Re: Flow label drafts updated
Brian E Carpenter <brian.e.carpenter@gmail.com> Thu, 05 May 2011 06:03 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A80DE0693 for <ipv6@ietfa.amsl.com>; Wed, 4 May 2011 23:03:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.753
X-Spam-Level:
X-Spam-Status: No, score=-102.753 tagged_above=-999 required=5 tests=[AWL=-0.373, BAYES_00=-2.599, DATE_IN_PAST_24_48=1.219, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xMk2+GncfG4z for <ipv6@ietfa.amsl.com>; Wed, 4 May 2011 23:03:12 -0700 (PDT)
Received: from mail-bw0-f44.google.com (mail-bw0-f44.google.com [209.85.214.44]) by ietfa.amsl.com (Postfix) with ESMTP id A7B6EE0692 for <ipv6@ietf.org>; Wed, 4 May 2011 23:03:11 -0700 (PDT)
Received: by bwz13 with SMTP id 13so1788918bwz.31 for <ipv6@ietf.org>; Wed, 04 May 2011 23:03:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:message-id:date:from:organization:user-agent :mime-version:to:cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=mmHS9tiUcjfV/DVr4BhtKh2IrxIqCZnC9C/k0cdl164=; b=dXaAuj3LYaxGevmf2u+aT3cGS49K5z8i5MD+wIH9pm9TsGJCIluselYeuP+CpNZS0k eBn4Sdu6+a//UAitX+kKq2VjboUHp0aPrsHdAeKw9OtDEaVKouW4byrd8jiY7xOlfNEm HjHtsuOLutLFQmPZoIgz2okV0kAhheN5Zhxgw=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; b=JVrXRay6sySbfzCe4/g2d5cNBkbu2woszCAMd16oLJFxH7BHWgj++t3SYKiNDITFJF GgaxA8VjRSNZly/go93JCTYt85Q72lqra45c67CliKsU4OkxUrkL9vmzMbb0sDqk2tP6 bSmsezXKPAEuaL5UFN0rmCEiGQTrVZL6JdjeE=
Received: by 10.204.230.194 with SMTP id jn2mr1845504bkb.133.1304574965651; Wed, 04 May 2011 22:56:05 -0700 (PDT)
Received: from [10.1.1.5] ([121.98.251.219]) by mx.google.com with ESMTPS id c11sm1150375bkc.2.2011.05.04.22.56.02 (version=SSLv3 cipher=OTHER); Wed, 04 May 2011 22:56:04 -0700 (PDT)
Message-ID: <4DC07A80.2030200@gmail.com>
Date: Wed, 04 May 2011 09:58:24 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: RJ Atkinson <rja.lists@gmail.com>
Subject: Re: Flow label drafts updated
References: <D98CE1E0-4F21-4D7D-BB6C-AC2F89FE96B8@gmail.com>
In-Reply-To: <D98CE1E0-4F21-4D7D-BB6C-AC2F89FE96B8@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: ipv6@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 May 2011 06:03:12 -0000
Ran, > I am troubled by the apparent decision to ignore legitimate > operational security considerations (e.g. about covert channels) We should certainly mention the covert channels issue in the security considerations of 3697bis. > and also the apparent decision to write these documents > in a manner intended to legislate reasonable security measures > (if applicable only in selected deployments) out of existence. I don't understand this comment. The flow label has always been defined as immutable; the consensus in the WG is to keep that property. So a firewall that overwrites it is unambiguously breaking the standard. Regards Brian On 2011-05-03 21:47, RJ Atkinson wrote: > Hi, > > My thanks to all of the editors for their joint work to sort out > these drafts and to progress them together. It is substantial > work to undertake. The drafts generally seem fine and are > eminently readable. > > However, the "Security Considerations" for both > draft-ietf-6man-flow-ecmp-02 and draft-ietf-6man-flow-3697bis > seem not to mention the issue where the IPv6 Flow Label field > is a relatively high-bandwidth covert channel. This means the > Security Considerations for those 2 I-Ds are incomplete. > > I'm pleased that the covert channel issue is discussed on page 4 > of draft-ietf-6man-flow-update-05. This covert channel issue is > one reason why a number of deployed IPv6-capable firewalls (and > other similar security appliances) clear the IPv6 Flow Label > (e.g. in financial/trading environments where M&A information > has very high monetary value). > > I request that this operational security concern, which is entirely > legitimate albeit not applicable to all operational environments, > at least be mentioned at the top of page 11 of draft-ietf-6man-flow-3697bis > (i.e. where the fact that Flow Labels will continue to be zeroed > in some deployments is noted). At present, the words there seem > to imply that the zeroing behaviour is illogical, silly, and/or wrong > -- when in fact it is logical, sensible, and quite correct in certain > deployments. I would be MUCH happier if the wording were changed > to allow an "operational security" exception to the general > principle of not modifying non-zero IPv6 Flow Labels during transit. > For example, the wording could say that network devices ought > not modify non-zero IPv6 Flow Labels *by default*, leaving it > open for users with particular security concerns to configure > a non-default configuration (i.e. zeroing the Flow Label). > > I request that at least a brief mention of the covert channel > issue be made in the Security Considerations sections of both > draft-ietf-6man-flow-ecmp and draft-ietf-6man-flow-3697bis. > If desired, such mentions could refer to the Gont draft or > to the -3697bis draft for more detailed discussion of that > issue. > > I am troubled by the apparent decision to ignore legitimate > operational security considerations (e.g. about covert channels) > and also the apparent decision to write these documents > in a manner intended to legislate reasonable security measures > (if applicable only in selected deployments) out of existence. > This seems to be a case of the IETF levying deployment > constraints upon users/operators, which is something that the > IETF generally tries to avoid. > > Yours, > > Ran Atkinson > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > -------------------------------------------------------------------- >
- Re: Flow label drafts updated RJ Atkinson
- Flow label drafts updated Brian E Carpenter
- Re: Flow label drafts updated Brian E Carpenter
- Re: Flow label drafts updated RJ Atkinson
- RE: Flow label drafts updated George, Wes E [NTK]
- Re: Flow label drafts updated Fernando Gont
- Re: Flow label drafts updated Thomas Narten
- Re: Flow label drafts updated RJ Atkinson
- RE: Flow label drafts updated George, Wes E [NTK]
- Re: Flow label drafts updated Brian E Carpenter
- Re: Flow label drafts updated Brian E Carpenter
- Re: Flow label drafts updated RJ Atkinson
- Re: Flow label drafts updated Brian E Carpenter
- RE: Flow label drafts updated Manfredi, Albert E
- Re: Flow label drafts updated Brian E Carpenter
- Re: Flow label drafts updated Joel M. Halpern
- Re: Flow label drafts updated Brian E Carpenter
- Re: Flow label drafts updated Joel M. Halpern
- Re: Flow label drafts updated RJ Atkinson
- Re: Flow label drafts updated Brian E Carpenter
- Re: Flow label drafts updated Brian E Carpenter
- Re: Flow label drafts updated John Leslie
- RE: Flow label drafts updated George, Wes E [NTK]
- Re: Flow label drafts updated Ran Atkinson
- Re: Flow label drafts updated Brian E Carpenter
- Flow label drafts updated again Brian E Carpenter