IETF Logo Mail Archive

Re: [Gen-art] Re: Partial review of draft-ietf-v6ops-security-overview-04.txt

Brian E Carpenter <brc@zurich.ibm.com> Tue, 06 June 2006 09:40 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FnY2n-0003fN-HJ; Tue, 06 Jun 2006 05:40:13 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FnY2m-0003fI-84 for gen-art@ietf.org; Tue, 06 Jun 2006 05:40:12 -0400
Received: from mtagate3.de.ibm.com ([195.212.29.152]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FnY2j-0000Vt-MW for gen-art@ietf.org; Tue, 06 Jun 2006 05:40:12 -0400
Received: from d12nrmr1607.megacenter.de.ibm.com (d12nrmr1607.megacenter.de.ibm.com [9.149.167.49]) by mtagate3.de.ibm.com (8.13.6/8.13.6) with ESMTP id k569e8B0015962 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <gen-art@ietf.org>; Tue, 6 Jun 2006 09:40:08 GMT
Received: from d12av04.megacenter.de.ibm.com (d12av04.megacenter.de.ibm.com [9.149.165.229]) by d12nrmr1607.megacenter.de.ibm.com (8.13.6/NCO/VER7.0) with ESMTP id k569g4KA096240 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <gen-art@ietf.org>; Tue, 6 Jun 2006 11:42:04 +0200
Received: from d12av04.megacenter.de.ibm.com (loopback [127.0.0.1]) by d12av04.megacenter.de.ibm.com (8.12.11.20060308/8.13.3) with ESMTP id k569e7AM001688 for <gen-art@ietf.org>; Tue, 6 Jun 2006 11:40:07 +0200
Received: from sihl.zurich.ibm.com (sihl.zurich.ibm.com [9.4.16.232]) by d12av04.megacenter.de.ibm.com (8.12.11.20060308/8.12.11) with ESMTP id k569e6iP001556; Tue, 6 Jun 2006 11:40:06 +0200
Received: from zurich.ibm.com (sig-9-146-217-178.de.ibm.com [9.146.217.178]) by sihl.zurich.ibm.com (AIX4.3/8.9.3p2/8.9.3) with ESMTP id LAA60578; Tue, 6 Jun 2006 11:40:04 +0200
Message-ID: <44854D75.5050304@zurich.ibm.com>
Date: Tue, 06 Jun 2006 11:40:05 +0200
From: Brian E Carpenter <brc@zurich.ibm.com>
Organization: IBM
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113
X-Accept-Language: en, fr, de
MIME-Version: 1.0
To: Elwyn Davies <elwynd@dial.pipex.com>
Subject: Re: [Gen-art] Re: Partial review of draft-ietf-v6ops-security-overview-04.txt
References: <713043CE8B8E1348AF3C546DBE02C1B408AADFBD@zcarhxm2.corp.nortel.com> <4475D2BF.2050805@dial.pipex.com>
In-Reply-To: <4475D2BF.2050805@dial.pipex.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 5ebbf074524e58e662bc8209a6235027
Cc: david.kessens@nokia.com, fred.baker@cisco.com, gen-art@ietf.org, suresh.krishnan@ericsson.com, kurtis@kurtis.pp.se, psavola@funet.fi
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
Errors-To: gen-art-bounces@ietf.org

Actually this got deferred by one telechat, so maybe Sharon has the
chance to look at the rest...

I will very likely be a No Objection, this being a draft I have kept
an eye on; it would be rather hypocritical to Discuss it at this
late stage. Since there are a couple of quite tricky Discuss comments,
there well may be a revision coming, at which point I trust the authors
will review Sharon's comments.

    Brian

Elwyn Davies wrote:
> 
> 
> Sharon Chisholm wrote:
> 
>> Attached is my review of the specified document, submitted as part of
>> the Gen-ART process.  For background on Gen-ART, please see the FAQ at
>> <http://www.alvestrand.no/ietf/gen/art/gen-art-FAQ.html>.
>>
>> Document:
>> http://www.ietf.org/internet-drafts/draft-ietf-v6ops-security-overview-0
>> 4.txt
>>
>> Summary: This draft is basically ready for publication, but has nits
>> that
>>     should be fixed before publication.
>>
>> Comments:
>>
>> I somehow wasn't paying attention and only realized at the last minute
>> that I was assigned this review for today's meeting. Apologies for the
>> lateness and incompleteness of this review. I only managed to review to
>> the end of section 2.3.
>>
>> 1. In section 1, second paragraph, it says "It is important to
>> understand that we have to be concerned not about replacing IPv4 with
>> IPv6", which seems a bit bold of a statement without a clarification
>> like "in the near future" or some form of explanation.
>>   
> 
> The sentence is intended to mean that we aren't going to see the 
> all-IPv4 net going away to be replaced by the all-IPv6 network (in the 
> short term - actually that is an understatement- more like the long 
> teerm). Instead we have to deal with co-existence for a very long time.
> 
> Maybe the words could be improved.
> 
>> 2. In section 2.1.1, second paragraph and after the bullets, there is a
>> typo - "point wher it is being "
>>
>> 3. The document contains a number of references to internet drafts that
>> originally defined the problems discussed. The document claims "Several
>> of these issues have been discussed in separate drafts but are
>> summarized here to avoid normative references that may not become RFCs",
>> but it isn't clear what the RFC editor should do. Should it delete all
>> these references or just delete the ones that are not RFCs at the time
>> of publication, or should it evaluate which it thinks will someday
>> become RFCs and then wait for them?
>>   
> 
> I believe that it is OK to leave the references as 'work in progress' 
> since they are informative in an Informational document.
> 
>> 4. Section 2.1.9. 1 does not make a recommendation. Are we suggesting
>> that middleware boxes should inspect these packets or just letting
>> people know about the conflict. A recommendation of some sort would seem
>> more satisfying.
>>   
> 
> Yes it would... unfortunately this is difficult because doing what is 
> advisable breaks the letter of the IPv6 standard and doing what the 
> standard says can lead to a security hole.  IMO the standard should be 
> fixed but that is not something we can recommend or expect here- so we 
> can point out that you can do it and leave it to operators to do as they 
> see fit.  Recommending either way would be to upset somebody.
> 
>> 5. In section 2.1.9.2, third paragraph says that "This either limits the
>> security that can be applied in firewalls or makes it difficult to
>> deploy new extension header types", but I did not find information in
>> this section to support that conclusion. It may well be true, but it
>> isn't supported. Why is it difficult to skip over header extensions I
>> don't recognize, for example?
>>   
> 
> Because there is no guarantee that a random new header is in the right 
> TLV format.  It alsmost certainly would be but the standard doesn't 
> *guarantee* it.  Again this ought to be fixed.
> 
>> 6. In section 2.3.2, second paragraph, second bullet, isn't it mandatory
>> to implement ipsec in IPv6 but it isn't mandatory to deploy it is it?
>> I'm not sure this distinction is clear in this bullet. (Assuming my
>> understanding is correct that is)
>>   
> 
> A conforming implementation has to implement it - and hence it *should* 
> be deployed.  The choice is whether the user chooses to use it for any 
> given session.  I think the statements in the section are correct.
> 
> Regards,
> Elwyn
> 
>> Sharon Chisholm
>> Nortel Ottawa, Ontario
>> Canada
>>   
> 
> 
> _______________________________________________
> Gen-art mailing list
> Gen-art@ietf.org
> https://www1.ietf.org/mailman/listinfo/gen-art
> 

_______________________________________________
Gen-art mailing list
Gen-art@ietf.org
https://www1.ietf.org/mailman/listinfo/gen-art

v2.23.0 | Report a Bug | By Email