Re: I-D Action:draft-ietf-v6ops-ipv6-cpe-router-06.txt
On 22 June 2010 at 15:27, Ole Troan wrote:
> Remi,
>
>> draft-ietf-v6ops-cpe-simple-security-11 says in its introduction (quite rightly in my understanding):
>>
>> "Some IPv6 gateway devices that enable delivery of Internet services
>> in residential and small office settings may be augmented with
>> 'simple security' capabilities as described in "Local Network
>> Protection for IPv6" [RFC4864]. In general, these capabilities cause
>> packets to be discarded in an attempt to make local networks and the
>> Internet more secure. However, it is worth noting that some packets
>> sent by legitimate applications may also be discarded in this
>> process, affecting reliability and ease of use for these
>> applications.
>>
>> There is a constructive tension between the desires of users for
>> transparent end-to-end connectivity on the one hand, and the need for
>> local-area network administrators to detect and prevent intrusion by
>> unauthorized public Internet users on the other. This document is
>> intended to highlight reasonable limitations on end-to-end
>> transparency where security considerations are deemed important to
>> promote local and Internet security."
>>
>> Now, draft-ietf-v6ops-ipv6-cpe-router-06 says in S-1 of its security-consideration section:
>> - "The IPv6 CE router SHOULD support [I-D.ietf-v6ops-cpe-simple-security]."
>>
>>
>> The latter should IMHO be made more consistent with the former.
>> It should, for this, be more open to IPv6-CPEs that don't sacrifice end-to-end connectivity.
>> (The counterpart of this sacrifice, detrimental to a number of applications, is an additional security that not everybody needs).
>>
>> For instance, S-1 could say:
>> - "If more security than available with end-to-end connectivity is found desirable, the IPv6-CE SHOULD support [I-D.ietf-v6ops-cpe-simple-security]."
>
> Note that S-1 says the CE should have the capability to do simple security. It does not say if this functionality should be turned on or off or what the default should be.
The point is that the simple-security draft only SPECIFIES simple security, for products that support it.
It DOESN'T say that CPEs SHOULD support it.
(What it says is, capitalization added: "SOME IPv6 gateway devices ... MAY be augmented with 'simple security' capabilities ...".)
As an example, Free's CPEs have acted as IPv6 routers since December 2007 without needing "IPV6 simple security".
They MUST remain legitimate IPv6 routers despite this absence.
Cheers,
RD
>
> cheers,
> Ole
>
>
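As an added illustration of the trade-off the quoted introduction describes (this is not code from either draft, nor from any CPE vendor), the following Python model runs the same constructed packets through two IPv6 CE router policies: a transparent one that forwards everything, and a simplified stateful "simple security" one that forwards inbound packets only when they belong to a flow an internal host initiated. The addresses, ports, packet list and the flow-matching logic are all assumptions made for the example; the point it makes visible is that the same policy which discards an unsolicited probe also discards the first packet of a legitimate inbound-initiated application.

```python
"""Model of the IPv6 CE 'simple security' trade-off (added illustration).

Two inbound policies are compared:
  TRANSPARENT      - every inbound packet is forwarded (end-to-end connectivity)
  SIMPLE_SECURITY  - unsolicited inbound flows are discarded; only packets that
                     match a flow an internal host opened are forwarded
All addresses, ports and packets below are constructed sample data.
"""
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    TRANSPARENT = "transparent"
    SIMPLE_SECURITY = "simple-security"


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" (LAN -> Internet) or "in" (Internet -> LAN)
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class CERouter:
    policy: Policy
    # flow state: (proto, internal_addr, internal_port, external_addr, external_port)
    flows: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def forward(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is discarded."""
        if pkt.direction == "out":
            # Outbound traffic is always forwarded; under simple security it also
            # creates the state that lets the return packets back in.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True

        if self.policy is Policy.TRANSPARENT:
            return True

        # Inbound under simple security: look up the reversed 5-tuple.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows:
            return True
        self.log.append(f"discard unsolicited inbound {pkt.proto} "
                        f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return False


LAN_HOST = "2001:db8:1::10"       # constructed internal host
WEB_SERVER = "2001:db8:ffff::80"  # constructed external web server
PEER = "2001:db8:2::7"            # constructed external peer calling the LAN host

SAMPLE = [
    # 1. LAN host opens an HTTPS connection; the reply must be allowed back in.
    Packet("out", "tcp", LAN_HOST, 51000, WEB_SERVER, 443),
    Packet("in", "tcp", WEB_SERVER, 443, LAN_HOST, 51000),
    # 2. An external peer initiates a connection to a service the LAN host
    #    legitimately runs (a peer-to-peer application listening on 6881).
    Packet("in", "tcp", PEER, 40000, LAN_HOST, 6881),
    # 3. An unsolicited inbound packet to a port with nothing listening.
    Packet("in", "tcp", PEER, 40001, LAN_HOST, 22),
]


def run(policy: Policy, packets=SAMPLE):
    """Apply one policy to the packet list; return [(packet, forwarded), ...]."""
    router = CERouter(policy)
    return [(p, router.forward(p)) for p in packets]


def compare(packets=SAMPLE):
    """Count how many packets each policy discards for the same traffic."""
    return {pol.value: sum(1 for _, ok in run(pol, packets) if not ok)
            for pol in Policy}


if __name__ == "__main__":
    for pol in Policy:
        print(f"== {pol.value} ==")
        for p, ok in run(pol):
            print(f"{'forward' if ok else 'DISCARD':8} {p.direction:3} {p.proto} "
                  f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
    print(compare())
```

Under the transparent policy all four packets are forwarded; under the simple-security policy the HTTPS reply is let through because the LAN host created the flow, while both the legitimate inbound-initiated peer connection and the unsolicited probe are discarded. That is exactly the tension the thread is about: the filter cannot tell the two inbound-initiated cases apart without additional state or configuration, which is why whether such filtering is supported, and whether it is on by default, are separate questions.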