Re: Flow label drafts updated
RJ Atkinson <rja.lists@gmail.com> Tue, 03 May 2011 09:47 UTC
Return-Path: <rja.lists@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB4BFE07B1 for <ipv6@ietfa.amsl.com>; Tue, 3 May 2011 02:47:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Znw+o3YcSVMh for <ipv6@ietfa.amsl.com>; Tue, 3 May 2011 02:47:27 -0700 (PDT)
Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com [74.125.82.44]) by ietfa.amsl.com (Postfix) with ESMTP id 9189DE079D for <ipv6@ietf.org>; Tue, 3 May 2011 02:47:27 -0700 (PDT)
Received: by wwa36 with SMTP id 36so4864673wwa.13 for <ipv6@ietf.org>; Tue, 03 May 2011 02:47:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:from:content-type:content-transfer-encoding :subject:date:message-id:to:mime-version:x-mailer; bh=ePYUFtJdpGnrGx4Q5XWVETvyBtfg9mq4nc5Fc76IHss=; b=pIx8+P/RLsE9aBLu5J9cfEmJSyBKIqw6XxbvBwyIGw4cn5VjsW2kAmMDyuMGfLD09w +787ZjNMp9x65Kwfghp94ERe+bD/eUQaUo+8j6Yi/AzauC3BOeMkFeV4+ocmBw3CUiht aYPhZDs2Ad5btbgA2MNIQpoE8EUpW5Yjj0JiE=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=from:content-type:content-transfer-encoding:subject:date:message-id :to:mime-version:x-mailer; b=fdz21/VWznYsB4pgree1+7MBilyoR4k6sUen3MrJUWKndGwIc08rxPVZ6urtSerDoz pBNIbZ1tu+8NuBMmbPjcUcv2BOrVS3j7qYWs8WOu6fnfXfCJj6gYtoICyG34LfoLauDl R9SIr844wohpHvVtr0bRV4LS1VL2Wk2+Cl/cM=
Received: by 10.227.197.201 with SMTP id el9mr4958725wbb.22.1304416045738; Tue, 03 May 2011 02:47:25 -0700 (PDT)
Received: from dragonfly.cs.ucl.ac.uk (dragonfly.cs.ucl.ac.uk [128.16.64.246]) by mx.google.com with ESMTPS id ca12sm111779wbb.2.2011.05.03.02.47.24 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 03 May 2011 02:47:25 -0700 (PDT)
From: RJ Atkinson <rja.lists@gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Subject: Re: Flow label drafts updated
Date: Tue, 03 May 2011 05:47:23 -0400
Message-Id: <D98CE1E0-4F21-4D7D-BB6C-AC2F89FE96B8@gmail.com>
To: ipv6@ietf.org
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 May 2011 09:47:28 -0000
Hi, My thanks to all of the editors for their joint work to sort out these drafts and to progress them together. It is substantial work to undertake. The drafts generally seem fine and are eminently readable. However, the "Security Considerations" for both draft-ietf-6man-flow-ecmp-02 and draft-ietf-6man-flow-3697bis seem not to mention the issue where the IPv6 Flow Label field is a relatively high-bandwidth covert channel. This means the Security Considerations for those 2 I-Ds are incomplete. I'm pleased that the covert channel issue is discussed on page 4 of draft-ietf-6man-flow-update-05. This covert channel issue is one reason why a number of deployed IPv6-capable firewalls (and other similar security appliances) clear the IPv6 Flow Label (e.g. in financial/trading environments where M&A information has very high monetary value). I request that this operational security concern, which is entirely legitimate albeit not applicable to all operational environments, at least be mentioned at the top of page 11 of draft-ietf-6man-flow-3697bis (i.e. where the fact that Flow Labels will continue to be zeroed in some deployments is noted). At present, the words there seem to imply that the zeroing behaviour is illogical, silly, and/or wrong -- when in fact it is logical, sensible, and quite correct in certain deployments. I would be MUCH happier if the wording were changed to allow an "operational security" exception to the general principle of not modifying non-zero IPv6 Flow Labels during transit. For example, the wording could say that network devices ought not modify non-zero IPv6 Flow Labels *by default*, leaving it open for users with particular security concerns to configure a non-default configuration (i.e. zeroing the Flow Label). I request that at least a brief mention of the covert channel issue be made in the Security Considerations sections of both draft-ietf-6man-flow-ecmp and draft-ietf-6man-flow-3697bis. If desired, such mentions could refer to the Gont draft or to the -3697bis draft for more detailed discussion of that issue. I am troubled by the apparent decision to ignore legitimate operational security considerations (e.g. about covert channels) and also the apparent decision to write these documents in a manner intended to legislate reasonable security measures (if applicable only in selected deployments) out of existence. This seems to be a case of the IETF levying deployment constraints upon users/operators, which is something that the IETF generally tries to avoid. Yours, Ran Atkinson
- Re: Flow label drafts updated RJ Atkinson
- Flow label drafts updated Brian E Carpenter
- Re: Flow label drafts updated Brian E Carpenter
- Re: Flow label drafts updated RJ Atkinson
- RE: Flow label drafts updated George, Wes E [NTK]
- Re: Flow label drafts updated Fernando Gont
- Re: Flow label drafts updated Thomas Narten
- Re: Flow label drafts updated RJ Atkinson
- RE: Flow label drafts updated George, Wes E [NTK]
- Re: Flow label drafts updated Brian E Carpenter
- Re: Flow label drafts updated Brian E Carpenter
- Re: Flow label drafts updated RJ Atkinson
- Re: Flow label drafts updated Brian E Carpenter
- RE: Flow label drafts updated Manfredi, Albert E
- Re: Flow label drafts updated Brian E Carpenter
- Re: Flow label drafts updated Joel M. Halpern
- Re: Flow label drafts updated Brian E Carpenter
- Re: Flow label drafts updated Joel M. Halpern
- Re: Flow label drafts updated RJ Atkinson
- Re: Flow label drafts updated Brian E Carpenter
- Re: Flow label drafts updated Brian E Carpenter
- Re: Flow label drafts updated John Leslie
- RE: Flow label drafts updated George, Wes E [NTK]
- Re: Flow label drafts updated Ran Atkinson
- Re: Flow label drafts updated Brian E Carpenter
- Flow label drafts updated again Brian E Carpenter