Re: WGLC: draft-ietf-v6ops-cpe-simple-security-10.txt
Hi Remi,
I feel I am being asked, as a co-author of RFC 4890.
On Tue, 13 Apr 2010, Rémi Després wrote:
Hi James,
After a review of what RFC 4890 says, the new section 3.2.1 on ICMPv6 needs, in my understanding, to be modified.
CURRENT 3.2.1 TEXT: "Recommendations for filtering ICMPv6 messages in firewall devices are described separately in
[RFC4890] and apply generally to residential gateways as to any class of router. No additional recommendations are made
here, but it's important to note that Destination Unreachable and Packet Too Big errors corresponding to filtering states
for all upper-layer transport protocols are important to the proper function of the Internet."
PROBLEM:
RFC 4890 recommends that NO Destination Unreachable and NO Packet Too Big error messages be dropped (sec 4.3.1).
If the intent is that incoming DU or PTB messages that don't match any filtering state should be dropped, this should then
be expressed as an *additional* recommendation.
(If the intent is different, I have difficulty understanding it.)
In RFC 4890 we separated the transit traffic (4.3) and the traffic
destined to the firewall (4.4). At the time it was written, IPv6-capable
stateful inspection firewalls were rare (see section 4.1); therefore we
recommended NOT to drop transit Destination Unreachable and Packet Too
Big ICMPv6 error packets.
As described in section 4.1 of RFC 4890:
"Depending on the capabilities of the firewall being configured, it
may be possible for the firewall to maintain state about packets
.....
This state may allow the firewall to perform more precise
checks based on this state, and to apply limits on the number of
ICMPv6 packets accepted incoming or outgoing as a result of a packet
traveling in the opposite direction.
"
So this might be defined more clearly in RFC 4890....
PROPOSAL: "Recommendations for filtering ICMPv6 messages in firewall devices are described separately in [RFC4890] and
apply to residential gateways, with the additional recommendation that incoming Destination Unreachable and Packet Too Big
error messages that don't match any filtering state should be dropped."
This way it is more understandable....
Best Regards,
Janos Mohacsi
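To make the two policies discussed above concrete, here is an added example of my own (not code from the draft, RFC 4890 or anyone in this thread): it parses a constructed ICMPv6 Destination Unreachable or Packet Too Big message, extracts the 5-tuple of the invoking packet it carries, and either forwards every such error (the RFC 4890 section 4.3.1 transit policy) or forwards it only when that tuple matches a filtering state the gateway created for an outbound flow (the proposed additional CPE recommendation). The addresses, ports and the state-table layout are assumptions made for the example.

```python
import struct
import ipaddress

ICMPV6_DEST_UNREACH = 1    # RFC 4443 Destination Unreachable
ICMPV6_PACKET_TOO_BIG = 2  # RFC 4443 Packet Too Big
IPV6_HDR_LEN = 40

def ipv6_packet(src, dst, proto, sport, dport):
    """Construct a minimal IPv6 packet: 40-byte header plus the first 8 bytes
    of a TCP/UDP header (only the ports are meaningful here)."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, 8, proto, 64,
                      ipaddress.IPv6Address(src).packed,
                      ipaddress.IPv6Address(dst).packed)
    return hdr + struct.pack("!HH", sport, dport) + b"\x00" * 4

def icmpv6_error(icmp_type, invoking_packet, mtu=0):
    """Construct an ICMPv6 error: type, code, checksum (left zero in this
    constructed sample), 4-byte field (MTU for PTB), then the invoking packet."""
    return struct.pack("!BBHI", icmp_type, 0, 0, mtu) + invoking_packet

def flow_key(packet):
    """Return (proto, src, sport, dst, dport) for a TCP/UDP IPv6 packet,
    or None if the packet is truncated or carries another upper layer."""
    if len(packet) < IPV6_HDR_LEN + 4:
        return None
    _, _, proto, _, src, dst = struct.unpack("!IHBB16s16s", packet[:IPV6_HDR_LEN])
    if proto not in (6, 17):  # TCP or UDP only in this example
        return None
    sport, dport = struct.unpack("!HH", packet[IPV6_HDR_LEN:IPV6_HDR_LEN + 4])
    return (proto, ipaddress.IPv6Address(src), sport, ipaddress.IPv6Address(dst), dport)

def accept_icmpv6_error(message, state_table, stateful=True):
    """Decide whether an inbound ICMPv6 DU/PTB error is forwarded to the inside.
    stateful=False: RFC 4890 4.3.1 transit policy, never drop DU/PTB.
    stateful=True: the proposed CPE rule, drop unless the invoking packet
    matches a filtering state (a 5-tuple recorded from an outbound packet)."""
    if len(message) < 8:
        return False  # malformed: shorter than the fixed ICMPv6 error header
    icmp_type = message[0]
    if icmp_type not in (ICMPV6_DEST_UNREACH, ICMPV6_PACKET_TOO_BIG):
        return False  # other ICMPv6 types are handled by separate rules
    if not stateful:
        return True
    key = flow_key(message[8:])  # the invoking packet follows the 8-byte header
    return key is not None and key in state_table
```

The state table is a set of `flow_key()` tuples recorded when the inside host's outbound packets were forwarded; an error whose embedded packet was never sent from the inside finds no entry and is dropped under the stateful rule.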