IETF Logo Mail Archive

Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-implications-on-ipv4-nets-03.txt> (Security Implications of IPv6 on IPv4 Networks) to Informational RFC

Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 02 April 2013 09:45 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4EC921F9858; Tue, 2 Apr 2013 02:45:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.48
X-Spam-Level:
X-Spam-Status: No, score=-101.48 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_IP_ADDR=1.119, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 72pC3uAcsPxg; Tue, 2 Apr 2013 02:45:28 -0700 (PDT)
Received: from mail-wi0-x229.google.com (mail-wi0-x229.google.com [IPv6:2a00:1450:400c:c05::229]) by ietfa.amsl.com (Postfix) with ESMTP id AA1B821F9850; Tue, 2 Apr 2013 02:45:27 -0700 (PDT)
Received: by mail-wi0-f169.google.com with SMTP id c10so2972609wiw.0 for <multiple recipients>; Tue, 02 Apr 2013 02:45:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=x-received:message-id:date:from:organization:user-agent :mime-version:to:cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=XRgv9LTx9/KXB2UTkDmdxcNEuuw5ZUIgIC8IDRIYeoo=; b=XsF5aKFPjXREIU7Niaa4faHdNrUi7SqZNTqKb3G+p6oUKWNNq4CNBK5KAMrCLr61wJ gOEPzWOLp/SSkn19NaPNuT5NpPuOGHUZYJLcLJHMBfi84I6sIpVSP3nvUnDtai2j29Yj 4DZFqOk9bus7El+wewaUxyVvWXhB1RLOxukZHfWYad1iHxA+cPcg/Mb3EON8OMfc0b6k B+B625JeriNCnv0c2uRYiIwDmdxLJuMHuPP0oLouftjCmnrwALhBMY9O2hLzImzSjsv8 3dAqZE2WtXG5JrZ6N6rNHaodvdjxJv9DLjtiA2B09hqyA4mYPvOVqHtK/HTUmaUvnaXF G5Bw==
X-Received: by 10.194.220.70 with SMTP id pu6mr20384298wjc.27.1364895923349; Tue, 02 Apr 2013 02:45:23 -0700 (PDT)
Received: from [128.232.110.128] (c128.al.cl.cam.ac.uk. [128.232.110.128]) by mx.google.com with ESMTPS id er1sm17900398wib.5.2013.04.02.02.45.21 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 02 Apr 2013 02:45:22 -0700 (PDT)
Message-ID: <515AA8B4.5020707@gmail.com>
Date: Tue, 02 Apr 2013 10:45:24 +0100
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Fernando Gont <fgont@si6networks.com>
Subject: Re: [OPSEC] Last Call: <draft-ietf-opsec-ipv6-implications-on-ipv4-nets-03.txt> (Security Implications of IPv6 on IPv4 Networks) to Informational RFC
References: <20130329130326.13012.1402.idtracker@ietfa.amsl.com> <51559943.1010703@gmail.com> <515985E1.1000404@si6networks.com>
In-Reply-To: <515985E1.1000404@si6networks.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: opsec@ietf.org, ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2013 09:45:28 -0000

Fernando,

Rather than repeating myself, I'll suggest a change to the Introduction
that would (IMHO) improve the message:

OLD:

1.  Introduction

   Most general-purpose operating systems implement and enable native
   IPv6 [RFC2460] support and a number of transition/co-existence
   technologies by default.  For cases in which the corresponding
   devices are deployed on networks that are assumed to be IPv4-only,

NEW:

1.  Introduction

   Most general-purpose operating systems implement and enable native
   IPv6 [RFC2460] support and a number of transition/co-existence
   technologies by default [RFC6434]. Support of IPv6 by all nodes is
   intended to become best current practice [RFC6540]. As a result,
   networks will need to plan for and deploy IPv6 and its security
   mechanisms. Some enterprise networks might, however, choose to delay
   active use of IPv6. For networks that are assumed to be IPv4-only,

It would be nice to refer to draft-ietf-v6ops-enterprise-incremental-ipv6
but I think that is too far from RFC publication to be very useful.

Regards
   Brian

On 01/04/2013 14:04, Fernando Gont wrote:
> Brian,
> 
> On 03/29/2013 10:38 AM, Brian E Carpenter wrote:
>> My minimal request for this draft is for my name to be removed from
>> the Acknowledgements, as I do not think that my comments have been
>> acted on.
> 
> That has been my intent, and I sent a note before publishing one of the
> latest revs to double-check that (not sure if I missed your respond, or
> you didn't respond).
> 
> 
>> In fact, I think that in its current state, this document is harmful
>> to IPv6 deployment. It in effect encourage sites to fence themselves
>> into an IPv4-only world. Particularly, it explicitly suggests a
>> default/deny approach to IPv6-in-IPv4 tunnels, which would prevent
>> the typical "baby steps" first approach to IPv6 deployment.
> 
> Sites that implement any kind of security policy employ a "default deny
> policy" (for the simple reason that it's safer to open holes than
> explicitly close them). The bottom-line is that if your site enforces
> any kind of security policy, you should make an explicit decision
> regarding what you do with v6, rather than being unaware that it's there
> in your network.
> 
> 
> 
>> I would like to see the document convey a positive message, suggesting
>> that an IPv4 site first decides which IPv6 deployment mechanism it
>> will use, and then configures security appropriately (to allow that
>> mechanism and block all others).
> 
> There's an operational gap here: in many cases, operators have no tools
> to enforce security policies on such tunneled traffic.
> 
> Besides, when thinking about v6, enterprise networks and the like should
> be doing native IPv6 (in which case v6 security controls would be
> enforced throughout the network), rather than having each node go their
> own way.
> 
> 
>> A specific aspect of this is that if a site provides one well-managed
>> 6in4 tunnel mechanism, all tunneled IPv6 packets will pass through
>> well-defined points where security mechanisms may be applied.
> 
> In which case you'd be "enforcing IPv6 security controls", which is
> entirely in-line ith what this document is saying.
> 
> 
>> We shouldn't imply that not having an IPv6 plan and blocking all IPv6
>> by default is a sound strategy.
> 
> It's not, and I don't think we're implying that. However, I'd note that
> some people are in the position of blocking traffic, or not doing
> anything about it. Check for IPv6 support in different security
> products, and you might get depressed.
> 
> Cheers,

v2.23.0 | Report a Bug | By Email