Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)
Ted Lemon <Ted.Lemon@nominum.com> Tue, 10 February 2015 17:49 UTC
Return-Path: <Ted.Lemon@nominum.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07ABE1A1ADC; Tue, 10 Feb 2015 09:49:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VWrIKCfWEbMk; Tue, 10 Feb 2015 09:49:08 -0800 (PST)
Received: from sjc1-mx02-inside.nominum.com (sjc1-mx02-inside.nominum.com [64.89.234.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44FF01A1ADA; Tue, 10 Feb 2015 09:49:05 -0800 (PST)
Received: from archivist.nominum.com (archivist.nominum.com [64.89.228.108]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.nominum.com", Issuer "Go Daddy Secure Certificate Authority - G2" (verified OK)) by sjc1-mx02-inside.nominum.com (Postfix) with ESMTPS id 020BDDA0278; Tue, 10 Feb 2015 17:49:04 +0000 (UTC)
Received: from webmail.nominum.com (cas-03.win.nominum.com [64.89.235.66]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (Client CN "mail.nominum.com", Issuer "Go Daddy Secure Certificate Authority - G2" (verified OK)) by archivist.nominum.com (Postfix) with ESMTP id B7CED53E083; Tue, 10 Feb 2015 09:49:04 -0800 (PST)
Received: from [10.0.20.107] (71.233.43.215) by CAS-03.WIN.NOMINUM.COM (64.89.235.66) with Microsoft SMTP Server (TLS) id 14.3.224.2; Tue, 10 Feb 2015 09:49:04 -0800
Content-Type: text/plain; charset="windows-1252"
MIME-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Ted Lemon <Ted.Lemon@nominum.com>
In-Reply-To: <54D98F62.4080508@bogus.com>
Date: Tue, 10 Feb 2015 12:48:56 -0500
Content-Transfer-Encoding: quoted-printable
Message-ID: <ADCFDFED-5EF9-4121-A323-562C1E33C2F5@nominum.com>
References: <20150207194616.20651.30892.idtracker@ietfa.amsl.com> <72C73500-E6C4-4D75-9CFA-8FE4B012AB9E@nominum.com> <7516AD5C-1152-4020-B050-FA0383B58DBA@viagenie.ca> <Pine.LNX.4.64.1502081734120.24776@shell4.bayarea.net> <97C8D14E-D440-4625-8F26-83AF26917CF2@nominum.com> <54D83E7F.3040207@gmail.com> <E478028B-8FFC-47B4-B12D-F0A32227A726@nominum.com> <54D83FCE.4070804@qti.qualcomm.com> <Pine.LNX.4.64.1502082137570.16054@shell4.bayarea.net> <96CE509D-3B6E-49B8-98F6-CB8581787D7E@nominum.com> <Pine.LNX.4.64.1502090708270.22936@shell4.bayarea.net> <174AA530-3993-4894-BCE7-2AE8818EB35E@nominum.com> <54D8F98D.1030101@si6networks.com> <B3474476-3FA1-484E-BAAD-E7A6474BA11C@nominum.com> <54D90EE5.2060002@gmail.com> <5C9CF492-A795-4023-BB91-28B1B52706E4@nominum.com> <54D92987.2080505@gmail.com> <CDA3CF60-BB2E-4F77-B325-B3057C01FBD1@nominum.com> <Pine.LNX.4.64.1502091713320.26279@shell4.bayarea.net> <FFC8BDEA-51BB-4D18-8240-F360CD9A7566@nominum.com> <54D98F62.4080508@bogus.com>
To: Joel Jaeggli <joelja@bogus.com>
X-Mailer: Apple Mail (2.1878.6)
X-Originating-IP: [71.233.43.215]
Archived-At: <http://mailarchive.ietf.org/arch/msg/opsec/EQOP_bekJpul7Lecaqa2qOJFsTM>
Cc: "draft-ietf-opsec-dhcpv6-shield@ietf.org" <draft-ietf-opsec-dhcpv6-shield@ietf.org>, "C. M. Heard" <heard@pobox.com>, Pete Resnick <presnick@qti.qualcomm.com>, "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.ad@ietf.org" <draft-ietf-opsec-dhcpv6-shield.ad@ietf.org>, "draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org" <draft-ietf-opsec-dhcpv6-shield.shepherd@ietf.org>, The IESG <iesg@ietf.org>, Fernando Gont <fgont@si6networks.com>, "opsec-chairs@ietf.org" <opsec-chairs@ietf.org>, Brian E Carpenter <brian.e.carpenter@gmail.com>
Subject: Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-dhcpv6-shield-05: (with DISCUSS and COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Feb 2015 17:49:10 -0000
On Feb 9, 2015, at 11:56 PM, joel jaeggli <joelja@bogus.com> wrote: > We do ourselves and the community a disservice when we fail to include > discussion of operational divergence from expected behavior. if whe can > find a position that falls short of advocacy where does that leave us? I would suggest a note in the security considerations section that says something like this: The recommendations in this document represent the ideal behavior of a DHCPv6 shield device. However, in order to implement DHCPv6 shield on the fast path, it may be necessary to limit the depth into the packet that can be scanned before giving up. In circumstances where there is such a limitation, it is recommended that implementations drop packets after attempting to find a protocol header (as opposed to an extension header) up to that limit, whatever it is. Ideally, such devices should be configurable with a list of protocol header identifiers so that if new transport protocols are standardized after the device is released, they can be added to the list of protocol header types that the device recognizes. Since any protocol header that is not a UDP header would be passed by the DHCPv6 shield algorithm, this would allow such devices to avoid blocking the use of new transport protocols. When an implementation must stop searching for recognizable header types in a packet due to such limitations, whether the device passes or drop that packet SHOULD be configurable.
- [OPSEC] Revisting Re: Ted Lemon's Discuss on draf… joel jaeggli
- Re: [OPSEC] Revisting Re: Ted Lemon's Discuss on … C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Joel Jaeggli
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- [OPSEC] Ted Lemon's Discuss on draft-ietf-opsec-d… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian E Carpenter
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian E Carpenter
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Marc Blanchet
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian E Carpenter
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Pete Resnick
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian Haberman
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… joel jaeggli
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian E Carpenter
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian E Carpenter
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… joel jaeggli
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Brian Haberman
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Fernando Gont
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… C. M. Heard
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… Ted Lemon
- Re: [OPSEC] Ted Lemon's Discuss on draft-ietf-ops… joel jaeggli