Re: [OPSEC] [Last-Call] Opsdir last call review of draft-ietf-opsec-v6-21

Warren Kumari <warren@kumari.net> Mon, 09 December 2019 21:50 UTC

Return-Path: <warren@kumari.net>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83424120086 for <opsec@ietfa.amsl.com>; Mon, 9 Dec 2019 13:50:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lKLqcFv74-Jf for <opsec@ietfa.amsl.com>; Mon, 9 Dec 2019 13:50:04 -0800 (PST)
Received: from mail-qt1-x82e.google.com (mail-qt1-x82e.google.com [IPv6:2607:f8b0:4864:20::82e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB6051200D7 for <opsec@ietf.org>; Mon, 9 Dec 2019 13:50:03 -0800 (PST)
Received: by mail-qt1-x82e.google.com with SMTP id g1so694506qtj.6 for <opsec@ietf.org>; Mon, 09 Dec 2019 13:50:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=yOoi7AYde1nHT4Eaf+5cWVelgOrKX6KYZKRxj1jZNzQ=; b=a9ERL9aP4bX7wkDTgpR6dQtziHJbi1LqbLBfjnzuGYzbbnvobBgTa1HPd7hTWt55bt L1by1asKAt6kYadVVfogOAuNJUACrVxowJy8StYeIQMB7oGoCTv2/9nWNqw77LO5v68a BFvGrPrTpDHuuL2GEctQ+pgUZjAWb9jZRS/wGEpmhomSuyLqxUOBOpYgY0mc1s1kwbnS 4dL4OYrzNHZpc0gHnDK6ruIuEJaItXMR+GxF7gb+fxxuPSKotmrwJZFDbkgIIBRTvtD1 CVJbbavt/apFn6JFsTL4WrNOhCMmMlQkd54E8be3roHKVK4wWZd6ky6i0hrGSzjaXjvX bAMw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=yOoi7AYde1nHT4Eaf+5cWVelgOrKX6KYZKRxj1jZNzQ=; b=JU6gv9Kba2pkrP/qxPftHU1kn02eeI9slRcDlWpsQhAqhX/ULHhNzzZG9wZ53jGn7Q xKXyVl0HNslexJQxLHgRUDC+b7hJt+RSZXC/odetsFvPXn6bDTdhl6XxursQ8cjkAfwe FBgIO5LkkEPdKtjwHRyMFx1SROw7wD3uuy9LDqdLqwXpm5+Ic4bog22UQPQPvEg2D3T1 X5REbEORtH1NDMBgs1QQNIsAKv//kRNJUd+VJsPyRObMMGrjHdS88UWn5AvijD/fbdBn kUWmonwz1m+hNesrAaXfTqVNWIr6jTdV4U7n6lSVWUd9OKnLoekLQVQOTFIzaOFYavMW 3pcg==
X-Gm-Message-State: APjAAAVzowR/SSs23MBSeJKNNf6WSriYh7u1kKpBaJpVGX1fP3gfCPYE DeY+0WSM3+ccKbxLbxmzMXnYExaQceHrGMRfhp1rvw==
X-Google-Smtp-Source: APXvYqyewzjk0wncoSFod9hQ4X5Zv0pYpmJDgp7y/vEFM9HtLr/JQ1ZJGmJm6UpwTxWHk4MZ7YDhoMhfqyuW5PGFEjo=
X-Received: by 2002:ac8:387b:: with SMTP id r56mr6693350qtb.364.1575928202502; Mon, 09 Dec 2019 13:50:02 -0800 (PST)
MIME-Version: 1.0
References: <157562487044.21086.3344278098662647264@ietfa.amsl.com> <3E6971B4-D213-4F63-A09D-7AEAFE69A2CD@cisco.com> <12F11732-63CB-4A39-BA22-C2A24EB40B85@doubleshotsecurity.com> <39A9410C-4EE3-4672-AE6F-0411CD33C01A@jisc.ac.uk> <518DA75C-1880-4D0B-8D8C-BF3558A6D2F0@doubleshotsecurity.com>
In-Reply-To: <518DA75C-1880-4D0B-8D8C-BF3558A6D2F0@doubleshotsecurity.com>
From: Warren Kumari <warren@kumari.net>
Date: Mon, 9 Dec 2019 16:49:26 -0500
Message-ID: <CAHw9_iK-UkPD0U4MqjrmD=Rx+EiX=QSqMMYmLTWyDWkEyqPrug@mail.gmail.com>
To: Merike Kaeo <merike@doubleshotsecurity.com>
Cc: Tim Chown <Tim.Chown@jisc.ac.uk>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "ops-dir@ietf.org" <ops-dir@ietf.org>, "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-v6.all@ietf.org" <draft-ietf-opsec-v6.all@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/Hx1GDCWNMOhX5USS5ZJctQSc5YA>
Subject: Re: [OPSEC] [Last-Call] Opsdir last call review of draft-ietf-opsec-v6-21
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Dec 2019 21:50:08 -0000

[ - last-call@ flor clutter ]

Authors,

Thank you for being diligent in addressing comments -- please SHOUT
LOUDLY once you believe that it is ready for me to progress.

Thanks!
W

On Sat, Dec 7, 2019 at 2:26 AM Merike Kaeo
<merike@doubleshotsecurity.com> wrote:
>
> Hello Tim.
>
> We will be reviewing and considering the July 2018 comments from you (and Don) along with the other AD review comments from the past few weeks.
>
> - merike
>
> > On Dec 6, 2019, at 8:41 AM, Tim Chown <Tim.Chown@jisc.ac.uk> wrote:
> >
> > Hi,
> >
> > No problem, it’s not a big issue.  I must admit I didn’t check at the time for any responses after completing the last review.  But now looking back at the opsec archives I don’t see any response to that email (bar a separate comment) nor any changes that I could see to the document as a result.  If there is something I missed please do point it out.
> >
> > Anyway, if you can consider those comments when looking at the additional notes in the new review, that would be great.  Overall the document is certainly in much better shape than 18 months ago, and very close to being done :)
> >
> > Best wishes,
> > Tim
> >
> >> On 6 Dec 2019, at 16:17, Merike Kaeo <merike@doubleshotsecurity.com> wrote:
> >>
> >> Hi Tim.
> >>
> >> You are someone who has over the years made many substantial recommendations to this document so I will echo Eric’s comment that if we did not react to your last review it was a gross oversight.  I will look at my archives since I recall making a concerted effort to make sure we included all the review comments from 2017/2018 in a version around October 2018.
> >>
> >> - merike
> >>
> >>
> >>> On Dec 6, 2019, at 6:19 AM, Eric Vyncke (evyncke) <evyncke@cisco.com> wrote:
> >>>
> >>> Tim
> >>>
> >>> Thank you for your additional review. And, I feel really bad if we, the authors, have not reacted to your previous review (even if I had in mind that we acted on it -- possibly not changing the text to fit completely your view)
> >>>
> >>> -éric
> >>>
> >>> On 06/12/2019, 10:34, "Tim Chown via Datatracker" <noreply@ietf.org> wrote:
> >>>
> >>>   Reviewer: Tim Chown
> >>>   Review result: Not Ready
> >>>
> >>>   I have reviewed this document as part of the Operational directorate's ongoing
> >>>   effort to review all IETF documents being processed by the IESG.  These
> >>>   comments were written with the intent of improving the operational aspects of
> >>>   the IETF drafts. Comments that are not addressed in last call may be included
> >>>   in AD reviews during the IESG review.  Document editors and WG chairs should
> >>>   treat these comments just like any other last call comments.
> >>>
> >>>   This draft analyses operational security issues related to the deployment of
> >>>   IPv6, and describes appropriate mechanisms and practices to mitigate potential
> >>>   threats.
> >>>
> >>>   I had previously reviewed the draft as an OPS-DIR Early Review in July 2018, as
> >>>   detailed in
> >>>   https://mailarchive.ietf.org/arch/msg/opsec/6s_YFrXNPwtbQRe62D3_AtXb6as, but I
> >>>   don’t see any evidence of these comments being acted upon, or any response, so
> >>>   as far as I can see, the comments in this review still apply, and I would urge
> >>>   the authors to review these comments.
> >>>
> >>>   That said, there have been a number of improvements to the draft in the past 18
> >>>   months, and overall it is a much better document for those changes.  The
> >>>   question is at what point the WG should simply ship the draft as “good enough”,
> >>>   rather than try to improve it further.
> >>>
> >>>   At the moment I think the document is Not Ready, though it’s getting nearer to
> >>>   being Ready with Nits.
> >>>
> >>>   General comments:
> >>>
> >>>   There are a number of typos / grammatical errors in the document.  While the
> >>>   RFC Editor will correct, e.g., in the abstract - “mitigations” should be
> >>>   singular, in the intro “with that have been”, in 2.1 “of address space
> >>>   available” (add “is”), “allow” should be “allows”.  Just needs a careful proof
> >>>   read.
> >>>
> >>>   Specific comments:
> >>>
> >>>   Abstract:
> >>>
> >>>   “places” should be “aspects” or similar.
> >>>
> >>>   2.1.1:
> >>>
> >>>   Or for internal communication stability in networks where external connectivity
> >>>   may came and go, e.g., many ISPs provide ULAs in home networks.
> >>>
> >>>   2.1.5:
> >>>
> >>>   This section muddles privacy addresses with stable per-prefix identifiers.
> >>>   They have different uses, and can be used independently or together.
> >>>
> >>>   You say “RFC 8064 specifies a way to”, but I think you should cite RFC 7217 as
> >>>   the address generation mechanism, and RFC 8064 as the recommendation to use
> >>>   that, but note that you can still use RFC 4941 addresses alongside RFC RFC 7217
> >>>   addresses.
> >>>
> >>>   2.1.6
> >>>
> >>>   As per my previous review I think you should have a section on address
> >>>   accountability / auditing, and discuss that for all address assignment methods,
> >>>   be it DHCPv6 or SLAAC/RFC7217.  You say here DHCPv6 is used for audit purposes,
> >>>   yet later in the doc say there are issues with that approach.
> >>>
> >>>   Address accountability is the most common question I get asked when speaking to
> >>>   universities about IPv6 deployment when there is (dual-stack) multi-addressing.
> >>>
> >>>   This can be a place to mention DHCPv6 anonymity profiles, but that would be
> >>>   better in a separate section on address and thus user privacy.
> >>>
> >>>   2.2.4
> >>>
> >>>   As per later in the document, emphasise here that IPSec is optional (some still
> >>>   have the original IPv6 marketing message in their head…)
> >>>
> >>>   2.3.3
> >>>
> >>>   “his packets” -> “their packets” to be gender neutral.
> >>>
> >>>   How widely deployed is SAVI in practice?  A comment is rightly made about SeND,
> >>>   but what about SAVI implementation?
> >>>
> >>>   Can also suggest the /64 per host isolation approach here before the “A drastic
> >>>   technique” paragraph.
> >>>
> >>>   2.6.1.5
> >>>
> >>>   Address accountability appears again here in the 5th paragraph.  You can get a
> >>>   level of accountability from polling network devices where DHCPv6 is not used;
> >>>   this should be discussed somewhere.
> >>>
> >>>   2.7.1
> >>>
> >>>   Should mention RFC 7123 here, and also in Section 3.
> >>>
> >>>   3.2
> >>>
> >>>   Given you raise VPNs, you should add a note about RFC 7359.
> >>>
> >>>   In R&E campus enterprises, eduroam is widely deployed and gives accountability
> >>>   through federated 802.1x based network access.
> >>>
> >>>   4.3
> >>>
> >>>   You manage to avoid talking about IPv6 NAT until here.  Then assume there is no
> >>>   IPv6 NAT on a CPE.  Would it be better to not mention IPv6 NAT at all, or dare
> >>>   you open that can of very wriggly worms in this document?  I imagine the IESG
> >>>   reviews may ask, given the widely held industry belief that “NAT is added
> >>>   security” :).  RFC 4864 still has value, but you cite that for a different
> >>>   reason.
> >>>
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> OPSEC mailing list
> >>> OPSEC@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/opsec
> >>>
> >>
> >> --
> >> last-call mailing list
> >> last-call@ietf.org
> >> https://www.ietf.org/mailman/listinfo/last-call
> >
>


-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf