Re: [OPSEC] Erik Kline's Discuss on draft-ietf-opsec-v6-25: (with DISCUSS and COMMENT)
Erik Kline <ek.ietf@gmail.com> Fri, 09 April 2021 01:26 UTC
Return-Path: <ek.ietf@gmail.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id EAC6E3A2549;
Thu, 8 Apr 2021 18:26:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key)
header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 5OtttTmrunot; Thu, 8 Apr 2021 18:26:27 -0700 (PDT)
Received: from mail-ot1-x331.google.com (mail-ot1-x331.google.com
[IPv6:2607:f8b0:4864:20::331])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 937743A2547;
Thu, 8 Apr 2021 18:26:26 -0700 (PDT)
Received: by mail-ot1-x331.google.com with SMTP id
c24-20020a9d6c980000b02902662e210895so4205226otr.9;
Thu, 08 Apr 2021 18:26:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc:content-transfer-encoding;
bh=4wks5ayQwHH2GMK+fkkB6EfZLNwoqg5IgQCQLibCS+o=;
b=UQ6t8n2rB0mIqFk/02eil9m4paNTftzquzB3wrys9QgMxRFbB/P4MbVJz4oFJK58/h
qtctyMP54lNe3LXyInLkT55zaGGvv64u030Xd3ciO7YsIULvSTI8Q+9bm9ii6VWAjF1w
+ot9/cK24gVFhWO9E9EarBOMgQ6IBYjHXZlgRQYqPejITWQCZZ8QoJROOIN5V36WhZj7
oGj3zov+oXATRpk3IA6XpR3JXs1exPx/ZrhadGhdafd42p7t7XUUevF4P1uLau8DBgm6
fOgYe4OShdyPTYKbCr258oZcbNXGcofqF84BHMFwQ3HtGvrCJkoZYOZrY5jIuVwnx0vO
SK4g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc:content-transfer-encoding;
bh=4wks5ayQwHH2GMK+fkkB6EfZLNwoqg5IgQCQLibCS+o=;
b=VC+L+aZ+UjYsrm9WvwKf59VyNbGWLP/C0UuH0vajRfAtMjXOcBd8PPy3wEX52WLTAE
/rsiE9eWl9KHLY2hUzR3Isr5s3DIT5kxJhMPLB1ZMbwOl9gaxcUvlJ0NAzhY+TXtr4aS
FYo9S2oOsQrh0jccOZHtIg1Je6fBwufVdq7N2s8UaQpvhDVWrJEPiKRtFNOTirCqV4RY
V0MUk9DUicKlWL2OSIGovIZ9RbF1oPu9Yg9iNJwWBVh4H7xa3vG+VXIA3COnVg9o6c9W
HnSHiCo5/gAYOhHuXmsaWlqCU3pVa3gCr+Hj/w4KYfdj1LSV2wHDPTqeEQSMDU3mWulc
GmQA==
X-Gm-Message-State: AOAM5312/pKv/tJOwHHcEI4mm3/dLnbB2gmtW6lfvjZqLrUiCbV4dJFd
9UTcAnF9PUdGG22VV/62BGh+WzunHq4OCcYDBh+ieW9p
X-Google-Smtp-Source: ABdhPJzxKs4vdZQn7DuTlLNyY9MQ0ykKOVP8AgJx4uo8FhyX7S9pufYct0uIhbddZTxMiBs06o7ILq/IRRiDNN5q2RU=
X-Received: by 2002:a05:6830:140e:: with SMTP id
v14mr10319338otp.155.1617931585377;
Thu, 08 Apr 2021 18:26:25 -0700 (PDT)
MIME-Version: 1.0
References: <161776910743.14253.17550631411662929687@ietfa.amsl.com>
<20210408224954.GA85489@ernw.de>
In-Reply-To: <20210408224954.GA85489@ernw.de>
From: Erik Kline <ek.ietf@gmail.com>
Date: Thu, 8 Apr 2021 18:26:14 -0700
Message-ID: <CAMGpriUCD7AmXcg6UtXJxWbrF1x2sZW0LV2+6w9JxYA25RFewQ@mail.gmail.com>
To: Enno Rey <erey@ernw.de>
Cc: The IESG <iesg@ietf.org>, draft-ietf-opsec-v6@ietf.org,
opsec-chairs@ietf.org, opsec@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/C5GCV5vQGiB4MyCnNyvWNKVtn4g>
Subject: Re: [OPSEC] Erik Kline's Discuss on draft-ietf-opsec-v6-25: (with
DISCUSS and COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>,
<mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>,
<mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Apr 2021 01:26:32 -0000
Enno, Broadly these proposed changes seem good to me. I look forward to reading the next version. Thanks! On Thu, Apr 8, 2021 at 3:49 PM Enno Rey <erey@ernw.de> wrote: > > Hi Erik, > > thank you very much for the detailed feedback. > Based on that, and on some other reviewers' comments, we plan to do some edits, more specifically: > > > > On Tue, Apr 06, 2021 at 09:18:27PM -0700, Erik Kline via Datatracker wrote: > > > > ---------------------------------------------------------------------- > > DISCUSS: > > ---------------------------------------------------------------------- > > > > [ section 2.1 ] > > > > * "may also force the use of NPTv6" seems like it draws some conclusions. > > > > Perhaps something like: > > > > "may also increase the perceived need for the use of NPTv6"? > > That's a good point & proposed change; we'll incorporate that. > > > > > > [ section 2.2 ] > > > > * "It must also be noted that there is no indication in the IPv6 packet > > as to whether the Next Protocol field points to an extension header > > or to a transport header." > > > > What is this trying to say? Is this about what 8200 calls the "Next > > Header" field? If so, the Next Header field indicates...the next > > header, and whether that's a transport header or not depends on its > > value. > > > > I guess I read this text as implying that the 8200 standard is somehow > > ambiguous about what NH means, but it's really not. It's just that > > NH does not always indicate a transport. > > I have in mind to replace the above sentence by the following: > "Vendors of filtering solutions and operations personnel [responsible for implementing packet filtering rules] should be aware that the 'Next Header' field in an IPv6 header can both point to an IPv6 extension header or to an upper layer protocol header. This has to be kept in mind [or: considered] when designing the UX of filtering solutions or during the creation of [filtering] rule sets." > > From ypur perspective, would this provide sufficient clarification with regard to the potential problem space? This was about misconceptions among security operators, not about RFC 8200 ambiguities. I hope my suggested sentence makes this clear. > > > > > > [ section 2.3.2.4 ] > > > > * "Only trivial cases [...] should have RA-guard..." > > > > Only? This doesn't strike me as being obviously the best recommendation. > > Definitely in trivial cases it should be enabled, but surely it should > > also be enabled even in more complex cases, albeit ones where > > knowledgeable administrators can configure things appropriately > > (vis. the applicability statement in section 1.1)...maybe? > > I agree with what you're writing. Point is that other reviewers pointed out that they see cases where RA-Guard would be counterproductve. I hence suggest to replace the phrase ("Only trivial cases") by the following: > > "Enabling RA-Guard by default in Wi-Fi networks or enterprise campus networks should be [strongly] considered unless specific circumstances [or: use cases] such as the presence of Homenet devices emitting router advertisements preclude this." > > Would that make sense, from your point of view? > > We will also address the majority of your COMMENTs in the next revision. Thank you again for providing those, and the above (very valid) points. > > Enno > > > > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > [ general ] > > > > * There are many uses of ellipses ("...") that probably could be > > tightened up (usually just removed might work). > > > > [ section 2.1.1 ] > > > > * I think it never hurts to repeat the message that ULA /48s from the > > fd00::/8 space (L=1) MUST be generated with a pseudo-random algorithm, > > per RFC 4193 sections 3.2, 3.2.1, &c. > > > > [ section 2.1.4 ] > > > > * I think the opening sentence might clarify that it's talking about > > stable address assignment for nodes. On a one-pass reading, > > section 2.1.3 immediately preceding this is discussing router loopback > > addressing, so I found I had routers on the brain when I started 2.1.4. > > > > [ section 2.1.5 ] > > > > * Up to you, but 4941 has been superseded by 8981. > > > > [ section 2.1.6 ] > > > > * "(see Section 2.6.1.5)" -> I think the trailing ")" probably wants to be > > at the end of that sentence; if not, it does not quite make grammatical > > sense (to me). > > > > [ section 2.2.3 ] > > > > * s/ipv6/IPv6/g > > > > [ section 2.3.5 ] > > > > * As an addendum to the final paragraph, it might be noted that such > > filtering can inhibit mDNS (whether or not that's a desirable outcome). > > > > [ section 2.4 ] > > > > * "non-legit": perhaps a bit too casual? > > > > [ section 2.6.1.7 ] > > > > * "as currently collected as in" -> "as currently collected in", I suspect > > > > [ section 2.6.2.1 ] > > > > * There are other motivations for doing forensic analysis that simply > > investigating "malicious activity" (even if this is the most common > > motivation). > > > > As a concrete proposal, perhaps: > > > > "At the end of the process, the interface of the host originating, > > or the subscriber identity associated with, the activity in question > > has been determined." > > > > ...or something > > > > [ section 2.7.2 ] > > > > * "legit": perhaps a bit too casual? "legitimate"? Or perhaps just > > s/legit and//. > > > > [ section 2.7.2.8 ] > > > > * s/IPV4/IPv4/ > > > > * Consider port 123 NTP in your allowlist. :-) > > > > * "hardly never" -> "hardly ever" > > > > [ section 2.7.3.1 ] > > > > * Does this section belong in this document? It's all about IPv4, and > > not even particular to IPv4 in the presence of IPv6 -- just IPv4 in > > general. > > > > [ section 2.7.3.2 ] > > > > * "DNSSEC has an impact on DNS64" > > > > It might also be said that "DNS64 has an impact on DNSSEC", so perhaps > > "DNSSEC and DNS64 negatively interact"? > > > > [ section 4.3 ] > > > > * "and what the respective log retention" -> > > "and the respective log retention", I think > > > > > > > > _______________________________________________ > > OPSEC mailing list > > OPSEC@ietf.org > > https://www.ietf.org/mailman/listinfo/opsec > > -- > Enno Rey > > Cell: +49 173 6745902 > Twitter: @Enno_Insinuator
- [OPSEC] Erik Kline's Discuss on draft-ietf-opsec-… Erik Kline via Datatracker
- Re: [OPSEC] Erik Kline's Discuss on draft-ietf-op… Enno Rey
- Re: [OPSEC] Erik Kline's Discuss on draft-ietf-op… Erik Kline
- Re: [OPSEC] Erik Kline's Discuss on draft-ietf-op… Enno Rey