
Re: WGLC: draft-ietf-v6ops-cpe-simple-security-10.txt



Fred Baker wrote:

> As agreed at the last IETF meeting, I am opening a two week WGLC of
> draft-ietf-v6ops-cpe-simple-security-10.txt. Please read the document,
> comment to this list on matters of substance, and send nits
> (spelling/grammar, word choice, sentence structure comments) to the
> authors.

Section 3.4. Passive Listeners

Teredo could be mentioned alongside STUN as a means of traversing IPv4 
NAT. It is significant in that an IPv6 application may have better 
connectivity behind an IPv4 NAT than behind simple security.

"something similar to NAT-PMP and UPnP-IGD but without actually supporting 
NAT needs to be deployed."

It doesn't need to be a protocol to configure the gateway; any solution that 
allows passive listeners to opt in will suffice. Since there is no 
requirement to protect the host IP stack (there are plenty of other holes), a 
packet mangling scheme could be used. An idea:


Instead of dropping, and possibly sending an ICMP Destination Unreachable 
Message, a gateway should instead insert a Firewall header into the packet. 
If there is a Hop-by-Hop Options header, the Firewall header should be inserted 
immediately after the Hop-by-Hop Options header; otherwise the Firewall 
header must be inserted immediately after the IPv6 header. The Next Header 
value for a Firewall header is TBD.

+---------------+----------------------------------------+
|  Next Header  |  Modified EUI-64 of gateway (8 bytes)  |
+---------------+----------------------------------------+

If the forwarded packet results in an ICMP Error packet, the gateway MUST 
remove any Firewall header that it inserted. If the packet is a Packet Too 
Big Message, the MTU value must be reduced by 9, to account for the size of 
the Firewall header. If the packet is a Parameter Problem Message, the 
pointer must be adjusted accordingly if it does not refer to the Firewall 
header being removed; if it does, the packet must be converted to an ICMP 
Destination Unreachable Message with a code of 1 (administratively 
prohibited).
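
The insertion, removal and ICMP fix-up rules sketched in the message above, 
worked through as an added example in Python. This is illustration code, not 
code from the draft or from the poster. Everything the post leaves open is an 
assumption here: the TBD Next Header value is taken as 253 (the IANA 
experimental value from RFC 4727), the ICMPv6 messages follow the RFC 4443 
layout, the header keeps the 9-octet shape drawn in the post, a Parameter 
Problem pointer aimed at the Next Header octet that names the Firewall header 
is treated as "referring to" it, the ICMPv6 checksum is recomputed after the 
fix-up, and the packets and addresses are constructed sample data.

```python
"""Toy model of the Firewall header packet-mangling idea from the post.
Added illustration; not from the draft or the poster. Assumptions: Next
Header 253 stands in for TBD, RFC 4443 ICMPv6 layouts, 9-octet header as
drawn, pointer at the octet naming the header counts as referring to it."""
import struct

IPV6_HDR_LEN = 40
NH_HOPBYHOP = 0
NH_ICMPV6 = 58
NH_FIREWALL = 253          # assumption: stand-in for the post's "TBD"
FW_HDR_LEN = 9             # 1 octet Next Header + 8 octets modified EUI-64
ICMP_DEST_UNREACH, ICMP_PKT_TOO_BIG, ICMP_PARAM_PROBLEM = 1, 2, 4
CODE_ADMIN_PROHIBITED = 1


def build_ipv6(next_header, payload, src, dst, hop_limit=64):
    """Fixed 40-octet IPv6 header (RFC 2460) followed by the payload."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header,
                       hop_limit, src, dst) + payload


def _set_payload_len(pkt, delta):
    plen = struct.unpack("!H", pkt[4:6])[0] + delta
    return pkt[:4] + struct.pack("!H", plen) + pkt[6:]


def _fw_position(pkt):
    """(insert offset, index of the Next Header octet that points there):
    after Hop-by-Hop if present, otherwise right after the IPv6 header."""
    if pkt[6] != NH_HOPBYHOP:
        return IPV6_HDR_LEN, 6
    if len(pkt) < IPV6_HDR_LEN + 8:
        return None                       # truncated Hop-by-Hop header
    hbh_len = (pkt[IPV6_HDR_LEN + 1] + 1) * 8   # Hdr Ext Len excludes first 8 octets
    return IPV6_HDR_LEN + hbh_len, IPV6_HDR_LEN


def insert_firewall_header(pkt, gateway_eui64):
    """What the gateway does instead of dropping an unsolicited inbound packet."""
    pos = _fw_position(pkt) if len(pkt) >= IPV6_HDR_LEN else None
    if pos is None or len(gateway_eui64) != 8:
        raise ValueError("malformed packet or EUI-64")
    off, nh_idx = pos
    fw_hdr = bytes([pkt[nh_idx]]) + gateway_eui64   # carries the displaced Next Header
    pkt = pkt[:nh_idx] + bytes([NH_FIREWALL]) + pkt[nh_idx + 1:]
    return _set_payload_len(pkt[:off] + fw_hdr + pkt[off:], FW_HDR_LEN)


def remove_firewall_header(pkt, gateway_eui64):
    """Strip a Firewall header only if it carries this gateway's EUI-64.
    Returns (packet, offset removed from, index of the octet that named it);
    the last two are None when nothing was removed."""
    pos = _fw_position(pkt) if len(pkt) >= IPV6_HDR_LEN else None
    if pos is None:
        return pkt, None, None
    off, nh_idx = pos
    if (pkt[nh_idx] != NH_FIREWALL or len(pkt) < off + FW_HDR_LEN
            or pkt[off + 1:off + FW_HDR_LEN] != gateway_eui64):
        return pkt, None, None            # absent, truncated, or not ours
    pkt = pkt[:nh_idx] + bytes([pkt[off]]) + pkt[nh_idx + 1:]
    return _set_payload_len(pkt[:off] + pkt[off + FW_HDR_LEN:], -FW_HDR_LEN), off, nh_idx


def icmpv6_checksum(src, dst, msg):
    """RFC 4443 checksum over the IPv6 pseudo-header and the ICMPv6 message."""
    pseudo = src + dst + struct.pack("!I3xB", len(msg), NH_ICMPV6)
    data = pseudo + msg + (b"\0" if len(msg) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def fix_icmp_error(icmp, gateway_eui64, src, dst):
    """Apply the post's rules to an ICMPv6 error (type, code, checksum, 4-octet
    field, invoking packet) heading back out. src/dst are the outer IPv6
    addresses of the error packet, needed to recompute the checksum."""
    typ, code, _, field = struct.unpack("!BBHI", icmp[:8])
    inner, off, nh_idx = remove_firewall_header(icmp[8:], gateway_eui64)
    if off is None:
        return icmp                       # embedded packet carries nothing of ours
    if typ == ICMP_PKT_TOO_BIG:
        field -= FW_HDR_LEN               # the sender never saw our 9 extra octets
    elif typ == ICMP_PARAM_PROBLEM:
        if field == nh_idx or off <= field < off + FW_HDR_LEN:
            # Host choked on the Firewall header itself (did not opt in): the
            # outside sees what a dropping firewall would have sent.
            typ, code, field = ICMP_DEST_UNREACH, CODE_ADMIN_PROHIBITED, 0
        elif field >= off + FW_HDR_LEN:
            field -= FW_HDR_LEN           # pointer was past the removed octets
    msg = struct.pack("!BBHI", typ, code, 0, field) + inner
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]


if __name__ == "__main__":
    # Constructed sample: documentation-prefix addresses, zero-filled payload.
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    gw = bytes.fromhex("0211223344556677")
    mangled = insert_firewall_header(build_ipv6(6, b"\0" * 20, src, dst), gw)
    ptb = struct.pack("!BBHI", ICMP_PKT_TOO_BIG, 0, 0, 1280) + mangled
    print("PTB MTU after fix-up:", struct.unpack("!I", fix_icmp_error(ptb, gw, dst, src)[4:8])[0])
```

Two things the code makes visible that the prose glosses over: the gateway 
must check the EUI-64 before stripping, otherwise it would also strip a header 
inserted by some other gateway further along the path; and an error whose 
embedded copy of the invoking packet is truncated before the Firewall header 
has to be passed through untouched, since there is nothing to remove.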