Re: ITU-T SG17 IPv6 security work items liaison

Fernando Gont <fernando@gont.com.ar> Tue, 07 June 2011 13:32 UTC

Sender: Fernando Gont <fernando.gont.netbook.win@gmail.com>
Message-ID: <4DED7DB2.6080802@gont.com.ar>
Date: Mon, 06 Jun 2011 22:24:02 -0300
From: Fernando Gont <fernando@gont.com.ar>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110424 Thunderbird/3.1.10
MIME-Version: 1.0
To: John Leslie <john@jlc.net>
Subject: Re: ITU-T SG17 IPv6 security work items liaison
References: <4DEA6323.4070302@cs.tcd.ie> <20110605031045.GK88250@verdi>
In-Reply-To: <20110605031045.GK88250@verdi>
X-Enigmail-Version: 1.1.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: v6ops@ietf.org, ipv6@ietf.org, Eliot Lear <lear@cisco.com>, "saag@ietf.org" <saag@ietf.org>, "Turner, Sean P." <turners@ieca.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>

On 06/05/2011 12:10 AM, John Leslie wrote:

>> I think we'd like to respond to them that that's great,
>> and we'll be interested in their results, but can they
>> *please* come back to us before saying something should
>> be changed so's we can talk about it.
> 
>    I don't think that's quite right. We should welcome their studying
> security issues; but I think we need to _strongly_ encourage them to
> start from draft-ietf-6man-node-req-bis when it becomes an RFC -- since
> it has _significant_ changes from RFC 4294 (and an ITU-T study based
> on RFC4294 will be of rather limited value).

While I have not read the latest version of the aforementioned I-D, I
don't think it addresses (nor should it) the security implications of
IPv6. As a simple example, while there has been some work on the
security implications of transition/co-existence technologies, I don't
think there have been e.g. best practices published on e.g. how to
filter them (in those environments in which the use of technologies such
as Teredo is undesirable). Additionally, I don't think there has been
much work on which tools could be used (and how) to perform network
monitoring (e.g., use NDPMon to monitor ND-based attacks).


>    Clearly, ITU-T is entirely justified in publishing recommendations
> of what level of security-related-trust to place in IPv6 packet
> forwarding: but any protocol _changes_ are outside their bailiwick.

Agreed. However (and with no clue about what ITU-T is planning to work
on) I guess there's room for recommendations on what stuff to filter,
specific features that should be enabled/disabled, etc.


>    (As an aside, IETF should resist most proposals for change until
> IPv6 sees widespread deployment -- deploying to a moving target is
> just TOO risky.)

While I do see some value in this point (and I'm aware there are many
that share this point of view), I think this argument does not
necessarily apply to security. If a flaw is identified, and there's a
concrete proposal to mitigate it, I don't think it would be a good idea
to resist *this* type of change/update.

Thanks!

Best regards,
-- 
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@acm.org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1