[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: I-D.ietf-v6ops-cpe-simple-security-10

To: james woodyatt <jhw@apple.com>
Subject: Re: I-D.ietf-v6ops-cpe-simple-security-10
From: Robert Moskowitz <rgm-ietf@htt-consult.com>
Date: Tue, 20 Apr 2010 09:27:35 -0400
Cc: draft-ietf-v6ops-cpe-simple-security.chairs@tools.ietf.org, IPv6 v6ops <v6ops@ops.ietf.org>
In-reply-to: <955E4D2B-1212-4CFE-B06B-9B91B66EB7E0@apple.com>
References: <955E4D2B-1212-4CFE-B06B-9B91B66EB7E0@apple.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100330 Fedora/3.0.4-1.fc12 Thunderbird/3.0.4

I discussed this briefly with James during IETF 77.

HIP is on track to be reved for standards track. It is assignedProtocol number 139, and should be treated by cpe-simple-security thesame as IKE. I will offer my best effort at text below.

I apologize for the few week delay, Passover came RIGHT after IETF. AndI SUPPOSE I should have pushed this 6 months ago while we were pushingto get HIP moving towards standards. But that is water under the bridge...


On 03/29/2010 05:43 PM, james woodyatt wrote:

concerned--

This is to inform the chairs of the V6OPS working group that it is the sense of the editor of draft-ietf-v6ops-cpe-simple-security and the design team that worked most closely on it during its development, that the latest posted revision, i.e. -10, is ready for Working Group Last Call.


In sec 2.2 add at the end of the para:

HIP is also explicitly secured by definition, so this documentrecommends the DEFAULT operating mode permit Host Identity Protocol(HIP) flows to pass without filtering.


Add sec 3.2.6:

3.2.6  Host Identity Protocol (HIP)

Host Identity Protocol (HIP) offers greater flexibility and betteroverall security than the simple security of stateful packet filteringat network perimeters. Therefore, residential IPv6 gateways need notprohibit HIP traffic flows.

REC-nn: In their DEFAULT operating mode, IPv6 gateways MUST NOT prohibitthe forwarding of packets, to and from legitimate node addresses, withdestination extension headers of type "Host Identity Protocol (HIP)"[RFC5201] in their outer IP extension header chain.

{note here, 5201-bis exists, but it will take a few months to finishthis (we are NOT expecting a long process to add the agreed changes to5201). The new RFC will be tagged as Standard, but will use the sameprotocol number.}

REC-nn: In their DEFAULT operating mode, IPv6 gateways MUST NOT prohibitthe forwarding of packets, to and from legitimate node addresses, withan upper layer protocol of type "Encapsulating Security Payload (ESP)"[RFC4303] in their outer IP extension header chain.


{note this is the same text as REC-21, as HIP uses ESP in TRANSPORT mode.}

{note: There is no easy equivalence of REC-23 with HIP due to itsmobility. In RFC 5206 we cover mobility and mid-box updating of moves.But do you want that here? In HIP the SPI is all you can count on, asthe IP address pair are mutable during the life of the SPI.}


In sec 8.1 add:

RFC 5201

Thank you.

Follow-Ups:
- Re: I-D.ietf-v6ops-cpe-simple-security-10
  - From: james woodyatt <jhw@apple.com>

References:
- I-D.ietf-v6ops-cpe-simple-security-10
  - From: james woodyatt <jhw@apple.com>

Prev by Date: Re: FYI: DNSOPS presentation
Next by Date: Re: New Version Notification for draft-koodli-ipv6-in-mobile-networks-02
Previous by thread: Re: I-D.ietf-v6ops-cpe-simple-security-10
Next by thread: Re: I-D.ietf-v6ops-cpe-simple-security-10
Index(es):
- Date
- Thread