Re: [OPSEC] [v6ops] WGLC for draft-ietf-opsec-v6

otroan@employees.org Tue, 18 April 2017 08:21 UTC

From: otroan@employees.org
Date: Tue, 18 Apr 2017 10:21:50 +0200
References: <55cb757e-ee2d-4818-9fc2-67d559006f34@me.com> <3E179F05-ACCD-4290-A65F-57E4202FAA15@icloud.com>
To: opsec@ietf.org
In-Reply-To: <3E179F05-ACCD-4290-A65F-57E4202FAA15@icloud.com>
Message-Id: <DA2F1528-3C08-47FC-A297-1505CEE29386@employees.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/O_LCrHbpogjcHYEFSIdKZS4vISM>

A few initial comments. Draft is not quite ready.

Section 2.1.3:
 6164 does not _recommend_ /127, it _permits_ /127 on p2p links.
 The ping pong attack is mitigated in RFC4443.
 I am not convinced there is justification that this document should recommend /127 for "security reasons".

Section 2.1.4:
  The description of the IID needs to be updated with the latest recommendations in 4291bis etc.
  The IID is no longer recommended to be created from the MAC address, for example.

  It might also be worth clarifying that the operator can only control a host's choice of IID / privacy by disabling SLAAC altogether.

Section 2.1.6:
 "DNS is often used for malware activities"... That just doesn't read well. I presume you aren't proposing to disable DNS? ;-)

Section 2.2:
 I am not sure that extension headers are one of the most critical differentiators between IPv4 and IPv6. IPv4 had variable length options...

Section 2.2.2:
 This section should be updated to reflect the new text in 2460bis. The reference to hbh-header-handling is no longer needed.

Section 2.2.3:
 s/Fragment Extension Header/Fragment header
 Same for Hop by Hop options header. Please get the names of the headers correct.

Section 2.3.2:
 Consider Secure DHCPv6?

Section 2.3.3:
 I don't think those individual drafts are "actively" discussing methods to rate limit RA anymore. Worth updating / rewriting with a summary from those discussions.

Section 2.7.2:
  Remove the historic tunnel mechanisms? ISATAP, Teredo, 6to4?

Section 2.7.2.7:
  DS-lite is not a translation mechanism.

Section 2.7.2.8:

 s/tunnel and encapsulation/encapsulation and translation/

Section 2.7.3.1:
 Why in an IPv6 document?

Section 3.1:
 In general update references. e.g. ipv6-eh-filtering is outdated.
 I question referencing opsec-ipv6-eh-filtering. It has wrong and outdated advice. E.g. on section of HBH header.
 The advice in ipv6-eh-filtering is essentially to ossify the network.

Section 5:
 Reference to balanced-ipv6-security... I don't think it is worth referencing an expired draft. Why not summarise the points in a paragraph?

Ole
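The Section 2.1.4 comment above notes that MAC-derived (modified EUI-64) IIDs are no longer the recommended default and that an operator cannot steer a host's IID choice short of disabling SLAAC. What an operator can do is audit which hosts on a link still expose MAC-derived IIDs. The following is an added example, not code from the draft or from the reviewer: it classifies the IID of each address in a constructed neighbour-cache dump using the RFC 4291 Appendix A layout (0xFFFE in the middle of the IID, universal/local bit inverted) and recovers the embedded MAC where one is present. The sample lines and the `ip -6 neigh`-style field order are assumptions made for the example.

```python
import ipaddress

# Constructed sample neighbour-cache lines (first field is the IPv6 address).
SAMPLE_NDP_LINES = [
    "2001:db8:1::21a:2bff:fe3c:4d5e dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE",
    "fe80::21a:2bff:fe3c:4d5e dev eth0 lladdr 00:1a:2b:3c:4d:5e STALE",
    "2001:db8:1:0:a1b2:c3d4:e5f6:708 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE",
    "2001:db8:1::1 dev eth0 lladdr 00:50:56:aa:bb:cc router REACHABLE",
]


def classify_iid(addr: str) -> dict:
    """Classify the low 64 bits (IID) of an IPv6 address.

    Returns a dict with 'kind' in {'eui64', 'zero', 'other'} and, for
    modified EUI-64 IIDs, the MAC address the IID was derived from.
    """
    ip = ipaddress.IPv6Address(addr)
    iid = ip.packed[8:]  # bytes 8..15 are the interface identifier
    result = {"address": str(ip), "kind": "other", "mac": None}

    # Modified EUI-64 (RFC 4291 Appendix A): 0xFF 0xFE sits at IID bytes 3-4
    # and the universal/local bit (bit 1 of the first octet) is inverted.
    if iid[3] == 0xFF and iid[4] == 0xFE:
        first_octet = iid[0] ^ 0x02  # undo the u/l bit inversion
        mac = bytes([first_octet, iid[1], iid[2], iid[5], iid[6], iid[7]])
        result["kind"] = "eui64"
        result["mac"] = ":".join(f"{b:02x}" for b in mac)
    elif iid == b"\x00" * 8:
        result["kind"] = "zero"  # subnet-router anycast address
    return result


def audit_lines(lines: list[str]) -> list[dict]:
    """Classify every address in a list of neighbour-cache lines."""
    records = []
    for line in lines:
        fields = line.split()
        if not fields:
            continue
        try:
            records.append(classify_iid(fields[0]))
        except ipaddress.AddressValueError:
            continue  # skip lines whose first field is not an IPv6 address
    return records


def summarize(lines: list[str]) -> dict:
    """Count how many addresses fall into each IID kind."""
    counts: dict = {}
    for rec in audit_lines(lines):
        counts[rec["kind"]] = counts.get(rec["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for rec in audit_lines(SAMPLE_NDP_LINES):
        print(f"{rec['address']:40} {rec['kind']:6} {rec['mac'] or ''}")
    print(summarize(SAMPLE_NDP_LINES))
```

Hosts that show up as `eui64` both on their link-local and their global address are the ones whose hardware identity is visible off-link; a random or stable-privacy IID (RFC 4941 / RFC 7217 style) on the global address classifies as `other`, which is the state the updated IID recommendations aim for.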




> On 18 Apr 2017, at 09:18, Gunter Van De Velde <guntervandeveldecc@icloud.com> wrote:
> 
> Dear 6man, v6ops,
> 
> Due to the IPv6 focus of "draft-ietf-opsec-v6" the OPSEC WGLC for this document may be of interest to both 6man and v6ops.
> 
> Please send your feedback to OPSEC email list, where discussion around this document should take place.
> 
> Kind Regards,
> G/
> 
>> Begin forwarded message:
>> 
>> From: Gunter Van De Velde <guntervandeveldecc@icloud.com>
>> Subject: [OPSEC] WGLC for draft-ietf-opsec-v6
>> Date: 12 April 2017 at 09:39:28 GMT+2
>> To: opsec@ietf.org
>> 
>> This is to open a two week WGLC for https://tools.ietf.org/html/draft-ietf-opsec-v6.
>> If you have not read it, please do so now. You may send nits to the author, but substantive discussion should go to the list.
>> 
>> I will close the call on 26 April 2017
>> 
>> G/
>> Sent from iCloud