
Re: I-D.ietf-v6ops-cpe-simple-security-10



On Thu, 22 Apr 2010 19:05:34 +0200
Mark Townsley <townsley@cisco.com> wrote:

> On 4/22/10 6:38 PM, Timothy Baldwin wrote:
> > Mark Smith wrote:
> >> Would it be possible to make these rules a bit more general, such that
> >> they'd automatically cover things like IPsec, HIP or any other current
> >> (e.g. ssh) or future protocols that are authenticated, without
> >> nominating the protocols specifically?
> 
> Being able to adapt to future protocols implies that there be a
> mechanism to communicate this adaptation. simple-security doesn't have
> that.

I think that if there is a statement of baseline expected security
for protocols, then a CPE vendor could add it as a default allow.
e.g. If XYZ security protocol, invented in 2015, and operating over UDP
port ABC, has end-to-end integrity as one of its properties, then vendors
who make CPE that is compliant with this draft can add UDP port ABC to
the list of permitted end-to-end protocols in 2015/2016. I think it is
possible to do that without being tied to specifying particular
protocols, as long as the required security properties are specified.
Otherwise we're in the trap of revising this draft/RFC for every new
protocol that has end-to-end integrity.

Regards,
Mark.

> 
> > There are many ssh servers with default or poorly chosen passwords, so
> > that might not be a good idea.
> 
> So Bob's bad password means Alice has to figure out how to configure a
> pinhole for ssh because she wants her ssh to be reachable from the
> Internet. Hardly fair, particularly when we don't even know what the
> intrusion rate would be for a given service/protocol over IPv6.
> 
> Modern IPS firewalls actually have provisions for sniffing and blocking
> login attempts from the outside using poor/default passwords. But this
> isn't foolproof, and requires digging deeply into packets.
> 
> It would be really nice if applications would be easily configurable for
> what IPv6 address scope they could use. Then when you turn on SSH, you
> are simply asked whether it should be made available on the Internet or not.
> 
> - Mark
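Added example, not part of the thread or of the v6ops draft: a small model of the property-based default-allow list Mark Smith describes. The filter code never names a protocol; it consults a vendor-maintained registry whose entries carry the security properties they provide, and an entry is only admitted to the registry if it meets a stated baseline. The baseline, the property names, the "XYZ" entry and its port 49152 are constructed for illustration (the thread leaves "ABC" unspecified); ESP (50), AH (51), HIP (139) and IKE (UDP/500) use their real protocol and port numbers.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

IPPROTO_TCP, IPPROTO_UDP = 6, 17

# Constructed property names; a real baseline would cite the definitions.
E2E_INTEGRITY = "end-to-end-integrity"
E2E_AUTH = "end-to-end-authentication"


@dataclass(frozen=True)
class ProtocolEntry:
    name: str
    ip_proto: int                  # IP protocol number
    port: Optional[int] = None     # destination port for TCP/UDP, else None
    properties: FrozenSet[str] = frozenset()


# Hypothetical baseline: what a protocol must provide end to end before a CPE
# may pass unsolicited inbound traffic for it without a pinhole. Revising
# policy means revising this set, not the matching code below.
BASELINE: FrozenSet[str] = frozenset({E2E_INTEGRITY, E2E_AUTH})


def qualifies(entry: ProtocolEntry, baseline: FrozenSet[str] = BASELINE) -> bool:
    """True if the entry provides every property the baseline requires."""
    return baseline <= entry.properties


def admit(registry: List[ProtocolEntry], entry: ProtocolEntry) -> bool:
    """Vendor-side update path: add a protocol only if it meets the baseline."""
    if not qualifies(entry):
        return False
    registry.append(entry)
    return True


# Constructed registry; the properties attributed to each entry are
# assumptions for the example (e.g. ESP here is taken as integrity-protected).
REGISTRY: List[ProtocolEntry] = []
for _e in (
    ProtocolEntry("ESP", 50, None, frozenset({E2E_INTEGRITY, E2E_AUTH})),
    ProtocolEntry("AH", 51, None, frozenset({E2E_INTEGRITY, E2E_AUTH})),
    ProtocolEntry("HIP", 139, None, frozenset({E2E_INTEGRITY, E2E_AUTH})),
    ProtocolEntry("IKE", IPPROTO_UDP, 500, frozenset({E2E_INTEGRITY, E2E_AUTH})),
):
    admit(REGISTRY, _e)


def decide_inbound(ip_proto: int, port: Optional[int],
                   pinholes: FrozenSet[Tuple[int, Optional[int]]] = frozenset(),
                   registry: List[ProtocolEntry] = REGISTRY) -> Tuple[str, str]:
    """Decision for an unsolicited inbound flow: explicit pinhole first,
    then the property-qualified registry, otherwise the default drop."""
    if (ip_proto, port) in pinholes:
        return ("allow", "pinhole")
    for entry in registry:
        if entry.ip_proto == ip_proto and entry.port == port:
            return ("allow", entry.name)
    return ("drop", "default")


if __name__ == "__main__":
    # The thread's hypothetical "XYZ over UDP port ABC"; 49152 is a constructed
    # placeholder. With integrity alone it is refused; with both properties it
    # is admitted and decide_inbound() needs no change.
    reg = list(REGISTRY)
    weak = ProtocolEntry("XYZ", IPPROTO_UDP, 49152, frozenset({E2E_INTEGRITY}))
    strong = ProtocolEntry("XYZ", IPPROTO_UDP, 49152, BASELINE)
    print("weak admitted:", admit(reg, weak))
    print("strong admitted:", admit(reg, strong))
    print("XYZ inbound:", decide_inbound(IPPROTO_UDP, 49152, registry=reg))
    print("ssh, no pinhole:", decide_inbound(IPPROTO_TCP, 22))
```

The point the model makes concrete: Alice's ssh server (TCP/22) is still dropped unless she opens a pinhole, because nothing in the registry vouches for it, while a new protocol that documents the required properties can be added as a registry entry without a new revision of the filtering rules themselves.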