Re: Last Call: <draft-ietf-opsec-ipv6-implications-on-ipv4-nets-03.txt> (Security Implications of IPv6 on IPv4 Networks) to Informational RFC
SM <sm@resistor.net> Mon, 01 April 2013 21:24 UTC
Return-Path: <sm@resistor.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A858011E80F4 for <ietf@ietfa.amsl.com>; Mon, 1 Apr 2013 14:24:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jsEFtl06XiRn for <ietf@ietfa.amsl.com>; Mon, 1 Apr 2013 14:24:49 -0700 (PDT)
Received: from mx.ipv6.elandsys.com (mx.ipv6.elandsys.com [IPv6:2001:470:f329:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id A2FAD11E80E2 for <ietf@ietf.org>; Mon, 1 Apr 2013 14:24:49 -0700 (PDT)
Received: from SUBMAN.resistor.net (IDENT:sm@localhost [127.0.0.1]) (authenticated bits=0) by mx.elandsys.com (8.14.5/8.14.5) with ESMTP id r31LOgiM002668; Mon, 1 Apr 2013 14:24:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=opendkim.org; s=mail2010; t=1364851487; bh=7UkiGtGbVG9eJN+jffo4E0vLEwm7Z7moOUKNNsBMZzw=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=46zasMWA0EXiLhqdJ8OR++povsJwRvLuiSqi9Vo32LhLi3ntVLl8Kpl2YGv3MPXri Tmgf3Bjx5c+KvhLnnpasfK8/0w1rUyyON01JmSZjjPsjJWJQ5BgDjadjEdIWZ7T6q6 rqNj+MqdVbN+kgKhCOy36OaSuToWz8FV3+bNyHMQ=
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=resistor.net; s=mail; t=1364851487; i=@resistor.net; bh=7UkiGtGbVG9eJN+jffo4E0vLEwm7Z7moOUKNNsBMZzw=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=iRYM/eZmd4nU7MkTparn7uvvNEiTKVcwppwwXW02vKmZVO3BOtP604Aa48psKospX jf80vxH/PUMDTWFCeiocPL/gH+QUZBO0SbTe7KMvIVa37c4y8YufV2kGcQbJUl5vbO u1MrALxfE0WOfanKwEc09n0VVkxDUzhUOcRBKpAU=
Message-Id: <6.2.5.6.2.20130401124437.0a5a1190@resistor.net>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6
Date: Mon, 01 Apr 2013 13:49:15 -0700
To: Fernando Gont <fgont@si6networks.com>
From: SM <sm@resistor.net>
Subject: Re: Last Call: <draft-ietf-opsec-ipv6-implications-on-ipv4-nets-03.txt> (Security Implications of IPv6 on IPv4 Networks) to Informational RFC
In-Reply-To: <51598243.2020109@si6networks.com>
References: <20130329130326.13012.1402.idtracker@ietfa.amsl.com> <6.2.5.6.2.20130330230305.0bce91a8@resistor.net> <51598243.2020109@si6networks.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Apr 2013 21:24:50 -0000
Hi Fernando,
At 05:49 01-04-2013, Fernando Gont wrote:
>Please re-read the above paragraph -- you missed the part that says
>"...the same security policies".
I saw that. :-) I commented on Section 6 first as it's only when I
reached that part of the document that I saw the trade-off between
blocking IPv6 traffic and security.
>Those issues are not present when your network employs v4-only.
What's missing is some text in the Introduction section explaining
that the draft is discussing about IPv4 networks (what is mentioned above).
>A network were none of the devices connected to it implement v6.
If that is the case some of the attacks would not be possible. The
scenario the draft discusses about is when there are devices which
have IPv6 support. The draft could have an explanation about IPv4
networks (see previous comment) and then follow it with the first
sentence of Section 1. It can then go into a discussion of the
threats and how to mitigate them.
From Section 1:
"filtering IPv6 traffic (whether native or transition/co-existence)
to mitigate IPv6 security implications on IPv4 networks should
(generally) only be considered as a temporary measure until IPv6
is deployed."
It's not a temporary measure in the sense that there is an assumption
that the network should be IPv4 only. If the network is to support
IPv4 and IPv6, filtering of IPv6 traffic is not recommended then.
>The reference is meant to illustrate that that even if you think your
>network only employs IPv4 (and hence forget about the v6 support), you
>could be hit by that.
Ok.
>For attacks that employ link-local connectivity, it bolds down to packet
>filtering (either by a personal firewall at the host, or by filtering v6
>at layer-2) -- this is discussed in the I-D.
I don't see anything about that in the draft. There is a mention of
filtering at Layer 2 and Layer 3.
>Happy Eyeballs has to do with what you do when you drop packets. If you
>silently drop them, the host may have rely on timeouts rather than
>having a positive indication that a packet has been dropped.
This is a browser issue. I'll comment further in another message.
>Could you please elaborate?
The text about DNS (Section 4) is about DNS replies. What I meant
was that the draft recommends changing the answer for a (DNS) AAAA
query in an attempt to stop IPv6 traffic. It's ok to block IPv6
traffic as it's an IPv4-only network. I don't think that it is ok to
tamper with DNS replies (in this case you are covered by local policy
and you can do that).
>Please see the quotes when we say "'IPv4-only' networks" -- in practice,
>there's no such a thing, and you should think v6 security even if you
>think/want to run an IPv4-only network.
It might help to reword the Abstract and the Introduction Section so
that the purpose of the document is clear. I agree that it is good
to think IPv6 security even if I want an IPv4-only network.
>This one I cannot do much about. :-)
:-)
Regards,
-sm
- Re: Last Call: <draft-ietf-opsec-ipv6-implication… Brian E Carpenter
- Re: Last Call: <draft-ietf-opsec-ipv6-implication… SM
- Re: Last Call: <draft-ietf-opsec-ipv6-implication… Fernando Gont
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-imp… Fernando Gont
- RE: Last Call: <draft-ietf-opsec-ipv6-implication… George, Wes
- Re: Last Call: <draft-ietf-opsec-ipv6-implication… SM
- RE: Last Call: <draft-ietf-opsec-ipv6-implication… SM
- Re: Last Call: <draft-ietf-opsec-ipv6-implication… Fernando Gont
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-imp… Brian E Carpenter
- Re: Last Call: <draft-ietf-opsec-ipv6-implication… Fernando Gont
- Re: Last Call: <draft-ietf-opsec-ipv6-implication… Ted Lemon
- Re: Last Call: <draft-ietf-opsec-ipv6-implication… SM
- Re: Last Call: <draft-ietf-opsec-ipv6-implication… Fernando Gont
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-imp… Fernando Gont
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-imp… Brian E Carpenter
- Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-imp… Fernando Gont