Re: I-D.ietf-v6ops-cpe-simple-security-09
I don't think we should really be doing textual analysis
of an informational document, but since you quoted it:
On 2010-03-22 18:19, james woodyatt wrote:
...
> I would have expected an author of RFC 4864 to quote the following excerpt from Section 4.2 instead:
>
> To implement simple security for IPv6 in, for example, a DSL or cable
> modem-connected home network, the broadband gateway/router should be
> equipped with stateful firewall capabilities. These should provide a
> default configuration where incoming traffic is limited to return
> traffic resulting from outgoing packets (sometimes known as
> reflective session state). There should also be an easy interface
> that allows users to create inbound 'pinholes' for specific purposes
> such as online gaming.
Correct, and (given what was already quoted from the abstract) I have always
read that paragraph to start implicitly with the words
"If you want to... "
and understood "simple security" to refer to the preceding text that
describes NATs as providing "simple security" via default deny.
And that was because we believed that many network managers wanted
exactly that and believed that NAT66 was the way to achieve it.
So we wanted to document how to achieve the same effect without NAT.
Obviously, if you don't want that effect, don't implement
draft-ietf-v6ops-cpe-simple-security, or use its REC-41 option.
Brian
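The RFC 4864 paragraph quoted above describes three behaviours: inbound traffic is denied by default, return traffic of outgoing packets is admitted via reflective session state, and users can open explicit inbound pinholes. The following Python simulation is an added example, not code from the thread, RFC 4864 or the cpe-simple-security draft; it models that policy over constructed packets. The class and method names, the `iface` field (lan/wan) used to tell outbound from inbound, the idle timeout, and the 2001:db8::/32 documentation addresses are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Session key as seen from the inside host:
# (proto, inside_addr, inside_port, outside_addr, outside_port)
SessionKey = Tuple[str, str, int, str, int]
# A user-created inbound pinhole: (proto, inside_addr, inside_port)
Pinhole = Tuple[str, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp" or "udp" (assumed; ICMPv6 handling is out of scope here)
    src: str      # IPv6 source address
    sport: int
    dst: str      # IPv6 destination address
    dport: int
    iface: str    # interface the packet arrived on: "lan" or "wan" (assumed field)


class SimpleSecurityFirewall:
    """Default-deny inbound filter with reflective session state and pinholes."""

    def __init__(self, inside_prefix: str, idle_timeout: float = 300.0):
        self.inside = ipaddress.ip_network(inside_prefix)
        self.idle_timeout = idle_timeout          # assumed idle expiry, seconds
        self.sessions: Dict[SessionKey, float] = {}   # key -> last-seen time
        self.pinholes: Set[Pinhole] = set()

    def _is_inside(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.inside

    def _expire(self, now: float) -> None:
        # Drop reflective state that has been idle longer than the timeout.
        stale = [k for k, seen in self.sessions.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.sessions[k]

    def add_pinhole(self, proto: str, inside_addr: str, port: int) -> None:
        self.pinholes.add((proto, inside_addr, port))

    def remove_pinhole(self, proto: str, inside_addr: str, port: int) -> None:
        self.pinholes.discard((proto, inside_addr, port))

    def process(self, pkt: Packet, now: float) -> Tuple[bool, str]:
        """Return (allowed, reason) for one forwarded packet."""
        self._expire(now)
        if pkt.iface == "lan":
            if not self._is_inside(pkt.src) or self._is_inside(pkt.dst):
                return False, "lan: not an inside-to-outside packet"
            # Outbound traffic is permitted and creates/refreshes reflective state.
            self.sessions[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now
            return True, "outbound: session recorded"
        if pkt.iface == "wan":
            if self._is_inside(pkt.src):
                return False, "wan: inside source address on outside interface (spoof)"
            if not self._is_inside(pkt.dst):
                return False, "wan: destination is not an inside host"
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.sessions:
                self.sessions[key] = now               # refresh the session
                return True, "inbound: return traffic of an existing session"
            if (pkt.proto, pkt.dst, pkt.dport) in self.pinholes:
                return True, "inbound: matches a user pinhole"
            return False, "inbound: no session and no pinhole (default deny)"
        return False, "unknown interface"


def run_demo() -> list:
    """Constructed scenario: one inside host, one web server, one game peer."""
    fw = SimpleSecurityFirewall("2001:db8:1::/64")
    host, server, peer = "2001:db8:1::10", "2001:db8:ffff::1", "2001:db8:2::7"
    results = []
    # 1. Outbound HTTPS connection: allowed, reflective state created.
    results.append(fw.process(Packet("tcp", host, 51000, server, 443, "lan"), 0.0)[0])
    # 2. Server's reply: allowed because it reverses the recorded session.
    results.append(fw.process(Packet("tcp", server, 443, host, 51000, "wan"), 1.0)[0])
    # 3. Unsolicited inbound SSH attempt: dropped by default deny.
    results.append(fw.process(Packet("tcp", server, 40000, host, 22, "wan"), 2.0)[0])
    # 4. User opens a UDP pinhole for a game; the peer's packet is now allowed.
    fw.add_pinhole("udp", host, 27015)
    results.append(fw.process(Packet("udp", peer, 27015, host, 27015, "wan"), 3.0)[0])
    # 5. A late "reply" after the session idled out: dropped again.
    results.append(fw.process(Packet("tcp", server, 443, host, 51000, "wan"), 1000.0)[0])
    return results


if __name__ == "__main__":
    print(run_demo())
```

The inside/outside decision is keyed on the arrival interface rather than on addresses alone, so a packet arriving from the WAN with an inside source address is rejected instead of being treated as outbound state; a real CPE filter would also need ICMPv6 handling and per-protocol timeouts, which RFC 4864's paragraph does not go into.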