Re: [OPSEC] I-D Action: draft-ietf-opsec-v6-15.txt
Brian E Carpenter <brian.e.carpenter@gmail.com> Sat, 09 March 2019 21:55 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 498611277D9 for <opsec@ietfa.amsl.com>; Sat, 9 Mar 2019 13:55:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kQBaBN0Krr96 for <opsec@ietfa.amsl.com>; Sat, 9 Mar 2019 13:55:53 -0800 (PST)
Received: from mail-pf1-x42b.google.com (mail-pf1-x42b.google.com [IPv6:2607:f8b0:4864:20::42b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BEE8B12705F for <opsec@ietf.org>; Sat, 9 Mar 2019 13:55:53 -0800 (PST)
Received: by mail-pf1-x42b.google.com with SMTP id n22so790816pfa.3 for <opsec@ietf.org>; Sat, 09 Mar 2019 13:55:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=bbn5i8rJZYgo2yp7Di8MI0Dh+/nP4t8oKbc9wRKW7qc=; b=qbD9WmQNeyLwO9OMZuIhnBtAbTulI/VlUHn6EIxnrrT9vLodIz/08LCIm9SzxtRwMR Vp+ALLz+S9nGb+usm14z/B8KoNmjJ6OsrzdbCpCcXfQt/7VBSepoMYN2+tD87OK1dX8H UX2eXz1kU/xFXy4jNOLDu5SLuH+iEeXG9WjanFVBRVo95Eg19zufw+Ss8a5FfX0nporV Fmd9jZFURpsYwuzOf3kX9daB5kQC0U6mG459V5PImitkGPuQ+jDEEYHi3+MXckG5K1nD ovEaEcFeucIgUDX7CTbabZV063PUsGtqDvJDxGMN7IMkv/mAbad6T2mmNe0ghhfNW+1q O9jA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=bbn5i8rJZYgo2yp7Di8MI0Dh+/nP4t8oKbc9wRKW7qc=; b=IpV6l3h0uPBThs7FLyqMNcR514j1XC52UzpTvmYoczKvdlWIfcuz1iSMp1A0PLwmPR Pe6zJM0gbr6BVIwT7Px0dSpu/uT+wNW8kdnoutBeI9eOR6TbKXWkrnodGVd3hTBgdDNV 5Mi4CgcxkcYA1gmEPwGd4ZTpP/moYAnt/ZYs+887VU2+qCJz7BjdvuJdS8iS+PaHY3t5 kwYEvpCPt60nJww+l8sKmRwP7GOtZT1sMvhQjruCKDBf1NTOVaobUIUmwDmWTf90rHH0 BolfMk0qGOS0wuy7SSCgSR+XlQn2A+R+ZjCNeCMTkNYHEPfcEvWAaSqQIwobtle9erFQ 4Dmw==
X-Gm-Message-State: APjAAAV2GyUWgtbavIEbqUQkl5dNqwyRXA3CY35OpepufvJMbdQfgBtf o7lNRtdnGbmyCqHQ5S01XGOeQpNR
X-Google-Smtp-Source: APXvYqyRxjXxlxjgQdLvhF1hVhP3SvWS7LZoAp+j0K1k6N77TGkBPfrhJjwxfrynygmMhlPFm6Ahcg==
X-Received: by 2002:a63:68ca:: with SMTP id d193mr23015360pgc.53.1552168552922; Sat, 09 Mar 2019 13:55:52 -0800 (PST)
Received: from [192.168.178.30] (211.231.69.111.dynamic.snap.net.nz. [111.69.231.211]) by smtp.gmail.com with ESMTPSA id f10sm1887376pgo.55.2019.03.09.13.55.50 for <opsec@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 09 Mar 2019 13:55:51 -0800 (PST)
To: opsec@ietf.org
References: <155216353255.28690.611573903036715612@ietfa.amsl.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <f851fd05-b175-432e-7f64-4cbb9d0c4049@gmail.com>
Date: Sun, 10 Mar 2019 10:55:49 +1300
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.5.3
MIME-Version: 1.0
In-Reply-To: <155216353255.28690.611573903036715612@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/9IUp1L6YtyysEdzgz6SWQB6Voc0>
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-v6-15.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Mar 2019 21:55:55 -0000
Hi, A few comments. (Note that I am not on the opsec list, so please CC me on any replies.) > 2.1.2. Use of ULAs ... > It is tempting to think that ULAs could be useful for infrastructure > hiding as described in [RFC4864];... That's a very strange choice of words, and ignores the actual argument for this choice, which is that internal communications using ULAs are doubly protected from accidental external visibility. If you want to say that RFC4864 was wrong, please argue that explcitly. Otherwise please be neutral, e.g.: ULAs could be used for infrastructure hiding as described in [RFC4864];... > It is recommended to consider filtering packets with ULA source > addresses or ULA destination addresses at the domain boundary. Actually RFC4193 is already stronger than that. Filtering ULA routes is a "must", and filtering packets containing ULA source or destination is a "should" (unless explicitly configured otherwise). I think you should not weaken this here! > 2.1.4. Temporary Addresses - Privacy Extensions for SLAAC > > Historically stateless address autoconfiguration (SLAAC) relies on > the automatically generated EUI-64 address,which together with the > /64 prefix makes up the global unique IPv6 address. That's inaccurate. Try: Historically, stateless address autoconfiguration (SLAAC) relied on an automatically generated 64 bit interface identifier (IID) based on the EUI-64 MAC address, which together with the /64 prefix makes up the globally unique IPv6 address. ... > As [RFC4941] privacy extension addresses could also be used to > obfuscate some malevolent activities (whether on purpose or not), > specific user attribution/accountability procedures must be put in > place as described in section Section 2.6. That "must" is a bit strange. It seems too much to say "MUST", so why not make it "SHOULD"? Regards Brian Carpenter
- [OPSEC] I-D Action: draft-ietf-opsec-v6-15.txt internet-drafts
- Re: [OPSEC] I-D Action: draft-ietf-opsec-v6-15.txt Brian E Carpenter
- Re: [OPSEC] I-D Action: draft-ietf-opsec-v6-15.txt Bob Hinden
- Re: [OPSEC] I-D Action: draft-ietf-opsec-v6-15.txt Eric Vyncke (evyncke)
- Re: [OPSEC] I-D Action: draft-ietf-opsec-v6-15.txt Bob Hinden