Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service
Draft of message to be sent after approval:
From: The IESG <email@example.com> To: IETF-Announce <firstname.lastname@example.org> Cc: Internet Architecture Board <email@example.com>, RFC Editor <firstname.lastname@example.org>, v6ops mailing list <email@example.com>, v6ops chair <firstname.lastname@example.org> Subject: Document Action: 'Recommended Simple Security Capabilities in Customer Premises Equipment for Providing Residential IPv6 Internet Service' to Informational RFC The IESG has approved the following document: - 'Recommended Simple Security Capabilities in Customer Premises Equipment for Providing Residential IPv6 Internet Service ' <draft-ietf-v6ops-cpe-simple-security-16.txt> as an Informational RFC This document is the product of the IPv6 Operations Working Group. The IESG contact persons are Ron Bonica and Dan Romascanu. A URL of this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-v6ops-cpe-simple-security-16.txt
Technical Summary This document identifies a set of recommendations for the makers of devices describing how to provide for "simple security" capabilities at the perimeter of local-area IPv6 networks in Internet-enabled homes and small offices. Working Group Summary The working group was divided on the concept of defining or recommending the use of firewalls; as a result, this document is very explicitly a set of recommendations for those that would choose to build or deploy a firewall without making any recommendation on whether anyone should do either. It describes a simple stateful firewall, permeable to traffic that is secured using IPsec. Document Quality There is at least one deployed implementation of this firewall, and expected to be others. The document clearly specifies a consensus set of recommendations for such firewalls. Personel Fred Baker is shepherd. RFC Editor Note OLD TEXT: REC-13: By DEFAULT, Internet gateways SHOULD, automatically download and install software updates for extending IPv6 simple security for support of future standard upper layer transports and extension headers. NEW TEXT: REC-13: Residential Internet Gateways SHOULD provide a convenient means to securely update their firmware, for the installation of security patches and other manufacturer-recommended changes. Vendors can expect users and operators to have differing viewpoints on the maintenance of patches, with some preferring automated update and some preferring manual initiation, and those preferring automated update wanting to download from a vendor site or one managed by the network operator. To handle the disparity, vendors are well advised if they provide manual and automated options. In the automated case, they would do well to facilitate pre-configuration of the download URL and a means of validating the software image such as a certificate.