[OPSEC] Erik Kline's Discuss on draft-ietf-opsec-v6-25: (with DISCUSS and COMMENT)
Erik Kline via Datatracker <noreply@ietf.org> Wed, 07 April 2021 04:18 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: opsec@ietf.org
Delivered-To: opsec@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 722653A3E18; Tue, 6 Apr 2021 21:18:27 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Erik Kline via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-opsec-v6@ietf.org, opsec-chairs@ietf.org, opsec@ietf.org, Gyan Mishra <hayabusagsm@gmail.com>, hayabusagsm@gmail.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.27.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Erik Kline <ek.ietf@gmail.com>
Message-ID: <161776910743.14253.17550631411662929687@ietfa.amsl.com>
Date: Tue, 06 Apr 2021 21:18:27 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/N6n0_8vpCHYhxYK3ToEBWtK_Q1I>
Subject: [OPSEC] Erik Kline's Discuss on draft-ietf-opsec-v6-25: (with DISCUSS and COMMENT)
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.29
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Apr 2021 04:18:28 -0000
Erik Kline has entered the following ballot position for draft-ietf-opsec-v6-25: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-opsec-v6/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- [ section 2.1 ] * "may also force the use of NPTv6" seems like it draws some conclusions. Perhaps something like: "may also increase the perceived need for the use of NPTv6"? [ section 2.2 ] * "It must also be noted that there is no indication in the IPv6 packet as to whether the Next Protocol field points to an extension header or to a transport header." What is this trying to say? Is this about what 8200 calls the "Next Header" field? If so, the Next Header field indicates...the next header, and whether that's a transport header or not depends on its value. I guess I read this text as implying that the 8200 standard is somehow ambiguous about what NH means, but it's really not. It's just that NH does not always indicate a transport. [ section 2.3.2.4 ] * "Only trivial cases [...] should have RA-guard..." Only? This doesn't strike me as being obviously the best recommendation. Definitely in trivial cases it should be enabled, but surely it should also be enabled even in more complex cases, albeit ones where knowledgeable administrators can configure things appropriately (vis. the applicability statement in section 1.1)...maybe? ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- [ general ] * There are many uses of ellipses ("...") that probably could be tightened up (usually just removed might work). [ section 2.1.1 ] * I think it never hurts to repeat the message that ULA /48s from the fd00::/8 space (L=1) MUST be generated with a pseudo-random algorithm, per RFC 4193 sections 3.2, 3.2.1, &c. [ section 2.1.4 ] * I think the opening sentence might clarify that it's talking about stable address assignment for nodes. On a one-pass reading, section 2.1.3 immediately preceding this is discussing router loopback addressing, so I found I had routers on the brain when I started 2.1.4. [ section 2.1.5 ] * Up to you, but 4941 has been superseded by 8981. [ section 2.1.6 ] * "(see Section 2.6.1.5)" -> I think the trailing ")" probably wants to be at the end of that sentence; if not, it does not quite make grammatical sense (to me). [ section 2.2.3 ] * s/ipv6/IPv6/g [ section 2.3.5 ] * As an addendum to the final paragraph, it might be noted that such filtering can inhibit mDNS (whether or not that's a desirable outcome). [ section 2.4 ] * "non-legit": perhaps a bit too casual? [ section 2.6.1.7 ] * "as currently collected as in" -> "as currently collected in", I suspect [ section 2.6.2.1 ] * There are other motivations for doing forensic analysis that simply investigating "malicious activity" (even if this is the most common motivation). As a concrete proposal, perhaps: "At the end of the process, the interface of the host originating, or the subscriber identity associated with, the activity in question has been determined." ...or something [ section 2.7.2 ] * "legit": perhaps a bit too casual? "legitimate"? Or perhaps just s/legit and//. [ section 2.7.2.8 ] * s/IPV4/IPv4/ * Consider port 123 NTP in your allowlist. :-) * "hardly never" -> "hardly ever" [ section 2.7.3.1 ] * Does this section belong in this document? It's all about IPv4, and not even particular to IPv4 in the presence of IPv6 -- just IPv4 in general. [ section 2.7.3.2 ] * "DNSSEC has an impact on DNS64" It might also be said that "DNS64 has an impact on DNSSEC", so perhaps "DNSSEC and DNS64 negatively interact"? [ section 4.3 ] * "and what the respective log retention" -> "and the respective log retention", I think
- [OPSEC] Erik Kline's Discuss on draft-ietf-opsec-… Erik Kline via Datatracker
- Re: [OPSEC] Erik Kline's Discuss on draft-ietf-op… Enno Rey
- Re: [OPSEC] Erik Kline's Discuss on draft-ietf-op… Erik Kline
- Re: [OPSEC] Erik Kline's Discuss on draft-ietf-op… Enno Rey