
Re: draft-ietf-v6ops-cpe-simple-security-12.txt feedback



Hi Fred,

On Sun, 8 Aug 2010 16:05:36 -0700
Fred Baker <fred@cisco.com> wrote:

> 
> On Aug 8, 2010, at 3:00 AM, Mark Smith wrote:
> 
> > It might be better to say in this draft something like, "all
> > multicast traffic is not to be forwarded by the CPE, unless appropriate
> > multicast traffic security mechanisms have been implemented. Such
> > multicast security mechanisms are out of scope for this memo." (or
> > addressed in a multicast security RFC that I'm not aware of.)
> 
> Again, I'm wrestling with the distinction between the security draft and the CPE Router draft. Absent the configuration of some form of multicast routing, I would be surprised by the router forwarding anything at all. Configuration of routing protocols or mechanisms, and routing behaviors on or off by default, sounds more like the subject of the CPE Router draft to me. I should think that the security draft is about filters - "presuming that a standard router would choose to forward the datagram, is there any other policy that would prevent it?" A standard router doesn't do a thing with MLD unless it is configured to do so.

I suppose that might mean there are three levels/layers of problem,
with parts of the layers covered by the two drafts (and possibly
others to be covered by other drafts):

- what are the capabilities of the CPE (unicast routing is the
  baseline, capable of routing multicast is optional)

- what capabilities are enabled by default

- what are appropriate security measures for those capabilities, with
  whether they're enabled by default being an influence on what is
  appropriate.

I suppose my comments have been a bit influenced by some of the IPv6 CPE
I've been working with. They have multicast capabilities, and options
relating to IGMP or MLD snooping. Since they're low-end residential
CPE at a low price point, inherently I think I've started to accept
that their capabilities are the baseline IPv6 CPE functionality that
will be common.

Regards,
Mark.
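As an added illustration of the three layers Mark lists (capability, enabled-by-default, and the filter policy built on top), here is a small Python model of the forwarding decision a CPE would make for an IPv6 destination. This is example code written for this page, not code from the draft or from either author; the class and function names (CpeProfile, forward_decision, audit) and the sample destinations are this example's own. The one hard rule it bakes in comes from RFC 4291 section 2.7: interface-local and link-local multicast (scope values 1 and 2) is never forwarded by a router regardless of configuration, which is why MLD traffic to ff02::16 needs no filter at all. Everything above link-local scope falls back to the two configuration layers.

```python
"""Model of a CPE's multicast forwarding decision, layered as:
  1. can the box route multicast at all (capability)
  2. is multicast routing enabled in this configuration (default state)
  3. what does the security filter do with what is left
Added illustration for this thread; not the draft's or the CPE router's code.
"""

import ipaddress
from dataclasses import dataclass

# Scope values from the 4-bit "scop" field of an IPv6 multicast address,
# RFC 4291 section 2.7.  Values 0 and below LINK_LOCAL are reserved or
# interface-local and are treated as never-forwarded here.
INTERFACE_LOCAL = 0x1
LINK_LOCAL = 0x2


@dataclass
class CpeProfile:
    """Hypothetical description of one CPE box (names are this example's own)."""
    multicast_routing_capable: bool   # layer 1: the firmware can route multicast
    multicast_routing_enabled: bool   # layer 2: multicast routing is configured on


def multicast_scope(addr: ipaddress.IPv6Address) -> int:
    """Return the 4-bit scope field of a multicast address (second byte, low nibble)."""
    if not addr.is_multicast:
        raise ValueError(f"{addr} is not an IPv6 multicast address")
    return addr.packed[1] & 0x0F


def forward_decision(dst: str, cpe: CpeProfile) -> str:
    """Decide whether a packet for dst is forwarded across the LAN/WAN boundary.

    Returns one of:
      'unicast'          not multicast; the draft's unicast filters apply instead
      'drop-scope'       interface- or link-local multicast never crosses a router
      'drop-capability'  the CPE cannot route multicast at all
      'drop-disabled'    capable, but multicast routing is not configured
      'forward'          multicast routing is configured; that protocol decides
    """
    addr = ipaddress.IPv6Address(dst)
    if not addr.is_multicast:
        return "unicast"
    # Layer 0: addressing rules that hold before any configuration is consulted.
    if multicast_scope(addr) <= LINK_LOCAL:
        return "drop-scope"
    # Layer 1: capability of the box.
    if not cpe.multicast_routing_capable:
        return "drop-capability"
    # Layer 2: whether that capability is switched on.
    if not cpe.multicast_routing_enabled:
        return "drop-disabled"
    # Layer 3 would be the security filter; with routing configured, the
    # multicast routing protocol and its own security mechanisms take over.
    return "forward"


def audit(cpe: CpeProfile, destinations) -> dict:
    """Tabulate the decision for each destination under one CPE profile."""
    return {dst: forward_decision(dst, cpe) for dst in destinations}


# Constructed sample destinations (not captured traffic): a unicast address,
# all-nodes link-local, the MLDv2 routers group, a site-local group, a global group.
SAMPLE_DESTINATIONS = ["2001:db8::1", "ff02::1", "ff02::16", "ff05::1:3", "ff0e::1234"]

PROFILES = {
    "unicast-only CPE": CpeProfile(multicast_routing_capable=False, multicast_routing_enabled=False),
    "multicast capable, off by default": CpeProfile(multicast_routing_capable=True, multicast_routing_enabled=False),
    "multicast routing configured": CpeProfile(multicast_routing_capable=True, multicast_routing_enabled=True),
}

if __name__ == "__main__":
    for name, cpe in PROFILES.items():
        print(name)
        for dst, decision in audit(cpe, SAMPLE_DESTINATIONS).items():
            print(f"  {dst:<14} {decision}")
```

Running the script prints one table per profile; the useful observation is that the link-local rows come out as drop-scope for every profile, so only the ff05:: and ff0e:: rows ever depend on the capability and default-state layers the two drafts are splitting between them.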