RE: [rfc2461bis issue 252] Security considerations issues
Soliman Hesham <H.Soliman@flarion.com> Wed, 11 February 2004 22:34 UTC
Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA04505 for <ipv6-archive@odin.ietf.org>; Wed, 11 Feb 2004 17:34:23 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1Ar2vZ-0008Pt-Rx for ipv6-archive@odin.ietf.org; Wed, 11 Feb 2004 17:33:56 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i1BMXrrG032347 for ipv6-archive@odin.ietf.org; Wed, 11 Feb 2004 17:33:53 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1Ar2vZ-0008Pe-NR for ipv6-web-archive@optimus.ietf.org; Wed, 11 Feb 2004 17:33:53 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA04472 for <ipv6-web-archive@ietf.org>; Wed, 11 Feb 2004 17:33:50 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1Ar2vX-0004as-00 for ipv6-web-archive@ietf.org; Wed, 11 Feb 2004 17:33:51 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1Ar2ud-0004TX-00 for ipv6-web-archive@ietf.org; Wed, 11 Feb 2004 17:32:56 -0500
Received: from optimus.ietf.org ([132.151.1.19]) by ietf-mx with esmtp (Exim 4.12) id 1Ar2u3-0004MJ-00 for ipv6-web-archive@ietf.org; Wed, 11 Feb 2004 17:32:19 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1Ar2tn-0007vZ-48; Wed, 11 Feb 2004 17:32:03 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1Ar2tb-0007uq-4L for ipv6@optimus.ietf.org; Wed, 11 Feb 2004 17:31:51 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA04360 for <ipv6@ietf.org>; Wed, 11 Feb 2004 17:31:47 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1Ar2tY-0004L0-00 for ipv6@ietf.org; Wed, 11 Feb 2004 17:31:48 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1Ar2sg-0004Ek-00 for ipv6@ietf.org; Wed, 11 Feb 2004 17:30:54 -0500
Received: from mail.flarion.com ([63.103.94.23] helo=ftmail.lab.flarion.com) by ietf-mx with esmtp (Exim 4.12) id 1Ar2sF-00047P-00 for ipv6@ietf.org; Wed, 11 Feb 2004 17:30:27 -0500
Received: by ftmail.lab.flarion.com with Internet Mail Service (5.5.2657.72) id <1FYGWTVB>; Wed, 11 Feb 2004 17:29:54 -0500
Message-ID: <9E3BA3946476AD4EB94672712B12A85F04212E@ftmail.lab.flarion.com>
From: Soliman Hesham <H.Soliman@flarion.com>
To: 'James Kempf' <kempf@docomolabs-usa.com>, ipv6@ietf.org
Subject: RE: [rfc2461bis issue 252] Security considerations issues
Date: Wed, 11 Feb 2004 17:29:18 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2657.72)
Content-Type: text/plain; charset="iso-8859-1"
Sender: ipv6-admin@ietf.org
Errors-To: ipv6-admin@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Id: IP Version 6 Working Group (ipv6) <ipv6.ietf.org>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no version=2.60
Thanks James, a couple of answers below. > > 1. Adding a new section (3.2) before the message formats > > to briefly explain that security is outside the scope of > > this doc and refer to SEND work. It also explains when IPsec > > can be used. > > > > I think it might be wise to discuss whether the document > should continue to > recommend IPsec with the Security ADs and get some input > from the community > and the security directorate. > draft-arkko-manual-icmpv6-sas-01.txt outlines > some scalability problems with IPsec, even if manual keying > is used, as you > mention below. There is a potential deployment issue as to > what constitutes > a "small" network and at what point the network hits the > scalability barrier > when the network provider will have to completely > reconfigure their network > and turn SEND on. I'm not sure whether it makes sense to > recommend manual > keying for small networks when SEND would work as well and > wouldn't require > a flag day reconfigure if the network grew too large. Also, > manual keying > doesn't make sense for zeroconf networks, because it isn't > zeroconf. The ND > part of SEND could be used for disconnected zeroconf > networks, and the > router part could too if the host came preconfigured with a > collection of > cert trust anchors. => I just want to clarify one thing: it is not my intention to recommend IPsec in any way. I just wanted to mention when it can be used and its limitation. I can add something to say that SEND is the preferred option in general. If the WG wants to remove any reference to IPsec I'm happy to do that too. > > "Neighbor Discovery messages are needed for various > functions. Several > > functions are designed to allow hosts to ascertain the > ownership of an > > address or the mapping between link layer and IP layer > addresses. Having > > Neighbor Discovery functions on the ICMP layer allows for > the use of IP > > layer security mechanisms, which are available independently of the > > availability of security on the link layer. > > > > I would say "requires the use of IP layer", since if the > user chooses to use > security in ND, they must use IP layer security. => ok, I actually changed this as per Jari's comment. > If there is support for completely deprecating IPsec for ND, > I'd suggest > adding that instead. => I'll go with whatever the WG wants of course. So far only you and Jari have commented. > > I assume you will also put a reference to draft-send-ndopts > (to be changed > into the RFC when it passes IESG review) in the normative references > section? => Sure. Hesham > > jak > -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
- [rfc2461bis issue 252] Security considerations is… Soliman Hesham
- Re: [rfc2461bis issue 252] Security consideration… Jari Arkko
- RE: [rfc2461bis issue 252] Security consideration… Soliman Hesham
- Re: [rfc2461bis issue 252] Security consideration… James Kempf
- Re: [rfc2461bis issue 252] Security consideration… James Kempf
- RE: [rfc2461bis issue 252] Security consideration… Soliman Hesham
- Re: [rfc2461bis issue 252] Security consideration… James Kempf
- Re: [rfc2461bis issue 252] Security consideration… Steven M. Bellovin