Re: [OPSEC] Call for Adoption: draft-gont-opsec-ipv6-nd-security-01

["George, Wes" <wesley.george@twcable.com>]

I think that this is worthwhile work for Opsec to undertake, because ND security is definitely something that not all vendors and SPs have a handle on yet, and it's really useful to have all of the information in one place to be able to point vendors at when trying to improve the state of ND security.

That said, I have some concern about the current format of this document vs. its name and intent. This is supposed to be a security assessment, but rather than simply identifying the current vulnerabilities, it also provides recommendations on how to secure against them. This is certainly good information that I support being in a document, we just need to decide if it belongs in this document and whether that drives a title and abstract change to reflect the document's purpose more accurately, or whether we want to split out mitigation from assessment.
The doc is currently informational, and does not include any RFC2119 boilerplate, but it makes recommendations for behaviors that are not explicitly required by the existing protocol implementation. Many of the places where "...should..." appears in the document look prescriptive/normative to me, and it's not always clear from the text/references whether this is simply reiterating what is already in the standard, or making a new recommendation for better security.

e.g. section 3.1: " If
   the packet does not pass this check, it should be silently dropped.

      While this is not explicitly required in [RFC4861] this provides
      an additional counter-measure (other than the validation of the
      Hop Limit) for non-local malicious nodes willing to make use of
      Router Solicitation messages for reconnaissance purposes."

Perhaps BCP would be a better choice, or info with 2119 keywords, I don't know.

I'd also recommend moving the current section 6 much earlier in the document, so that you start by discussing the vulnerabilities, and then you can go into the recommendations on ND validations (current section 3). I'm not sure how sections 4 and 5 fit into that framework, since they appear to be talking about vulnerabilities as well, but I know that the current one doesn't seem very intuitive to me.


Thanks,

Wes George




> -----Original Message-----
> From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] On Behalf
> Of Warren Kumari
> Sent: Wednesday, September 11, 2013 10:17 AM
> To: OpSec@ietf.org; draft-gont-opsec-ipv6-nd-security-01@tools.ietf.org
> Cc: Warren Kumari
> Subject: [OPSEC] Call for Adoption: draft-gont-opsec-ipv6-nd-security-01
>
> Dear OpSec WG,
>
> This starts a Call for Adoption for draft-gont-opsec-ipv6-nd-security-
> 01.
>
Anything below this line has been added by my company's mail server, I have no control over it.
-----------------

This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.