draft-ietf-v6ops-cpe-simple-security-06.txt   draft-ietf-v6ops-cpe-simple-security-07.txt 
IPv6 Operations j. woodyatt, Ed. IPv6 Operations j. woodyatt, Ed.
Internet-Draft Apple Internet-Draft Apple
Intended status: Informational June 16, 2009 Intended status: Informational July 27, 2009
Expires: December 18, 2009 Expires: January 28, 2010
Recommended Simple Security Capabilities in Customer Premises Equipment Recommended Simple Security Capabilities in Customer Premises Equipment
for Providing Residential IPv6 Internet Service for Providing Residential IPv6 Internet Service
draft-ietf-v6ops-cpe-simple-security-06 draft-ietf-v6ops-cpe-simple-security-07
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 33 skipping to change at page 1, line 33
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on December 18, 2009. This Internet-Draft will expire on January 28, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info). publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. and restrictions with respect to this document.
Abstract Abstract
This document makes specific recommendations to the makers of devices This document makes specific recommendations to the makers of devices
that provide "simple security" capabilities at the perimeter of that provide "simple security" capabilities at the perimeter of
local-area IPv6 networks in Internet-enabled homes and small offices. local-area IPv6 networks in Internet-enabled homes and small offices.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Special Language . . . . . . . . . . . . . . . . . . . . . 3 1.1. Special Language . . . . . . . . . . . . . . . . . . . . . 4
2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Basic Sanitation . . . . . . . . . . . . . . . . . . . . . 5 2.1. Basic Sanitation . . . . . . . . . . . . . . . . . . . . . 6
2.2. Internet Layer Protocols . . . . . . . . . . . . . . . . . 5 2.2. Internet Layer Protocols . . . . . . . . . . . . . . . . . 6
2.3. Transport Layer Protocols . . . . . . . . . . . . . . . . 6 2.3. Transport Layer Protocols . . . . . . . . . . . . . . . . 7
3. Detailed Recommendations . . . . . . . . . . . . . . . . . . . 6 3. Detailed Recommendations . . . . . . . . . . . . . . . . . . . 7
3.1. Stateless Filters . . . . . . . . . . . . . . . . . . . . 7 3.1. Stateless Filters . . . . . . . . . . . . . . . . . . . . 8
3.2. Connection-free Filters . . . . . . . . . . . . . . . . . 8 3.2. Connection-free Filters . . . . . . . . . . . . . . . . . 9
3.2.1. Internet Control and Management . . . . . . . . . . . 8 3.2.1. Internet Control and Management . . . . . . . . . . . 9
3.2.2. Upper-layer Transport Protocols . . . . . . . . . . . 8 3.2.2. Upper-layer Transport Protocols . . . . . . . . . . . 9
3.2.3. UDP Filters . . . . . . . . . . . . . . . . . . . . . 9 3.2.3. UDP Filters . . . . . . . . . . . . . . . . . . . . . 10
3.2.4. 6to4 Tunnels . . . . . . . . . . . . . . . . . . . . . 10 3.2.4. 6to4 Tunnels . . . . . . . . . . . . . . . . . . . . . 11
3.2.5. Teredo-specific Filters . . . . . . . . . . . . . . . 10 3.2.5. Teredo-specific Filters . . . . . . . . . . . . . . . 11
3.2.6. IPsec and Internet Key Exchange (IKE) . . . . . . . . 11 3.2.6. IPsec and Internet Key Exchange (IKE) . . . . . . . . 12
3.2.7. Other Virtual Private Network Protocols . . . . . . . 11 3.2.7. Other Virtual Private Network Protocols . . . . . . . 12
3.3. Connection-oriented Filters . . . . . . . . . . . . . . . 11 3.3. Connection-oriented Filters . . . . . . . . . . . . . . . 13
3.3.1. TCP Filters . . . . . . . . . . . . . . . . . . . . . 12 3.3.1. TCP Filters . . . . . . . . . . . . . . . . . . . . . 13
3.3.2. SCTP Filters . . . . . . . . . . . . . . . . . . . . . 15 3.3.2. SCTP Filters . . . . . . . . . . . . . . . . . . . . . 16
3.3.3. DCCP Filters . . . . . . . . . . . . . . . . . . . . . 18 3.3.3. DCCP Filters . . . . . . . . . . . . . . . . . . . . . 19
3.3.4. Level 3 Multihoming Shim Protocol for IPv6 (SHIM6) . . 21 3.3.4. Level 3 Multihoming Shim Protocol for IPv6 (SHIM6) . . 22
3.4. Passive Listeners . . . . . . . . . . . . . . . . . . . . 21 3.4. Passive Listeners . . . . . . . . . . . . . . . . . . . . 22
4. Summary of Recommendations . . . . . . . . . . . . . . . . . . 21 4. Summary of Recommendations . . . . . . . . . . . . . . . . . . 22
5. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 26 5. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 28
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29
7. Security Considerations . . . . . . . . . . . . . . . . . . . 28 7. Security Considerations . . . . . . . . . . . . . . . . . . . 29
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 28 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 29
8.1. Normative References . . . . . . . . . . . . . . . . . . . 28 8.1. Normative References . . . . . . . . . . . . . . . . . . . 29
8.2. Informative References . . . . . . . . . . . . . . . . . . 30 8.2. Informative References . . . . . . . . . . . . . . . . . . 31
Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 31 Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 32
A.1. draft-ietf-v6ops-cpe-simple-security-00 to A.1. draft-ietf-v6ops-cpe-simple-security-00 to
draft-ietf-v6ops-cpe-simple-security-01 . . . . . . . . . 31 draft-ietf-v6ops-cpe-simple-security-01 . . . . . . . . . 32
A.2. draft-ietf-v6ops-cpe-simple-security-01 to A.2. draft-ietf-v6ops-cpe-simple-security-01 to
draft-ietf-v6ops-cpe-simple-security-02 . . . . . . . . . 32 draft-ietf-v6ops-cpe-simple-security-02 . . . . . . . . . 33
A.3. draft-ietf-v6ops-cpe-simple-security-02 to A.3. draft-ietf-v6ops-cpe-simple-security-02 to
draft-ietf-v6ops-cpe-simple-security-03 . . . . . . . . . 32 draft-ietf-v6ops-cpe-simple-security-03 . . . . . . . . . 33
A.4. draft-ietf-v6ops-cpe-simple-security-03 to A.4. draft-ietf-v6ops-cpe-simple-security-03 to
draft-ietf-v6ops-cpe-simple-security-04 . . . . . . . . . 32 draft-ietf-v6ops-cpe-simple-security-04 . . . . . . . . . 34
A.5. draft-ietf-v6ops-cpe-simple-security-04 to A.5. draft-ietf-v6ops-cpe-simple-security-04 to
draft-ietf-v6ops-cpe-simple-security-05 . . . . . . . . . 33 draft-ietf-v6ops-cpe-simple-security-05 . . . . . . . . . 34
A.6. draft-ietf-v6ops-cpe-simple-security-05 to A.6. draft-ietf-v6ops-cpe-simple-security-05 to
draft-ietf-v6ops-cpe-simple-security-06 . . . . . . . . . 34 draft-ietf-v6ops-cpe-simple-security-06 . . . . . . . . . 35
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 34 A.7. draft-ietf-v6ops-cpe-simple-security-06 to
draft-ietf-v6ops-cpe-simple-security-07 . . . . . . . . . 36
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 36
1. Introduction 1. Introduction
In "Local Network Protection for IPv6" [RFC4864], IETF recommends In "Local Network Protection for IPv6" [RFC4864], IETF recommends
'simple security' capabilities for gateway devices that enable 'simple security' capabilities for gateway devices that enable
delivery of Internet services in residential and small office delivery of Internet services in residential and small office
settings. The principle goal of these capabilities is to improve settings. The principle goal of these capabilities is to improve
security of the IPv6 Internet without increasing the perceived security of the IPv6 Internet without increasing the perceived
complexity for users who just want to accomplish useful work. complexity for users who just want to accomplish useful work.
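Review bot: "principle goal" in the Introduction (present in both columns) should read "principal goal"; since this block is otherwise only the page-number refresh of the Table of Contents and the new A.7 entry, the typo is cheap to fold into -07.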
skipping to change at page 6, line 37 skipping to change at page 7, line 37
administratively prohibited. administratively prohibited.
3. Detailed Recommendations 3. Detailed Recommendations
This section describes the specific recommendations made by this This section describes the specific recommendations made by this
document in full detail. They are summarized into a convenient list document in full detail. They are summarized into a convenient list
in Section 4. in Section 4.
Some recommended filters are to be applied to all traffic that passes Some recommended filters are to be applied to all traffic that passes
through residential Internet gateways regardless of the direction through residential Internet gateways regardless of the direction
they are to be forwarded. However, most filters are expected to be they are to be forwarded. Other recommended filters are intended to
sensitive to the direction that traffic is flowing. Packets are said be sensitive to the "direction" of traffic flows. Applied to
to be "outbound" if they originate from interior nodes to be bidirectional transport flows, "direction" has a specific meaning in
forwarded to the Internet, and "inbound" if they originate from this document.
exterior nodes to be forwarded to any node or nodes on the interior
prefix. Flows, as opposed to packets, are said to be "outbound" if Packets are said to be "outbound" if they originate from interior
the initiator is an interior node and one or more of the participants nodes to be forwarded to the Internet, and "inbound" if they
are at exterior addresses. Flows are said to be "inbound" if the originate from exterior nodes to be forwarded to any node or nodes on
initiator is an exterior node and one or more of the participants are the interior prefix.
nodes on the interior network. The initiator of a flow is the first
node to send a packet in the context of a given transport Flows, as opposed to packets, are said to be "outbound" if the
association, e.g. a TCP connection, et cetera. originator of the initial packet in any given transport association
is an interior node and one or more of the participants are at
exterior addresses. Flows are said to be "inbound" if the originator
of the initial packet is an exterior node and one or more of the
participants are nodes on the interior network.
3.1. Stateless Filters 3.1. Stateless Filters
Certain kinds of IPv6 packets MUST NOT be forwarded in either Certain kinds of IPv6 packets MUST NOT be forwarded in either
direction by residential Internet gateways regardless of network direction by residential Internet gateways regardless of network
state. These include packets with multicast source addresses, state. These include packets with multicast source addresses,
packets to destinations with certain non-routable and/or reserved packets to destinations with certain non-routable and/or reserved
prefixes and packets with deprecated extension headers. prefixes and packets with deprecated extension headers.
Other stateless filters are recommended to guard against spoofing, to Other stateless filters are recommended to guard against spoofing, to
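Review bot: the rewritten flow definition in Section 3 (right column) keys direction to "the originator of the initial packet in any given transport association" but, unlike the -06 wording it replaces, no longer gives an example of what a transport association is ("e.g. a TCP connection"), and neither column says how the initial packet is identified for connection-free transports such as the UDP and ICMP traffic handled in Section 3.2. Suggest keeping the TCP example and either adding one sentence on how connection-free flows get their initial packet or pointing to the per-protocol treatment in Section 3.2. The sentence stating that "direction" has a specific meaning in this document also promises a definition of "direction", while the paragraphs that follow define only "inbound" and "outbound"; wording such as "the direction of a flow is whether it is inbound or outbound, as defined below" would close that gap.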
skipping to change at page 21, line 42 skipping to change at page 22, line 45
consensus has yet emerged in the Internet engineering community as to consensus has yet emerged in the Internet engineering community as to
which proposal is most appropriate for residential IPv6 usage which proposal is most appropriate for residential IPv6 usage
scenarios. scenarios.
R41: Gateways SHOULD implement a protocol to permit applications to R41: Gateways SHOULD implement a protocol to permit applications to
solicit inbound traffic without advance knowledge of the addresses of solicit inbound traffic without advance knowledge of the addresses of
exterior nodes with which they expect to communicate. If exterior nodes with which they expect to communicate. If
implemented, this protocol MUST have a specification that meets the implemented, this protocol MUST have a specification that meets the
requirements of [RFC3979], [RFC4879] and [RFC5378]. requirements of [RFC3979], [RFC4879] and [RFC5378].
R42: Gateways MUST provide an easily selected configuration option
that permits operation in a mode that forwards all unsolicited flows
regardless of forwarding direction.
4. Summary of Recommendations 4. Summary of Recommendations
This section collects all of the recommendations made in this This section collects all of the recommendations made in this
document into a convenient list. document into a convenient list.
R1 Packets bearing in their outer IPv6 headers multicast source R1 Packets bearing in their outer IPv6 headers multicast source
addresses MUST NOT be forwarded or transmitted on any interface. addresses MUST NOT be forwarded or transmitted on any interface.
R2 Packets which bear in their outer IPv6 headers multicast R2 Packets which bear in their outer IPv6 headers multicast
destination addresses of equal or narrower scope (see section 2.7 destination addresses of equal or narrower scope (see section 2.7
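Review bot: new R42 (Section 3.4, right column) requires a mode that "forwards all unsolicited flows regardless of forwarding direction" but does not say whether the stateless filters of Section 3.1, which the draft says apply "regardless of network state", remain in force in that mode; as written a reader could take R42 to switch off R1 and the other stateless filters as well. Suggest qualifying R42 with "while continuing to apply the stateless filters of Section 3.1" (or equivalent) and stating which mode is the default, since the change log describes this only as "a less restrictive configuration option".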
skipping to change at page 26, line 40 skipping to change at page 27, line 46
R40 Receipt of any sort of ICMP message MUST NOT terminate the state R40 Receipt of any sort of ICMP message MUST NOT terminate the state
record for a DCCP connection. record for a DCCP connection.
R41 Gateways SHOULD implement a protocol to permit applications to R41 Gateways SHOULD implement a protocol to permit applications to
solicit inbound traffic without advance knowledge of the addresses solicit inbound traffic without advance knowledge of the addresses
of exterior nodes with which they expect to communicate. If of exterior nodes with which they expect to communicate. If
implemented, this protocol MUST have a specification that meets implemented, this protocol MUST have a specification that meets
the requirements of [RFC3979], [RFC4879] and [RFC5378]. the requirements of [RFC3979], [RFC4879] and [RFC5378].
R42 Gateways MUST provide an easily selected configuration option
that permits operation in a mode that forwards all unsolicited
flows regardless of forwarding direction.
5. Contributors 5. Contributors
Comments and criticisms during the development of this document were Comments and criticisms during the development of this document were
received from the following IETF participants: received from the following IETF participants:
Fred Baker Fred Baker
Norbert Bollow Norbert Bollow
Brian Carpenter Brian Carpenter
RA(C)mi DesprA(C)s
Remi Despres
Fabrice Fontaine Fabrice Fontaine
Jun-ichiro itojun Hagino Jun-ichiro itojun Hagino
Thomas Herbst Thomas Herbst
Christian Huitema Christian Huitema
Joel Jaeggli Joel Jaeggli
skipping to change at page 34, line 42 skipping to change at page 36, line 5
o Added a section describing the irrelevance of 6to4 and an o Added a section describing the irrelevance of 6to4 and an
informative reference to [RFC3068]. informative reference to [RFC3068].
o Added normative reference to [RFC4291], and word-smithed R2 to add o Added normative reference to [RFC4291], and word-smithed R2 to add
a brief discussion about multicast scope boundaries. a brief discussion about multicast scope boundaries.
o Added a section and an information reference for SHIM6 explaining o Added a section and an information reference for SHIM6 explaining
why it's incompatible with IPv6 simple security. why it's incompatible with IPv6 simple security.
A.7. draft-ietf-v6ops-cpe-simple-security-06 to
draft-ietf-v6ops-cpe-simple-security-07
o Improve the language describing directionality of traffic flows.
o Explicitly recommend a less restrictive configuration option.
o Don't use Latin-1 characters not present in 7-bit ASCII.
Author's Address Author's Address
james woodyatt (editor) james woodyatt (editor)
Apple Inc. Apple Inc.
1 Infinite Loop 1 Infinite Loop
Cupertino, CA 95014 Cupertino, CA 95014
US US
Email: jhw@apple.com Email: jhw@apple.com
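Review bot: the three A.7 entries do not identify what changed, whereas the earlier change-log entries name the affected requirement or section ("word-smithed R2", "a section ... for SHIM6"); "Explicitly recommend a less restrictive configuration option" should cite R42 and Section 3.4, and "Improve the language describing directionality of traffic flows" should cite Section 3. The A.7 entries are also in the imperative ("Improve", "Don't") while the A.6 entries use the past tense ("Added"); suggest one tense throughout the change log.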
 End of changes. 15 change blocks. 
54 lines changed or deleted 78 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/