Request for feedback on IETF I-D draft-v6ops-vyncke-balanced-ipv6-security
Dear all,

The authors would like to invite the community to review and comment on IETF I-D draft-v6ops-vyncke-balanced-ipv6-security.

<snip>
Abstract

This document describes how an IPv6 residential Customer Premise Equipment (CPE) can have a balanced security policy that allows for a mostly end-to-end connectivity while keeping the major threats outside of the home. It is based on an actual IPv6 deployment by Swisscom and proposes to allow all packets inbound/outbound EXCEPT for some layer-4 ports where attacks and vulnerabilities (such as weak passwords) are well-known.
</snip>

http://tools.ietf.org/html/draft-v6ops-vyncke-balanced-ipv6-security

We have received feedback from the IETF community that there should not be any explicit list of ports to be blocked in the document. The authors feel that this list should be maintained by a neutral internet body; however, we need suggestions from the community on how this could be solved.

So basically there are a few options on how the list could be managed:

* Let the ISP/Vendor define and maintain the list by themselves.
* Let the community maintain such a list using consensus.
* Ask a neutral internet body (insert favorite here) to manage the list based on the actual threat picture.

Please keep in mind that this draft is not meant to define an IDS/IPS style of functionality. We are only looking for how to solve the IPv6 firewall default on/off problem. This draft only covers the default list provided when the customer is being connected. The customer can, depending on the ISP's policy, fully administer the firewall rules.

Best Regards
The authors;
Eric Vyncke, Cisco
Martin Gysi, Swisscom
Guillaume Leclanche, Swisscom
Ragnar Anfinsen, Altibox
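As an added illustration of the policy the abstract describes (constructed for this archive, not taken from the draft or its authors), here is an nftables ruleset for the CPE's forward path. The interface names lan0/wan0 and the port numbers in the two sets are placeholder assumptions, since the draft deliberately leaves the list itself open; the comment at the end shows how the same ruleset becomes the "block inbound by default" policy the reply argues for.

```nft
#!/usr/sbin/nft -f
# Constructed example of the "balanced" IPv6 CPE policy: everything is
# allowed end-to-end EXCEPT inbound connections to a short list of
# layer-4 ports. Interface names and port numbers are PLACEHOLDERS.

flush ruleset

table ip6 cpe {
    # Inbound services refused by default. The draft leaves the
    # contents (and who maintains them) as an open question, so the
    # entries below are illustrative only and would be replaced by the
    # list distributed by the ISP, vendor or neutral body.
    set blocked_tcp_in {
        type inet_service
        elements = { 22, 23, 445 }   # PLACEHOLDER values
    }
    set blocked_udp_in {
        type inet_service
        elements = { 137, 138 }      # PLACEHOLDER values
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Drop packets that do not belong to any tracked connection.
        ct state invalid drop

        # The home side is trusted: new outbound connections go out.
        iifname "lan0" ct state new accept

        # Replies to connections the home opened always come back in.
        ct state established,related accept

        # Never filter ICMPv6: PMTUD, ND and error reporting depend on it.
        meta l4proto ipv6-icmp accept

        # The "balanced" part: inbound is open except the listed ports.
        iifname "wan0" tcp dport @blocked_tcp_in counter drop
        iifname "wan0" udp dport @blocked_udp_in counter drop

        # Everything else from the WAN reaches the host end-to-end.
        # To switch to "block inbound by default" instead: set the chain
        # policy to drop and remove the two set-based rules; the
        # established/related and ICMPv6 accepts above are kept, and the
        # end user must still be able to open individual inbound ports.
    }
}
```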
* Anfinsen, Ragnar <Ragnar.Anfinsen@altibox.no> [2013-10-16 16:30]:
> Dear all,
>
> The authors would like to invite the community to review and comment on IETF I-D draft-v6ops-vyncke-balanced-ipv6-security.
>
> <snip>
> Abstract
>
> This document describes how an IPv6 residential Customer Premise Equipment (CPE) can have a balanced security policy that allows for a mostly end-to-end connectivity while keeping the major threats outside of the home. It is based on an actual IPv6 deployment by Swisscom and proposes to allow all packets inbound/outbound EXCEPT for some layer-4 ports where attacks and vulnerabilities (such as weak passwords) are well-known.
> </snip>
>
> http://tools.ietf.org/html/draft-v6ops-vyncke-balanced-ipv6-security
>
> We have received feedback from the IETF community that there should not be any explicit list of ports to be blocked in the document. The authors feel that this list should be maintained by a neutral internet body; however, we need suggestions from the community on how this could be solved.
Hello,

I can see the advantage in having a mostly-open end-to-end connectivity by default, but I don't think it's feasible. Such a list would require a tremendous effort to keep up-to-date and I don't think people would do that. I'm more with the "block inbound by default" crowd. One of the reasons for IPv6 was to have every "smart thing" in the home connect to the Internet. Who wants to gather every vulnerability for every dishwasher and TV that's connecting to the internet?

Having said that, I'm bothered by the word "should" in connection with the ability of the end user to change this list. I would strongly suggest changing that to a MUST everywhere in the document. If I ever get a CPE that doesn't let me choose which ports to open inbound I will go ballistic.

Regards

Sebastian

--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant