Re: Node Req. Issue 28: Security Considerations
Jari Arkko <jari.arkko@kolumbus.fi> Wed, 19 November 2003 20:29 UTC
Received: from optimus.ietf.org ([132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA09975 for <ipv6-archive@odin.ietf.org>; Wed, 19 Nov 2003 15:29:02 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AMYwK-0005cO-9s for ipv6-archive@odin.ietf.org; Wed, 19 Nov 2003 15:28:41 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id hAJKSeSN021594 for ipv6-archive@odin.ietf.org; Wed, 19 Nov 2003 15:28:40 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AMYwJ-0005cD-TC for ipv6-web-archive@optimus.ietf.org; Wed, 19 Nov 2003 15:28:39 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA09894 for <ipv6-web-archive@ietf.org>; Wed, 19 Nov 2003 15:28:26 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1AMYwI-0001XF-00 for ipv6-web-archive@ietf.org; Wed, 19 Nov 2003 15:28:38 -0500
Received: from [132.151.1.19] (helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 1AMYwI-0001XA-00 for ipv6-web-archive@ietf.org; Wed, 19 Nov 2003 15:28:38 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AMYvk-0005QT-Gi; Wed, 19 Nov 2003 15:28:04 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AMYvI-0005M1-KP for ipv6@optimus.ietf.org; Wed, 19 Nov 2003 15:27:37 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA09662 for <ipv6@ietf.org>; Wed, 19 Nov 2003 15:27:11 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1AMYv4-0001VF-00 for ipv6@ietf.org; Wed, 19 Nov 2003 15:27:22 -0500
Received: from p2.piuha.net ([131.160.192.2]) by ietf-mx with esmtp (Exim 4.12) id 1AMYv4-0001V8-00 for ipv6@ietf.org; Wed, 19 Nov 2003 15:27:22 -0500
Received: from kolumbus.fi (p4.piuha.net [131.160.192.4]) by p2.piuha.net (Postfix) with ESMTP id 464816A911; Wed, 19 Nov 2003 22:27:20 +0200 (EET)
Message-ID: <3FBBCF9D.5030309@kolumbus.fi>
Date: Wed, 19 Nov 2003 22:16:29 +0200
From: Jari Arkko <jari.arkko@kolumbus.fi>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: john.loughney@nokia.com, Margaret Wasserman <mrw@windriver.com>
Cc: ipv6@ietf.org
Subject: Re: Node Req. Issue 28: Security Considerations
References: <DADF50F5EC506B41A0F375ABEB320636A8BA7D@esebe023.ntc.nokia.com>
In-Reply-To: <DADF50F5EC506B41A0F375ABEB320636A8BA7D@esebe023.ntc.nokia.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Sender: ipv6-admin@ietf.org
Errors-To: ipv6-admin@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Id: IP Version 6 Working Group (ipv6) <ipv6.ietf.org>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
john.loughney@nokia.com wrote: >>>In the IPsec section, you mention that other security issues >>>will be covered in the Security Considerations section, but >>>I don't see any issues here... There used to be some things, but they got removed because people felt that those things belong to the individual protocol RFCs, or their future updates. >>>Why aren't privacy addresses covered in this document? > > > Should this be covered in the security section? Already, section > 4.5.3 talks about privacy extensions. Do we need more? As I mentioned, there's been a debate whether the specific issues belong here or in the individual RFCs. As John says, we already have a section for RFC 3041 and I am not aware of any specific IPv6 security issues it would raise beyond those mentioned in the document itself. As we were working on RFC 3316 (cellular hosts), we did discuss privacy issues a little bit in the security considerations section. But there we had a reason, as we explained the specific implications and benefits (or lack thereof) of using RFC 3041 in cellular networks. As an example, since every host had its own prefix, obfuscating the interface identifier did not help quite as much as it did in Ethernet. Here we don't have that specific situation. >>>Also, did you consider a recommendation that IPv6 nodes should >>>implement SEND? Perhaps you should at least mention the >>>security issues with ND and indicate that the SEND group is >>>working to resolve them? > > > I believe we did not want this kind of forward reference to stuff > that is on-going. However, if people feel that the SEND stuff > is stable enough, we could put in a reference. Borderline. Back in IETF-56 & 57 we believed node reqs would be done much sooner than SEND. Now in SEND we have a plan to finish all work and have the WG go to sleep; the draft will be reissued once within a couple of weeks, then reviewed, and then reissued again and sent to IESG. So it might be off to the IESG this year. Assuming I find time to edit the draft ;-) If it gets there in time before node reqs is approved, we probably should add a reference. But it looks like we might agree about node reqs soon, so SEND probably completes slightly later. In that case there's no sense in waiting for SEND. Anyway, that reminds me that while redoing RFC 2461, we should probably tone down the language a bit regarding the use of AH; there's widely known issues with that (send documents some of these, draft-arkko-icmpv6-ike-effects talks about others). I'm not sure we should present AH any more as general solution. Perhaps SEND is done by the time that 2461bis is ready, so it could reference some of the SEND documents. Also, I'm not sure I agree with the RFC 2460 statement that the node requirements document quotes: The security features of IPv6 are described in the Security Architecture for the Internet Protocol [RFC-2401]. I don't agree because we appear to have a number of other security features in IPv6 in addition to IPsec. MIPv6 RR, ND options for certs and CGAs in SEND, etc. --Jari -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
- Re: Node Req. Issue 28: Security Considerations Jari Arkko
- RE: Node Req. Issue 28: Security Considerations john.loughney
- Node Req. Issue 28: Security Considerations john.loughney