Re: [OPSEC] Opsdir early review of draft-ietf-opsec-v6-13

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Mon, 08 February 2021 16:11 UTC

From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: "Smith, Donald" <Donald.Smith@CenturyLink.com>, Tim Chown <tim.chown@jisc.ac.uk>, "ops-dir@ietf.org" <ops-dir@ietf.org>
CC: "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-v6.all@ietf.org" <draft-ietf-opsec-v6.all@ietf.org>
Thread-Topic: [OPSEC] Opsdir early review of draft-ietf-opsec-v6-13
Thread-Index: AQHW/jIycce5YnLflU2S1JYWIVktfg==
Date: Mon, 8 Feb 2021 15:51:01 +0000
Message-ID: <6E6F584E-366B-4048-A103-B7D8FF045AD5@cisco.com>
References: <153055392479.16095.569198674604354407@ietfa.amsl.com> <68EFACB32CF4464298EA2779B058889D53DE8559@PDDCWMBXEX503.ctl.intranet>
In-Reply-To: <68EFACB32CF4464298EA2779B058889D53DE8559@PDDCWMBXEX503.ctl.intranet>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/J4xQ516XdAAgv7DHj7m0GFOXDRI>
Subject: Re: [OPSEC] Opsdir early review of draft-ietf-opsec-v6-13

Hello Donald,

As for Tim Chown's review, here is my belated reply...

Look for EV>

Thank you for the review

-éric


-----Original Message-----
From: "Smith, Donald" <Donald.Smith@CenturyLink.com>
Date: Monday, 2 July 2018 at 22:14
To: Tim Chown <tim.chown@jisc.ac.uk>, "ops-dir@ietf.org" <ops-dir@ietf.org>
Cc: "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-v6.all@ietf.org" <draft-ietf-opsec-v6.all@ietf.org>
Subject: Re: [OPSEC] Opsdir early review of draft-ietf-opsec-v6-13

    Routing security talks exclusively about OSPFv3, which isn't in common use externally today; BGP would be a better choice.

EV> I made the reference to RFC 7454 more prominent in the text

    2.1.1 This:
    There are many scanning
       techniques and more to come possible, hence, operators should never
       relly on the 'impossible to find because my address is random'
       paradigm.

    Should probably be this:
    There are many scanning techniques and possibly more to come, hence, operators should never rely on the 'impossible to find because my address is random' paradigm.

    Or adding Tom's suggestion:
    There are many scanning techniques and possibly more to come, hence, operators should never rely on the 'security by obscurity' paradigm.

EV> indeed, the text has changed following Tim's suggestion

    Maybe it doesn't belong there, but this appears to be a potential new smurf amplification vector.

    "Another way works only for local network, it consists in sending a
       ICMP ECHO_REQUEST to the link-local multicast address ff02::1 which
       is all IPv6 nodes on the network.  All nodes should reply to this
       ECHO_REQUEST per [RFC4443]."

EV> except that this is local only (packets to ff02::1 will not be forwarded by an IP router). So, the attack is local only (but could be a real annoyance in some settings).

    But maybe that belongs in 4443 or some other draft?



    I feel some mention of anycast used for DDoS Reflection and Amplification (RA) should be included (again might be out of scope)?

EV> I agree that RFC 4443 did not take this amplification attack into consideration. At least nowadays, large layer-2 networks (notably Wi-Fi) have disabled link-local multicast. Added a new section 2.3.6 on this issue.



    Metric System < +000 > -000
    Extra People's Terribly Good Meals Kept mY uNCLE    Ned   Purring For     Ages
    Exa   Peta        Tera     Giga   Mega  Kilo milli Micro(u) Nano Pico    Femto Atto
    Donald.Smith@centurylink.com
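Added example for the ff02::1 discussion above. It is illustration code written for this archive page, not text or code from the draft, from RFC 4443, or from either participant. It builds the ICMPv6 Echo Request to the all-nodes address that the quoted paragraph describes (checksum computed over the IPv6 pseudo-header as RFC 4443 section 2.3 requires) and encodes the RFC 4291 section 2.7 scope rule that makes the reply's point: a router must not forward multicast whose scope nibble is interface- or link-local, so ff02::1 traffic never leaves the link. The source address fe80::1 and the payload are constructed sample values.

```python
"""ICMPv6 Echo Request to ff02::1 and the multicast scope rule that keeps it local.

Illustration code for the opsec-v6 review thread; not from the draft or RFC 4443.
Sample addresses and payload below are constructed.
"""
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58
ICMPV6_ECHO_REQUEST = 128

# RFC 4291 section 2.7: the low nibble of the second byte of ff00::/8 is the scope.
SCOPES = {
    0x1: "interface-local",
    0x2: "link-local",
    0x3: "realm-local",
    0x4: "admin-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
}


def multicast_scope(addr):
    """Return the scope name of an IPv6 multicast address, or None for unicast."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        return None
    return SCOPES.get(a.packed[1] & 0x0F, "reserved/unassigned")


def router_may_forward(dst):
    """RFC 4291 2.7: routers must not forward multicast beyond its scope, and
    interface-local (1) and link-local (2) scope never span a router.
    Anything wider may be forwarded within its scope; unicast is always forwardable.
    """
    a = ipaddress.IPv6Address(dst)
    if not a.is_multicast:
        return True
    return (a.packed[1] & 0x0F) > 0x2


def icmpv6_checksum(src, dst, message):
    """Internet checksum over the IPv6 pseudo-header plus the ICMPv6 message
    (RFC 4443 section 2.3). Returns 0 when run over a message whose checksum
    field is already correct, which is how a receiver verifies it.
    """
    pseudo = (
        ipaddress.IPv6Address(src).packed
        + ipaddress.IPv6Address(dst).packed
        + struct.pack("!I", len(message))       # upper-layer packet length
        + b"\x00\x00\x00"
        + bytes([ICMPV6_NEXT_HEADER])
    )
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"                          # pad odd length for 16-bit words
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                           # fold carries (one's complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def echo_request(src, dst, ident=0x1234, seq=1, payload=b""):
    """Return the bytes of an ICMPv6 Echo Request with the checksum filled in."""
    header = struct.pack("!BBHHH", ICMPV6_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmpv6_checksum(src, dst, header + payload)
    return struct.pack("!BBHHH", ICMPV6_ECHO_REQUEST, 0, csum, ident, seq) + payload


if __name__ == "__main__":
    # Constructed sample: a link-local source pinging all nodes on the link.
    pkt = echo_request("fe80::1", "ff02::1", payload=b"opsec-v6")
    print("scope of ff02::1:", multicast_scope("ff02::1"))
    print("router may forward ff02::1:", router_may_forward("ff02::1"))
    print("echo request bytes:", pkt.hex())
    print("checksum verifies:", icmpv6_checksum("fe80::1", "ff02::1", pkt) == 0)
```

The amplification factor of the technique is simply the number of nodes on the link that still answer echo requests to ff02::1; the scope check is what bounds it to that link, which is the reply's argument for why this is a local nuisance rather than an Internet-wide reflector.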