Re: I-D.ietf-v6ops-cpe-simple-security-09
On 2010-03-22 10:28, Mark Townsley wrote:
> On 3/21/10 9:29 PM, james woodyatt wrote:
>> On Mar 21, 2010, at 12:18, Mark Townsley <townsley@cisco.com> wrote:
>>> On 3/21/10 6:29 PM, Brian E Carpenter wrote:
>>>>
>>>>
>>>> So, I'm wondering what's really wrong with:
>>>>
>>>> REC-41 Gateways MUST provide an easily selected configuration option
>>>> that permits operation in a mode that forwards all unsolicited
>>>> flows regardless of forwarding direction.
>>>>
>>> The problem is the default, which is not to permit this.
>>>>
>>
>>
>> That problem is inherited from RFC 4864, which this draft is not
>> intended to reverse.
> Why not, if that is the current consensus? We've reversed the text of
> IETF standards track documents before, much less Informational documents
> that are not a standard of any kind.
As a co-author of 4864, let me agree violently. It's not a BCP.
Even if it were, consensus could reverse it.
What 4864 says is: NATs weren't designed as security devices but they
provide simple security by blocking everything incoming by default.
To implement simple security for v6 you should do it with a stateful
firewall.
It doesn't say that CPEs MUST do this. It leaves that choice open, as
an informational document.
Brian
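The default-deny stateful filter that 4864 describes for v6, with the REC-41 "forward everything" option shown as a one-line change, written out as an added nftables ruleset for a Linux-based CPE. This is not from the draft or from any of the quoted messages; the interface names lan0/wan0, the table and chain names, and the choice of ICMPv6 types let through are assumptions.

```nftables
# Added example for a Linux CPE; lan0/wan0 and all names are assumptions.
define wan = "wan0"
define lan = "lan0"

table ip6 cpe_simple_security {
    chain forward {
        # Default policy: anything not explicitly accepted below is dropped,
        # which is what blocks unsolicited inbound flows.
        type filter hook forward priority 0; policy drop;

        # The stateful part: packets belonging to a flow the LAN side
        # initiated are allowed back in; conntrack garbage is dropped.
        ct state established,related accept
        ct state invalid drop

        # Flows originated on the LAN may leave towards the WAN.
        iifname $lan oifname $wan accept

        # ICMPv6 messages that arrive unsolicited but are needed for
        # path MTU discovery and basic reachability (RFC 4890 style).
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem, echo-request } accept

        # REC-41 "transparent" mode: uncommenting this single rule makes
        # the gateway forward all unsolicited flows regardless of
        # direction, so the drop policy above no longer applies to
        # WAN-originated traffic.
        # iifname $wan oifname $lan accept
    }
}
```

Check the syntax without touching the running ruleset with `nft -c -f ruleset.nft`, then load it with `nft -f ruleset.nft`. With the last rule commented out, a TCP SYN arriving on wan0 for a LAN host is dropped, while a connection opened from the LAN sees its replies accepted by the `established` match; with it uncommented, both directions are forwarded and the "easily selected configuration option" of REC-41 is a one-line toggle.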