>
>
Regards,
Mark.