Re: [OPSEC] Request for opions on accepting draft-gont-opsec-ip-security-01 as a working group document (fwd)
Andrew Yourtchenko <ayourtch@cisco.com> Thu, 15 January 2009 12:03 UTC
Date: Thu, 15 Jan 2009 13:04:03 +0100
From: Andrew Yourtchenko <ayourtch@cisco.com>
To: opsec@ietf.org

Hi all,

It's my first activity on OPSEC, and I was a tad late to react - so initially sent unicast, but forwarding to the list now nonetheless FYI.

thanks,
andrew

---------- Forwarded message ----------
Date: Wed, 14 Jan 2009 19:54:34 +0100 (CET)
From: Andrew Yourtchenko <ayourtch@cisco.com>
To: Joel Jaeggli <joelja@bogus.com>
Cc: Fernando Gont <fernando@gont.com.ar>
Subject: Re: [OPSEC] Request for opions on accepting draft-gont-opsec-ip-security-01 as a working group document

Hello Joel,

I've been only reading the mails on the WG up till now, so, given my very late reaction - not sure if it is still OK to send the opinion now - unicasting..

In my opinion this work is definitely something that should be adopted by the WG for further review and discussion.

To illustrate - one point, which rose upon a quick scan of the document:

With my security hat on, the trivially incrementing IP ID is obviously a Bad Thing(tm).

With my digger-debugger hat on, the trivially incrementing IP ID within the session more than once allowed to spot a misbehaving middlebox unknown to be there and save some real pain to real customers.

From this operational perspective, the incrementing ID is a good property because it provides an ephemeral "identity" to the endpoint besides the easily spoofable IP address - hence allows to detect the latter.

So I think there might be more than just black and white, and it might be useful to discuss.

If the document gets adopted, I volunteer to review it in more detail.

thanks,
andrew

On Thu, 1 Jan 2009, Joel Jaeggli wrote:

> I trust everyone had an eventful new year and I hope that for the sake of
> our industry the next six months doesn't look worse than the previous
> six months.
>
> Working from the action items it's time to test consensus on accepting;
>
> draft-gont-opsec-ip-security-01
>
> http://tools.ietf.org/html/draft-gont-opsec-ip-security-01
>
> as a working group document.
>
> Commentary will be accepted through Friday January 9th.
>
> Thanks
> Joel
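
The operational use of an incrementing IP ID described in the message above, shown as an added example that is not part of the original mail: packets claiming one source address are grouped by the IP ID counter they fit, and a source with more than one counter points to a second IP stack (a middlebox or a spoofing host) using that address. It assumes the sender increments one global 16-bit counter per packet; the function names, the `max_step` tolerance and the sample capture are constructed for illustration.

```python
from collections import defaultdict

IPID_MOD = 1 << 16  # the IPv4 Identification field is 16 bits wide


def ipid_tracks(packets, max_step=64):
    """Group each source's packets into runs of near-consecutive IP IDs.

    packets: iterable of (src_ip, ip_id) in capture order.
    max_step: largest forward gap (mod 2**16) still treated as the same
              counter; an assumed tolerance for packets sent to other peers.
    Returns {src_ip: [[ip_id, ...], ...]}, one inner list per counter seen.
    """
    tracks = defaultdict(list)
    for src, ipid in packets:
        best = None
        for track in tracks[src]:
            step = (ipid - track[-1]) % IPID_MOD   # handles 65535 -> 0 wrap
            if 0 < step <= max_step and (best is None or step < best[0]):
                best = (step, track)
        if best:
            best[1].append(ipid)
        else:
            tracks[src].append([ipid])   # fits no known counter: new track
    return dict(tracks)


def suspicious_sources(packets, max_step=64):
    """Sources whose IP IDs come from more than one counter."""
    return sorted(src for src, t in ipid_tracks(packets, max_step).items()
                  if len(t) > 1)


# Constructed sample capture (documentation addresses, made-up IDs).
SAMPLE = [
    ("192.0.2.10", 65533), ("192.0.2.10", 65534),
    ("192.0.2.10", 65535), ("192.0.2.10", 0),       # wraparound, same stack
    ("192.0.2.10", 2),
    ("198.51.100.7", 1200), ("198.51.100.7", 1201),
    ("198.51.100.7", 40311),                        # does not fit the counter
    ("198.51.100.7", 1203), ("198.51.100.7", 40312),
    ("198.51.100.7", 1204),
]

if __name__ == "__main__":
    for src, t in ipid_tracks(SAMPLE).items():
        print(src, t)
    print("more than one IP ID counter:", suspicious_sources(SAMPLE))
```

A sender that randomizes its IP ID produces a new track for almost every packet, so the check only carries meaning for stacks that still use an incrementing counter.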