Re: [Homesec-dt] IPv6 Advanced Security...

"Lee Howard" <lee@asgard.org> Tue, 23 March 2010 13:49 UTC

From: Lee Howard <lee@asgard.org>
To: 'Mark Townsley' <mark@townsley.net>, homesec-dt@ietf.org
References: <da57d4211003160724o54b19210p440cb62df958dae6@mail.gmail.com>
In-Reply-To: <da57d4211003160724o54b19210p440cb62df958dae6@mail.gmail.com>
Date: Tue, 23 Mar 2010 06:49:18 -0700
Message-ID: <000b01caca8f$a5891900$f09b4b00$@org>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_000C_01CACA54.F92A4100"
Thread-Index: AcrFFF/7LVWcn1wnSEGkcnyyI8Zj6QFCxOAQ
Content-Language: en-us
Subject: Re: [Homesec-dt] IPv6 Advanced Security...
Precedence: list

Complete silence. . .

 

Let  me say where I am:  I am very interested in the concepts outlines in
advanced-security, but I'm not convinced that an IPS is a good replacement
for a firewall.  Host OSes aren't secure enough yet.  I think
simple-security ("deny any" as default) is the right approach right now.
After there is some live experience with advanced-security (i.e., using an
IPS instead of a stateful firewall), and until CPE is beefy enough to
support an IPS and reputation client, we can promote advanced-security.

 

So, some specific places where design work is needed (not just nits with
rules):

What are the requirements of the reputation engine?   Assuming reputation
defaults to "white," then  when something is blackened, how much space is
blacklisted?  Since any host can use any address within a /64, at least,
blacklist whack-a-mole of the individual address seems unscaleable.  Has
work been done in this area already?

What are the requirements of the IPS provider?  A certain scale is required,
in order to perform event correlation as described, and to detect new
exploits.  A certain expertise and funding is required to write signatures
and mitigations.

What happens if they become unreachable?  Business collapse, or dDoS as part
of a worm attack, for instance.

Rule CryptoIntercept sounds like it should become a man-in-the-middle; needs
further discussion.

 

I'm willing to take on some of this work, but I will not be at the homegate
interim meeting in Paris, because it squarely overlaps with ARIN.

 

Lee

 

 

From: homesec-dt-bounces@ietf.org [mailto:homesec-dt-bounces@ietf.org] On
Behalf Of Mark Townsley
Sent: Tuesday, March 16, 2010 7:24 AM
To: homesec-dt@ietf.org
Subject: [Homesec-dt] IPv6 Advanced Security...

 


"Homesec DT" members,

First, an apology. I created this list months ago with the intention of
kicking off discussion. This list contains the people who raised their hand
at the Hiroshima meeting and/or sent me email volunteering time to
participate in the advancement of the idea Eric V. and I presented at the
v6ops meeting there. 

I subsequently dropped the ball. I have a long list of reasons/excuses,
personal and professional, as to why this is the case (not the least of
which is my new 2-week old daughter!), but this doesn't discount the fact
that I've left people hanging.

So, where are we? 

First, Eric updated draft-vyncke-advanced-ipv6-security to -01, with minor
additions/modifications based on direct feedback and review. No major
overhaul though. The idea is still basically the same as presented in
Hiroshima, and the draft is certainly subject to more work before it is
ready for prime time. I will not be in Anaheim next week (I am still on
paternity leave, and the actual due date for the baby was yesterday). I'm
not sure if Eric will be presenting in v6ops. 

I remember list & jabber discussion about taking some of the ideas in the
advanced-security document and bringing them into simple-security. In
particular, "Rule #7, ParanoidOpeness"- I'd like to see that at least be
discussed seriously before simple-security advances. Time is probably of the
essence here. If you think this is a good idea, feel free to grab on to it
and try to make it happen.

I still get the impression that there is a lot of interest around this idea,
and when I speak to people about it, initial skepticism almost inevitably
makes its way into some form of interest. 

As for steps forward... we can do a number of things here. Perhaps a first
step is for some of you that will be in the same city next week to chat
about this. If there are any good ideas, I'll be happy to setup a webex
after you all return home for us to brainstorm about next steps. What I
would like to get an idea of is:

- The basic architecture of IPv6 advanced security (I think a good start are
the slides I used in Hiroshima)
- The areas that could use operational description (e.g., within the scope
of v6ops)
- The areas that could use functional definition (a start is in
draft-vyncke)
- The interfaces that could use protocol standardization (we've talked and
hand-waived a bit about this)

If we can nail this down, we'll know better what could/should be done in the
IETF. Also, it could be input to the "homegate" interim meeting in April, if
we get our act together before then.

Finally, this email list is composed of just the "design team" volunteers
that agreed to help in Hiroshima. We can operate like this for a bit, but
soon (if not immediately) we'll need to move this to an open discussion. I'd
like to get an idea of where, and with what goal, first though, as we don't
want to create a list and invite people to it without knowing what the
discussion there is designed to achieve.

Again, sorry for not marching forth with a battle plan right after
Hiroshima. Hopefully we didn't lose too much time here. See you on email
while you are in California!

- Mark

[Homesec-dt] IPv6 Advanced Security... Mark Townsley
Re: [Homesec-dt] IPv6 Advanced Security... Lee Howard