RE: Node Req. Issue 28: Security Considerations
john.loughney@nokia.com Thu, 20 November 2003 08:18 UTC
Received: from optimus.ietf.org ([132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id DAA24219 for <ipv6-archive@odin.ietf.org>; Thu, 20 Nov 2003 03:18:13 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AMk0g-0008L8-Iw for ipv6-archive@odin.ietf.org; Thu, 20 Nov 2003 03:17:55 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id hAK8HsOq032047 for ipv6-archive@odin.ietf.org; Thu, 20 Nov 2003 03:17:54 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AMk0e-0008Ko-Cc for ipv6-web-archive@optimus.ietf.org; Thu, 20 Nov 2003 03:17:52 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id DAA24170 for <ipv6-web-archive@ietf.org>; Thu, 20 Nov 2003 03:17:40 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1AMk0d-0006Qa-00 for ipv6-web-archive@ietf.org; Thu, 20 Nov 2003 03:17:51 -0500
Received: from [132.151.1.19] (helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 1AMk0c-0006QX-00 for ipv6-web-archive@ietf.org; Thu, 20 Nov 2003 03:17:50 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AMjzq-00081S-2m; Thu, 20 Nov 2003 03:17:02 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AMjyq-0007zw-OW for ipv6@optimus.ietf.org; Thu, 20 Nov 2003 03:16:00 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id DAA24082 for <ipv6@ietf.org>; Thu, 20 Nov 2003 03:15:48 -0500 (EST)
From: john.loughney@nokia.com
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1AMjyp-0006MH-00 for ipv6@ietf.org; Thu, 20 Nov 2003 03:15:59 -0500
Received: from mgw-x1.nokia.com ([131.228.20.21]) by ietf-mx with esmtp (Exim 4.12) id 1AMjyo-0006ME-00 for ipv6@ietf.org; Thu, 20 Nov 2003 03:15:58 -0500
Received: from esvir01nok.ntc.nokia.com (esvir01nokt.ntc.nokia.com [172.21.143.33]) by mgw-x1.nokia.com (Switch-2.2.8/Switch-2.2.8) with ESMTP id hAK8EWA09991 for <ipv6@ietf.org>; Thu, 20 Nov 2003 10:15:53 +0200 (EET)
Received: from esebh001.NOE.Nokia.com (unverified) by esvir01nok.ntc.nokia.com (Content Technologies SMTPRS 4.2.5) with ESMTP id <T66050b0207ac158f21082@esvir01nok.ntc.nokia.com>; Thu, 20 Nov 2003 10:14:31 +0200
Received: from esebe023.NOE.Nokia.com ([172.21.138.115]) by esebh001.NOE.Nokia.com with Microsoft SMTPSVC(5.0.2195.6747); Thu, 20 Nov 2003 10:14:31 +0200
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: RE: Node Req. Issue 28: Security Considerations
X-MimeOLE: Produced By Microsoft Exchange V6.0.6487.1
Date: Thu, 20 Nov 2003 10:14:30 +0200
Message-ID: <DADF50F5EC506B41A0F375ABEB320636A8BA97@esebe023.ntc.nokia.com>
Thread-Topic: Node Req. Issue 28: Security Considerations
Thread-Index: AcOu24mX7TsKs2IsTYWTEStHAQ694AAYo1Tw
To: jari.arkko@kolumbus.fi, mrw@windriver.com
Cc: ipv6@ietf.org
X-OriginalArrivalTime: 20 Nov 2003 08:14:31.0120 (UTC) FILETIME=[52F61D00:01C3AF3E]
Content-Transfer-Encoding: quoted-printable
Sender: ipv6-admin@ietf.org
Errors-To: ipv6-admin@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Id: IP Version 6 Working Group (ipv6) <ipv6.ietf.org>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: quoted-printable
Content-Transfer-Encoding: quoted-printable
Jari,
> >>>In the IPsec section, you mention that other security issues
> >>>will be covered in the Security Considerations section, but
> >>>I don't see any issues here...
>
> There used to be some things, but they got removed because
> people felt that those things belong to the individual
> protocol RFCs, or their future updates.
Agreed. No changes needed in current doc.
> >>>Why aren't privacy addresses covered in this document?
> >
> >
> > Should this be covered in the security section? Already, section
> > 4.5.3 talks about privacy extensions. Do we need more?
>
> As I mentioned, there's been a debate whether the specific
> issues belong here or in the individual RFCs. As John says,
> we already have a section for RFC 3041 and I am not aware
> of any specific IPv6 security issues it would raise beyond
> those mentioned in the document itself.
>
> As we were working on RFC 3316 (cellular hosts), we did
> discuss privacy issues a little bit in the security considerations
> section. But there we had a reason, as we explained the specific
> implications and benefits (or lack thereof) of using RFC 3041
> in cellular networks. As an example, since every host had its
> own prefix, obfuscating the interface identifier did not help
> quite as much as it did in Ethernet.
>
> Here we don't have that specific situation.
Agreed.
> >>>Also, did you consider a recommendation that IPv6 nodes should
> >>>implement SEND? Perhaps you should at least mention the
> >>>security issues with ND and indicate that the SEND group is
> >>>working to resolve them?
> >
> >
> > I believe we did not want this kind of forward reference to stuff
> > that is on-going. However, if people feel that the SEND stuff
> > is stable enough, we could put in a reference.
>
> Borderline. Back in IETF-56 & 57 we believed node reqs would be
> done much sooner than SEND. Now in SEND we have a plan to finish
> all work and have the WG go to sleep; the draft will be reissued
> once within a couple of weeks, then reviewed, and then reissued
> again and sent to IESG. So it might be off to the IESG this year.
> Assuming I find time to edit the draft ;-)
>
> If it gets there in time before node reqs is approved, we probably
> should add a reference. But it looks like we might agree about
> node reqs soon, so SEND probably completes slightly later.
> In that case there's no sense in waiting for SEND.
Agreed.
> Anyway, that reminds me that while redoing RFC 2461, we should
> probably tone down the language a bit regarding the use of AH;
> there's widely known issues with that (send documents some of
> these, draft-arkko-icmpv6-ike-effects talks about others). I'm
> not sure we should present AH any more as general solution.
> Perhaps SEND is done by the time that 2461bis is ready, so
> it could reference some of the SEND documents. Also, I'm not
> sure I agree with the RFC 2460 statement that the node requirements
> document quotes:
>
> The security features of IPv6 are described in the Security
> Architecture for the Internet Protocol [RFC-2401].
>
> I don't agree because we appear to have a number of other security
> features in IPv6 in addition to IPsec. MIPv6 RR, ND options for
> certs and CGAs in SEND, etc.
Suggested re-write:
Many of the the security features of IPv6 are described in the Security
Architecture for the Internet Protocol [RFC-2401].
However, your above text seems to indicate that 2401 requires a substantial
re-write.
John
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
- Re: Node Req. Issue 28: Security Considerations Jari Arkko
- RE: Node Req. Issue 28: Security Considerations john.loughney
- Node Req. Issue 28: Security Considerations john.loughney