Re: [OPSEC] I-D Action: draft-ietf-opsec-v6-06.txt
"George, Wes" <wesley.george@twcable.com> Thu, 02 April 2015 19:20 UTC
Return-Path: <wesley.george@twcable.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58E631A8868 for <opsec@ietfa.amsl.com>; Thu, 2 Apr 2015 12:20:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.225
X-Spam-Level:
X-Spam-Status: No, score=0.225 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_MODEMCABLE=0.768, HOST_EQ_MODEMCABLE=1.368, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TVGExIFgSt50 for <opsec@ietfa.amsl.com>; Thu, 2 Apr 2015 12:20:15 -0700 (PDT)
Received: from cdpipgw02.twcable.com (cdpipgw02.twcable.com [165.237.59.23]) by ietfa.amsl.com (Postfix) with ESMTP id 20F8A1A6FEA for <opsec@ietf.org>; Thu, 2 Apr 2015 12:20:15 -0700 (PDT)
X-SENDER-IP: 10.136.163.11
X-SENDER-REPUTATION: None
X-IronPort-AV: E=Sophos;i="5.11,512,1422939600"; d="scan'208";a="669743762"
Received: from unknown (HELO PRVPEXHUB02.corp.twcable.com) ([10.136.163.11]) by cdpipgw02.twcable.com with ESMTP/TLS/RC4-MD5; 02 Apr 2015 15:05:50 -0400
Received: from PRVPEXVS10.corp.twcable.com ([10.136.163.40]) by PRVPEXHUB02.corp.twcable.com ([10.136.163.11]) with mapi; Thu, 2 Apr 2015 15:20:14 -0400
From: "George, Wes" <wesley.george@twcable.com>
To: "opsec@ietf.org" <opsec@ietf.org>
Date: Thu, 02 Apr 2015 15:20:13 -0400
Thread-Topic: [OPSEC] I-D Action: draft-ietf-opsec-v6-06.txt
Thread-Index: AdBtegssnKBjvRNHTUexy44HL9yoIw==
Message-ID: <D142FCA7.4BF11%wesley.george@twcable.com>
References: <20150309110722.2150.57623.idtracker@ietfa.amsl.com>
In-Reply-To: <20150309110722.2150.57623.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.8.150116
acceptlanguage: en-US
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/CEj8LkJMVexjJPsL_ULbJ1rrgVI>
Subject: Re: [OPSEC] I-D Action: draft-ietf-opsec-v6-06.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Apr 2015 19:20:22 -0000
I gave this doc a read, and have a few comments: 2.1 - I'm not certain that the unsubstantiated assertion about renumbering being difficult helps this section. If you really want to discuss renumbering, perhaps cite the documents that discuss this in gory detail? http://tools.ietf.org/wg/6renum/ Also, might be worth discussing the idea of geographical/topological hierarchy to ease security in a bit more detail, specifically calling out things like simplifying ACLs by limiting the number of address blocks, using nibble boundaries, etc. since that's actually the more useful/relevant justification for having a good address plan. There's not really any discussion of DHCPv6 PD (vs IA_NA) in 2.5.2, and that might be of interest since the inventory and correlation and logging might be at per-address level, but there may be a much larger block that is actually associated with a given customer or site, like a /48 or a /56 that has been allocated with the idea that it will be further delegated to subnets as appropriate. Basically, you may want to discuss the idea of per-host addressing vs per-network delegation and whether it has any impact here. 2.5.2.2 - CMTS devices use a method called gleaning to watch the DHCPv6 messages as they go by. This might be an additional method to add. See RFC 4779 5.2.2.5.2. 3.1 - reference for anti-spoofing? (BCP38/84 or something else?) Finally, not sure exactly where this fits: Might be useful to have some discussion about single-stack (IPv6-only) as a security method. In other words for a given set of features or services, if everything using it can reach it over IPv6, it makes sense to disable IPv4 access so that you reduce the attack surface. This is especially interesting for internal services like management protocols since you control both ends and can be more aggressive about moving away from dual-stack. I know in my own network it would allow me to eliminate some very long ACLs that have had lots of holes punched over time without sufficient cleanup in favor of a much cleaner and smaller list of permitted IPv6 prefixes from in many cases one single block of permitted addresses. It's almost like a reset button for access controls, because you start with nothing, and explicitly add things such that the legacy cruft that everyone was afraid to touch for fear of breaking something critical goes away. General idea is that anywhere you can go single stack, you're reducing the overhead of management by eliminating the need to duplicate and maintain your security for two stacks. Thanks, Wes On 3/9/15, 7:07 AM, "internet-drafts@ietf.org" <internet-drafts@ietf.org> wrote: > >A New Internet-Draft is available from the on-line Internet-Drafts >directories. > This draft is a work item of the Operational Security Capabilities for >IP Network Infrastructure Working Group of the IETF. > > Title : Operational Security Considerations for IPv6 >Networks > Authors : Kiran K. Chittimaneni > Merike Kaeo > Eric Vyncke > Filename : draft-ietf-opsec-v6-06.txt > Pages : 41 > Date : 2015-03-09 > >Abstract: > Knowledge and experience on how to operate IPv4 securely is > available: whether it is the Internet or an enterprise internal > network. However, IPv6 presents some new security challenges. RFC > 4942 describes the security issues in the protocol but network > managers also need a more practical, operations-minded document to > enumerate advantages and/or disadvantages of certain choices. > > This document analyzes the operational security issues in all places > of a network (service providers, enterprises and residential users) > and proposes technical and procedural mitigations techniques. Anything below this line has been added by my company’s mail server, I have no control over it. ----------- This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.
- Re: [OPSEC] I-D Action: draft-ietf-opsec-v6-06.txt George, Wes
- [OPSEC] I-D Action: draft-ietf-opsec-v6-06.txt internet-drafts