Re: [OPSEC] WGLC on draft-ietf-opsec-ipv6-implications-on-ipv4-nets-02
Fernando Gont <fgont@si6networks.com> Fri, 01 February 2013 07:03 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D33C721F88BD for <opsec@ietfa.amsl.com>; Thu, 31 Jan 2013 23:03:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.25
X-Spam-Level:
X-Spam-Status: No, score=-3.25 tagged_above=-999 required=5 tests=[AWL=0.350, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kTD8h-Z+WZGV for <opsec@ietfa.amsl.com>; Thu, 31 Jan 2013 23:03:10 -0800 (PST)
Received: from web01.jbserver.net (web01.jbserver.net [93.186.182.34]) by ietfa.amsl.com (Postfix) with ESMTP id D573821F88BE for <opsec@ietf.org>; Thu, 31 Jan 2013 23:03:09 -0800 (PST)
Received: from 95-132-17-190.fibertel.com.ar ([190.17.132.95] helo=[192.168.1.113]) by web01.jbserver.net with esmtpsa (TLSv1:DHE-RSA-CAMELLIA256-SHA:256) (Exim 4.80.1) (envelope-from <fgont@si6networks.com>) id 1U1Adx-0004E8-Cq; Fri, 01 Feb 2013 08:03:02 +0100
Message-ID: <510B6886.30005@si6networks.com>
Date: Fri, 01 Feb 2013 04:02:30 -0300
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130106 Thunderbird/17.0.2
MIME-Version: 1.0
To: Warren Kumari <warren@kumari.net>
References: <0DF8F7D8-01EF-44AC-9ABB-A48D7E4855FC@kumari.net> <99E981C1-88DA-4BED-9E1C-8914BB271223@kumari.net> <AD28E3FE-25C3-42D0-9AF2-2408315FDA40@kumari.net> <E51F3621-0744-4053-A3BF-A0D84726376A@kumari.net>
In-Reply-To: <E51F3621-0744-4053-A3BF-A0D84726376A@kumari.net>
X-Enigmail-Version: 1.4.6
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Cc: opsec@ietf.org, opsec chairs <opsec-chairs@tools.ietf.org>
Subject: Re: [OPSEC] WGLC on draft-ietf-opsec-ipv6-implications-on-ipv4-nets-02
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Feb 2013 07:03:10 -0000
Hi, Warren, Thanks so much for your feedback! -- Please find my comments in-line... On 01/31/2013 01:36 PM, Warren Kumari wrote: > And hare are a chunk more comments. These are just nits / readability > bits… > > On a slightly more substantive note, I also think that the reference > to military networks is unneeded / not helpful. The only reason for which it was added is because the text just preceding it essentially claims that "blocking transition technologies should only be considered a short-term strategy" (but that doesn't hold true for some networks). To be honest, I wouldn't waste anyone's energy on this one :-), and could just remove such note if the wg thinks that's the best way forward. (As a matter of personal taste, I'd remove any wording of short-term vs. longer-term strategies, or note in which cases (such as military networks) blocking this stuff might be seen as a longer term thing). Input is certainly welcome! [I've removed all the readability bits that I'll apply "as suggested"] > o A Network Intrusion Detection System (NIDS) might be prepared to > detect attack patterns for IPv4 traffic, but might be unable to > detect the same attack patterns when a transition/co-existence > technology is leveraged for that purpose. > > O: might be prepared [...] might be unable P: may be prepared [...] > but may not be able Some native-English-speaking folk advised me to phrase the text as suggested, noting that "may" implies "permission", rather than "probability" (FWIW, I studied this a looong time :-) ago, and I'm not sure I could tell the difference). > o An IPv4 firewall might enforce a specific security policy in > IPv4, but might be unable to enforce the same policy in IPv6. > > O: might (twice) P: may (twice) Same as above -- please double-check... > o Some transition/co-existence mechanisms might cause an internal > host with otherwise limited IPv4 connectivity to become globally > reachable over IPv6, therefore resulting in increased (and possibly > unexpected) host exposure. > > O: might P: could Fixed. > Some transition/co-existence mechanisms (notably Teredo) are designed > to traverse Network Address Port Translation (NAPT) [RFC2663] > devices, allowing incoming IPv6 connections from the Internet to > hosts behind the organizational firewall or NAPT (which in many > deployments provides a minimum level of protection by only allowing > those instances of communication that have been initiated from the > internal network). > > O: or NAPT (which in many deployments P: or NAPT. (In many > deployments, this Is it okay to have a full sentece within parenthesis? > o IPv6 support might, either inadvertently or as a result of a > deliberate attack, result in VPN traffic leaks if IPv6-unaware > Virtual Private Network (VPN) software is employed by dual-stacked > hosts [I-D.ietf-opsec-vpn-leakages]. > > O: might P: could Fixed. > In general, most of the aforementioned security implications can be > mitigated by enforcing security controls on native IPv6 traffic and > on IPv4-tunneled traffic. Among such controls is the enforcement of > filtering policies, such that undesirable traffic is blocked. While > > O: , such that undesirable traffic is blocked. P: to block > undesirable traffic. Fixed. > This document discusses the security implications of IPv6 and IPv6 > transition/co-existence technologies on (allegedly) IPv4-only > networks, and provides guidance on how to mitigate the > aforementioned issues. > > O: This document discusses the security implications of IPv6 and > IPv6 transition/co-existence technologies on (allegedly) IPv4-only > networks, and provides guidance on how to mitigate the > aforementioned issues. P: Delete above paragraph C: Already in the > abstract; not sure why it is here as well? Common practice of producing the abstract from the Intro? :-) > 2. Security Implications of Native IPv6 Support > > Most popular operating systems include IPv6 support that is enabled > by default. This means that even if a network is expected to be > IPv4-only, much of its infrastructure is nevertheless likely to be > IPv6 enabled. For example, hosts are likely to have at least link- > local IPv6 connectivity which might be exploited by attackers with > access to the local network. > > [CORE2007] is a security advisory about a buffer overflow which could > be remotely-exploited by leveraging link-local IPv6 connectivity that > is enabled by default. > > Additionally, unless appropriate measures are taken, an attacker > with access to an 'IPv4-only' local network could impersonate a > local router and cause local hosts to enable their 'non-link-local' > IPv6 connectivity (e.g. by sending Router Advertisement messages), > possibly circumventing security controls that were enforced only on > IPv4 communications. > > [THC-IPV6] is the first publicly-available toolkit that implemented > this attack vector (along with many others). > > [IPv6-Toolkit] is a fully-featured trouble-shooting and security > assessment tool that implements this attack vector (along with many > others). > > [Waters2011] provides an example of how this could be achieved using > publicly available tools (besides incorrectly claiming the discovery > of a "0day vulnerability"). > > Native IPv6 support could also possibly lead to VPN traffic leakages > when hosts employ VPN software that not only does not support IPv6, > but that does nothing about IPv6 traffic. > > O: about IPv6 traffic. P: with IPv6 traffic, instead allowing that to > bypass the VPN. C: Not sure if this is what is meant? What I meant is that is not just that they cannot tunnel v6 traffic, but that they also don't even bother to block it. Should we s/about/with/, or keep it "as is"? Thanks so much! Best regards, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- [OPSEC] WGLC on draft-ietf-opsec-ipv6-implication… Warren Kumari
- Re: [OPSEC] WGLC on draft-ietf-opsec-ipv6-implica… George, Wes
- Re: [OPSEC] Fwd: WGLC on draft-ietf-opsec-ipv6-im… Rama Darbha
- Re: [OPSEC] WGLC on draft-ietf-opsec-ipv6-implica… Warren Kumari
- Re: [OPSEC] WGLC on draft-ietf-opsec-ipv6-implica… Smith, Donald
- Re: [OPSEC] WGLC on draft-ietf-opsec-ipv6-implica… Panos Kampanakis (pkampana)
- Re: [OPSEC] WGLC on draft-ietf-opsec-ipv6-implica… Fernando Gont
- [OPSEC] FW: WGLC on draft-ietf-opsec-ipv6-implica… Smith, Donald
- Re: [OPSEC] WGLC on draft-ietf-opsec-ipv6-implica… joel jaeggli
- Re: [OPSEC] WGLC on draft-ietf-opsec-ipv6-implica… Alec Waters
- Re: [OPSEC] WGLC on draft-ietf-opsec-ipv6-implica… Fernando Gont
- Re: [OPSEC] WGLC on draft-ietf-opsec-ipv6-implica… joel jaeggli
- Re: [OPSEC] WGLC on draft-ietf-opsec-ipv6-implica… Fernando Gont
- Re: [OPSEC] WGLC on draft-ietf-opsec-ipv6-implica… Alec Waters
- Re: [OPSEC] WGLC on draft-ietf-opsec-ipv6-implica… Fernando Gont
- Re: [OPSEC] WGLC on draft-ietf-opsec-ipv6-implica… Alec Waters
- Re: [OPSEC] WGLC on draft-ietf-opsec-ipv6-implica… joel jaeggli
- Re: [OPSEC] WGLC on draft-ietf-opsec-ipv6-implica… Warren Kumari
- Re: [OPSEC] WGLC on draft-ietf-opsec-ipv6-implica… joel jaeggli
- Re: [OPSEC] WGLC on draft-ietf-opsec-ipv6-implica… Warren Kumari
- Re: [OPSEC] WGLC on draft-ietf-opsec-ipv6-implica… Warren Kumari
- Re: [OPSEC] WGLC on draft-ietf-opsec-ipv6-implica… Fernando Gont
- Re: [OPSEC] WGLC on draft-ietf-opsec-ipv6-implica… Warren Kumari
- Re: [OPSEC] WGLC on draft-ietf-opsec-ipv6-implica… Fernando Gont