rfcdiff of draft-ietf-v6ops-cpe-simple-security-11.txt against draft-ietf-v6ops-cpe-simple-security-12.txt (text common to both versions is shown once; where the versions differ, both readings are given, marked -11 and -12)
IPv6 Operations                                         j. woodyatt, Ed.
Internet-Draft                                                     Apple
Intended status: Informational   April 24, 2010 (-11) / June 22, 2010 (-12)
Expires: October 26, 2010 (-11) / December 24, 2010 (-12)

   Recommended Simple Security Capabilities in Customer Premises Equipment
             for Providing Residential IPv6 Internet Service
          draft-ietf-v6ops-cpe-simple-security-11 (-11) / -12 (-12)
Abstract

   This document identifies a set of recommendations for the makers of
   devices describing how to provide for "simple security" capabilities
   at the perimeter of local-area IPv6 networks in Internet-enabled
   homes and small offices.
Status of this Memo

   [skipping to change at page 1, line 34]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 26, 2010 (-11) /
   December 24, 2010 (-12).
Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   [skipping to change at page 2, line 36]

     3.3.4.  Level 3 Multihoming Shim Protocol for IPv6 (SHIM6) . .  21
     3.4.  Passive Listeners . . . . . . . . . . . . . . . . . . . .  21
     3.5.  Management Applications . . . . . . . . . . . . . . . . .  22
   4.  Summary of Recommendations  . . . . . . . . . . . . . . . . .  22
   5.  Contributors  . . . . . . . . . . . . . . . . . . . . . . . .  28
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  28
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  28
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  29
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .  29
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  31
   Appendix A.  Change Log . . . . . . . . . . . . . . . . . . . . .  32   (-11 only)
     A.1.  draft-ietf-v6ops-cpe-simple-security-10 to
           draft-ietf-v6ops-cpe-simple-security-11 . . . . . . . . .  32   (-11 only)
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  33 (-11) / 32 (-12)
1.  Introduction

   Some IPv6 gateway devices that enable delivery of Internet services
   in residential and small office settings may be augmented with
   'simple security' capabilities as described in "Local Network
   Protection for IPv6" [RFC4864].  In general, these capabilities cause
   packets to be discarded in an attempt to make local networks and the
   Internet more secure.  However, it is worth noting that some packets
   sent by legitimate applications may also be discarded in this
   [skipping to change at page 22, line 5]

   recommendations are the best guidance available.

   REC-42: Internet gateways with IPv6 simple security capabilities
   SHOULD implement a protocol to permit applications to solicit inbound
   traffic without advance knowledge of the addresses of exterior nodes
   with which they expect to communicate.

   REC-43: Internet gateways with IPv6 simple security capabilities MUST
   provide an easily selected configuration option that permits a
   "transparent mode" of operation that forwards all unsolicited flows
   regardless of forwarding direction, i.e. to disable (-11) / not to use
   (-12) the IPv6 simple security capabilities of the gateway.

   In general, "transparent mode" will enable more flexibility and
   reliability for applications which require devices to be contacted
   inside the home directly, particularly in absence of a protocol as
   described in REC-42.  Operating in transparent mode may come at the
   expense of security if there are IPv6 nodes in the home that do not
   have their own host-based firewall capability and require a firewall
   in the gateway in order not to be compromised.
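   The following is an added worked example, not text or code from the
   draft: a small Python model of the three forwarding behaviours the
   passage above contrasts.  By default, flows initiated from the
   interior create state so that their return traffic is admitted while
   unsolicited inbound flows are discarded; a `solicit_inbound()` call
   stands in for the REC-42 protocol by which an application asks for
   inbound traffic on a port (it is a placeholder, not PCP, UPnP IGD or
   any other real protocol); and the `transparent` flag models the
   REC-43 option that forwards every flow in both directions.  The
   class and function names, the prefix 2001:db8:1::/64 and all
   addresses and ports are constructed for the example.

```python
"""Toy model of an IPv6 "simple security" gateway filter (added example;
not the draft's own code).  All addresses, ports and names are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One direction of a transport flow crossing the gateway."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        """The flow carrying replies to this one."""
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


class SimpleSecurityGateway:
    """Stateful default-deny filter with a REC-43 style transparent mode."""

    def __init__(self, interior_prefix: str, transparent: bool = False):
        self.interior = ipaddress.ip_network(interior_prefix)
        self.transparent = transparent          # REC-43: forward all unsolicited flows
        self.flows: set[Flow] = set()           # state learned from interior-initiated flows
        self.pinholes: set[tuple] = set()       # (proto, interior addr, port) opened by apps
        self.log: list[tuple] = []              # (decision, reason, flow) for audit

    def _is_interior(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.interior

    def solicit_inbound(self, proto: str, addr: str, port: int) -> None:
        """Stand-in for a REC-42 protocol: an interior application asks to
        receive unsolicited inbound traffic on (proto, port)."""
        if not self._is_interior(addr):
            raise ValueError("pinholes may only be opened for interior nodes")
        self.pinholes.add((proto, addr, port))

    def forward(self, flow: Flow) -> bool:
        """Decide one packet of `flow`: True = forwarded, False = discarded."""
        outbound = self._is_interior(flow.src) and not self._is_interior(flow.dst)
        inbound = self._is_interior(flow.dst) and not self._is_interior(flow.src)
        if not (outbound or inbound):
            self.log.append(("drop", "does not cross the gateway", flow))
            return False
        if self.transparent:
            self.log.append(("forward", "transparent mode", flow))
            return True
        if outbound:
            self.flows.add(flow)                # remember it so replies are admitted
            self.log.append(("forward", "interior-initiated", flow))
            return True
        if flow.reverse() in self.flows:
            self.log.append(("forward", "reply to an interior-initiated flow", flow))
            return True
        if (flow.proto, flow.dst, flow.dport) in self.pinholes:
            self.log.append(("forward", "solicited by an interior application", flow))
            return True
        self.log.append(("drop", "unsolicited inbound", flow))
        return False


def demo() -> dict:
    """Walk through the behaviours with constructed addresses; returns the decisions."""
    lan, pc, game, ext = "2001:db8:1::/64", "2001:db8:1::10", "2001:db8:1::20", "2001:db8:ffff::1"
    gw = SimpleSecurityGateway(lan)
    out = {}
    out["unsolicited_inbound"] = gw.forward(Flow(ext, 40000, pc, 22))           # dropped
    out["outbound"] = gw.forward(Flow(pc, 50000, ext, 443))                      # forwarded, state created
    out["reply"] = gw.forward(Flow(ext, 443, pc, 50000))                         # forwarded, matches state
    gw.solicit_inbound("udp", game, 27015)                                       # REC-42 stand-in
    out["pinhole"] = gw.forward(Flow(ext, 1234, game, 27015, "udp"))             # forwarded via pinhole
    out["pinhole_wrong_port"] = gw.forward(Flow(ext, 1234, game, 27016, "udp"))  # still dropped
    transparent = SimpleSecurityGateway(lan, transparent=True)                   # REC-43 option
    out["transparent_inbound"] = transparent.forward(Flow(ext, 40000, pc, 22))   # forwarded
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'forward' if decision else 'drop'}")
```

   The decision log is the part worth keeping in a real gateway: the
   trade-off the paragraph describes (transparent mode leaving hosts
   without their own firewall exposed) is only visible to an operator
   if the device records which unsolicited inbound flows it forwarded
   and why.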
   [skipping to change at page 32, line 38]

   [RFC5533]  Nordmark, E. and M. Bagnulo, "Shim6: Level 3 Multihoming
              Shim Protocol for IPv6", RFC 5533, June 2009.

   [UPnP-IGD]
              UPnP Forum, "Universal Plug and Play Internet Gateway
              Device Standardized Gateway Device Protocol",
              September 2006,
              <http://www.upnp.org/standardizeddcps/igd.asp>.
Appendix A.  Change Log   (-11 only; absent from -12)

A.1.  draft-ietf-v6ops-cpe-simple-security-10 to
      draft-ietf-v6ops-cpe-simple-security-11

   o  Wordsmithing on the abstract.

   o  Use the word "flow" throughout, as introduced in Section 3,
      instead of using "exchange" for UDP and "connection" for TCP, SCTP
      and DCCP.

   o  Added HIP [RFC5201] to the set of secure transports.

   o  Added citation of DHCP6 [RFC3315].

   o  Added citation of Mobility Support in IPv6 (MIPv6) [RFC3775] along
      with a new section and a recommendation for filtering behavior.

   o  Removed all references to 6to4 [RFC3068].

   o  Removed all the earlier Change Log sections.

   o  Made a boatload of little editorial changes recommended by
      Boucadair Mohamed.
Author's Address

   james woodyatt (editor)
   Apple Inc.
   1 Infinite Loop
   Cupertino, CA  95014
   US

   Email: jhw@apple.com
End of changes.  6 change blocks.  34 lines changed or deleted, 6 lines changed or added.

This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/