Re: [OPSEC] I-D Action: draft-ietf-opsec-v6-15.txt

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Mon, 11 March 2019 08:44 UTC

From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, "opsec@ietf.org" <opsec@ietf.org>
Date: Mon, 11 Mar 2019 08:44:40 +0000
Message-ID: <C0624615-9C19-4E96-A53B-45FA47459DFD@cisco.com>
References: <155216353255.28690.611573903036715612@ietfa.amsl.com> <f851fd05-b175-432e-7f64-4cbb9d0c4049@gmail.com>
In-Reply-To: <f851fd05-b175-432e-7f64-4cbb9d0c4049@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/H5HdyHwPAelxiVLCxFTb0_DSPzw>

Brian and Bob,

First of all, thank you for the quick review. And especially, the text around EUI-64 & SLAAC which we, the authors, will gladly accept.

In order to progress with this draft, the authors will issue today a -16 where the ULA section will simply be reduced to mention the ULA considerations draft. With this, we hope to remove the last (?) blocking factor for this OPsecv6 draft.

Regards

-éric

On 09/03/2019, 22:56, "OPSEC on behalf of Brian E Carpenter" <opsec-bounces@ietf.org on behalf of brian.e.carpenter@gmail.com> wrote:

    Hi,
    
    A few comments. (Note that I am not on the opsec list, so please CC me on any replies.)
    
    > 2.1.2. Use of ULAs
    ....
    > It is tempting to think that ULAs could be useful for infrastructure
    > hiding as described in [RFC4864];...
    
    That's a very strange choice of words, and ignores the actual argument
    for this choice, which is that internal communications using ULAs
    are doubly protected from accidental external visibility. If you want
    to say that RFC4864 was wrong, please argue that explicitly. Otherwise
    please be neutral, e.g.:
    
    ULAs could be used for infrastructure hiding as described in [RFC4864];...
    
    > It is recommended to consider filtering packets with ULA source
    > addresses or ULA destination addresses at the domain boundary.
    
    Actually RFC4193 is already stronger than that. Filtering ULA routes
    is a "must", and filtering packets containing ULA source or destination
    is a "should" (unless explicitly configured otherwise). I think you
    should not weaken this here!
    
    > 2.1.4.  Temporary Addresses - Privacy Extensions for SLAAC
    > 
    > Historically stateless address autoconfiguration (SLAAC) relies on
    > the automatically generated EUI-64 address, which together with the
    > /64 prefix makes up the global unique IPv6 address.
    
    That's inaccurate. Try:
    
    Historically, stateless address autoconfiguration (SLAAC) relied on
    an automatically generated 64 bit interface identifier (IID) based
    on the EUI-64 MAC address, which together with the /64 prefix makes
    up the globally unique IPv6 address.
    
    ....
    > As [RFC4941] privacy extension addresses could also be used to
    > obfuscate some malevolent activities (whether on purpose or not),
    > specific user attribution/accountability procedures must be put in
    > place as described in section Section 2.6.
    
    That "must" is a bit strange. It seems too much to say "MUST",
    so why not make it "SHOULD"?
    
    Regards
       Brian Carpenter
    
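The two points raised in the quoted review, the RFC 4193 boundary filtering of ULA routes and packets and the legacy SLAAC interface identifier derived from the MAC address, worked through as an added example; this is illustration code written for this page, not code from the draft or from either author, and all function names (`is_ula`, `boundary_filter`, `ula_route_filter`, `modified_eui64_iid`, `slaac_address`) and the sample prefix and MAC are constructed here.

```python
import ipaddress

# RFC 4193 reserves fc00::/7 for unique local addresses (ULAs).
ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")


def is_ula(addr: str) -> bool:
    """True if the address lies in the RFC 4193 ULA block fc00::/7."""
    return ipaddress.IPv6Address(addr) in ULA_BLOCK


def boundary_filter(src: str, dst: str, permit_ula: bool = False) -> str:
    """Decision for a packet crossing the site boundary.

    RFC 4193 section 4.3: site border routers SHOULD drop packets with a
    ULA source or destination unless explicitly configured otherwise;
    permit_ula models that explicit configuration.
    """
    if not permit_ula and (is_ula(src) or is_ula(dst)):
        return "drop"
    return "forward"


def ula_route_filter(prefixes):
    """RFC 4193 section 4.1: ULA prefixes MUST NOT be advertised outside
    the site. Returns only the prefixes that may be exported."""
    return [p for p in prefixes
            if not ipaddress.IPv6Network(p).subnet_of(ULA_BLOCK)]


def modified_eui64_iid(mac: str) -> bytes:
    """64-bit IID that legacy SLAAC derived from a 48-bit MAC address
    (RFC 4291 Appendix A): insert ff:fe in the middle and flip the
    universal/local bit (0x02 of the first octet). Because the MAC is
    recoverable from the IID, this is what privacy extensions replace."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> str:
    """Legacy SLAAC address: /64 prefix combined with the modified EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    addr = int(net.network_address) | int.from_bytes(modified_eui64_iid(mac), "big")
    return str(ipaddress.IPv6Address(addr))
```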