IETF Logo Mail Archive

Re: [OPSEC] draft-ietf-opsec-v6-24 - Shepherd Review update

Gyan Mishra <hayabusagsm@gmail.com> Thu, 13 May 2021 15:12 UTC

Return-Path: <hayabusagsm@gmail.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0447D3A0FF5; Thu, 13 May 2021 08:12:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yU7mU8zw_TrQ; Thu, 13 May 2021 08:12:44 -0700 (PDT)
Received: from mail-pg1-x52b.google.com (mail-pg1-x52b.google.com [IPv6:2607:f8b0:4864:20::52b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 914B23A0F9D; Thu, 13 May 2021 08:12:41 -0700 (PDT)
Received: by mail-pg1-x52b.google.com with SMTP id s22so21661653pgk.6; Thu, 13 May 2021 08:12:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=OhP94tcMtRwS6WCU3K4rcai1D+I8tFk0HWcPo4/ubA4=; b=KRnCEgSfDA8c/CKib3i/BTpKgvUJoK9b+3UYe2ldv5kIRXGZ0I7WgIpvynxSmOfObM mjt7QxjwKs5pLF/41/hpqPqrXAHiFIvXVTE4uzCSgVr+oDVDvgF8E9mt9x548MAytXhp a5IWYtIKUDu9YQYZPX18WFp5h3lEOd3EhDYd0Q3/qaoEilYay8KqsSNlYbuhpC1KwEN8 GsbiAdPLOR6oomzWtmTFvnfGjyj+gWJUbllcEp3srj4vuNqLHwUPp/rq3Ye/gXji5tci h0b3/x6F6ehhfLI3PAwiu3KUnGDnoGwIFFKulZGL8zx2D7s13PsJqqifRVN8MlkgfCRC MvtQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=OhP94tcMtRwS6WCU3K4rcai1D+I8tFk0HWcPo4/ubA4=; b=dW0ial6B2Qz9YzUo+bUhO7vYqvQi7qSnbK/cK0rzswPC1XHsFXzIVQoFUV7TJFjUhm aajZjJnF9Ju8eOOzOSU4eLWfwHY8IBBsbq7qssh+PL4pe2nCsmixqDVpICHkG1DzmSEw j6VsVtYLaxRkMQR2koLd+CNe47dr++HXAuBgod22v6uEfMN4GGPbJ7dM/2V2Tqt4QTtP zcRIljs5wujqPJmfDO0qY5g1lHRhhvzLYje4et9EiI6TeRMphgJpwixmdc8Z7LOq0Uwc xW4g9iZsPi0Yw37iBeEUY1S/t2EEGMqrfV2S8Fhlgrl985xiRFh73/POEJnBXxmEd/b2 eRoA==
X-Gm-Message-State: AOAM533lO4pt6EPq+mVs5QHyQRg1i3U4E0eRMMCJWDRhJmchoX0se+Wn xzsy7y156Xu5XaiX/afEBXoEAZ839gl5cPyCWZk=
X-Google-Smtp-Source: ABdhPJx9IdfRWaMkhpJCG+iZnIE/t4surlhRiLc9/L1NnCwx/lUHBuCqgSsiS7bIhxxoFijtpzVUJ/tk3sO5/PXEcfQ=
X-Received: by 2002:a17:90b:88c:: with SMTP id bj12mr44476163pjb.112.1620918759237; Thu, 13 May 2021 08:12:39 -0700 (PDT)
MIME-Version: 1.0
References: <CABNhwV1d4L5EHGhH4GKqUw-vpw7GFgMkA3h+QSQpqU4gPEqD5Q@mail.gmail.com> <0B38A56C-B339-4226-86E6-D6E89B799018@cisco.com> <CABNhwV1R-m14CDb9hKJg=4_e9qsR3T8f2a2pwh9WPo2mnqcqoA@mail.gmail.com>
In-Reply-To: <CABNhwV1R-m14CDb9hKJg=4_e9qsR3T8f2a2pwh9WPo2mnqcqoA@mail.gmail.com>
From: Gyan Mishra <hayabusagsm@gmail.com>
Date: Thu, 13 May 2021 11:12:28 -0400
Message-ID: <CABNhwV2viSC97PRE_ZBqMdzd1QKYon4JDgB86dk8wEEt7pei4g@mail.gmail.com>
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
Cc: OpSec Chairs <opsec-chairs@ietf.org>, opsec WG <opsec@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000daa91105c2378ed7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/L5NrowpNrZ2C0bNEV86lMLalm0U>
Subject: Re: [OPSEC] draft-ietf-opsec-v6-24 - Shepherd Review update
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 May 2021 15:12:56 -0000

Hi Eric

Just checking if you had a chance look my Shepherd review.

Kind Regards

Gyan

On Thu, Apr 29, 2021 at 7:38 PM Gyan Mishra <hayabusagsm@gmail.com> wrote:

>
>
> Hi Eric
>
> Shepherd Review below:
>
> Abstract
>
> “ This document is only applicable to managed
>
>    networks, such as enterprise networks.”
>
>
> Should we mention service provider public internet and private networks
> are applicable
>
> Introduction
>
> Maybe mention extension headers as that has been a huge difference as well
> as security issue
>
> When mentioning ARP and ND difference maybe mention that now ICMPv6 now
> takes on the role of L2 Mac to L3 address mapping and maybe along the same
> line of thinking of broadcast versus multicast mention that broadcast no
> longer exist in IPv6.
>
> 2.1 Addressing Architecture
>
> Rewording of what RFC 7934 states related to multiple addresses
>
> Old
>
> In [RFC7934 <https://tools.ietf.org/html/rfc7934>], it is recommended that IPv6 network deployments provide multiple IPv6 addresses from each prefix to general-purpose hosts and
>  it specifically does not recommend limiting a host to only one IPv6
>    address per prefix. The way it’s worded it appears that it’s recommended
>
> that the network provide more then one address.
>
>
> New
>
>
>
> RFC 7934 states that most general-purpose IPv6 networks, hosts have the ability to configure additional IPv6 addresses from the link prefix(es) without
>    explicit requests to the network as there are
>
> host functions that require more then one address.
>
>
> Maybe also mention at the end of the paragraph that having multiple
> addresses on a host provides challenges to the NOC in troubleshooting and
> MTTR.
>
> Section 2.1.1
>
> ULAs although less likely to have overlap due to pseudo random algorithm
> there is no guarantee of not having an overlap.  Operators of with large
> internal corporate networks that are subject to mergers  and acquisitions
> it is recommended to not use ULA.  ULA does not guarantee uniqueness where
> GUA does for internal deployments.
>
> 2.1.2
>
> Many operators reserve a /64 block for all P2P  addresses in
>    their infrastructure and allocate a /127 out of this reserved /64
>    prefix for each p2p interface.
>
>
> This is a routing related caveat related to addressing.  So as all routing protocols use LL next hop most vendors have a command similar to cisco “IPv6 enable” that allows for processing and forwarding of IPv6 packets without an IPv6 address configured on an interface.  The caveat here is in traceroute the interface next hop is not shown in the trace and so for the NOC makes troubleshooting more difficult.  However it does make deployments or IPv6 on routed backbone nodes much quicker as no address planning is required.  I actually use this method in lab environments all the time and
>
> it’s very handy.  Also mention that on eBGP tie connections GUI or ULA as well is not required to save on address planning and
>
> peering can be done using link local. However care must be taken as the caveat is LL is not reachable beyond local link and
>
> ping or OAM of link if required that will not work.  The same operationalissue goes for a routed interfaces using LL and
>
> no IPv6 address are now not pingable to ensure each link is Up and reachable by NMS.
>
>
>
> On P2P when using /127 it is recommended to disable DAD as the subnet router anycast is used and so DAD could fail and place the IPv6 interface in a “tentative” state.
>
>
> 2.14
>
>
> I believe what was meant is stable but random not “not-stable as for server functions should always be stable address. Maybe worth mentioning and use of static stable address for servers and not SLAAC address.
>
>
> Old
>
>
> Typical deployments will have a mix of stable and non-stable
>    addresses; the stable addresses being either predictable (e.g., ::25
>    for a mail server) or obfuscated (i.e., appearing as a random 64-bit
>    number).
>
>
> New
>
>
> Typical deployments will have a mix of stable predictable and stable random
>    addresses; the stable addresses being either predictable (e.g., ::25
>    for a mail server) or obfuscated (i.e., appearing as a random 64-bit
>    number).  The
>
>
> Mention the double edged sword trade off as far as importance when it comes to using random changing address used for privacy
>
> for broadband users versus stable address for corporate network user community where security and traceability is of utmost importance.
>
>
> I believe what is being conveyed related to scanning is by pinging FF02::1
> it is easy to discover all hosts on the network.  Also may want to mention
> that all host have a local ND cache similar to a router ND cache as ICMPv6
> is running between the router and all hosts NS/NA as well as RS/RA.
>
> 2.1.5
>
> Should note that even though M and O bit is set the SLAAC address is also
> set as well.  SLAAC has to be disabled manually on router via cisco command
> example “IPv6 nd default no-advertise”.
>
> For any router or P2P links mentioned also “IPv6 ND RA suppress-all” cisco
> command example which suppress both periodic and response to unsolicited RS
> as routed link has static IP.
>
> On L2 switches which may have Mgmt interface that sits on the same subnet
> as upstream router pair L2 connected to closet switch once and address is
> placed on the L3 router interface the L2 router can act as a default
> gateway hijack as it sends an RA.  This can impact all hosts on the subnet
> black hole. All L2 switches Mgmt L3 interface that sits on host subnets
> interface should have “IPv6 nd ra suppress-all”.  For L2 hosts the
> recommended is to not enable IPv6 uncast-routing on hosts placing them in
> “host-mode” versus acting as a router and now the L2 switch can pick up
> default route via RA from upstream router pair.  With that of course any
> use of SLAAC and RA advertisement to host requires RA guard.
>
> 2.2
>
> Mention the DDOS denial of service issue related to HBH and DOH as their
> is no limit to the number of TLV options other than the maximum length of
> hbh options header 2048 that can be present as well as well as 0 byte TLVs
> are valid and also no limit to  the number of extended headers stacked
> limited by the MTU.  Also the cyclical cycle by operators filtering hbh and
> doh to avoid risk of ddos attack and management plane impact which impacts
> designers from developing new use cases for hbh and doh.  This impacts the
> use of hbh and doh over the internet.
>
> Section 2.4
>
> See this draft which I am Co-author has some details related to NPU and
> fixed function ASIC and
> separation of control plane and data plane criticality.
>
> Maybe add below draft as normative reference
> https://tools.ietf.org/html/draft-peng-v6ops-hbh-03
>
> Mention the management plane which is impacted when packets are sent to
> the control plane.
>
>
> 3.1
>
> Perimeter ACLs as well as firewall filters it is recommended to only
> permit directly adjacent ND packet as ND used RFC 5082 GTSM so TTL is set
> to 255 and which can be used as an attack vector. I have an perimeter IACL
> that is customized and had the DAD has the solicit node multicast address
> so DAD succeeds.
>
> 2.7.2.4
>
> “Securing the routing protocol between CE and PE; in the case of 6PE and 6VPE, link-local addresses (see [RFC7404 <https://tools.ietf.org/html/rfc7404>]) can be used and as these addresses cannot be reached from outside of the link, the security of 6PE and 6VPE is even higher than an IPv4 BGP/MPLS IP
> VPN.”
>
>
> When using LL peering on the PE-RR iBGP peeing or PE-PE ibgp peering make
> sure next-hop-self is used so the next hop is rewritten to loopback0 which
> is reachable as LL not reachable.
>
> Section 2.7.1
>
> Mention  Happy Eyeballs RFC 6555 and Happy Eyeballs 2 RFC 8305  -  By
> default with dual stack IPv6 is preferred over IPv4 and that impacts access
> to host via TCP or UDP as well as operational impact so any ping trace or
> ssh done from the device IPV6 is used over IPV4. By default on dual stacked
> host a A/AAAAA request goes out and a A/AAAA reply comes back and the
> client creates IPv6 socket for TCP session to server with a TCP  RTO
> retransmission timeout of 20 seconds approximately.  With Happy Eyeballs 1
> there is a simultaneous v6 end v6 connection with a 300ms preference for v6
> establishes and within 300ms the failover of the session occurs from v6 to
> v4 thus not noticeable to the naked eye thus happiness with the eyeballs of
> the user.
>
> Section 2.7.2
>
> We should include 4to6 which as well as 6to6 tunnels.
>
> Kind Regards
>
> Gyan
>
>
> On Mon, Apr 26, 2021 at 3:30 AM Eric Vyncke (evyncke) <evyncke@cisco.com>
> wrote:
>
>> Thank you Gyan
>>
>>
>>
>> -éric
>>
>>
>>
>> *From: *Gyan Mishra <hayabusagsm@gmail.com>
>> *Date: *Monday, 26 April 2021 at 06:34
>> *To: *opsec WG <opsec@ietf.org>, OpSec Chairs <opsec-chairs@ietf.org>,
>> Eric Vyncke <evyncke@cisco.com>
>> *Subject: *draft-ietf-opsec-v6-24 - Shepherd Review update
>>
>>
>>
>>
>> Hi Eric
>>
>>
>>
>> I will do another final Shepherd review now of the draft as this draft as
>> it is on its way to publication.
>>
>>
>>
>> Kind Regards
>>
>>
>>
>> <http://www.verizon.com/>
>>
>> *Gyan Mishra*
>>
>> *Network Solutions Architect *
>>
>> *Email gyan.s.mishra@verizon.com <gyan.s.mishra@verizon.com>*
>>
>> *M 301 502-1347*
>>
>>
>>
> --
>
> <http://www.verizon.com/>
>
> *Gyan Mishra*
>
> *Network Solutions A**rchitect *
>
> *Email gyan.s.mishra@verizon.com <gyan.s.mishra@verizon.com>*
>
>
>
> *M 301 502-1347*
>
> --

<http://www.verizon.com/>

*Gyan Mishra*

*Network Solutions A**rchitect *

*Email gyan.s.mishra@verizon.com <gyan.s.mishra@verizon.com>*



*M 301 502-1347*

v2.23.0 | Report a Bug | By Email