Re: [OPSEC] New updated version of draft-vyncke-opsec-v6-01 (Operational Security Considerations for IPv6 Networks)

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Fri, 20 July 2012 20:36 UTC

From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "opsec@ietf.org" <opsec@ietf.org>
Date: Fri, 20 Jul 2012 20:36:56 +0000
Message-ID: <1C9F17D1873AFA47A969C4DD98F98A7502512E@xmb-rcd-x10.cisco.com>
In-Reply-To: <97EB7536A2B2C549846804BBF3FD47E1050EC5@xmb-aln-x02.cisco.com>
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>

Hello Eric,

This draft is indeed needed.

I haven't reviewed the whole draft yet, but here are some comments/suggestions:

- 2.1.4.  Privacy Addresses could mention draft-gont-opsec-ipv6-host-scanning, which explains some concerns even when using DHCPv6 or privacy addresses.
- 2.2.  Link Layer Security could mention ND cache DoS concerns and protection.
- 2.2.1.  SeND and CGA could mention the limitation of vendor support that makes SeND challenging to deploy widely.
- 2.3.  Control Plane Security mentions that rate-limiting of valid packets should be done for the management and control plane. A spoofed legitimate source could still cause a DoS effect on the control and management plane, even when rate-limiting is enabled. The device will still be alive, but the services could still see outages. I think that would be valuable to point out as a consideration.
- 2.6.3.1.  Carrier Grade Nat (CGN) could mention the log size concern and draft-donley-behave-deterministic-cgn, which alleviates it.
- 3.1.  External Security Considerations could mention "Implement anti-spoof filtering or other anti-spoof protections". Anti-spoof filtering could be ACLs, but RTBH could also be implemented if BGP is used on the CPE.
- 3.2.  Internal Security Considerations can mention "filtering IPv6 tunneling that can bypass outbound security policy" (the usual torrent-over-Teredo-tunnel example in Section 5).

Thank you,
Panos
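
The tunnel-filtering point in the 3.2 comment above (IPv6 riding inside IPv4 past an IPv4-only outbound policy) is easier to act on once you can recognise the transition addresses and the outer-IPv4 flow features. The following is an added example, not code from the draft or from anyone in this thread; it decodes Teredo (RFC 4380), 6to4 (RFC 3056) and ISATAP (RFC 5214) addresses and flags egress flows that carry encapsulated IPv6. All sample addresses and flows are constructed for the demo; the 10.1.1.0/24 inside hosts and the 203.0.113.0/24 destinations are documentation ranges chosen here.

```python
"""Spot IPv6 tunnel traffic that can slip past an IPv4-only outbound policy.

Added example, not code from the draft or from the mailing-list thread.
Address layouts follow RFC 4380 (Teredo), RFC 3056 (6to4) and RFC 5214
(ISATAP); the sample addresses and flows below are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")
TEREDO_UDP_PORT = 3544  # server port; peer-to-peer Teredo uses arbitrary UDP ports


@dataclass
class TunnelInfo:
    mechanism: str
    embedded_ipv4: str                      # IPv4 endpoint hidden inside the IPv6 address
    embedded_port: Optional[int] = None     # Teredo: client's NAT-mapped UDP port
    server_ipv4: Optional[str] = None       # Teredo: server the client qualified with


def decode_teredo(addr: ipaddress.IPv6Address) -> TunnelInfo:
    """RFC 4380 s.4: 2001:0000 | server IPv4 | flags | port XOR 0xFFFF | client IPv4 XOR 0xFFFFFFFF."""
    raw = addr.packed
    server = ipaddress.IPv4Address(raw[4:8])
    port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
    client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))
    return TunnelInfo("teredo", str(client), port, str(server))


def classify(address: str) -> Optional[TunnelInfo]:
    """Return the transition mechanism an IPv6 address belongs to, or None for native."""
    addr = ipaddress.IPv6Address(address)
    if addr in TEREDO_PREFIX:
        return decode_teredo(addr)
    if addr in SIXTO4_PREFIX:
        # 2002:AABB:CCDD::/48 -> the 6to4 site's public IPv4 is A.B.C.D
        return TunnelInfo("6to4", str(ipaddress.IPv4Address(addr.packed[2:6])))
    iid = addr.packed[8:16]
    # ISATAP interface ID: 00-00-5E-FE (or 02-00-5E-FE with the u/g bit set) + IPv4
    if iid[0] in (0x00, 0x02) and iid[1] == 0x00 and iid[2:4] == b"\x5e\xfe":
        return TunnelInfo("isatap", str(ipaddress.IPv4Address(iid[4:8])))
    return None


def tunnel_indicator(proto: int, dst_port: Optional[int]) -> Optional[str]:
    """Outer-IPv4 features that mark encapsulated IPv6, i.e. traffic an
    IPv4-only egress ACL forwards without ever seeing the inner IPv6 policy."""
    if proto == 41:                              # IP protocol 41 = IPv6-in-IPv4 (6to4, ISATAP, 6in4)
        return "ipv6-in-ipv4"
    if proto == 17 and dst_port == TEREDO_UDP_PORT:
        return "teredo"
    return None


# Constructed sample egress flows: (ip_proto, src, dst, dst_port)
SAMPLE_EGRESS_FLOWS = [
    (6, "10.1.1.10", "203.0.113.80", 443),
    (17, "10.1.1.10", "65.54.227.120", 3544),   # Teredo qualification with a server
    (41, "10.1.1.20", "192.88.99.1", None),     # 6to4 toward the RFC 3068 anycast relay
    (17, "10.1.1.30", "203.0.113.53", 53),
]


def flows_bypassing_policy(flows=SAMPLE_EGRESS_FLOWS):
    """List (src, dst, mechanism) for flows carrying tunneled IPv6."""
    hits = []
    for proto, src, dst, port in flows:
        kind = tunnel_indicator(proto, port)
        if kind:
            hits.append((src, dst, kind))
    return hits


if __name__ == "__main__":
    for a in ("2001:0:4136:e378:8000:63bf:3fff:fdd2", "2002:c000:204::1",
              "fe80::5efe:c0a8:10a", "2001:db8::1"):
        print(a, "->", classify(a))
    print(flows_bypassing_policy())
```

Two caveats worth keeping in mind when turning this into a filter: the UDP/3544 match only catches a Teredo client talking to its server, since peer-to-peer Teredo traffic uses whatever port the NAT assigned, so the decoded embedded_ipv4/embedded_port pair is the better evidence once you can see the inner packet; and blocking protocol 41 at the edge also kills legitimate 6in4 tunnels, so do it deliberately rather than as a side effect.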




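The 2.6.3.1 comment above points at draft-donley-behave-deterministic-cgn as the answer to CGN log volume. The following is an added example, not code from that draft, from draft-vyncke-opsec-v6 or from anyone in this thread: it implements a simplified sequential variant of a deterministic inside-address to outside-address-and-port-block mapping, so that an abuse report naming an outside address and port can be resolved to a subscriber by computation rather than by searching per-session logs. The assumption that every inside address gets one contiguous port block, the 1024 reserved low ports, and the 10.0.0.0/24 and 198.51.100.0/30 pools are choices made for this demo.

```python
"""Deterministic CGN port mapping: recover the inside host from an outside
(address, port) pair without a per-session log.

Added example, not code from the draft or from the thread. It implements a
simplified sequential variant of the deterministic mapping idea in
draft-donley-behave-deterministic-cgn (assumption: each inside address gets one
contiguous port block on one outside address). The pools are constructed.
"""
import ipaddress
from typing import Optional, Tuple


class DeterministicCGN:
    def __init__(self, inside: str, outside: str, reserved_ports: int = 1024):
        self.inside = ipaddress.IPv4Network(inside)
        self.outside = ipaddress.IPv4Network(outside)
        self.reserved = reserved_ports        # low ports never handed out to subscribers
        if self.inside.num_addresses % self.outside.num_addresses:
            raise ValueError("inside pool must be an exact multiple of the outside pool")
        # compression ratio: how many inside addresses share each outside address
        self.ratio = self.inside.num_addresses // self.outside.num_addresses
        self.ports_per_host = (65536 - self.reserved) // self.ratio

    def mapping(self, inside_ip: str) -> Tuple[str, int, int]:
        """Outside address and inclusive port range for an inside address.
        This is the entire 'log' for that subscriber: computed, not stored."""
        ip = ipaddress.IPv4Address(inside_ip)
        if ip not in self.inside:
            raise ValueError(f"{inside_ip} is not in the inside pool")
        idx = int(ip) - int(self.inside.network_address)
        outside_ip = self.outside.network_address + idx // self.ratio
        first = self.reserved + (idx % self.ratio) * self.ports_per_host
        return str(outside_ip), first, first + self.ports_per_host - 1

    def reverse(self, outside_ip: str, port: int) -> Optional[str]:
        """Abuse-report lookup: which subscriber held outside_ip:port?
        Returns None when the port lies outside the deterministic blocks (the
        reserved range or an overflow pool); only that traffic still needs
        per-session logging."""
        ip = ipaddress.IPv4Address(outside_ip)
        if ip not in self.outside or port < self.reserved:
            return None
        block = (port - self.reserved) // self.ports_per_host
        if block >= self.ratio:
            return None
        pool_idx = int(ip) - int(self.outside.network_address)
        return str(self.inside.network_address + pool_idx * self.ratio + block)


if __name__ == "__main__":
    cgn = DeterministicCGN("10.0.0.0/24", "198.51.100.0/30")
    print("ratio", cgn.ratio, "ports per host", cgn.ports_per_host)
    for host in ("10.0.0.5", "10.0.0.200"):
        print(host, "->", cgn.mapping(host))
    print("198.51.100.3:9500 ->", cgn.reverse("198.51.100.3", 9500))
    print("198.51.100.3:500 ->", cgn.reverse("198.51.100.3", 500))
```

The trade-off the draft is addressing shows up directly in the numbers: with a 64:1 compression ratio each subscriber gets a fixed 1008-port block, which caps concurrent sessions per host but lets the operator answer a law-enforcement or abuse query from configuration alone. Whatever is allocated outside those blocks (dynamic overflow) is the only part that still needs session-level records, which is where the log size saving comes from.
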
From: opsec-bounces@ietf.org [mailto:opsec-bounces@ietf.org] On Behalf Of Eric Vyncke (evyncke)
Sent: Wednesday, July 18, 2012 10:35 AM
To: v6ops@ietf.org WG; opsec@ietf.org
Subject: [OPSEC] New updated version of draft-vyncke-opsec-v6-01 (Operational Security Considerations for IPv6 Networks)

We have posted a new version of our draft draft-vyncke-opsec-v6 at:
http://tools.ietf.org/html/draft-vyncke-opsec-v6-01

As usual, comments are welcome; at Paris, the comments were 'yes this is required'. BTW, the intent is not to write hundreds of pages but rather to document existing I-Ds and good practices.

Best regards

-merike, kk and éric