Re: [OPSEC] Roman Danyliw's No Objection on draft-ietf-opsec-v6-26: (with COMMENT)
KK Chittimaneni <kk.chittimaneni@gmail.com> Tue, 11 May 2021 14:30 UTC
Return-Path: <kk.chittimaneni@gmail.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91F0B3A19C6; Tue, 11 May 2021 07:30:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VT9CGyBHtpzK; Tue, 11 May 2021 07:30:22 -0700 (PDT)
Received: from mail-lf1-x135.google.com (mail-lf1-x135.google.com [IPv6:2a00:1450:4864:20::135]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 721AC3A19C7; Tue, 11 May 2021 07:30:21 -0700 (PDT)
Received: by mail-lf1-x135.google.com with SMTP id x20so28956710lfu.6; Tue, 11 May 2021 07:30:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=C6lhI5BDNGhPYi1vjs/LIAZ7pj1bG1JyUeECF1MRwZc=; b=HDJn2atwB98k5Gok/J6LI+PYgfE3NgB+9cz9k/b/L3IGhtxwCqIjv3tSuRgrgdGvAi QCgRbmWbdNq+F0wViKoNpvQhZXCl7FBBIXJgCi/I8wRu2SG3j/JX3P6GWBXRLUork9Ww lFXSV9w35qZaNphqzq1kIswNczMRowD3FwMyGXzHmTm/zF9wyc6wgljFjsTLHKdwjHlo WlJKm8sWOKQck4opmDqJxteTqoDl69ps2yx2yfa/8TOqT8l/KwEQdzxxpHrreSJIVugX 1VsH5Lhc1wnS5v3ivdTGmhAh4cf++DM/z0fSPcvlKraDvyoEvq3+7e9sbcdvPOJ/xIlM cttg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=C6lhI5BDNGhPYi1vjs/LIAZ7pj1bG1JyUeECF1MRwZc=; b=lsEPIqO2qsS458G9ZfBKT9an+U5gPECUw40P+nANyuPvjoN4PIgnOyVB20veBG0ga5 RlhiEgh4yzW/La6OhoGCda96QatQatg8WKyfuniY5VmRY+aTE2Myjyvu505stIVqyX3M jv9IiyCWtbrqqAINSCiL/WAXizJGgA7C+jWE98unDLnJ49jqU0415maj+GpLmayspWOO G31Ohia/41B0eRsdkPHy0I7Pvtd0BMgssDhR7FqWAkOjCUITohCeE3j4BJEWmotX8lWI 0PgTb9JJ94sBBKM+xccfkG+f7/G47n0kPgBPd+Aai5QmzVN/B7xmkXcQ9DcpwQBho/it mwQw==
X-Gm-Message-State: AOAM530lHXMVeBU4lKnyCKebgEPTm/LlyWvJ/97aQ2Kd96T8rgr4Oid5 D2eNo1Vv8SQRxmS6sMP5YLsIAHnFddHKPtKtCe0=
X-Google-Smtp-Source: ABdhPJxPqEOfKM5P+CBOgukwob0fNTjP35Zt4oESt4QB16+OBIVME7k6tFnSPGagWy2ve42WaU4kMC65RLnWqqcm5Aw=
X-Received: by 2002:ac2:43ce:: with SMTP id u14mr21317131lfl.439.1620743418780; Tue, 11 May 2021 07:30:18 -0700 (PDT)
MIME-Version: 1.0
References: <161897107564.3338.17761721532629857647@ietfa.amsl.com>
In-Reply-To: <161897107564.3338.17761721532629857647@ietfa.amsl.com>
From: KK Chittimaneni <kk.chittimaneni@gmail.com>
Date: Tue, 11 May 2021 07:30:07 -0700
Message-ID: <CA+iP7bXPNT5mMqspfvTspUj5zFhSqTwEKOzsn7cZX136x9uQEQ@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: The IESG <iesg@ietf.org>, draft-ietf-opsec-v6@ietf.org, opsec-chairs@ietf.org, opsec@ietf.org, Gyan Mishra <hayabusagsm@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000bfa46205c20ebb35"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/0AYd5W57T5jO4iy9yGcUNkpKiBM>
Subject: Re: [OPSEC] Roman Danyliw's No Objection on draft-ietf-opsec-v6-26: (with COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 May 2021 14:30:27 -0000
Hi Roman, Thank you very much for your detailed review. Together with my co-authors, we have uploaded revision -27, which should address most of your comments except a few listed below with our rationale: ** Section 2.1.5. Per “However, in scenarios where anonymity is a strong desire (protecting user privacy is more important than user attribution), privacy extension addresses should be used.”, it might be worth acknowledging that even if these are managed network, the end user and the operators may be at odds on what privacy properties are important. [authors] We didn't change the text here as we felt that this is a given. ** Section 3.1. This list is helpful. Is text here and Section 2.5.4 needed? For example, does one need to say both “discard _packets_ from bogons” (this section) and “discard _routes_ from bogons” (Section 2.5.4) [authors] We kept the text in both sections the rationale being that packets are dropped at the enterprise edge while routes are ignored by peering routers (not all enterprises have a DFZ routing) The diff is at: https://www.ietf.org/rfcdiff?url2=draft-ietf-opsec-v6-27 Regards, KK On Tue, Apr 20, 2021 at 7:11 PM Roman Danyliw via Datatracker < noreply@ietf.org> wrote: > Roman Danyliw has entered the following ballot position for > draft-ietf-opsec-v6-26: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-opsec-v6/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > ** Section 2.1.5. Per “However, in scenarios where anonymity is a strong > desire (protecting user privacy is more important than user attribution), > privacy extension addresses should be used.”, it might be worth > acknowledging > that even if these are managed network, the end user and the operators may > be > at odds on what privacy properties are important. > > ** Section 2.2.1. Per “A firewall or edge device should be used to > enforce the > recommended order and the maximum occurrences of extension headers”, does > enforcement mean dropping the packets? > > ** Section 2.3.2. Per “Network operators should be aware that RA-Guard and > SAVI do not work or could even be harmful in specific network > configurations”, > please provide a more details, ideally through citation. > > ** Section 2.3.2, “Enabling RA-Guard by default in … enterprise campus > networks > …”, what’s the key property of “enterprise campus network”. The > introduction > already roughly says this whole document applies to managed networks. > > ** Section 2.5.2. Reading this section, the specific recommended practices > weren’t clear. > > ** Section 2.6. It wasn’t clear how comprehensive this list of logs was > intended to be. A few additional thoughts include: -- DHCPv6 logs -- > firewall > ACL logs -- authentication server logs -- NEA-like policy enforcement at > the > time of connection -- vpn/remote access logs -- passive DNS from port 53 > traffic -- full packet capture -- active network and service scanning/audit > information > > ** Section 2.6.1.2. The recommended fields in this section are helpful, > but > only in the context of the rest of the five-tuple + timing + interface + > vlan + > select layer 4 information for each flow. These open IPFIX information > elements aren't mentioned. > > ** Section 2.6.2.1. Per “The forensic use case is when the network > operator > must locate an IPv6 address that was present in the network at a certain > time > or is currently in the network”, isn’t this use case more precisely an > attempt > to link an IP address to (a) a specific port in the case of a wired > network; > (b) a access point (or base station, etc.) in the case of wireless; or (c) > an > external IP address in the case of a VPN connection? > > ** Section 2.6.2.1. Additional techniques/suggestions to consider: > -- Using the IPAM system noted in Section 2.1 or any other inventory > system to > provide hints in the about where an IP address might belong in the > topology. > > -- A reminder that mapping between and IP+port or MAC+IP might not have > been > the same one as during the time of the event of interest > > -- there is discussion about identifying subscribers for an ISP but not in > normal enterprise network scenario through SSO logs (if port level security > doesn’t exist) > > ** Section 2.6.2.2. Per “The first technique is to use the IPFIX > information > and extract the list of all IPv6 source addresses to find all of the IPv6 > nodes > that sent packets through the router”. This framing is mixing the > technique > with a particular logging format. I would recommend being clear that the > technique is question is passive inspection of network talkers. There a > several ways to get that: a properly configured IPFIX feed from a router, > but > also from any number of network analysis tools on a span port or a tap. > > ** Section 2.7.1. In addition to the two listed practices at the IPv4 > edge, I > would recommend adding the common practice of application specific flow > inspection. > > ** Section 2.8. The intent of this section isn’t clear as all of the > described > practices are equally true of v4. A few missing hardening practices > include: > > -- applying firmware, OS and application patches/upgrades to the devices > in a > timely manner. > > -- using multi-factor credentials to authenticate to devices > > ** Section 3. This section is titled “Enterprises Specific …”, how is an > “enterprise” different than a “managed network” called out in the > applicability > statement? > > ** Section 3.1. This list is helpful. Is text here and Section 2.5.4 > needed? > For example, does one need to say both “discard _packets_ from bogons” > (this > section) and “discard _routes_ from bogons” (Section 2.5.4) > > > >
- [OPSEC] Roman Danyliw's No Objection on draft-iet… Roman Danyliw via Datatracker
- Re: [OPSEC] Roman Danyliw's No Objection on draft… KK Chittimaneni