[node req] Issue 34: security issues
john.loughney@nokia.com Wed, 11 February 2004 19:05 UTC
Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA14437 for <ipv6-archive@odin.ietf.org>; Wed, 11 Feb 2004 14:05:26 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AqzfO-0002UX-8y for ipv6-archive@odin.ietf.org; Wed, 11 Feb 2004 14:04:58 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i1BJ4wHt009571 for ipv6-archive@odin.ietf.org; Wed, 11 Feb 2004 14:04:58 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AqzfO-0002UH-3y for ipv6-web-archive@optimus.ietf.org; Wed, 11 Feb 2004 14:04:58 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA14390 for <ipv6-web-archive@ietf.org>; Wed, 11 Feb 2004 14:04:55 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1AqzfL-0007IC-00 for ipv6-web-archive@ietf.org; Wed, 11 Feb 2004 14:04:55 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1AqzeR-0007BI-00 for ipv6-web-archive@ietf.org; Wed, 11 Feb 2004 14:04:00 -0500
Received: from optimus.ietf.org ([132.151.1.19]) by ietf-mx with esmtp (Exim 4.12) id 1AqzdU-00074L-00 for ipv6-web-archive@ietf.org; Wed, 11 Feb 2004 14:03:00 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AqzdV-0001ll-NN; Wed, 11 Feb 2004 14:03:01 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1Aqzcb-0001XU-E5 for ipv6@optimus.ietf.org; Wed, 11 Feb 2004 14:02:05 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA14180 for <ipv6@ietf.org>; Wed, 11 Feb 2004 14:02:02 -0500 (EST)
From: john.loughney@nokia.com
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1AqzcZ-0006wr-00 for ipv6@ietf.org; Wed, 11 Feb 2004 14:02:03 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1AqzbZ-0006p5-00 for ipv6@ietf.org; Wed, 11 Feb 2004 14:01:02 -0500
Received: from mgw-x1.nokia.com ([131.228.20.21]) by ietf-mx with esmtp (Exim 4.12) id 1AqzaT-0006fc-00 for ipv6@ietf.org; Wed, 11 Feb 2004 13:59:54 -0500
Received: from esvir01nok.ntc.nokia.com (esvir01nokt.ntc.nokia.com [172.21.143.33]) by mgw-x1.nokia.com (Switch-2.2.8/Switch-2.2.8) with ESMTP id i1BIxrq22184 for <ipv6@ietf.org>; Wed, 11 Feb 2004 20:59:53 +0200 (EET)
Received: from esebh004.NOE.Nokia.com (unverified) by esvir01nok.ntc.nokia.com (Content Technologies SMTPRS 4.2.5) with ESMTP id <T67b2c9add5ac158f210ad@esvir01nok.ntc.nokia.com> for <ipv6@ietf.org>; Wed, 11 Feb 2004 20:59:53 +0200
Received: from esebe023.NOE.Nokia.com ([172.21.138.115]) by esebh004.NOE.Nokia.com with Microsoft SMTPSVC(5.0.2195.6747); Wed, 11 Feb 2004 20:59:51 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.0.6487.1
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: [node req] Issue 34: security issues
Date: Wed, 11 Feb 2004 20:59:52 +0200
Message-ID: <DADF50F5EC506B41A0F375ABEB3206360143B5E2@esebe023.ntc.nokia.com>
Thread-Topic: FW: Evaluation of: draft-ietf-ipv6-node-requirements-07.txt
Thread-Index: AcPJUuZdq/Dzns8DTTydWfqRk2m0pwnfjrOQ
To: jari.arkko@kolumbus.fi
Cc: ipv6@ietf.org
X-OriginalArrivalTime: 11 Feb 2004 18:59:51.0796 (UTC) FILETIME=[3A91A340:01C3F0D1]
Content-Transfer-Encoding: quoted-printable
Sender: ipv6-admin@ietf.org
Errors-To: ipv6-admin@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Id: IP Version 6 Working Group (ipv6) <ipv6.ietf.org>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.3 required=5.0 tests=AWL, NO_REAL_NAME autolearn=no version=2.60
Content-Transfer-Encoding: quoted-printable
Content-Transfer-Encoding: quoted-printable
Assigned issue 34. > >>For Section 8, RFCs 2401, 2402, and 2406 are currently being > >>revised by the IPsec group; that should be mentioned. > > Ok. I agree that it is good to alert the reader to the > fact that some of the documents may have updated RFCs > available. Thanks. > > >>The crypto algorithm requirements should be better aligned > >>with recommendations from the IPsec wg. There's a draft that > >>lists 3DES as SHOULD, not MAY. > > The problem is that the requirements have been aligned with > the recommendations of the IPsec, as they exist in *RFCs*. > Not drafts. > > I personally think that we need to recommend and inform > about better alternatives, even if such alternatives do not > yet exist as RFCs or if they are not mandated by keywords. > This is what we have done -- the document talks about 3DES, > AES, etc. > > However, there has been general resistance in the WG (maybe even the > ADs) for us to mandate anything beyond the current normative RFCs. It > was felt that the original RFCs should rather be updated than the > node requirements document made to impose additional requirements. > If the IESG thinks its okay for us to mandate stronger algorithms > than what the current IPsec RFCs say, then I'm going to be > *very* happy. > > But if, not then I think its up to the IPsec WG to advance their > documents and mandate the algorithms that they think are > appropriate. > > >>I think that IKEv? should be a SHOULD, not a MAY. While the > >>IESG hasn't yet seen draft-bellovin-mandate-keymgmt, it will > >>soon and it describes automated key management as a "strong > >>SHOULD". That's certainly the consensus in the security area. > > This is also related to the question of what the current > RFCs say. In the case of IKE, I'm actually uncertain what > the keyword is -- it is not immediately clear to me from the > document. Perhaps it is to others, I would appreciate comments > on this! I think we should use a keyword that the current > RFCs have, whatever that is. > > Anyway, I think the node requirements document is somewhat > different than a usual IETF protocol document. In the RFC for > for protocol FOO, there are some security issues and those > are solved with the support of some security mechanisms. > > But here, the specific security issues appear within the > RFCs that we refer to, and the necessary security mechanisms > are introduced there as well. So when talking about FOO > and IKE, we know that IKE addresses FOO's issues. But in > the case of the node requirements document, the security > issues either have been addressed in the relevant RFCs, or > those RFCs should be reissued and corrected. > > Additional stuff can be extremely useful for the nodes, but it > may not address any IPv6-specific issue. For instance, if we > required IKE, TLS, and S/MIME, this would make sure that > those are available to the IPv6 nodes, but none of them would > help addressing the security issues in, say, IPv6 ND. > > So I guess what I am looking for is some guidance on whether > this document should focus on the IPv6 specific part, or give > a more general requirements. I think we need to choose between > > (1) "We, the IETF, think that in order to do IPv6, you > need <THIS>.", and > (2) "We, the IETF, think that in order to do IPv6, you > need <THIS> and the user on a node surely needs > also <THAT>." > > I'm fine doing it either way, but we need to agree what > the scope is. -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
- [node req] Issue 34: security issues john.loughney