
Re: I-D Action:draft-ietf-v6ops-ipv6-cpe-router-06.txt



Hi,

draft-ietf-v6ops-cpe-simple-security-11 says in its introduction (quite rightly in my understanding):

  "Some IPv6 gateway devices that enable delivery of Internet services
   in residential and small office settings may be augmented with
   'simple security' capabilities as described in "Local Network
   Protection for IPv6" [RFC4864]. In general, these capabilities cause
   packets to be discarded in an attempt to make local networks and the
   Internet more secure.  However, it is worth noting that some packets
   sent by legitimate applications may also be discarded in this
   process, affecting reliability and ease of use for these
   applications.

   There is a constructive tension between the desires of users for
   transparent end-to-end connectivity on the one hand, and the need for
   local-area network administrators to detect and prevent intrusion by
   unauthorized public Internet users on the other.  This document is
   intended to highlight reasonable limitations on end-to-end
   transparency where security considerations are deemed important to
   promote local and Internet security."

Now, draft-ietf-v6ops-ipv6-cpe-router-06 says in S-1 of its security-consideration section:
- "The IPv6 CE router SHOULD support [I-D.ietf-v6ops-cpe-simple-security]."


The latter should IMHO be made more consistent with the former.
It should, for this, be more open to IPv6-CPEs that don't sacrifice end-to-end connectivity.
(The counterpart of this sacrifice, detrimental to a number of applications, is an additional security that not everybody needs).

For instance, S-1 could say:
- "If more security than available with end-to-end connectivity is found desirable, the IPv6-CE SHOULD support [I-D.ietf-v6ops-cpe-simple-security]." 

Regards,
RD