Re: [OPSEC] Request for opions on accepting draft-gont-opsec-ip-security-01 as a working group document (fwd)

Andrew Yourtchenko <ayourtch@cisco.com> Thu, 15 January 2009 12:03 UTC

Return-Path: <opsec-bounces@ietf.org>
X-Original-To: opsec-archive@optimus.ietf.org
Delivered-To: ietfarch-opsec-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DA6B83A690B; Thu, 15 Jan 2009 04:03:46 -0800 (PST)
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1E3B33A691A for <opsec@core3.amsl.com>; Thu, 15 Jan 2009 04:03:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SVrorYUfloLg for <opsec@core3.amsl.com>; Thu, 15 Jan 2009 04:03:45 -0800 (PST)
Received: from av-tac-bru.cisco.com (odd-brew.cisco.com [144.254.15.119]) by core3.amsl.com (Postfix) with ESMTP id C5E903A67A1 for <opsec@ietf.org>; Thu, 15 Jan 2009 04:03:44 -0800 (PST)
X-TACSUNS: Virus Scanned
Received: from strange-brew.cisco.com (localhost [127.0.0.1]) by av-tac-bru.cisco.com (8.11.7p3+Sun/8.11.7) with ESMTP id n0FC3TQ27361 for <opsec@ietf.org>; Thu, 15 Jan 2009 13:03:29 +0100 (CET)
Received: from kk-son (dhcp-peg3-vl30-144-254-7-191.cisco.com [144.254.7.191]) by strange-brew.cisco.com (8.11.7p3+Sun/8.11.7) with ESMTP id n0FC3St29019 for <opsec@ietf.org>; Thu, 15 Jan 2009 13:03:28 +0100 (CET)
Date: Thu, 15 Jan 2009 13:04:03 +0100 (CET)
From: Andrew Yourtchenko <ayourtch@cisco.com>
X-X-Sender: ayourtch@zippy.stdio.be
To: opsec@ietf.org
Message-ID: <Pine.LNX.4.64.0901151301470.3534@zippy.stdio.be>
MIME-Version: 1.0
Subject: Re: [OPSEC] Request for opions on accepting draft-gont-opsec-ip-security-01 as a working group document (fwd)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: ayourtch@cisco.com
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: opsec-bounces@ietf.org
Errors-To: opsec-bounces@ietf.org

Hi all,

It's my first activity on OPSEC, and I was a tad late to react, so I 
initially sent this unicast, but am forwarding it to the list now nonetheless, FYI.

thanks,
andrew

---------- Forwarded message ----------
Date: Wed, 14 Jan 2009 19:54:34 +0100 (CET)
From: Andrew Yourtchenko <ayourtch@cisco.com>
To: Joel Jaeggli <joelja@bogus.com>
Cc: Fernando Gont <fernando@gont.com.ar>
Subject: Re: [OPSEC] Request for opions on accepting
     draft-gont-opsec-ip-security-01 as a working group document

Hello Joel,

I have only been reading the mails on the WG up till now, so, given my very late 
reaction, I am not sure if it is still OK to send the opinion now, hence unicasting.

In my opinion this work is definitely something that should be adopted by the 
WG for further review and discussion.

To illustrate - one point, which rose upon a quick scan of the document:

With my security hat on, the trivially incrementing IP ID is obviously a Bad 
Thing(tm).

With my digger-debugger hat on, the trivially incrementing IP ID within the 
session has more than once allowed me to spot a misbehaving middlebox that was not 
known to be there, and saved some real pain for real customers.
From this operational perspective, the incrementing ID is a good property 
because it provides an ephemeral "identity" to the endpoint besides the easily 
spoofable IP address, and hence allows the latter to be detected.

So I think there might be more than just black and white, and it might be 
useful to discuss.

If the document gets adopted, I volunteer to review it in more detail.

thanks,
andrew





On Thu, 1 Jan 2009, Joel Jaeggli wrote:

>  I trust everyone had an eventful new year and I hope that for the sake of
>  our industry the next six months doesn't look worse than the previous
>  six months.
>
>  Working from the action items it's time to test consensus on accepting;
>
>  draft-gont-opsec-ip-security-01
>
>  http://tools.ietf.org/html/draft-gont-opsec-ip-security-01
>
>  as a working group document.
>
>  Commentary will be accepted through Friday January 9th.
>
>  Thanks
>  Joel
>  _______________________________________________
>  OPSEC mailing list
>  OPSEC@ietf.org
>  https://www.ietf.org/mailman/listinfo/opsec
>
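As an added illustration of the two hats in the message above (example code written for this archive page, not code from the original message, from the draft, or from its author): the check below walks a packet capture and flags datagrams whose IPv4 Identification field does not continue the sender's global counter, which is how a second device stamping the same source address (an unexpected middlebox) shows up to a debugger. The second function shows the flip side that makes a predictable ID a Bad Thing: the same counter lets an off-path observer count the host's traffic. The packet records, the field names (seq, src, ip_id, ttl) and the gap threshold are constructed assumptions.

```python
"""IP ID consistency check: spotting a second sender behind one source address.

Added example for this thread, not code from the original message or from
draft-gont-opsec-ip-security. The packet records below are constructed;
the record fields (seq, src, ip_id, ttl) and the thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ID_SPACE = 1 << 16  # the IPv4 Identification field is 16 bits wide


@dataclass(frozen=True)
class Pkt:
    seq: int    # capture order
    src: str    # source address as seen on the wire
    ip_id: int  # IPv4 Identification field
    ttl: int    # TTL on arrival; a middlebox nearer to us leaves a larger one


def id_delta(before: int, after: int) -> int:
    """Forward distance from one IP ID to the next, modulo 2^16 (handles wrap)."""
    return (after - before) % ID_SPACE


def find_inconsistent_ids(pkts: List[Pkt], max_gap: int = 64) -> List[Tuple[Pkt, str]]:
    """Flag packets whose IP ID does not continue their sender's counter.

    A host with a single global incrementing counter advances the ID by a
    small positive amount between consecutive packets we see from it (the
    gap covers datagrams it sent elsewhere meanwhile). An ID that repeats,
    goes backwards, or jumps far ahead while src is unchanged is most likely
    stamped by a different device using that address, e.g. a middlebox
    injecting its own segments. Flagged packets do not move the baseline,
    so one stray packet does not cause the legitimate ones after it to be
    flagged too. Hosts using random or per-destination IDs (permitted by
    RFC 6864) trip this check constantly; it only applies to global counters.
    """
    last_seen: Dict[str, Pkt] = {}
    suspects: List[Tuple[Pkt, str]] = []
    for p in pkts:
        prev: Optional[Pkt] = last_seen.get(p.src)
        if prev is not None:
            d = id_delta(prev.ip_id, p.ip_id)
            if d == 0 or d > max_gap:
                why = f"ip_id {prev.ip_id} -> {p.ip_id} (delta {d}), ttl {prev.ttl} -> {p.ttl}"
                suspects.append((p, why))
                continue  # keep the legitimate packet as the baseline
        last_seen[p.src] = p
    return suspects


def packets_sent_between(id_before: int, id_after: int) -> int:
    """Datagrams a host emitted between two probes we sent it, inferred from
    its global counter. This is the flip side of the same property: what
    identifies the host to a debugger also lets an off-path third party count
    its traffic, which is the basis of the classic idle scan."""
    return id_delta(id_before, id_after) - 1


# Constructed capture: one TCP session with server 198.51.100.7, whose IDs
# wrap through 65535, plus a packet (seq 4) injected by a middlebox that
# spoofs the server address but uses its own counter and sits fewer hops away.
SAMPLE = [
    Pkt(1, "198.51.100.7", 65530, 56),
    Pkt(2, "198.51.100.7", 65531, 56),
    Pkt(3, "198.51.100.7", 65533, 56),
    Pkt(4, "198.51.100.7", 4321, 61),   # injected by the middlebox
    Pkt(5, "198.51.100.7", 65534, 56),
    Pkt(6, "198.51.100.7", 0, 56),      # counter wrapped: not a jump
    Pkt(7, "198.51.100.7", 2, 56),
    Pkt(8, "203.0.113.9", 17, 52),      # unrelated sender, single packet
]

if __name__ == "__main__":
    for pkt, why in find_inconsistent_ids(SAMPLE):
        print(f"packet {pkt.seq} from {pkt.src}: {why}")
    print("datagrams the host sent between two probes:", packets_sent_between(65533, 65534))
```

On real traffic the same records can be produced from a capture with tshark's ip.src, ip.id and ip.ttl fields and fed into find_inconsistent_ids; the TTL is only reported as corroboration, since an injected packet from a box closer to the observer usually also arrives with a larger TTL than the real endpoint's packets.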