
Re: I-D.ietf-v6ops-cpe-simple-security-10



On 4/22/10 6:38 PM, Timothy Baldwin wrote:
> Mark Smith wrote:
>> Would it be possible to make these rules a bit more general, such that
>> they'd automatically cover things like IPsec, HIP or any other current
>> (e.g. ssh) or future protocols that are authenticated, without
>> nominating the protocols specifically?

Being able to adapt to future protocols implies that there be a
mechanism to communicate this adaptation. simple-security doesn't have
that.

> There are many ssh servers with default or poorly chosen passwords, so
> that might not be a good idea.

So Bob's bad password means Alice has to figure out how to configure a
pinhole for ssh because she wants her ssh to be reachable from the
Internet. Hardly fair, particularly when we don't even know what the
intrusion rate would be for a given service/protocol over IPv6.

Modern IPS firewalls actually have provisions for sniffing and blocking
login attempts from the outside using poor/default passwords. But this
isn't foolproof, and requires digging deeply into packets.

It would be really nice if applications would be easily configurable for
what IPv6 address scope they could use. Then when you turn on SSH, you
are simply asked whether it should be made available on the Internet or not.

- Mark
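The per-application scope choice the message wishes for, as an added example (not from the thread or the draft): a small Python helper that classifies a host's IPv6 addresses by scope and renders sshd `ListenAddress` lines for the "not on the Internet" answer. The function names and sample addresses are constructed; `ListenAddress` is the real sshd_config directive.

```python
# Added example (not from the thread): classify IPv6 addresses by scope and
# pick the addresses an ssh daemon should bind to when the administrator
# answers "no" to "make this available on the Internet?".
import ipaddress

# Scope table, most specific first; anything unmatched is global unicast.
SCOPES = [
    ("loopback", ipaddress.ip_network("::1/128")),
    ("link-local", ipaddress.ip_network("fe80::/10")),
    ("unique-local", ipaddress.ip_network("fc00::/7")),  # ULA, RFC 4193
    ("multicast", ipaddress.ip_network("ff00::/8")),
]


def scope_of(addr: str) -> str:
    """Return the scope name for an IPv6 address ('global' if none matches)."""
    ip = ipaddress.IPv6Address(addr)
    for name, net in SCOPES:
        if ip in net:
            return name
    return "global"


def listen_addresses(host_addrs, internet_facing: bool):
    """Select bind addresses for a service.

    internet_facing=False keeps only unique-local addresses, so the service is
    reachable inside the site but not from the Internet, regardless of what a
    CPE firewall lets through. Link-local is left out because binding to it
    needs an interface zone id; loopback and multicast are never listeners.
    """
    allowed = {"global", "unique-local"} if internet_facing else {"unique-local"}
    return [a for a in host_addrs if scope_of(a) in allowed]


def sshd_listen_lines(host_addrs, internet_facing: bool, port: int = 22):
    """Render sshd_config ListenAddress lines in bracketed IPv6 form."""
    return [f"ListenAddress [{a}]:{port}"
            for a in listen_addresses(host_addrs, internet_facing)]


# Constructed sample: one address per scope; 2001:db8::/32 is the
# documentation prefix standing in for a real global address.
SAMPLE_ADDRS = ["2001:db8:1::10", "fd12:3456:789a::10", "fe80::1", "::1"]

if __name__ == "__main__":
    for line in sshd_listen_lines(SAMPLE_ADDRS, internet_facing=False):
        print(line)
```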


