Re: WGLC: draft-ietf-v6ops-cpe-simple-security-10.txt
On Apr 21, 2010, at 17:10, Timothy Baldwin wrote:
>
> Instead of dropping, and possibly sending an ICMP Destination Unreachable
> Message, a gateway should instead insert a Firewall header into the packet,
The design team considered and rejected this category of ideas. Marking unsolicited and insecure traffic before forwarding it into the interior defeats the intended purpose of IPv6 Simple Security, which is *explicitly* to block it entirely. There has been much working group discussion already on this topic, and the sense of the working group as I understand it is that the distinction between blocking and marking is a feature of this draft. It's quite deliberate.
I believe proposals to mark instead of block to be now out of scope for I-D.ietf-v6ops-cpe-simple-security. I think a better place for that discussion would be in the context of I-D.vyncke-advanced-ipv6-security, which is properly positioned as an alternative to this draft.
> Teredo could be mentioned alongside STUN as a means of traversing IPv4
> NAT; it is significant in that an IPv6 application may have better
> connectivity behind an IPv4 NAT than behind simple security.
I'd rather not explicitly encourage the use of Teredo in a non-transitional mode. Not without seeing the appropriate revisions to the Teredo specification published as Standard Track to make it clear that Teredo is now expected to be used in non-transitional networks for the purpose of improving transparency in the face of IPv6 simple security filtering. I don't see that happening. Do you?
--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering