[OPSEC] Roman Danyliw's Discuss on draft-ietf-opsec-ipv6-eh-filtering-08: (with DISCUSS and COMMENT)
Roman Danyliw via Datatracker <noreply@ietf.org> Tue, 13 July 2021 13:23 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: opsec@ietf.org
Delivered-To: opsec@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 7528F3A0DDE; Tue, 13 Jul 2021 06:23:35 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-opsec-ipv6-eh-filtering@ietf.org, opsec-chairs@ietf.org, opsec@ietf.org, Éric Vyncke <evyncke@cisco.com>, evyncke@cisco.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.34.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <162618261483.23262.1123677167769417679@ietfa.amsl.com>
Date: Tue, 13 Jul 2021 06:23:35 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/4PArbu6nICQwPS9n6yYoOvqOOUY>
Subject: [OPSEC] Roman Danyliw's Discuss on draft-ietf-opsec-ipv6-eh-filtering-08: (with DISCUSS and COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.29
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jul 2021 13:23:43 -0000
Roman Danyliw has entered the following ballot position for draft-ietf-opsec-ipv6-eh-filtering-08: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-opsec-ipv6-eh-filtering/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Can the principled approach to making these recommendations be more clearly explained and documented? Section 3 primarily establishes a two-option filtering regime (drop vs. permit), but Section 4 seems to provide more nuance with a three-option filtering regime which considers the needs of the network (drop vs. drop if functionality not needed vs. permit). As an aside, a fourth filtering action of removing the options is presented in Section 4.3.9.4. Additionally, see the comment below which has a summary table for recommendations in Section 4 analogous to Table 1 of Section 3 to allow side-by-side comparisons. Was the three-option filtering regime considered for all recommendations? For example, Section 4.3.7.5 , Router Alert (Type=0x05) recommends permitting this option “in environments where support for RSVP, multicast routing, or similar protocols is desired.” (i.e., “drop if functionality is not needed”). However, Section 3.4.8, HIP (Protocol Number=139) recommend categorically permitted these packets. If an operator knows that HIP is not a technology they have a desire to use in an environment, why shouldn’t they block it (just like was suggested for Router Alerts)? Consideration for conditional discard based on local needs seems appropriate for Shim6, Mobility Header, HIP, ILNP Nonce, Tunnel Encapsulation, and all RPL options if the goal is to minimize traffic which has to go on the slow path. I read in the shepherd’s write-up that trade-offs were made to minimize ossification. However, that rationale is not apparent in the text. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- ** Section 1. Per “Recent studies (see e.g. [RFC7872) …”, is there an updated study to reference to support the thesis that widespread dropping of IPv6 packets with extension headers is happening? RFC7872 is based on data sets from 2014 and 2015. ** Section 1. While some operators "officially" drop packets that contain IPv6 EHs, it is possible that some of the measured packet drops be the result of improper configuration defaults, or inappropriate advice in this area. -- What does the word officially in quotes mean? -- Is there any reference that supports the assertion of improper configuration defaults? -- who is providing inappropriate advice? ** Section 1. The text calls out the use of “deny-lists” by transit networks and “accept-lists” that are “enforced closer to the destination systems”. Is there any indication that the networks which originate the traffic are doing filtering of outbound traffic? ** Section 2.1 Per “… and irrespective of whether the specific filtering action is logged”, no issues with making this distinction. However, it seems out of place since none of the previous text said anything about logging as a discriminator among the permit, drop or reject actions. ** Section 2.3. This section seems mistitled as “Conventions”. The text appears to be describing assumptions for nodes and how the guidance will be used. ** Section 3.2. Per the cited references: -- [FW-Benchmark]. This associated URL returned a 404 error for me (http://www.ipv6hackers.org/meetings/ipv6-hackers-1/zack-ipv6hackers1-firewall-security-assessment-and-benchmarking.pdf) -- [Cisco-EH]. This document was last updated in 2006. Are the design descriptions it captures still accurate? ** Section 4. Table 1 summarized the recommendations of Section 3. A similar table would be helpful for the recommendations of this section. For example: +----------------------------+--------------------------+-----------+ | Option | Filtering policy | Reference | +----------------------------+--------------------------+-----------+ | Pad1 | Permit | Section | | (Type=0x00) | | 4.3.1 | +----------------------------+--------------------------+-----------+ | PadN | Permit | Section | | (Type=0x01) | | 4.3.2 | +----------------------------+--------------------------+-----------+ | Jumbo Payload | Permit based on | Section | | (Type=0xC2) | needed functionality | 4.3.3 | +----------------------------+--------------------------+-----------+ | RPL Option | Router-specific filter | Section | | (Type=0x63) | | 4.3.4 | +----------------------------+--------------------------+-----------+ | RPL Option | Permit | Section | | (Type=0x23) | | 4.3.5 | +----------------------------+--------------------------+-----------+ | Tunnel Encapsulation Limit | Permit | Section | | (Type=0x04) | | 4.3.6 | +----------------------------+--------------------------+-----------+ | Router Alert | Permit based on | Section | | (Type=0x05) | needed functionality | 4.3.7 | +----------------------------+--------------------------+-----------+ | Quick Start | Permit | Section | | (Type=0x26) | | 4.3.8 | +----------------------------+--------------------------+-----------+ | CALIPSO | Permit based on | Section | | (Type=0x07) | needed functionality | 4.3.9 | +----------------------------+--------------------------+-----------+ | Home Address | Permit | Section | | (Type=0xC9) | | 4.3.11 | +----------------------------+--------------------------+-----------+ | Endpoint Identification | Drop | Section | | (Type=0x8A) | | 4.3.12 | +----------------------------+--------------------------+-----------+ | ILNP Nonce | Permit | Section | | (Type=0x8B) | | 4.3.13 | +----------------------------+--------------------------+-----------+ | Line-Identification | Drop | Section | | (Type=0x8C) | | 4.3.14 | +----------------------------+--------------------------+-----------+ | Deprecated | Drop | Section | | (Type=0x4D) | | 4.3.15 | +----------------------------+--------------------------+-----------+ ... ** Section 7. The text doesn’t seem to make a statement about security beyond reiterating the intent of the document. Does adopting the practices in this document improve the security posture of the network? Are there any new security considerations to consider if these practices are adopted? ** Editorial -- Section 2.3. Editorial. Per the paragraph that starts with “Finally, we note that …”, this guidance seems very similar (repetitive) to the explanation already provided in Section 2.1. -- Section 3.2. Editorial. s/decisions in future/decisions in the future/ -- Section 4.3.9.5. Editorial. Recommend removing the unique “RFC-5570” style notation.
- [OPSEC] Roman Danyliw's Discuss on draft-ietf-ops… Roman Danyliw via Datatracker
- Re: [OPSEC] Roman Danyliw's Discuss on draft-ietf… Fernando Gont