Re: [OPSEC] Opsdir early review of draft-ietf-opsec-v6-13

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Mon, 08 February 2021 16:11 UTC

From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: "Smith, Donald" <Donald.Smith@CenturyLink.com>, Tim Chown <tim.chown@jisc.ac.uk>, "ops-dir@ietf.org" <ops-dir@ietf.org>
CC: "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-v6.all@ietf.org" <draft-ietf-opsec-v6.all@ietf.org>
Thread-Topic: [OPSEC] Opsdir early review of draft-ietf-opsec-v6-13
Thread-Index: AQHW/jIycce5YnLflU2S1JYWIVktfg==
Date: Mon, 08 Feb 2021 15:51:01 +0000
Message-ID: <6E6F584E-366B-4048-A103-B7D8FF045AD5@cisco.com>
References: <153055392479.16095.569198674604354407@ietfa.amsl.com> <68EFACB32CF4464298EA2779B058889D53DE8559@PDDCWMBXEX503.ctl.intranet>
In-Reply-To: <68EFACB32CF4464298EA2779B058889D53DE8559@PDDCWMBXEX503.ctl.intranet>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/J4xQ516XdAAgv7DHj7m0GFOXDRI>

Hello Donald,

As for Tim Chown's review, here is my belated reply...

Look for EV>

Thank you for the review

-éric


-----Original Message-----
From: "Smith, Donald" <Donald.Smith@CenturyLink.com>
Date: Monday, 2 July 2018 at 22:14
To: Tim Chown <tim.chown@jisc.ac.uk>, "ops-dir@ietf.org" <ops-dir@ietf.org>
Cc: "opsec@ietf.org" <opsec@ietf.org>, "draft-ietf-opsec-v6.all@ietf.org" <draft-ietf-opsec-v6.all@ietf.org>
Subject: Re: [OPSEC] Opsdir early review of draft-ietf-opsec-v6-13

    Routing security talks exclusively to OSPFv3, which isn't in common use externally today; BGP would be a better choice.

EV> I made the reference to RFC 7454 more prominent in the text

    2.1.1 This:
    There are many scanning
       techniques and more to come possible, hence, operators should never
       relly on the 'impossible to find because my address is random'
       paradigm.

    Should probably be this:
    There are many scanning techniques and possibly more to come, hence, operators should never rely on the 'impossible to find because my address is random' paradigm.

    Or adding Tom's suggestion:
    There are many scanning techniques and possibly more to come, hence, operators should never rely on the 'security by obscurity' paradigm.

EV> indeed, the text has changed following Tim's suggestion

    Maybe it doesn't belong there but this appears to be a potential new smurf amplification vector.

    "Another way works only for local network, it consists in sending a
       ICMP ECHO_REQUEST to the link-local multicast address ff02::1 which
       is all IPv6 nodes on the network.  All nodes should reply to this
       ECHO_REQUEST per [RFC4443]."

EV> except that this is local only (packets to ff02::1 will not be forwarded by an IP router). So, the attack is local only (but could be a real annoyance in some settings).

    But maybe that belongs in 4443 or some other draft?



    I feel some mention of anycast used for DDoS Reflection and Amplification (RA) should be included (again might be out of scope)?

EV> I agree that RFC 4443 did not take this amplification attack into consideration. At least nowadays, large layer-2 networks (notably Wi-Fi) have disabled link-local multicast. Added a new section 2.3.6 on this issue.



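As an added illustration of the ff02::1 point discussed above (not code from this thread, the draft, or RFC 4443), the Python below parses constructed raw IPv6/ICMPv6 echo requests and classifies any aimed at a multicast group by its RFC 4291 scope nibble, which is why an all-nodes ping stays confined to one link while a global-scope group would be forwarded. The function names, the hand-built packets (ICMPv6 checksum left as zero) and the sample addresses are assumptions made for this example.

```python
import ipaddress
import struct

ICMPV6 = 58           # IPv6 next-header value for ICMPv6
ECHO_REQUEST = 128    # ICMPv6 Echo Request type (RFC 4443)
LINK_LOCAL_SCOPE = 2  # scope nibble of ff02::/16 (RFC 4291 section 2.7)

def multicast_scope(addr):
    """4-bit scope of an IPv6 multicast address, or None for a unicast address."""
    a = ipaddress.IPv6Address(addr)
    return (a.packed[1] & 0x0F) if a.is_multicast else None

def crosses_routers(dst):
    """True if a router may forward traffic to dst; link-local scope never crosses one."""
    scope = multicast_scope(dst)
    return scope is None or scope > LINK_LOCAL_SCOPE

def build_echo_request(src, dst, payload=b"", hop_limit=64):
    """Constructed sample: raw IPv6 header + ICMPv6 Echo Request (checksum left zero)."""
    icmp = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, 0x1234, 1) + payload
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + icmp

def parse_packet(raw):
    """Return (src, dst, icmp_type) from a raw IPv6 packet; icmp_type is None if not ICMPv6."""
    if len(raw) < 40:
        raise ValueError("truncated IPv6 header")
    _, _, next_header, _ = struct.unpack("!IHBB", raw[:8])
    src = str(ipaddress.IPv6Address(raw[8:24]))
    dst = str(ipaddress.IPv6Address(raw[24:40]))
    icmp_type = raw[40] if next_header == ICMPV6 and len(raw) > 40 else None
    return src, dst, icmp_type

def classify_multicast_echo(packets):
    """Flag echo requests aimed at a multicast group and say whether routers would carry them."""
    findings = []
    for raw in packets:
        src, dst, icmp_type = parse_packet(raw)
        if icmp_type == ECHO_REQUEST and multicast_scope(dst) is not None:
            findings.append((src, dst, "routable" if crosses_routers(dst) else "link-local only"))
    return findings

# Constructed traffic: all-nodes ping, ordinary unicast ping, global-scope multicast ping
SAMPLE = [
    build_echo_request("fe80::1", "ff02::1"),
    build_echo_request("2001:db8::10", "2001:db8::1"),
    build_echo_request("2001:db8::10", "ff0e::1"),
]
```

Run against captured frames on a single segment, the "link-local only" findings are the pattern the thread describes; anything "routable" deserves a look at the multicast boundary configuration of the routers involved.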