RE: On SEND deployment (Re: Conclusion: 6MAN Adoption call on draft-rafiee-6man-ssas-07)
"Hosnieh Rafiee" <ietf@rozanak.com> Mon, 20 January 2014 18:21 UTC
Return-Path: <ietf@rozanak.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 915D31A0222 for <ipv6@ietfa.amsl.com>; Mon, 20 Jan 2014 10:21:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.265
X-Spam-Level:
X-Spam-Status: No, score=0.265 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RP_MATCHES_RCVD=-0.535] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8OsdwNZxkFl2 for <ipv6@ietfa.amsl.com>; Mon, 20 Jan 2014 10:21:20 -0800 (PST)
Received: from mail.rozanak.com (mail.rozanak.com [IPv6:2a01:238:42ad:1500:aa19:4238:e48f:61cf]) by ietfa.amsl.com (Postfix) with ESMTP id 00C851A01E5 for <ipv6@ietf.org>; Mon, 20 Jan 2014 10:21:19 -0800 (PST)
Received: from localhost (unknown [127.0.0.1]) by mail.rozanak.com (Postfix) with ESMTP id C112E23E2D48; Mon, 20 Jan 2014 18:21:18 +0000 (UTC)
X-Virus-Scanned: amavisd-new at rozanak.com
Received: from mail.rozanak.com ([127.0.0.1]) by localhost (mail.iknowlaws.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 37dFsgdTnwQO; Mon, 20 Jan 2014 19:21:13 +0100 (CET)
Received: from kopoli (g231195012.adsl.alicedsl.de [92.231.195.12]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by mail.rozanak.com (Postfix) with ESMTPSA id 65D2923E2B25; Mon, 20 Jan 2014 19:21:12 +0100 (CET)
From: Hosnieh Rafiee <ietf@rozanak.com>
To: 'Fernando Gont' <fgont@si6networks.com>, 'Fernando Gont' <fernando@gont.com.ar>, 'Ole Troan' <otroan@employees.org>, '6man WG' <ipv6@ietf.org>
Subject: RE: On SEND deployment (Re: Conclusion: 6MAN Adoption call on draft-rafiee-6man-ssas-07)
Date: Mon, 20 Jan 2014 19:21:11 +0100
Message-ID: <001501cf160c$66105a00$32310e00$@rozanak.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Ac8WDGN4/fj2matnTPmt+IaYi/jFTw==
Content-Language: en-us
Cc: '6man Chairs' <6man-chairs@tools.ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jan 2014 18:21:22 -0000
Fernando, Just a quick review about SSAS to give you and those who didn't get the idea of SSAS a short review. If you review the SSAS draft, you will find out that you can either use it as an option of SeND or use it alone. So, it doesn't necessarily need to deploy with SeND but if one wants to use it as a SeND option, it is also possible but in this case it doesn't need to carry the signature in SSAS data structure. I explained this all in version 8 of this draft and addressed all the issues. About why SeND is not deployed again, I refer you to the local security draft that I wrote which is informational draft. You can find some of the reasons that I gathered during the discussions with people. http://tools.ietf.org/html/draft-rafiee-6man-local-security-00#section-4.1 Some notes, None of the existing approaches can prevent IP spoofing, with some of the approaches you can mitigate fake RA spoofing but not host IP address spoofing. > > Hosnieh, > > On 01/17/2014 02:52 AM, Hosnieh Rafiee wrote: > >> My two cents: > >> > >> * Use of trust anchors makes deployment painful for the general case. > > > > This is why I proposed a local centralized RPKI in the second draft. > > What do you mean by "local centralized"? Whether the PKI is local or global > doesn't seem to affect how hard this is to deploy. > > > > >> * Most popular OSes do not have a real SEND implementation (not long > >> ago the only way to play on BSDs was a Java implementation?). When it > >> comes to open source ones, the fact that SEND is IPR'ed doesn't help the > situation. > > > > The reason is because of CGA > > IIRC, there were *two* patents on SEND. > > > > >> * While other parts of the "system" are largely unsecured, SeND > >> probably does not much. (e.g, if a local attacker can spoof a DNS > >> response, > > securing the > >> layer-2/3 mapping will not buy much in most cases -- i.e., just spoof > >> the > > DNS > >> response, and you're done). > > > > I considered DNS spoofing to address that problem by proposing > > CGA-TSIG (it use both SSAS/CGA as its solution) and it is implemented. > > I didn't go through your I-D in detail, hence I cannot comment one way or > another. > > Based on the discussions it seems folks are not convinced why this would be > easier to deploy than send. So if you're willing to continue pursuing this effort, > you could try to spell out the reasons for which SEND has not been widely > deployed, and provide a clear explanation on why your proposal would make > a difference. -- Feel free to start from the reasons I provided, or tweak as > deemed necessary. You can actually find the reasons inside the drafts and all supportive drafts. At least in version 8 I tried to clarify the reasons. > > >> * SEND wasn't there for v4. And there's a tendency to try to employ > >> IPv6 as IPv4, focusing on the benefit of the larger address space > >> (i.e., > > for > >> some, "I lived with this in v4 for 20+ years, so..."). Not that I > > necessarily > >> endorse this view, but just meant to spell it out. > > > > Current available mechanism also have problem and cannot mitigate IP > > spoofing. This is the main reason I wrote that local security draft to > > address these problems. > > Agreed. But we're analyzing why SEND has not been widely deployed. If folks > out there do not consider this is to be a problem that is worth addressing, no > matter what solution we propose, it will still be a "problem not worth > addressing" from their point of view. Why do you think that I established a non-WG group. I want really to solve the problem of local security and deploy it and also use it as a means of authentication for other layers. I again refer you to that local security draft. I really tried to discuss the problem and inform the possible solutions. Hosnieh
- RE: On SEND deployment (Re: Conclusion: 6MAN Adop… Hosnieh Rafiee
- RE: On SEND deployment (Re: Conclusion: 6MAN Adop… Mikael Abrahamsson