Re: [OPSEC] Iotdir early review of draft-ietf-opsec-v6-21

Stuart Cheshire <cheshire@apple.com> Tue, 16 February 2021 03:34 UTC

Return-Path: <cheshire@apple.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C191E3A0C32 for <opsec@ietfa.amsl.com>; Mon, 15 Feb 2021 19:34:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.668
X-Spam-Level:
X-Spam-Status: No, score=-2.668 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.57, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EaHcLfc6S5EY for <opsec@ietfa.amsl.com>; Mon, 15 Feb 2021 19:33:58 -0800 (PST)
Received: from ma1-aaemail-dr-lapp01.apple.com (ma1-aaemail-dr-lapp01.apple.com [17.171.2.60]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EACDB3A0C1E for <opsec@ietf.org>; Mon, 15 Feb 2021 19:33:57 -0800 (PST)
Received: from pps.filterd (ma1-aaemail-dr-lapp01.apple.com [127.0.0.1]) by ma1-aaemail-dr-lapp01.apple.com (8.16.0.42/8.16.0.42) with SMTP id 11G3XZ1Z041477; Mon, 15 Feb 2021 19:33:49 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=20180706; bh=2cr9cidFm9qZpwv9TpFnPb5OZAoUzrWm7B6nxcfAVaU=; b=fQHcPORoPMzFZM/098UU4oXnV0EvevpQNuOKI72MUcjuuvVQgjbZ+8nadHWq3X0BGtGo o3IK57+M0TDd+VK+eZZEn8fkIxzQ3/aUJJNGxVIa0lfk5LoR0JXzAgb14fHyekLHpogS wCpBpiKW+c8kZUj0KodRWT7o9zNrM3pdnb/bNbUghdhJnOIL70hdzHHDqlbKeBa3JCgw 0+ktnaCLrT6timKg6hA3/uvm99Qw6c+yvBWMi9GezEQwsuLOqTFcvU/kk1GdgUsHUW5+ dt9zqsSCiOhPZnrQXrpCQZZgxkURUBAZWhikxUefbsLtFxG99bhOGk3SbnqqPgOVmVMD 6g==
Received: from rn-mailsvcp-mta-lapp01.rno.apple.com (rn-mailsvcp-mta-lapp01.rno.apple.com [10.225.203.149]) by ma1-aaemail-dr-lapp01.apple.com with ESMTP id 36pea683yy-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Mon, 15 Feb 2021 19:33:49 -0800
Received: from rn-mailsvcp-mmp-lapp02.rno.apple.com (rn-mailsvcp-mmp-lapp02.rno.apple.com [17.179.253.15]) by rn-mailsvcp-mta-lapp01.rno.apple.com (Oracle Communications Messaging Server 8.1.0.7.20201203 64bit (built Dec 3 2020)) with ESMTPS id <0QOL00R4XR8CH200@rn-mailsvcp-mta-lapp01.rno.apple.com>; Mon, 15 Feb 2021 19:33:48 -0800 (PST)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp02.rno.apple.com by rn-mailsvcp-mmp-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.7.20201203 64bit (built Dec 3 2020)) id <0QOL00900QO62T00@rn-mailsvcp-mmp-lapp02.rno.apple.com>; Mon, 15 Feb 2021 19:33:48 -0800 (PST)
X-Va-A:
X-Va-T-CD: fa095092440e15a1948c34b3cd103a88
X-Va-E-CD: 8374e755a7b96a1083dead1f7cf68564
X-Va-R-CD: 942fa795535ed48ad41f956c32baf597
X-Va-CD: 0
X-Va-ID: e3ac1bf7-1247-4b01-aa03-2762174e62ca
X-V-A:
X-V-T-CD: fa095092440e15a1948c34b3cd103a88
X-V-E-CD: 8374e755a7b96a1083dead1f7cf68564
X-V-R-CD: 942fa795535ed48ad41f956c32baf597
X-V-CD: 0
X-V-ID: de8e657d-3c21-466a-a8b7-95e7fb64a9d8
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369, 18.0.761 definitions=2021-02-15_16:2021-02-12, 2021-02-15 signatures=0
Received: from [17.11.72.4] (unknown [17.11.72.4]) by rn-mailsvcp-mmp-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.7.20201203 64bit (built Dec 3 2020)) with ESMTPSA id <0QOL00FD3R8BSX00@rn-mailsvcp-mmp-lapp02.rno.apple.com>; Mon, 15 Feb 2021 19:33:48 -0800 (PST)
Content-type: text/plain; charset=utf-8
MIME-version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
From: Stuart Cheshire <cheshire@apple.com>
In-reply-to: <99FA8310-CDA8-4FCA-90F9-FE0952D95D93@fugue.com>
Date: Mon, 15 Feb 2021 19:33:47 -0800
Cc: Ted Lemon <mellon@fugue.com>, Merike Kaeo <merike@doubleshotsecurity.com>, KK Chittimaneni <kk.chittimaneni@gmail.com>, Enno Rey <erey@ernw.de>, "opsec@ietf.org" <opsec@ietf.org>, Warren Kumari <warren@kumari.net>
Content-transfer-encoding: quoted-printable
Message-id: <1EA99726-2050-4B05-8D8F-924A52D2303E@apple.com>
References: <157394737956.25908.2003745932020934234@ietfa.amsl.com> <DA7A5C72-C893-4240-A716-B0BD37122916@doubleshotsecurity.com> <7BCD5A24-D200-48F9-8410-7F1D5BA28B28@cisco.com> <20F36D91-A80F-49F8-9820-BAB18BACB4B5@fugue.com> <2B0A426F-9414-4FC2-99A1-DF71D495F02C@cisco.com> <99FA8310-CDA8-4FCA-90F9-FE0952D95D93@fugue.com>
To: =?utf-8?Q?=C3=89ric_Vyncke?= <evyncke@cisco.com>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.369, 18.0.761 definitions=2021-02-15_16:2021-02-12, 2021-02-15 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/EDJKuUs7A3pmh3Ts-kIG8mc5PXM>
Subject: Re: [OPSEC] Iotdir early review of draft-ietf-opsec-v6-21
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Feb 2021 03:34:01 -0000

Thank you Éric for making this change.

If ISPs were to to implement and enable RA-Guard in ISP-supplied home gateways, that would break both Apple HomeKit and the upcoming Project Connected Home over IP <https://www.connectedhomeip.com/>. It would be a pity to break residential IoT in the infancy of the IoT industry, and it would create a lot of support telephone calls for Apple, other residential IoT vendors, and ISPs.

Stuart Cheshire

On Feb 12, 2021, at 10:31 AM, Eric Vyncke (evyncke) <evyncke@cisco.com> wrote:

> Ted,
> 
> As you guessed in your email : we, the authors, do not want to prevent multi-homing ;-)  E.g., we already have several ‘do not apply in all cases’ for several mitigation techniques include the RA-guard one for obvious reason.
> 
> Just to be clear, we have used your suggestion to modify the abstract and add an applicability statement in a -24 version (yet to be published). We would appreciate it if you reviewed the proposed change below.
> 
> --- start of abstract ---
>    Knowledge and experience on how to operate IPv4 securely is
>    available: whether it is the Internet or an enterprise internal
>    network.  However, IPv6 presents some new security challenges.  RFC
>    4942 describes the security issues in the protocol, but network
>    managers also need a more practical, operations-minded document to
>    enumerate advantages and/or disadvantages of certain choices.
> 
>    This document analyzes the operational security issues associated
>    with several types of network and proposes technical and procedural
>    mitigation techniques.  This document is only applicable to managed
>    networks, such as enterprise building networks.  The recommendations
>    in this document are not applicable to residential user cases, even
>    in cases where a Service Provider may be managing the home gateway.
> 
> --- end of abstract ---
> 
> --- start of applicability statement (sub-section of introduction) ---
> 1.1.  Applicability Statement
> 
>    This document is applicable to managed networks, i.e., when the
>    network is operated by the user organization itself.  Indeed, many of
>    the recommended mitigation techniques must be configured with the
>    detailed knowledge of the network (which are the default router,
>    which are the switch trunk ports, etc.).  This covers Service
>    Provider (SP), enterprise networks and some knowledgeable-home-user-
>    managed residential network.  This applicability statement especially
>    applies to Section 2.3 and Section 2.5.4.
> 
>    For example, an exception to the generic recommendations of this
>    document is when a residential or enterprise network is multi-homed.
> 
> --- end of applicability statement (sub-section of introduction) ---