Re: [OPSEC] New Version Notification for draft-yourtchenko-opsec-humansafe-ipv6-00.txt
Fernando Gont <fgont@si6networks.com> Tue, 06 March 2012 12:28 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF1D121F882D for <opsec@ietfa.amsl.com>; Tue, 6 Mar 2012 04:28:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.557
X-Spam-Level:
X-Spam-Status: No, score=-2.557 tagged_above=-999 required=5 tests=[AWL=0.043, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fCfat-J2RZg0 for <opsec@ietfa.amsl.com>; Tue, 6 Mar 2012 04:28:23 -0800 (PST)
Received: from srv01.bbserve.nl (unknown [IPv6:2a02:27f8:1025:18::232]) by ietfa.amsl.com (Postfix) with ESMTP id BB10E21F8826 for <opsec@ietf.org>; Tue, 6 Mar 2012 04:28:22 -0800 (PST)
Received: from [2001:5c0:1000:a::6a1] by srv01.bbserve.nl with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.77) (envelope-from <fgont@si6networks.com>) id 1S4tV4-00023o-D5; Tue, 06 Mar 2012 13:28:18 +0100
Message-ID: <4F5602DA.2010806@si6networks.com>
Date: Tue, 06 Mar 2012 09:28:10 -0300
From: Fernando Gont <fgont@si6networks.com>
Organization: SI6 Networks
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.27) Gecko/20120216 Thunderbird/3.1.19
MIME-Version: 1.0
To: Andrew Yourtchenko <ayourtch@cisco.com>
References: <alpine.DEB.2.00.1203051204580.20167@ayourtch-lnx> <4F55B1A2.7000909@gont.com.ar> <alpine.DEB.2.00.1203061046000.2860@ayourtch-lnx>
In-Reply-To: <alpine.DEB.2.00.1203061046000.2860@ayourtch-lnx>
X-Enigmail-Version: 1.1.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: opsec@ietf.org, mircea.pisica@bt.com, sasad@cisco.com
Subject: Re: [OPSEC] New Version Notification for draft-yourtchenko-opsec-humansafe-ipv6-00.txt
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Mar 2012 12:28:24 -0000
Hi, Andrew, On 03/06/2012 07:32 AM, Andrew Yourtchenko wrote: >> I think this one is somewhat incorrect: What's usually deemed as hard to >> manage is temporary addresses (RFC 4941), rather than the fact that the >> identifiers are random (see e.g., >> <http://tools.ietf.org/id/draft-gont-6man-managing-slaac-policy-00.txt>). > > No, in this case I'm talking about permanently assigned addresses. It's > just that telling the full IPv6 address over the phone or remembering it > is a chore. It wasn't clear to me that you were referring to this problem. > Example: 2001:db8:d923:297a:2068:d95d:cff5:308a. Make an experiment and > measure how much it takes to get this address over to someone over the > phone, without errors. That's the type of problem I had in mind. I know of quite a few folks that have already established the rule that "you don't tell IPv6 addresses over the phone" >> * Section 5 states: >> The idea is to exploit the randomness property of the encryption >> function output. The interface identifier, used within the IPv6 >> address of the host, would be derived from the 64-bit data >> corresponding to hostname, encrypted with a site-wide "secret". >> >> How would you distribute the secret. > > USB stick, for example. Or write it on the wall in the ops room :-) BTW, what are the types of systems that you have in mind for using this? Host? Servers? Routers? All of them? > I probably should have not named it a "secret" - the idea was to have it > secret enough so that a random script kiddie does not know it, yet it > can be easily known by the staff. Any suggestions on how I should rename > it so there's less confusion ? Well, as far as the attacker is concerned, the "secret" is secret. So the term is okay. But I guess it should be more clear to whom the "secret" is secret, and how you plan to distribute it. >> That aside: have you read >> <http://tools.ietf.org/id/draft-gont-6man-stable-privacy-addresses-00.txt>. >> >> It solves the scanning problem and the management problem, with no need >> to distribute secrets. > > It's nice, however it requires changes to host OSes. Well, yes... but that's what you need to do to fix the underlying problem of vulnerability to scanning... Thanks, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- [OPSEC] New Version Notification for draft-yourtc… Andrew Yourtchenko
- Re: [OPSEC] New Version Notification for draft-yo… Fernando Gont
- Re: [OPSEC] New Version Notification for draft-yo… Andrew Yourtchenko
- Re: [OPSEC] New Version Notification for draft-yo… Fernando Gont
- Re: [OPSEC] New Version Notification for draft-yo… Andrew Yourtchenko
- Re: [OPSEC] New Version Notification for draft-yo… Fernando Gont
- Re: [OPSEC] New Version Notification for draft-yo… Andrew Yourtchenko
- Re: [OPSEC] New Version Notification for draft-yo… Fernando Gont